Are you asking about accessing HDFS files or something else? If it’s the former then yes they do work. But just like with Linux files it all depends on having users in groups. Otherwise if hbase owns the files and trafodion isn’t part of the same group the access options are limited. That is, either every user has the same access as trafodion via the “other” bits or you have to use ACLs to give trafodion access if the access will be via the trafodion userid. Trafodion tables are owned by the hbase userid but there appears to be cases when the process accessing some HDFS files use the trafodion userid.
--Dennis From: Gunnar Tapper [mailto:[email protected]] Sent: Friday, February 12, 2016 12:31 AM To: [email protected] Subject: Re: Trafodion Runtime Security I'll bite. Do the traditional Posix bits work under Trafodion? Gunnar On Wed, Feb 10, 2016 at 7:56 PM, Qifan Chen <[email protected] <mailto:[email protected]> > wrote: Should we also briefly mention if the traditional Posix permission bits does/does not work under trafodion? thanks --Qifan On Wed, Feb 10, 2016 at 8:16 PM, Hans Zeller <[email protected] <mailto:[email protected]> > wrote: Hi Gunnar, sounds good to me. Two somewhat related comments: One is that if Trafodion uses a floating IP address in a cloud deployment, like Amazon AWS, the trafodion id will need limited sudo capabilities to move the elastic IP address from one node to another. The other is what we should not do: The trafodion id should not be given any other sudo privileges. Also, the trafodion id should be locked (sudo passwd -l trafodion). Users who need to be running as the trafodion id should do that using the sudo command, e.g. sudo -u trafodion -i. Thanks, Hans On Fri, Feb 5, 2016 at 1:57 PM, Gunnar Tapper <[email protected] <mailto:[email protected]> > wrote: Hi, I'm trying to document introductory-level security requirements for Trafodion, both runtime and during provisining (installation/upgrade/resizing/removal). This is what I have for runtime: The `trafodion:trafodion` user ID is created as part of the installation process. Trafodion runs under this ID, which must be registered as a user in the Hadoop Distributed File System (HDFS) to store and access objects in HDFS, HBase, and Hive. In addition, the `trafodion` user ID required passwordless access among the nodes where Trafodion is installed to run cross-node Trafodion functions such as scripts. Trafodion requires that either HDFS ACLs or Kerberos is enabled. Trafodion users are managed by the Trafodion SQL security features (grant, revoke, etc.), which can be integrated with LDAP if so desired. These users are referred to as *database users* and do not have direct access to the operating system. What did I miss? What did I get wrong? -- Thanks, Gunnar If you think you can you can, if you think you can't you're right. -- Regards, --Qifan -- Thanks, Gunnar If you think you can you can, if you think you can't you're right.
