echo "***INFO: Setting HDFS ACLs for snapshot scan support"
Yes. As the display indicates ACL changes are needed for snapshot scan support. Trafodion allows the user to create hbase snapshots on the Trafodion tables and allows it to be accessed by its engine and ACL to be enabled for this purpose.

Actually, it should be changed to create /hbase/archive/data/default directory and set ACL too. Possibly a JIRA has been already filed to make this change.

Selva

*From:* Gunnar Tapper [mailto:[email protected]]
*Sent:* Thursday, February 4, 2016 2:39 PM
*To:* [email protected]
*Subject:* Re: HDFS ACLs dependency

Well yes, if you enable ACLs then you have to create the ACLs, too. :)

Perhaps the issue here is that Trafodion can't get access to /hbase/archives w/o ACLs since that directory may be owned by another user in a group other than trafodion?

I'm mostly trying to document requirements and reasoning for things like this to provide "comfort" when doing installation: "during installation, Trafodion will make these changes to your environment for these reasons" is a lot better than "hey, what happened to my environment? HDFS ACLs are enabled!"

Thanks,

Gunnar

On Thu, Feb 4, 2016 at 3:31 PM, Amanda Moran <[email protected]> wrote:

# NOTE: These commands must be done AFTER acls are
# enabled and HDFS has been restarted
echo "***INFO: Setting HDFS ACLs for snapshot scan support"
sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -mkdir -p /hbase/archive"
if [ $? != 0 ]; then
   echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -mkdir -p /hbase/archive) command failed"
   exit -1
fi
sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -chown hbase:hbase /hbase/archive"
if [ $? != 0 ]; then
   echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -chown hbase:hbase /hbase/archive) command failed"
   exit -1
fi
sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m user:$TRAF_USER:rwx /hbase/archive"
if [ $? != 0 ]; then
   echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m user:$TRAF_USER:rwx /hbase/archive) command failed"
   exit -1
fi
sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m default:user:$TRAF_USER:rwx /hbase/archive"
if [ $? != 0 ]; then
   echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m default:user:$TRAF_USER:rwx /hbase/archive) command failed"
   exit -1
fi
sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m mask::rwx /hbase/archive"
if [ $? != 0 ]; then
   echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m mask::rwx /hbase/archive) command failed"
   exit -1
fi

Here is the code that needs ACLS to be set to true. Maybe this helps ... :)

On Thu, Feb 4, 2016 at 2:26 PM, Gunnar Tapper <[email protected]> wrote:

Hi,

I noticed that Trafodion requires that dfs.namenode.acls.enabled is set to true. The reason for this seems to be a desire to do a setfacl on hbase/archive.

Is this a true requirement or an embedded best practice? I'm wondering since we're now imposing security policies on the user even if the user has chosen to rely on the traditional POSIX permission model over implementing the extended POSIX ACL model.

Also, how does this HDFS configuration flag relate to a user that is using Kerberos?

--
Thanks,

Gunnar

*If you think you can you can, if you think you can't you're right.*

--
Thanks,

Amanda Moran

--
Thanks,

Gunnar

*If you think you can you can, if you think you can't you're right.*
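As an added example (not part of the thread and not Trafodion installer code): a check, in the same shell the installer uses, that `hdfs dfs -getfacl /hbase/archive` output contains the three entries the quoted script sets. The function names and the sample output are constructed here, and `trafodion` stands in for `$TRAF_USER`.

```shell
#!/bin/sh
# Added example (not Trafodion installer code). Audits `hdfs dfs -getfacl`
# output for the three entries the installer sets on /hbase/archive.

# check_traf_acl USER: reads getfacl text on stdin, prints each missing
# entry, and returns 0 only when all three are present.
check_traf_acl() {
    awk -v u="$1" '
        /^#/ || NF == 0 { next }        # skip "# file:/owner:/group:" headers
        {
            sub(/[ \t]*#.*$/, "")       # drop a trailing "#effective:..." note
            seen[$0] = 1
        }
        END {
            n = split("user:" u ":rwx default:user:" u ":rwx mask::rwx", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "MISSING " want[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: what getfacl shows after all three setfacl calls.
sample_complete() {
    cat <<'EOF'
# file: /hbase/archive
# owner: hbase
# group: hbase
user::rwx
user:trafodion:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:trafodion:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
EOF
}

# Constructed sample: the default: entry was never applied, so new files and
# directories created under the archive would not inherit the user's access.
sample_no_default() { sample_complete | grep -v '^default:'; }

sample_complete   | check_traf_acl trafodion && echo "complete: OK"
sample_no_default | check_traf_acl trafodion || echo "no_default: incomplete"
```

On a live cluster the input would come from `sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -getfacl /hbase/archive"` piped into `check_traf_acl "$TRAF_USER"`.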
