Message-ID: <1112397460.1241848846627.JavaMail.jira@brutus>
Date: Fri, 8 May 2009 23:00:46 -0700 (PDT)
From: "Hadoop QA (JIRA)"
To: core-dev@hadoop.apache.org
Subject: [jira] Commented: (HADOOP-4359) Support for data access authorization checking on DataNodes
In-Reply-To: <2138300697.1223352224225.JavaMail.jira@brutus>

    [ https://issues.apache.org/jira/browse/HADOOP-4359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707614#action_12707614 ]

Hadoop QA commented on HADOOP-4359:
-----------------------------------

-1 overall. Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12407587/at37.patch
  against trunk revision 772960.

    +1 @author. The patch does not contain any @author tags.

    +1 tests included. The patch appears to include 15 new or modified tests.

    -1 patch. The patch command could not apply the patch.

Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-vesta.apache.org/314/console

This message is automatically generated.

> Support for data access authorization checking on DataNodes
> -----------------------------------------------------------
>
>                 Key: HADOOP-4359
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4359
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: dfs
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: at13.patch, at19.patch, at31.patch, at33.patch, at34.patch, at35.patch, at36.patch, at37.patch
>
>
> Currently, DataNodes do not enforce any access control on accesses to their data blocks. This makes it possible for an unauthorized client to read a data block as long as she can supply its block ID. It's also possible for anyone to write arbitrary data blocks to DataNodes.
> When users request file accesses on the NameNode, file permission checking takes place. Authorization decisions are made with regard to whether the requested accesses to those files (and implicitly, to their corresponding data blocks) are permitted. However, when it comes to subsequent data block accesses on the DataNodes, those authorization decisions are not made available to the DataNodes and consequently, such accesses are not verified. DataNodes are not capable of reaching those decisions independently since they don't have concepts of files, let alone file permissions.
> In order to implement data access policies consistently across HDFS services, there is a need for a mechanism by which authorization decisions made on the NameNode can be faithfully enforced on the DataNodes and any unauthorized access is declined.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.