I have a Ranger policy for an HDFS resource that looks like...
Now trying to access that HDFS path as two different users via hadoop fs <path to the hdfs location>:
# as an unauthorized user
[ml1@HW04 ml1c]$ hadoop fs -ls <path to the hdfs location>
ls: Permission denied: user=ml1, access=EXECUTE, inode="<path to the hdfs location>"
# as an authorized user
[hph_etl@HW04 hph_etl]$ hadoop fs -ls <path to the hdfs location>
Found 4 items
drwxrwxr-x - hph_etl hph_etl 0 2019-07-31 15:13 <path to the hdfs location>
drwxrwxr-x - hph_etl hph_etl 0 2019-08-07 10:52 <path to the hdfs location>
drwxrwxr-x - hph_etl hph_etl 0 2019-07-31 14:28 <path to the hdfs location>
drwxrwxr-x - hph_etl hph_etl 0 2019-07-26 16:12 <path to the hdfs location>
Works as expected. Now trying via ls -lh <nfs path to the hdfs location> on the local filesystem:
# as an unauthorized user
[ml1@HW04 ml1c]$ ls -lh <nfs path to the hdfs location>
total 2.0K
drwxrwxr-x. 4 hph_etl hph_etl 128 Jul 31 15:13 export
drwxrwxr-x. 5 hph_etl hph_etl 160 Aug 7 10:52 import
drwxrwxr-x. 5 hph_etl hph_etl 160 Jul 31 14:28 storage
drwxrwxr-x. 3 hph_etl hph_etl 96 Jul 26 16:12 tests
# as an authorized user
[hph_etl@HW04 hph_etl]$ ls -lh <nfs path to the hdfs location>
total 2.0K
drwxrwxr-x. 4 hph_etl hph_etl 128 Jul 31 15:13 export
drwxrwxr-x. 5 hph_etl hph_etl 160 Aug 7 10:52 import
drwxrwxr-x. 5 hph_etl hph_etl 160 Jul 31 14:28 storage
drwxrwxr-x. 3 hph_etl hph_etl 96 Jul 26 16:12 tests
We see that both users are able to access the HDFS location via NFS (even though only the hph_etl user should be able to). Anyone know what is going on here? Any debugging tips or fixes?
UPDATE:
Apparently this is not unexpected behavior. Talked with the Hortonworks folks and the intent is to...
- mount specific parts of HDFS onto machines via NFS, using POSIX-based restricted permissions
- then have NiFi (e.g. from HDF) continually listen on those locations and load the data into other Ranger-protected locations in HDFS
To me this seems like a security problem, since I can easily do something like
$ cd /hdfs_nfs_mount/some/private/location
$ head some_private_file.txt
<shows all the contents>
# even when Ranger would rather this user not go there...
$ whoami
<some unauthorized user>
$ hadoop fs -ls /some/private/location
ls: Permission denied: user=<some unauthorized user>, access=EXECUTE, inode="/some/private/location"
if on a regular cluster node that just has all of HDFS mounted on the server at the HDFS root. Not writing this as an answer because I'm kind of hoping it isn't the answer; will keep looking.
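As an added audit helper (not from the question, Hortonworks or any Hadoop project code), the following Python parses `hadoop fs -ls` output and the "Permission denied" message format shown above and flags inodes where Ranger denied an access that the plain POSIX mode bits would still grant, which, under the assumption from the update that the NFS path only enforces POSIX permissions, is exactly the exposure described; the sample listing, paths and user/group memberships are constructed.

```python
import re
from collections import namedtuple

# Constructed sample `hadoop fs -ls` output modelled on the question's listing;
# the real paths were redacted there, so these paths are placeholders.
SAMPLE_HDFS_LS = """\
Found 4 items
drwxrwxr-x   - hph_etl hph_etl          0 2019-07-31 15:13 /data/hph_etl/export
drwxrwxr-x   - hph_etl hph_etl          0 2019-08-07 10:52 /data/hph_etl/import
drwxrwx---   - hph_etl hph_etl          0 2019-07-31 14:28 /data/hph_etl/storage
-rw-r-----   3 hph_etl hph_etl      12345 2019-07-26 16:12 /data/hph_etl/tests/private.txt
"""
# Constructed denial in the format the question shows for `hadoop fs -ls`.
SAMPLE_DENIAL = 'ls: Permission denied: user=ml1, access=EXECUTE, inode="/data/hph_etl/export"'

LS_RE = re.compile(r"^([-d])([rwxstT-]{9})\+?\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$")
DENIAL_RE = re.compile(r'Permission denied: user=(\S+), access=(\w+), inode="([^"]+)"')
ACCESS_BIT = {"READ": "r", "WRITE": "w", "EXECUTE": "x"}
Entry = namedtuple("Entry", "is_dir mode owner group path")  # mode: 9-char rwx string

def parse_hdfs_ls(text):
    """Parse `hadoop fs -ls` output into Entry records; non-matching lines (header) are skipped."""
    matches = (LS_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m.group(1) == "d", *m.groups()[1:]) for m in matches if m]

def effective_bits(entry, user, user_groups=()):
    """POSIX class selection (owner, then group, then other) for the given user."""
    start = 0 if entry.owner == user else 3 if entry.group in user_groups else 6
    return set(entry.mode[start:start + 3]) - {"-"}

def nfs_reachable_by_others(entries):
    """Paths whose 'other' bits admit any uid on the NFS mount, whatever Ranger says."""
    return [e.path for e in entries if set(e.mode[6:9]) & {"r", "x"}]

def denial_contradicted_by_posix(denial_msg, entries, user_groups=()):
    """True when the access Ranger denied on the inode is granted by the mode bits alone."""
    m = DENIAL_RE.search(denial_msg)
    if not m:
        raise ValueError("not an HDFS permission-denied message: %r" % denial_msg)
    user, access, inode = m.groups()
    for e in entries:
        if e.path == inode:
            return ACCESS_BIT[access] in effective_bits(e, user, user_groups)
    return False

def tightened_mode(entry):
    """Mode string with the 'other' class cleared, e.g. drwxrwxr-x -> drwxrwx---."""
    return ("d" if entry.is_dir else "-") + entry.mode[:6] + "---"
```

Run it over the real `hadoop fs -ls -R` output of the exported subtree to get the list of directories whose mode bits, not Ranger, decide what the NFS mount shows.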