hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stephen Chu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-4671) DFSAdmin fetchImage should require superuser privilege even when security is not enabled
Date Mon, 08 Apr 2013 19:51:16 GMT
Stephen Chu created HDFS-4671:
---------------------------------

             Summary: DFSAdmin fetchImage should require superuser privilege even when security
is not enabled
                 Key: HDFS-4671
                 URL: https://issues.apache.org/jira/browse/HDFS-4671
             Project: Hadoop HDFS
          Issue Type: Bug
    Affects Versions: 2.0.3-alpha
            Reporter: Stephen Chu


When security is not enabled, non-superusers can fetch the fsimage. This is problematic because
the non-superusers can then process the fsimage for contents the user should not have access
to.

For example, schu is not a superuser and does not have access to hdfs://user/hdfs/. However,
schu can still fetch the fsimage and run the OfflineImageViewer on the fsimage to examine
the contents of hdfs://user/hdfs/.

{code}
[schu@hdfs-vanilla-1 images]$ hadoop fs -ls /user/hdfs
ls: Permission denied: user=schu, access=READ_EXECUTE, inode="/user/hdfs":hdfs:supergroup:drwx------
[schu@hdfs-vanilla-1 images]$ hdfs dfsadmin -fetchImage ~/images/
13/04/08 12:45:20 INFO namenode.TransferFsImage: Opening connection to http://hdfs-vanilla-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
13/04/08 12:45:21 INFO namenode.TransferFsImage: Transfer took 0.91s at 91.61 KB/s
[schu@hdfs-vanilla-1 images]$ hdfs oiv -i ~/images/fsimage_0000000000000947148 -o ~/images/oiv.out
{code}

When kerberos authentication is enabled, superuser privilege is enforced:
{code}
[testuser@hdfs-secure-1 ~]$ hdfs dfsadmin -fetchImage ~/images/
13/04/08 12:48:23 INFO namenode.TransferFsImage: Opening connection to http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
13/04/08 12:48:23 ERROR security.UserGroupInformation: PriviledgedActionException as:testuser@ENT.CLOUDERA.COM
(auth:KERBEROS) cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException:
Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
fetchImage: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
[testuser@hdfs-secure-1 ~]$ 
{code}

We should still enforce checking privileges when kerberos authentication is disabled.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message