From: Zhijie Shen <zshen@hortonworks.com>
To: security@hadoop.apache.org, yarn-dev@hadoop.apache.org, common-dev@hadoop.apache.org
Date: Tue, 16 Sep 2014 01:19:20 -0700
Subject: [DISCUSS] Reasonable Hadoop ACL Defaults
List: common-dev@hadoop.apache.org (Apache Hadoop common-dev archive)

Hi folks,

There are a bunch of ACL configuration defaults which are set to "*":

1. yarn.admin.acl in yarn-default.xml
2. yarn.scheduler.capacity.root.default.[acl_submit_applications|acl_administer_queue] in capacity-scheduler.xml
3. security.*.protocol.acl in hadoop-policy.xml

When ACL (or server authorization) is enabled, the resources that are supposed to be protected are still accessible. However, anybody can still access them because the default configurations are "*", accepting anybody. These defaults seem not to make much sense, but only confuse users. Instead, the reasonable behavior should be that when ACL is enabled, a user is going to be denied by default unless we explicitly add him/her into the admin ACLs or the authorized user/group list.

I have a patch to invert "*" to " " to block all users by default. Please let me know what you think about it, and how we should progress.

Thanks,
Zhijie

--
Zhijie Shen
Hortonworks Inc.
http://hortonworks.com/
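The following is an added example, not code from Zhijie Shen's patch or from Hadoop itself. It models the ACL string format that Hadoop documents for these properties ("<users> <groups>", each comma-separated, with "*" meaning everyone) so the difference between the shipped "*" default and the proposed " " default can be checked concretely, and it audits a Hadoop-style configuration file for ACL properties that still let everyone through. The parsing is a simplification of Hadoop's AccessControlList (it treats only a whole field of "*" as the wildcard), the XML fragments are constructed for the example, and the name heuristic in find_open_acls is an assumption, not something the page specifies. Remember that yarn.admin.acl and the queue ACLs are only consulted when yarn.acl.enable is true, and the hadoop-policy.xml ACLs only when hadoop.security.authorization is true; this example assumes those switches are on.

```python
"""Model of Hadoop's ACL string semantics plus an audit of config defaults.

Added example; not Hadoop's own code. Approximates the documented
AccessControlList format: "<users> <groups>", comma-separated lists,
with the single value "*" meaning everyone is allowed. Property names
are the ones named in the thread; the XML documents are constructed.
"""
import xml.etree.ElementTree as ET


class AccessControlList:
    """Parse an ACL string the way Hadoop's documentation describes it."""

    def __init__(self, acl_string):
        # Hadoop splits on the first space: users before it, groups after it.
        # " " therefore yields two empty fields, i.e. nobody is allowed.
        parts = acl_string.split(" ", 1)
        # Simplification (assumption): a field that is exactly "*" is the wildcard.
        self.all_allowed = any(p.strip() == "*" for p in parts)
        self.users = set()
        self.groups = set()
        if not self.all_allowed:
            self.users = self._split(parts[0])
            if len(parts) == 2:
                self.groups = self._split(parts[1])

    @staticmethod
    def _split(field):
        return {x.strip() for x in field.split(",") if x.strip()}

    def is_user_allowed(self, user, user_groups=()):
        """True if the user is listed, or belongs to a listed group, or ACL is '*'."""
        if self.all_allowed:
            return True
        return user in self.users or bool(self.groups & set(user_groups))


def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    conf = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            conf[name.strip()] = value if value is not None else ""
    return conf


def find_open_acls(conf):
    """Names of ACL-looking properties whose value lets everyone through.

    Heuristic (assumption): a property is an ACL if its name ends with
    ".acl" or contains ".acl_", which covers the three families in the thread.
    """
    open_acls = []
    for name, value in conf.items():
        looks_like_acl = name.endswith(".acl") or ".acl_" in name
        if looks_like_acl and AccessControlList(value).all_allowed:
            open_acls.append(name)
    return sorted(open_acls)


# Constructed: the shipped defaults the thread complains about ("*" everywhere).
SHIPPED_DEFAULTS = """<configuration>
  <property><name>yarn.admin.acl</name><value>*</value></property>
  <property><name>yarn.scheduler.capacity.root.default.acl_submit_applications</name><value>*</value></property>
  <property><name>yarn.scheduler.capacity.root.default.acl_administer_queue</name><value>*</value></property>
  <property><name>security.client.protocol.acl</name><value>*</value></property>
</configuration>"""

# Constructed: explicit allow-lists, plus the proposed " " deny-all default
# for a protocol nobody has been granted yet. Group names are made up.
HARDENED = """<configuration>
  <property><name>yarn.admin.acl</name><value>yarn hadoop-admins</value></property>
  <property><name>yarn.scheduler.capacity.root.default.acl_submit_applications</name><value> analysts</value></property>
  <property><name>yarn.scheduler.capacity.root.default.acl_administer_queue</name><value>yarn</value></property>
  <property><name>security.client.protocol.acl</name><value> </value></property>
</configuration>"""


def demo():
    """Evaluate one unlisted user against both configurations."""
    results = {}
    for label, xml_text in (("shipped", SHIPPED_DEFAULTS), ("hardened", HARDENED)):
        conf = parse_hadoop_config(xml_text)
        acl = AccessControlList(conf["yarn.admin.acl"])
        results[label] = {
            "open_acls": find_open_acls(conf),
            "mallory_is_yarn_admin": acl.is_user_allowed("mallory", ["analysts"]),
        }
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the shipped defaults every ACL property is reported as open and an arbitrary user is a YARN admin even though ACLs are "enabled"; with the hardened file nothing is reported and only the named users or group members pass. The same audit run over a real yarn-site.xml, capacity-scheduler.xml and hadoop-policy.xml is a quick way to find clusters that enabled authorization but never replaced the "*" defaults.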