[jira] [Commented] (HADOOP-11321) copyToLocal cannot save a file to an SMB share unless the user has Full Control permissions.

Wed, 03 Dec 2014 10:51:12 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-11321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233329#comment-14233329
 ] 

Colin Patrick McCabe commented on HADOOP-11321:
-----------------------------------------------

Those are good points.

It sounds like for Windows, we can go with the solution you're looking at now.  
For Linux (and in general anything implementing POSIX.1-2001), perhaps we can 
just create the file with the requested permission, and then use {{fchmod}} on 
the file descriptor to "open it up" by setting that same permission.  Then we 
get the best of all worlds... there is no point at which the permissions are 
more open then we desire, and we ignore umask (except on filesystems like samba 
where fchmod silently fails, but we can't solve that anyway... and it never 
worked in the past.)  The solution is in the samba case is just to open up your 
umask and then the create will succeed with the desired permission.

> copyToLocal cannot save a file to an SMB share unless the user has Full 
> Control permissions.
> --------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11321
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11321
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs
>    Affects Versions: 2.6.0
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HADOOP-11321.1.patch, HADOOP-11321.2.patch, 
> winutils.tmp.patch
>
>
> In Hadoop 2, it is impossible to use {{copyToLocal}} to copy a file from HDFS 
> to a destination on an SMB share.  This is because in Hadoop 2, the 
> {{copyToLocal}} maps to 2 underlying {{RawLocalFileSystem}} operations: 
> {{create}} and {{setPermission}}.  On an SMB share, the user may be 
> authorized for the {{create}} but denied for the {{setPermission}}.  Windows 
> denies the {{WRITE_DAC}} right required by {{setPermission}} unless the user 
> has Full Control permissions.  Granting Full Control isn't feasible for most 
> deployments, because it's insecure.  This is a regression from Hadoop 1, 
> where {{copyToLocal}} only did a {{create}} and didn't do a separate 
> {{setPermission}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to