russ_stevenson_
March 30th, 2015 10:00
Ashok,
This behavior is no different than normal multiprotocol data access on Isilon: for the user accessing the data, an Isilon Access Token is created, which constitutes the user's persona on the cluster. The token is then used to evaluate authorization against the permissions defined on files & directories.
Dump a token using: #isi auth mapping token --user= --zone=
Like all Isilon file access, the file permissions can exist in one of two states:
1. POSIX (NFS, HDFS) + Synthetic ACL (SMB)
or
2. Real ACL ( + ). All protocol access is evaluated against the ACL when a real ACL exists on the file (POSIX bits are approximated from the ACL but do not define file access).
So determine what permissions exist on a file or directory using: ls -le/ls -len and ls -led/ls -lend, and you will know which set is defining access. If the file/directory is a non-ACL'd file, the POSIX permissions will be used for HDFS & NFS access. Only in the case of a true Isilon ACL'd file will DACLs be evaluated, and for all protocols.
One area to be aware of is the use of HDFS usernames: HDFS only uses usernames and group membership and not UIDs. This must be taken into account when accessing the data via other protocols, with Access Zones, and while permissioning data.
Thx
russ
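The check described in the post above, as an added example that is not part of the original post: a small shell classifier that reads a captured `ls -le` / `ls -led` listing and reports which permission set defines access. The function names and sample listings are constructed for illustration, and the listing layout (a `SYNTHETIC ACL` line for POSIX-only objects, a `+` after the mode bits for real ACLs) is an assumption about OneFS output.

```shell
#!/bin/sh
# Added example: classify a captured OneFS `ls -le` / `ls -led` listing.
# Assumed layout: POSIX-only objects print a "SYNTHETIC ACL" line; real-ACL
# objects print "+" after the mode bits and list ACEs without that line.

acl_state() {   # reads one object's listing on stdin, prints one word
    awk '
        NR == 1 { plus = ($2 == "+") }
        /^ *SYNTHETIC ACL *$/ { synthetic = 1 }
        /^ *[0-9]+: / { aces++ }
        END {
            if (synthetic)          print "posix"
            else if (plus || aces)  print "real-acl"
            else                    print "unknown"
        }'
}

governs() {     # maps a state to the rule described in the post
    case "$1" in
        posix)    echo "mode bits decide NFS/HDFS access; SMB sees a synthetic ACL" ;;
        real-acl) echo "the ACL decides access for all protocols; mode bits are approximations" ;;
        *)        echo "no ACL detail in listing; re-run with ls -le or ls -led" ;;
    esac
}

sample_posix() {   # constructed listing, not captured from a real cluster
cat <<'EOF'
-rw-r--r--    1 hdfsuser  hadoop  0 Mar 30 10:00 part-00000
 OWNER: user:hdfsuser
 GROUP: group:hadoop
 SYNTHETIC ACL
 0: user:hdfsuser allow file_gen_read,file_gen_write,std_write_dac
 1: group:hadoop allow file_gen_read
 2: everyone allow file_gen_read
EOF
}

sample_real() {    # constructed listing, not captured from a real cluster
cat <<'EOF'
drwxrwx--- +  2 hdfsuser  hadoop  0 Mar 30 10:00 warehouse
 OWNER: user:hdfsuser
 GROUP: group:hadoop
 0: user:hdfsuser allow dir_gen_all
 1: group:hadoop allow dir_gen_read,dir_gen_execute
EOF
}

for s in sample_posix sample_real; do
    printf '%s: %s\n' "$s" "$(governs "$($s | acl_state)")"
done
```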