How to prevent users from modifying HADOOP_USER_NAME ?


Cloudera Employee

@Rishi

You can't really. Your best bet is to enable Kerberos on your cluster: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/ch_hdp-security-guide-a...

You can connect to an AD/LDAP or local MIT KDC.

Once you have Kerberized your cluster, HADOOP_USER_NAME has no effect anymore.

Rising Star

@Rishi

Currently, if your cluster is not Kerberised, any user can just export the HADOOP_USER_NAME variable and perform any activity; there is no way to restrict that. For example:

[kunal@s261 ~]$ hdfs dfs -ls /mapred 
Found 1 items 
drwxr-xr-x - hdfs hdfs 0 2017-04-24 11:33 /mapred/system 
[kunal@s261 ~]$ hdfs dfs -ls /mapred/system 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ hdfs dfs -rmr /mapred/system 
rmr: DEPRECATED: Please use 'rm -r' instead. 
17/04/26 14:30:56 WARN fs.TrashPolicyDefault: Can't create trash directory: hdfs://s261.openstacklocal:8020/user/kunal/.Trash/Current/mapred 
org.apache.hadoop.security.AccessControlException: Permission denied: user=kunal, access=WRITE, inode="/user/kunal/.Trash/Current/mapred":hdfs:hdfs:drwxr-xr-x 
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319) 
Then, if you export the above variable, we can delete the file:
[kunal@s261 ~]$ export HADOOP_USER_NAME=hdfs 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ 
[kunal@s261 ~]$ hdfs dfs -rmr /mapred/system 
rmr: DEPRECATED: Please use 'rm -r' instead. 
17/04/26 14:31:15 INFO fs.TrashPolicyDefault: Moved: 'hdfs://s261.openstacklocal:8020/mapred/system' to trash at: hdfs://s261.openstacklocal:8020/user/hdfs/.Trash/Current/mapred/system 
The only way to fix this issue is to set up Kerberos; even if you export the variable, the user is derived from the Kerberos principal:
[root@krajguru-e1 ~]# kinit kunal
Password for kunal@LAB.HORTONWORKS.NET:
[root@krajguru-e1 ~]#
[root@krajguru-e1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kunal@LAB.HORTONWORKS.NET

Valid starting       Expires              Service principal
07/03/2017 12:24:39  07/03/2017 22:24:39  krbtgt/LAB.HORTONWORKS.NET@LAB.HORTONWORKS.NET
renew until 07/10/2017 12:24:34
[root@krajguru-e1 ~]#
[root@krajguru-e1 ~]# hdfs dfs -ls /mapred/
Found 1 items
drwxr-xr-x   - hdfs hdfs          0 2017-04-21 11:47 /mapred/system
[root@krajguru-e1 ~]#
[root@krajguru-e1 ~]# export HADOOP_USER_NAME=hdfs
[root@krajguru-e1 ~]#
[root@krajguru-e1 ~]# hdfs dfs -rmr /mapred/system
rmr: DEPRECATED: Please use 'rm -r' instead.
17/07/03 12:25:11 INFO fs.TrashPolicyDefault: Namenode trash configuration: Deletion interval = 360 minutes, Emptier interval = 0 minutes.
rmr: Failed to move to trash: hdfs://e1.openstacklocal:8020/mapred/system: Permission denied: user=kunal, access=WRITE, inode="/mapred/system":mapred:hdfs:drwxr-xr-x
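As an added example (not code from either reply or from Hadoop itself), the Python script below shows two defender-side checks for the situation both answers describe: it reads hadoop.security.authentication from core-site.xml to tell whether the cluster still trusts HADOOP_USER_NAME as-is, and it scans NameNode audit-log lines for privileged identities asserted via simple auth from hosts outside a trusted set, which is how the spoofed rmr above looks from the NameNode's side. The core-site fragment, the audit lines, the IP addresses and the trusted-host set are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (assumption; not from the thread).
CORE_SITE_SIMPLE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://s261.openstacklocal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

# Constructed NameNode audit lines in the FSNamesystem.audit format; the
# second one is what the spoofed 'hdfs dfs -rmr' above looks like server-side.
AUDIT_LINES = """\
2017-04-26 14:30:56,101 INFO FSNamesystem.audit: allowed=false ugi=kunal (auth:SIMPLE) ip=/10.0.0.12 cmd=delete src=/mapred/system dst=null perm=null proto=rpc
2017-04-26 14:31:15,417 INFO FSNamesystem.audit: allowed=true ugi=hdfs (auth:SIMPLE) ip=/10.0.0.12 cmd=rename src=/mapred/system dst=/user/hdfs/.Trash/Current/mapred/system perm=hdfs:hdfs:rwxr-xr-x proto=rpc
2017-04-26 14:32:02,003 INFO FSNamesystem.audit: allowed=true ugi=hdfs (auth:SIMPLE) ip=/10.0.0.2 cmd=listStatus src=/ dst=null perm=null proto=rpc
2017-07-03 12:25:11,880 INFO FSNamesystem.audit: allowed=false ugi=kunal (auth:KERBEROS) ip=/10.0.0.12 cmd=rename src=/mapred/system dst=/user/hdfs/.Trash/Current/mapred/system perm=null proto=rpc
"""

AUDIT_RE = re.compile(
    r"allowed=(?P<allowed>\w+) ugi=(?P<ugi>\S+) \(auth:(?P<auth>\w+)\) "
    r"ip=/(?P<ip>[\d.]+) cmd=(?P<cmd>\w+) src=(?P<src>\S+)"
)


def authentication_mode(core_site_xml):
    """Return hadoop.security.authentication from core-site.xml.
    'simple' means the client-supplied name (HADOOP_USER_NAME) is trusted;
    'kerberos' means the NameNode derives the user from the ticket instead."""
    root = ET.fromstring(core_site_xml)
    for prop in root.iter("property"):
        if prop.findtext("name") == "hadoop.security.authentication":
            return (prop.findtext("value") or "simple").strip().lower()
    return "simple"  # Hadoop's default when the property is absent


def spoofable_privileged_actions(audit_text, privileged_users, trusted_ips):
    """Return (ugi, ip, cmd, src) for allowed simple-auth operations done as a
    privileged identity from a host outside trusted_ips. On a simple-auth
    cluster the NameNode cannot tell these from the real service user."""
    hits = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        if (m["allowed"] == "true" and m["auth"] == "SIMPLE"
                and m["ugi"] in privileged_users and m["ip"] not in trusted_ips):
            hits.append((m["ugi"], m["ip"], m["cmd"], m["src"]))
    return hits
```

On a Kerberised cluster the audit lines carry auth:KERBEROS and the ugi is the principal's name, so the same scan returns nothing for an exported HADOOP_USER_NAME.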