[jira] [Updated] (HADOOP-11321) copyToLocal cannot save a file to an SMB share unless the user has Full Control permissions.

Wed, 19 Nov 2014 16:23:16 -0800 

     [ 
https://issues.apache.org/jira/browse/HADOOP-11321?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Nauroth updated HADOOP-11321:
-----------------------------------
    Attachment: HADOOP-11321.1.patch

I'm attaching a patch.  The idea is to stop treating it as an error condition 
if an implicit {{setPermission}} fails due to access denied on a local file 
system.  By "implicit", I mean that the {{setPermission}} was not called 
explicitly by an external caller, but implicitly as part of the caller's main 
operation, like a {{create}}.  I'm not aware of any other local file systems 
where a user could be authorized to create a file, but then unauthorized to 
{{chmod}} that same file.  The difference in behavior would have to be a known 
limitation when operating on SMB shares without Full Control permissions.

Fixing this was a bit messy.  If anyone has another idea, I'd like to hear it.  
I'd especially appreciate if I could get a review from one of the Windows 
experts, such as [~chuanliu], [~ivanmi], [~rusanu] or [~shanyu].

> copyToLocal cannot save a file to an SMB share unless the user has Full 
> Control permissions.
> --------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11321
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11321
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs
>    Affects Versions: 2.6.0
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HADOOP-11321.1.patch
>
>
> In Hadoop 2, it is impossible to use {{copyToLocal}} to copy a file from HDFS 
> to a destination on an SMB share.  This is because in Hadoop 2, the 
> {{copyToLocal}} maps to 2 underlying {{RawLocalFileSystem}} operations: 
> {{create}} and {{setPermission}}.  On an SMB share, the user may be 
> authorized for the {{create}} but denied for the {{setPermission}}.  Windows 
> denies the {{WRITE_DAC}} right required by {{setPermission}} unless the user 
> has Full Control permissions.  Granting Full Control isn't feasible for most 
> deployments, because it's insecure.  This is a regression from Hadoop 1, 
> where {{copyToLocal}} only did a {{create}} and didn't do a separate 
> {{setPermission}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to