hadoop-hdfs-issues mailing list archives

From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4671) DFSAdmin fetchImage should require superuser privilege even when security is not enabled
Date Wed, 24 Apr 2013 02:45:16 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13640017#comment-13640017 ]

Aaron T. Myers commented on HDFS-4671:
--------------------------------------

bq. I can see the argument for this change, but the user can sidestep the authorization by
setting the env HADOOP_USER_NAME=hdfs so I'm not sure there's much value.

I think we should still do it, at least for consistency with other commands. We don't disable
dfs.permissions when you have Kerberos turned off, even though it is trivially sidestepped
as you describe.
                
> DFSAdmin fetchImage should require superuser privilege even when security is not enabled
> ----------------------------------------------------------------------------------------
>
>                 Key: HDFS-4671
>                 URL: https://issues.apache.org/jira/browse/HDFS-4671
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.0.3-alpha
>            Reporter: Stephen Chu
>
> When security is not enabled, non-superusers can fetch the fsimage. This is problematic because the non-superusers can then process the fsimage for contents the user should not have access to.
> For example, schu is not a superuser and does not have access to hdfs://user/hdfs/. However, schu can still fetch the fsimage and run the OfflineImageViewer on the fsimage to examine the contents of hdfs://user/hdfs/.
> {code}
> [schu@hdfs-vanilla-1 images]$ hadoop fs -ls /user/hdfs
> ls: Permission denied: user=schu, access=READ_EXECUTE, inode="/user/hdfs":hdfs:supergroup:drwx------
> [schu@hdfs-vanilla-1 images]$ hdfs dfsadmin -fetchImage ~/images/
> 13/04/08 12:45:20 INFO namenode.TransferFsImage: Opening connection to http://hdfs-vanilla-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> 13/04/08 12:45:21 INFO namenode.TransferFsImage: Transfer took 0.91s at 91.61 KB/s
> [schu@hdfs-vanilla-1 images]$ hdfs oiv -i ~/images/fsimage_0000000000000947148 -o ~/images/oiv.out
> {code}
> When kerberos authentication is enabled, superuser privilege is enforced:
> {code}
> [testuser@hdfs-secure-1 ~]$ hdfs dfsadmin -fetchImage ~/images/
> 13/04/08 12:48:23 INFO namenode.TransferFsImage: Opening connection to http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> 13/04/08 12:48:23 ERROR security.UserGroupInformation: PriviledgedActionException as:testuser@ENT.CLOUDERA.COM (auth:KERBEROS) cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest failed with status code 403
> Response message:
> Only Namenode, Secondary Namenode, and administrators may access this servlet
> fetchImage: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest failed with status code 403
> Response message:
> Only Namenode, Secondary Namenode, and administrators may access this servlet
> [testuser@hdfs-secure-1 ~]$ 
> {code}
> We should still enforce checking privileges when kerberos authentication is disabled.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
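
The distinction drawn in this thread (with Kerberos off, permission and superuser checks are kept for consistency but are not a security boundary) can be checked against a cluster's configuration. The following is an added example, not part of the original message or of Hadoop's code; the sample XML is constructed and `load_props` and `audit` are hypothetical helper names. It assumes the standard property names `hadoop.security.authentication` and `dfs.permissions.enabled` (older name `dfs.permissions`) and their defaults of `simple` and `true`.

```python
import xml.etree.ElementTree as ET

# Constructed sample (core-site.xml and hdfs-site.xml merged), not taken from the thread.
SAMPLE_SITE_XML = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property><name>dfs.permissions.superusergroup</name><value>supergroup</value></property>
</configuration>"""


def load_props(xml_text):
    """Return {name: value} from Hadoop's <configuration><property> layout."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Classify how far HDFS permission and superuser checks can be relied on."""
    # Assumed defaults: authentication "simple", permission checking enabled.
    auth = props.get("hadoop.security.authentication", "simple").lower()
    perms_raw = props.get("dfs.permissions.enabled", props.get("dfs.permissions", "true"))
    perms = perms_raw.lower() == "true"

    findings = []
    if not perms:
        findings.append("permission checking is disabled")
    if auth != "kerberos":
        # Matches the thread: the user name is whatever the client claims.
        findings.append("user identity is client-asserted (HADOOP_USER_NAME); "
                        "checks guard against mistakes, not against a hostile user")

    if not perms:
        level = "none"
    elif auth == "kerberos":
        level = "enforced"
    else:
        level = "advisory"
    return level, findings


if __name__ == "__main__":
    level, findings = audit(load_props(SAMPLE_SITE_XML))
    print(level)
    for finding in findings:
        print(" -", finding)
```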
