How to prevent users from modifying HADOOP_USER_NAME?


Re: How to prevent users from modifying HADOOP_USER_NAME?

Cloudera Employee

@Rishi

You can't really. Your best bet is to enable Kerberos on your cluster: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/ch_hdp-security-guide-a...

You can connect to an AD/LDAP or local MIT KDC.

Once you have Kerberized your cluster, HADOOP_USER_NAME has no effect anymore.


Re: How to prevent users from modifying HADOOP_USER_NAME?

Rising Star

@Rishi

Currently, if your cluster is not kerberized, any user can just export the HADOOP_USER_NAME variable and perform any activities; there is no way to restrict that. For example:

[kunal@s261 ~]$ hdfs dfs -ls /mapred 
Found 1 items 
drwxr-xr-x - hdfs hdfs 0 2017-04-24 11:33 /mapred/system 
[kunal@s261 ~]$ hdfs dfs -ls /mapred/system 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ hdfs dfs -rmr /mapred/system 
rmr: DEPRECATED: Please use 'rm -r' instead. 
17/04/26 14:30:56 WARN fs.TrashPolicyDefault: Can't create trash directory: hdfs://s261.openstacklocal:8020/user/kunal/.Trash/Current/mapred 
org.apache.hadoop.security.AccessControlException: Permission denied: user=kunal, access=WRITE, inode="/user/kunal/.Trash/Current/mapred":hdfs:hdfs:drwxr-xr-x 
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319) 

Then, if you export the above variable, we can delete the file:

[kunal@s261 ~]$ export HADOOP_USER_NAME=hdfs 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ hdfs dfs -rmr /mapred/system 
rmr: DEPRECATED: Please use 'rm -r' instead. 
17/04/26 14:31:15 INFO fs.TrashPolicyDefault: Moved: 'hdfs://s261.openstacklocal:8020/mapred/system' to trash at: hdfs://s261.openstacklocal:8020/user/hdfs/.Trash/Current/mapred/system 

The only way is to set up Kerberos, which can fix this issue; even if you export the variable, the user is derived from the Kerberos principal:

[root@krajguru-e1 ~]# kinit kunal
Password for kunal@LAB.HORTONWORKS.NET: 
[root@krajguru-e1 ~]# 
[root@krajguru-e1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kunal@LAB.HORTONWORKS.NET
Valid starting       Expires              Service principal
07/03/2017 12:24:39  07/03/2017 22:24:39  krbtgt/LAB.HORTONWORKS.NET@LAB.HORTONWORKS.NET
renew until 07/10/2017 12:24:34
[root@krajguru-e1 ~]# 
[root@krajguru-e1 ~]# hdfs dfs -ls /mapred/
Found 1 items
drwxr-xr-x   - hdfs hdfs          0 2017-04-21 11:47 /mapred/system
[root@krajguru-e1 ~]# 
[root@krajguru-e1 ~]# export HADOOP_USER_NAME=hdfs
[root@krajguru-e1 ~]# 
[root@krajguru-e1 ~]# hdfs dfs -rmr /mapred/system
rmr: DEPRECATED: Please use 'rm -r' instead.
17/07/03 12:25:11 INFO fs.TrashPolicyDefault: Namenode trash configuration: Deletion interval = 360 minutes, Emptier interval = 0 minutes.
rmr: Failed to move to trash: hdfs://e1.openstacklocal:8020/mapred/system: Permission denied: user=kunal, access=WRITE, inode="/mapred/system":mapred:hdfs:drwxr-xr-x
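
A detection check for the exposure both replies describe, added here as an example and not taken from either reply: it scans NameNode audit log lines for operations run as a superuser identity under `auth:SIMPLE` from a host that is not a known service node. The sample log lines, IP addresses, and the `SUPERUSERS` and `SERVICE_HOSTS` lists are constructed assumptions.

```python
# Constructed sample lines in the NameNode audit log layout (tab-separated key=value).
SAMPLE_AUDIT = [
    "2017-04-26 14:30:40,011 INFO FSNamesystem.audit: allowed=true\tugi=kunal (auth:SIMPLE)\tip=/10.0.0.21\tcmd=listStatus\tsrc=/mapred\tdst=null\tperm=null\tproto=rpc",
    "2017-04-26 14:31:15,402 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)\tip=/10.0.0.21\tcmd=rename\tsrc=/mapred/system\tdst=/user/hdfs/.Trash/Current/mapred/system\tperm=hdfs:hdfs:rwxr-xr-x\tproto=rpc",
    "2017-04-26 14:32:02,950 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)\tip=/10.0.0.5\tcmd=mkdirs\tsrc=/tmp/hive\tdst=null\tperm=hdfs:hdfs:rwxr-xr-x\tproto=rpc",
    "2017-07-03 12:25:11,317 INFO FSNamesystem.audit: allowed=false\tugi=kunal@LAB.HORTONWORKS.NET (auth:KERBEROS)\tip=/10.0.0.21\tcmd=delete\tsrc=/mapred/system\tdst=null\tperm=null\tproto=rpc",
    "2017-07-03 12:25:12,000 INFO namenode.FSNamesystem: unrelated, non-audit line",
]
SUPERUSERS = {"hdfs"}          # assumption: identities treated as privileged
SERVICE_HOSTS = {"10.0.0.5"}   # assumption: hosts where service accounts legitimately run


def parse_line(line):
    """Return a dict of audit fields plus 'user' and 'auth', or None for other lines."""
    _, marker, body = line.partition("FSNamesystem.audit: ")
    if not marker:
        return None
    rec = dict(f.split("=", 1) for f in body.rstrip("\n").split("\t") if "=" in f)
    ugi = rec.get("ugi", "")
    # ugi looks like "hdfs (auth:SIMPLE)" or "kunal@REALM (auth:KERBEROS)"
    user, _, rest = ugi.partition(" (auth:")
    if not rest:
        return None
    rec["user"] = user
    rec["auth"] = rest.split(")", 1)[0]
    rec["ip"] = rec.get("ip", "").lstrip("/")
    return rec


def suspicious_simple_auth(lines, superusers=SUPERUSERS, service_hosts=SERVICE_HOSTS):
    """Superuser operations accepted with simple auth from non-service hosts."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # With simple auth the NameNode trusts the client-supplied user name,
        # so a superuser name arriving from a user workstation deserves review.
        if (rec["auth"] == "SIMPLE" and rec["user"] in superusers
                and rec["ip"] not in service_hosts):
            findings.append((rec["user"], rec["ip"], rec.get("cmd"), rec.get("src")))
    return findings


if __name__ == "__main__":
    for finding in suspicious_simple_auth(SAMPLE_AUDIT):
        print("review:", finding)
```

Any `auth:SIMPLE` entry at all also shows that the cluster has not been Kerberized, which is the condition both replies identify as the root cause.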