Configuration and binary permissions

All configuration files for HDFS transparency are located in the /usr/lpp/mmfs/hadoop/etc/hadoop folder after installation. Configuration files can be read and modified only by the root user.

Note: For security considerations, the root user must not grant read and write permissions to the non-root users.
The following example shows the output of the ls -la command:
/usr/lpp/mmfs/hadoop]# ls –la
drwx------  3 root root 4096 Nov  9 09:56 etc
The output of the ls -la command displays the permissions of the HDFS transparency scripts:
/usr/lpp/mmfs/hadoop/bin]# ls –la
-r-xrxr-x 1 root root 4484 Nov  6 10:38 gpfs

/usr/lpp/mmfs/hadoop/sbin
[root@c8f2n09 sbin]# ls –la
total 48
drwxr-xr-x  2 root root 4096 Nov 16 05:21 .
drwxr-xr-x 10 root root 4096 Nov 16 05:38 ..
-r-x------  1 root root 3310 Nov 16 05:20 deploy-gpfs.sh
-r-xr-xr-x  1 root root  697 Nov 16 05:20 gpfs-state.sh
-r-xr-xr-x  1 root root 5380 Nov 16 05:20 hadoop-daemon.sh
-r-xr-xr-x  1 root root 1360 Nov 16 05:20 hadoop-daemons.sh
-r-xr-xr-x  1 root root 4959 Nov 16 05:20 mmhadoopctl
-r-xr-xr-x  1 root root 2145 Nov 16 05:20 slaves.sh
-r-x------  1 root root 1111 Nov 16 05:20 start-gpfs.sh
-r-x------  1 root root  740 Nov 16 05:20 stop-gpfs.sh
The root user must keep the permissions of all the configuration files unchanged after the installation.
Note: The root user must not grant the write permission to the non-root users.

The root user must start the connector because the Java™ binaries check the UID of the user that starts the connector and exits when the UID does not belong to a root user. Users other than root user cannot start or stop the HDFS transparency service because the HDFS transparency binary code checks the UID of the user. If the user who starts the service is not a root user, it exits.

The non-root users can run the mmhadoopctl connector getstate command to view the state of the connector. The read and execute permissions of the gpfs-state.sh, hadoop-daemon.sh, hadoop-daemons.sh, and slaves.sh files can be used by the non-root users to view the state of the connector.
Note: By default, HDFS transparency installs the above scripts with the default permissions. To avoid security vulnerability, the cluster administrators must ensure that the permissions for these files are not changed.
Parent topic: HDFS transparency security