hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4983) Numeric usernames do not work with WebHDFS FS
Date Wed, 04 Dec 2013 23:56:36 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839499#comment-13839499
] 

Haohui Mai commented on HDFS-4983:
----------------------------------

bq. I did a quick search, but wasn't able to find any restrictions on the usernames which
HDFS or Hadoop allows. In UserGroupInformation#getLoginUser, for example, you can see that
it reads certain environment variables and just uses them directly to get a username in some
cases. org.apache.hadoop.security.User doesn't seem to have any validation either.

I think it might be a good idea to open a new jira to address it. In general you don't want
control characters to be parts of the user / group name. For example, if hdfs allows \0 in
the username, libhdfs might break.

bq. my impression was that user name validation was added to httpfs to help prevent problems
caused by usernames which included HTTP metacharacters such as %. The same problems apply
to both webhdfs and httpfs, since they both use HTTP and both are susceptible to those metacharacters.

My impression is that in webhdfs jersey is escaping / unescaping the parameters automatically.
It shouldn't be a problem of WebHDFS. I think it's okay to have these additional checks around,
but I don't quite understand the values of making these checks generic and configurable.

Do you think the new pattern will be good enough for both everyday uses and migration? If
this is the case we can just tweak the pattern and claim victory. We should avoid adding a
new configuration when it is possible, as it complicates the deployment and operations.

> Numeric usernames do not work with WebHDFS FS
> ---------------------------------------------
>
>                 Key: HDFS-4983
>                 URL: https://issues.apache.org/jira/browse/HDFS-4983
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: webhdfs
>    Affects Versions: 2.0.0-alpha
>            Reporter: Harsh J
>            Assignee: Yongjun Zhang
>              Labels: patch
>         Attachments: HDFS-4983.001.patch, HDFS-4983.002.patch, HDFS-4983.003.patch
>
>
> Per the file hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserParam.java,
the DOMAIN pattern is set to: {{^[A-Za-z_][A-Za-z0-9._-]*[$]?$}}.
> Given this, using a username such as "123" seems to fail for some reason (tried on insecure
setup):
> {code}
> [123@host-1 ~]$ whoami
> 123
> [123@host-1 ~]$ hadoop fs -fs webhdfs://host-2.domain.com -ls /
> -ls: Invalid value: "123" does not belong to the domain ^[A-Za-z_][A-Za-z0-9._-]*[$]?$
> Usage: hadoop fs [generic options] -ls [-d] [-h] [-R] [<path> ...]
> {code}



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message