Pretty sure this is the expected behavior. >From the stacktrace, you're impersonation is configured correctly (i.e. it successfully perform operation on behalf of user b) the problem is your file doesn't allow b to access it.
On Mon, Jul 30, 2018 at 1:25 PM Harinder Singh < [email protected]> wrote: > Hi I am using hadoop proxy user/impersonation to access a directory on > which the superuser has access, but it's giving me permission errors when > the proxy user tries to access it: > > Say user "a" is a superuser and "b" is trying to access a directory on > behalf of it. But "b" does not have permission on the directory, user "a" > does have permissions. So shouldn't "b" be able to access that directory as > well? Below is the exception I am getting: > > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker:invoke 11: Exception <- > abc-cdh-n1/192.168.*.*:8020: getListing > {org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): > Permission denied: user=b, access=READ_EXECUTE, > inode="/foo/one":hdfs:supergroup:drwx------ > at > org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkFsPermission(DefaultAuthorizationProvider.java:279) > at > org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.check(DefaultAuthorizationProvider.java:260) > at > org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkPermission(DefaultAuthorizationProvider.java:168) > at > org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:152) > at > org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:3530) > at > org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:3513) > at > org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:3484) > at > org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPathAccess(FSNamesystem.java:6624) > at > org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListingInt(FSNamesystem.java:5135) > at > org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:5096) > at > org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:888) > at > org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.getListing(AuthorizationProviderProxyClientProtocol.java:336) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:630) > at > org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617) > at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073) > at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2217) > at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2213) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:415) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1917) > at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2211) > > > My superuser is hdfs and I am using > UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keyTabPath) with > the hdfs principal in place of user and I don't have ACL's enabled. I have > added the proxy user's settings as well. * for hdfs. > > So can someone guide me what am I missing here? > > -- > A very happy Hadoop contributor >
