Permissions Issue Seen with Kerberos for Some Users When New Groups Created (Doc ID 1941092.1)

Last updated on MARCH 16, 2016

Applies to:

Big Data Appliance Integrated Software - Version 4.0 and later
Linux x86-64

Symptoms

1. On a Kerberos-enabled cluster, users are configured per the following note:

Document 1600752.1 - How to Create and Add a User to a Secure Cluster with Kerberos for Oracle Big Data Appliance v2.3.1 and Higher

2. Per the document, user directories are created under /user and each directory is owned by its user, for example for the user testuser:

$ hadoop fs -ls -d /user/testuser
Found 1 items
drwxr-xr-x   - testuser supergroup          0 2014-10-23 12:52 /user/testuser

3. All users can access their own directory under /user/<username>, which they own.

4. The /user directory is owned by hdfs:supergroup, for example:

$ hadoop fs -ls -d /user
Found 1 items
drwxr-xr-x   - hdfs supergroup          0 2014-09-25 10:39 /user

5. Then additional groups are created, for example prod, dev and test, in the local Linux environment, and users are added to each group. In the same way, three directories are created in HDFS for these groups, one for each of prod, dev and test.

6. Next, the owner and group of each of these group directories are changed to hdfs:<group>, for example:

hdfs:prod
hdfs:dev
hdfs:test

7. Permissions of 770 are set on all of these HDFS directories, that is, the ones owned by hdfs:prod, hdfs:dev and hdfs:test.

This would show as follows in this example:

$ hadoop fs -ls /
Found 4 items
...
drwxr-xr-x   - hdfs  supergroup           0 2014-09-25 10:39 /user
drwxrwx---   - hdfs  prod                    0 2014-09-25 10:39 /prod
drwxrwx---   - hdfs  dev                     0 2014-09-25 10:39 /dev
drwxrwx---   - hdfs  test                     0 2014-09-25 10:39 /test

8. However, none of the users are able to access these directories. All users fall under the "other" category rather than their group category.

9. When the group ownership of any of these directories is changed to supergroup, access works for all the users:

$ hadoop fs -ls /
Found 4 items
...
drwxr-xr-x   - hdfs  supergroup           0 2014-09-25 10:39 /user
drwxrwx---   - hdfs  supergroup           0 2014-09-25 10:39 /prod
drwxrwx---   - hdfs  supergroup           0 2014-09-25 10:39 /dev
drwxrwx---   - hdfs  supergroup           0 2014-09-25 10:39 /test

However, it does not work when the ownership is hdfs:prod, hdfs:dev, or hdfs:test. The users do not appear to have access to the directories. The following error is received:

$ hadoop fs -ls /prod/
ls: Permission denied: user=<username>, access=READ_EXECUTE, inode="/prod":hdfs:prod:drwxrwx--T
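
The owner/group/other evaluation behind step 8 and the error above, as an added example that is not part of the original note. It parses listing lines in the `hadoop fs -ls` format and shows which permission class a user lands in for a given group list. The function names, the sample listing (including the `--T` mode on /dev) and the group sets passed in are constructed for illustration.

```python
import re

# Constructed sample in the format of the step 7 listing above.
LISTING = """\
Found 3 items
drwxr-xr-x   - hdfs  supergroup  0 2014-09-25 10:39 /user
drwxrwx---   - hdfs  prod        0 2014-09-25 10:39 /prod
drwxrwx--T   - hdfs  dev         0 2014-09-25 10:39 /dev
"""

# type, 9 mode chars, replication, owner, group, size, date, time, path
LINE = re.compile(
    r"^[d-]([rwxtT-]{9})\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$"
)

def parse_ls(listing):
    """Return {path: (owner, group, mode)} from `hadoop fs -ls` output."""
    entries = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:  # "Found N items", "..." and blank lines do not match
            mode, owner, group, path = m.groups()
            entries[path] = (owner, group, mode)
    return entries

def permission_class(user, groups, owner, group):
    """POSIX-style selection: exactly one class applies, checked in order."""
    if user == owner:
        return "owner"
    if group in groups:
        return "group"
    return "other"

def allowed(user, groups, entry, access):
    """Evaluate an access string such as READ_EXECUTE for one entry.

    `groups` is the group list HDFS has for the user (an input here).
    Superuser bypass and ACLs are not modelled.
    """
    owner, group, mode = entry
    cls = permission_class(user, groups, owner, group)
    start = {"owner": 0, "group": 3, "other": 6}[cls]
    r, w, x = mode[start:start + 3]
    # In the last position 't' is sticky + execute, 'T' is sticky only.
    have = {"READ": r == "r", "WRITE": w == "w", "EXECUTE": x in ("x", "t")}
    return cls, all(have[a] for a in access.split("_"))
```

With a group list that lacks prod, the user is evaluated as "other" and mode 770 denies READ_EXECUTE on /prod; with prod in the list, the same request is evaluated as "group" and allowed.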

 

Cause
