HADOOP-8460. Document proper setting of HADOOP_PID_DIR and HADOOP_SECURE_DN_PID_DIR (bobby)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1345304 13f79535-47bb-0310-9956-ffa450edef68

Author: revans2

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -222,6 +222,9 @@ Release 2.0.1-alpha - UNRELEASED
     HADOOP-8452. DN logs backtrace when running under jsvc and /jmx is loaded 
     (Andy Isaacson via bobby)
 
+    HADOOP-8460. Document proper setting of HADOOP_PID_DIR and 
+    HADOOP_SECURE_DN_PID_DIR (bobby)
+
 Release 2.0.0-alpha - UNRELEASED
 
   INCOMPATIBLE CHANGES

hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh

@@ -67,6 +67,9 @@ export HADOOP_LOG_DIR=${HADOOP_LOG_DIR}/$USER
 export HADOOP_SECURE_DN_LOG_DIR=${HADOOP_LOG_DIR}/${HADOOP_HDFS_USER}
 
 # The directory where pid files are stored. /tmp by default.
+# NOTE: this should be set to a directory that can only be written to by 
+#       the user that will run the hadoop daemons.  Otherwise there is the
+#       potential for a symlink attack.
 export HADOOP_PID_DIR=${HADOOP_PID_DIR}
 export HADOOP_SECURE_DN_PID_DIR=${HADOOP_PID_DIR}
 

hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm

@@ -85,6 +85,11 @@ Hadoop MapReduce Next Generation - Cluster Setup
     At the very least you should specify the <<<JAVA_HOME>>> so that it is 
     correctly defined on each remote node.
 
+    In most cases you should also specify <<<HADOOP_PID_DIR>>> and 
+    <<<HADOOP_SECURE_DN_PID_DIR>>> to point to directories that can only be
+    written to by the users that are going to run the hadoop daemons.  
+    Otherwise there is the potential for a symlink attack.
+
     Administrators can configure individual daemons using the configuration 
     options shown below in the table: