From: Ted Dunning
Date: Thu, 23 Jul 2009 17:52:12 -0700
Subject: Re: Remote access to cluster using user as hadoop
To: common-user@hadoop.apache.org

Interesting approach. My guess is that this would indeed protect the datanodes from accidental "attack" by stopping access before they are involved.

You might also consider just changing the name of the magic hadoop user to something that is more unlikely. The name "hadoop" is not far off what somebody might come up with as a user name for experimenting or running scheduled jobs.

On Thu, Jul 23, 2009 at 3:28 PM, Ian Holsman wrote:

> I was thinking of alternatives similar to creating a proxy nameserver that
> non-privileged users can attach to that forwards those to the "real"
> nameserver or just hacking the nameserver so that it switches "hadoop" to
> "hadoop_remote" for sessions from untrusted IPs.
>
> Not being familiar with the code, I am presuming that there is a point
> where the code determines the userID. Can anyone point me to that bit?
> I just want to hack it to downgrade superusers, and it doesn't have to be
> too clean or work for every edge case. It's more to stop accidental
> problems.
>

--
Ted Dunning, CTO
DeepDyve
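The downgrade rule discussed in this thread, as an added example that is not part of the original messages and is not Hadoop code: the superuser name is switched to the unprivileged name for sessions from outside a trusted network list. The network list and function names are assumptions made for illustration, and the rule guards against accidents only; it does not authenticate anyone.

```python
import ipaddress

# Names taken from the thread.
SUPERUSER = "hadoop"               # the "magic" superuser name
DOWNGRADED_USER = "hadoop_remote"  # unprivileged name proposed in the thread

# Constructed sample values: networks whose sessions keep superuser rights.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")
]


def is_trusted(remote_addr: str) -> bool:
    """Return True only if remote_addr parses and lies in a trusted network."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False  # fail closed: an unparseable address is untrusted
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they are matched against the IPv4 networks.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(
        addr in net for net in TRUSTED_NETWORKS if net.version == addr.version
    )


def effective_user(claimed_user: str, remote_addr: str) -> str:
    """Map the claimed user name to the name the session should run as."""
    if claimed_user == SUPERUSER and not is_trusted(remote_addr):
        return DOWNGRADED_USER
    return claimed_user


def audit(sessions):
    """Return (claimed, address, effective) for each (claimed, address) pair."""
    return [(u, a, effective_user(u, a)) for u, a in sessions]


if __name__ == "__main__":
    # Constructed sample sessions.
    sample = [
        ("hadoop", "10.1.2.3"),
        ("hadoop", "203.0.113.7"),
        ("hadoop", "::ffff:10.1.2.3"),
        ("alice", "203.0.113.7"),
        ("hadoop", "not-an-ip"),
    ]
    for row in audit(sample):
        print(row)
```

Renaming the superuser, as suggested in the reply, only requires changing `SUPERUSER`; the mapping logic stays the same.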