Configuration and binary permissions
All configuration files for HDFS transparency are located in the /usr/lpp/mmfs/hadoop/etc/hadoop folder after installation. Configuration files can be read and modified only by the root user.
Note: For security considerations, the root user must not grant read and write permissions to the non-root users.
The following example shows the output of the ls -la command:
/usr/lpp/mmfs/hadoop]# ls -la
drwx------ 3 root root 4096 Nov 9 09:56 etc
The output of the ls -la command displays the permissions of the HDFS transparency scripts:
/usr/lpp/mmfs/hadoop/bin]# ls -la
-r-xr-xr-x 1 root root 4484 Nov 6 10:38 gpfs
/usr/lpp/mmfs/hadoop/sbin
[root@c8f2n09 sbin]# ls -la
total 48
drwxr-xr-x 2 root root 4096 Nov 16 05:21 .
drwxr-xr-x 10 root root 4096 Nov 16 05:38 ..
-r-x------ 1 root root 3310 Nov 16 05:20 deploy-gpfs.sh
-r-xr-xr-x 1 root root 697 Nov 16 05:20 gpfs-state.sh
-r-xr-xr-x 1 root root 5380 Nov 16 05:20 hadoop-daemon.sh
-r-xr-xr-x 1 root root 1360 Nov 16 05:20 hadoop-daemons.sh
-r-xr-xr-x 1 root root 4959 Nov 16 05:20 mmhadoopctl
-r-xr-xr-x 1 root root 2145 Nov 16 05:20 slaves.sh
-r-x------ 1 root root 1111 Nov 16 05:20 start-gpfs.sh
-r-x------ 1 root root 740 Nov 16 05:20 stop-gpfs.sh
The root user must keep the permissions of all the configuration files unchanged after the installation.
Note: The root user must not grant the write permission to the non-root users.
Only the root user can start or stop the HDFS transparency service (the connector). The Java™ binaries check the UID of the user that starts the connector and exit if that UID does not belong to the root user.
Non-root users can run the mmhadoopctl connector getstate command to view the state of the connector. The read and execute permissions on the gpfs-state.sh, hadoop-daemon.sh, hadoop-daemons.sh, and slaves.sh files allow non-root users to view the state of the connector.
Note: By default, HDFS transparency installs the above scripts with the default permissions. To avoid security vulnerabilities, the cluster administrators must ensure that the permissions for these files are not changed.
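One way to check that the permissions have not drifted from the listings above, as an added example that is not part of the product or its documentation. The expected modes are copied from the etc and sbin listings on this page; the function name audit_hdfs_perms and its arguments are hypothetical, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example: compare installed permissions with the listings on this page.
# Expected modes are copied from the ls -la output for etc and sbin.
BASELINE='etc:700
sbin/deploy-gpfs.sh:500
sbin/gpfs-state.sh:555
sbin/hadoop-daemon.sh:555
sbin/hadoop-daemons.sh:555
sbin/mmhadoopctl:555
sbin/slaves.sh:555
sbin/start-gpfs.sh:500
sbin/stop-gpfs.sh:500'

# audit_hdfs_perms [INSTALL_ROOT] [OWNER] [GROUP]   (hypothetical helper)
# Prints one line per deviation; returns 0 if clean, 1 otherwise.
audit_hdfs_perms() {
    root=${1:-/usr/lpp/mmfs/hadoop}
    owner=${2:-root}
    group=${3:-root}
    bad=0
    for entry in $BASELINE; do
        path=$root/${entry%%:*}
        want="${entry##*:} $owner:$group"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        got=$(stat -c '%a %U:%G' "$path")   # GNU stat: octal mode, owner, group
        if [ "$got" != "$want" ]; then
            echo "DRIFT $path: have $got, want $want"
            bad=1
        fi
    done
    # Nothing under etc may carry group/other bits: configuration files
    # are readable and writable by root only.
    exposed=$(find "$root/etc" ! -type l -perm /077 2>/dev/null)
    if [ -n "$exposed" ]; then
        echo "$exposed" | sed 's/^/EXPOSED /'
        bad=1
    fi
    return $bad
}
```

Run audit_hdfs_perms as root on each node with no arguments to check the default installation path; a non-zero return means at least one entry differs from the installed defaults.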