hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kan Zhang <...@yahoo-inc.com>
Subject Re: Design for security in Hadoop
Date Wed, 25 Mar 2009 19:23:36 GMT



On 3/25/09 2:49 AM, "Doug Cutting" <cutting@apache.org> wrote:

>> 2. The Jira doesnt have cover the access control aspect of things. As a
>> client, I can skip talking to the NN and get blocks from the DN straight
>> away. There is no way to prevent it. This paper takes care of that aspect as
>> well.
> 
> The intent is that access to a block on a datanode will require
> authentication.  Currently it does not, but as security features are
> added this clearly must change.  HADOOP-4343 does not mention how this
> will be done, but I believe it must be implemented in the same timeframe
> as namenode authentication.
> 

We plan to use capability tokens issued by NN to control accesses to DN (see
HADOOP-4359). If DN authenticates users, those capability tokens can be made
non-transferable. This will improve security since stolen tokens can't be
used by the attacker. Another benefit of having authentication is to be able
to establish an encrypted communication channel afterwards (if the
authentication protocol used supports it). However, I think DN user
authentication may not be necessary for many use cases and can be addressed
after NN authentication is done.

Kan


Mime
View raw message