Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2014/11/20 01:14:34 UTC

[jira] [Commented] (HADOOP-11321) copyToLocal cannot save a file to an SMB share unless the user has Full Control permissions.

    [ https://issues.apache.org/jira/browse/HADOOP-11321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14218764#comment-14218764 ] 

Chris Nauroth commented on HADOOP-11321:
----------------------------------------

The access denied error occurs in libwinutils.c, in {{ChangeFileModeByMask}}, when it calls the Windows API {{SetFileSecurity}} with a security descriptor containing the new discretionary access control list.  The SMB share denies the {{WRITE_DAC}} right.  More details on those APIs are here:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa379577(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa374892(v=vs.85).aspx


> copyToLocal cannot save a file to an SMB share unless the user has Full Control permissions.
> --------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11321
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11321
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs
>    Affects Versions: 2.6.0
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>
> In Hadoop 2, it is impossible to use {{copyToLocal}} to copy a file from HDFS to a destination on an SMB share.  This is because in Hadoop 2, the {{copyToLocal}} maps to 2 underlying {{RawLocalFileSystem}} operations: {{create}} and {{setPermission}}.  On an SMB share, the user may be authorized for the {{create}} but denied for the {{setPermission}}.  Windows denies the {{WRITE_DAC}} right required by {{setPermission}} unless the user has Full Control permissions.  Granting Full Control isn't feasible for most deployments, because it's insecure.  This is a regression from Hadoop 1, where {{copyToLocal}} only did a {{create}} and didn't do a separate {{setPermission}}.



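
Added example, not part of the original JIRA comment or of Hadoop's code: a small Python audit that decodes the DACL from an SDDL string (for instance the output of PowerShell's (Get-Acl <path>).Sddl) and reports which trustees are granted WRITE_DAC, the right that SetFileSecurity needs when it replaces the DACL. The sample SDDL is constructed, and the check is per trustee only: it does not expand group membership or account for share-level permissions.

```python
import re

# Access-mask values from the Windows SDK (winnt.h).
WRITE_DAC = 0x00040000
FILE_ALL_ACCESS = 0x001F01FF  # "Full control"
MODIFY = 0x001301BF           # "Modify": lacks WRITE_DAC and WRITE_OWNER

# SDDL rights codes used on files; generic rights are mapped to file rights.
SDDL_RIGHTS = {
    "FA": FILE_ALL_ACCESS, "GA": FILE_ALL_ACCESS,
    "FR": 0x00120089, "GR": 0x00120089,
    "FW": 0x00120116, "GW": 0x00120116,
    "FX": 0x001200A0, "GX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000,
    "WD": WRITE_DAC, "WO": 0x00080000,
}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: Administrators have Full control, Authenticated Users
# have Modify, Users have read/write.
SAMPLE_SDDL = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;AU)(A;;FRFW;;;BU)"


def rights_to_mask(rights):
    """Decode an SDDL rights field: a hex mask or concatenated two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on a code not listed above
    return mask


def write_dac_by_trustee(sddl):
    """Map each trustee with an allow ACE to whether it ends up with WRITE_DAC."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner, group and SACL
    granted, denied = {}, {}
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        target = granted if ace_type == "A" else denied if ace_type == "D" else None
        if target is not None:
            target[trustee] = target.get(trustee, 0) | rights_to_mask(rights)
    return {t: bool(granted[t] & ~denied.get(t, 0) & WRITE_DAC) for t in granted}


if __name__ == "__main__":
    for trustee, ok in write_dac_by_trustee(SAMPLE_SDDL).items():
        print(trustee, "WRITE_DAC granted" if ok else "WRITE_DAC not granted")
```

A trustee reported as not granted WRITE_DAC can still be authorized to create a file, which is the split between the create and setPermission steps that the issue describes.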