hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Evans <ev...@yahoo-inc.com>
Subject Re: 答复: in security mode, one MR job visit two user's data
Date Mon, 11 Feb 2013 15:19:14 GMT
I think he is talking about using groups and read only permissions.

Once the table is loaded into hive you can make the files read only by a
group that both users share.  The Hadoop code is really not setup to allow
a single job to pretend to be more then one user.  You might be able to
fake it, but because the assumption has always been one user there are
likely to be other problems that you run into, even if you get the tokens
to work.  I think the preferable alternative would be to work for true
ACLs in HDFS.  Then you can set up an ACL to give read only access to the
table for the one user that needs it, and you don't have to set up a
special HDFS group for it.


On 2/9/13 8:31 PM, "wang" <wwli05@126.com> wrote:

>Thank your 's response~
>In hive, user can directly execute load path command, if the dir is
>accessible by two user, then, one user can directly load another user's
>into his table. Also. User can execute dfs command directly through
>hiveserver. so the user's data in hdfs is better be 700.
>Whether it is possible I customize the TokenSelector? what i want is at
>client , I got all user's delegation token, and in map task, it can choose
>the correct user's token according the pat it accessed.
>I am not sure whether I can achieve this or how much effort it required. I
>still think of this, welcome the guide from yours.
>发件人: yarn-dev-return-893-wwli05=126.com@hadoop.apache.org
>[mailto:yarn-dev-return-893-wwli05=126.com@hadoop.apache.org] 代表 Alejandro
>发送时间: 2013年2月10日 0:21
>收件人: yarn-dev@hadoop.apache.org
>主题: Re: in security mode, one MR job visit two user's data
>How about leveraging filesystem permissions so the user has access to both
>On Feb 9, 2013, at 1:54 AM, "wang" <wwli05@126.com> wrote:
>> Hi,
>> In security mode, Is it possible in one mr job visit two user's data
>> in hdfs? Means: there are two maps in one job, one map read user1's
>> data, another read user2's data.  As I know, before submit job,
>> jobclient get the delegation token for MR task, but in class
>> credentials, the tokenmap can only take one token for one type of
>> service. If I get user2's token, and add to credentials, the user1's
>will be overwrite.
>> Anyone met the same situation or someone can give some suggestions?
>> The background is in hive, one sql maybe visit different user's data.
>> Regards
>> wwli

View raw message