Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

HDFS default permissioning workes weird, CDH5.1

Labels:
avatar
author-rank Kranach
Explorer

Created ‎01-28-2015 05:58 AM

I read the documentation about permissioning in hdfs and it says:

 

1) by default Hadoop checks "groups" output of linux command for a user

2) "supergroup" is default super users group

 

My root directory looks like this:

 

drwxr-xr-x - hdfs supergroup 0 2015-01-27 23:08 /

 

So i would assume only hdfs and users belonging to supergroup would be able to create directory under it. But there is no "supergroup" group on any of my boxes! There is ony "hadoop" one, that contains hdfs, yarn and mapred. 

 

And basically any user that i create, can execute hdfs commands, like hdfs dfs -mkdir /blabla and do whatever he wants. The files created will have set him as an owner, and supergroup as a group. Even though he doesnt belong to "supergroup" neither to "hadoop". 

 

How does it work then? And is there some simple way to prevent it and make it work as in docs, i.e. make hadoop listen to linux permissions (the only access to cluster is through box managed by us anyway, so this would be enough).

5,804 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Harsh J author-rank
Mentor

Created ‎02-09-2015 02:01 PM

The UI approach is easier, and it serves the same file from the
location you're looking under, but to answer your question, you can
look for the latest (numbered or mtime) directory that carries just
the role name. For NameNodes, the following is the pattern:

NNNN-hdfs-NAMENODE

The other dirs with NNNN-hdfs-NAMENODE-xyz are specific sub-commands
that run on top of a live NN or similar, but the daemon itself runs on
the original dir format mentioned above.

Likewise for other role types.

View solution in original post

5,775 Views
0 Kudos
5 REPLIES 5

avatar
author-rank Kranach
Explorer

Created ‎02-06-2015 01:06 PM

Well, this is embarassing - I just saw in my cluster Cloudera Manager that security (dfs.permissioning) is false... That explains everything.

 

HOWEVER: the reason i was confused is I couldn't see this property set in any of conf files (grep dfs.permissions /etc/hadoop/conf/*.xml). And according to documentation the default value is true. Could anyone please let me know then where does this property get overriden?

5,788 Views
0 Kudos

avatar
author-rank Harsh J author-rank
Mentor

Created ‎02-06-2015 06:32 PM

The dfs.permissions property is a server-side (NameNode) one. It cannot be overriden by clients.

If you use CM, then /etc/hadoop/conf/ is just where your client properties are. The Server-side generated properties are maintained in isolation elsewhere, which you can view for example by going to CM ->HDFS -> Instances -> NameNode -> Processes -> hdfs-site.xml.

A good doc on understanding the CM approach can also be found at http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_intro_primer.html#co...
5,784 Views
0 Kudos

avatar
author-rank Kranach
Explorer

Created ‎02-09-2015 09:37 AM

Good read!

 

Administrators are sometimes surprised that modifying /etc/hadoop/conf and then restarting HDFS has no effect

 

Oh yes. Ok, I think I understand now where server-side configuration comes from. I can find it in CM, altough I still have a bit problem with finding it on a filesystem. When I go to my namenode I see this:

 

 

 

 

root@node9:/var/run/cloudera-scm-agent/process# ls -qlrt | grep NAME
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 12:40 4035-hdfs-NAMENODE
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:17 4091-hdfs-NAMENODE-refresh
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:18 4092-hdfs-NAMENODE-monitor-decommissioning
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:24 4097-hdfs-NAMENODE-refresh
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:25 4098-hdfs-NAMENODE-monitor-decommissioning
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:25 4100-hdfs-NAMENODE-refresh
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:30 4149-hdfs-NAMENODE-refresh
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:30 4150-hdfs-NAMENODE-monitor-decommissioning
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:30 4152-hdfs-NAMENODE-refresh
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:46 4167-hdfs-NAMENODE-createdir
drwxr-x--x 3 hdfs      hdfs      420 Sep 28 13:50 4185-hdfs-NAMENODE
drwxr-x--x 3 hdfs      hdfs      420 Jan 26 16:19 4785-hdfs-NAMENODE-refresh
drwxr-x--x 3 hdfs      hdfs      420 Jan 26 16:19 4787-hdfs-NAMENODE-monitor-decommissioning

 Soo,  which of these contains hdfs-site.xml of my currently running NameNode?

 

 

 

 

 

 

5,780 Views
0 Kudos

avatar
author-rank Harsh J author-rank
Mentor

Created ‎02-09-2015 02:01 PM

The UI approach is easier, and it serves the same file from the
location you're looking under, but to answer your question, you can
look for the latest (numbered or mtime) directory that carries just
the role name. For NameNodes, the following is the pattern:

NNNN-hdfs-NAMENODE

The other dirs with NNNN-hdfs-NAMENODE-xyz are specific sub-commands
that run on top of a live NN or similar, but the daemon itself runs on
the original dir format mentioned above.

Likewise for other role types.

5,776 Views
0 Kudos

avatar
author-rank MilesYao
Expert Contributor

Created ‎03-13-2015 09:43 AM

But this still doesn't answer the original question - why is dfs.permissions.superusergroup defaulted to supergroup, and then CM doesn't create it in Linux?

 

In our case, we also found discrepancies in other default Hadoop user/groups created from the documentation: Guide to Special Users in the Hadoop Environment  For example, hdfs user not assigned to hdfs group, mapred group not created at all.  We are running CDH 5.2.0 on Debian.

 

I've done my share of research, and still find the HDFS user/group permission mechanism confusing.  For the plain Linux-CDH installation without Kerberos (the majority I believe), HDFS relies on Unix user/group permission mechanism, but interprets in its own way.  Thus the confusing and unintuitive behaviors:

 

  1. Unix root has less privilege than 'hdfs' user in HDFS - treated like an (uninitialized) regular user.
  2. No built-in user-admin commands for HDFS similar to Linux useradd, userdel, gpasswd, etc.
  3. No tool to 'migrate' existing Linux users to HDFS in bulk
  4. Hadoop app users that need to create HDFS files (e.g. mapred, flume, mapred, etc.) are not automatically set up in /user
  5. No pre-defined Unix group to include *all* Hadoop app users that need HDFS superuser access
  6. Regular users cannot run 'hdfs fsck /', since staging dir /tmp/logs/hdfs is 770

Perhaps Cloudera can write a more understandable adaptation of the Apache HDFS document.

 

Thanks,

Miles

 

 

5,716 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements