hadoop-hdfs-issues mailing list archives

From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5569) WebHDFS should support a deny/allow list for data access
Date Tue, 03 Dec 2013 19:05:37 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13838046#comment-13838046 ]

Haohui Mai commented on HDFS-5569:

[~farisa], I think I'm still missing which types of objects you want to have authorization for.
In HDFS / WebHDFS, I'm assuming that the objects are files, that is, certain principals can
only access certain files. Let's say you have a file foo in HDFS with the following permission:

adam:group rw----- foo

HDFS enforces that you can read and write to the file foo only if you're the user adam. WebHDFS
is just a gateway of HDFS, which means that the same permission models apply.

You can access the file via WebHDFS only if you prove your identity as the user adam
through Kerberos / SPNEGO.

If someone fails to show he / she is the user adam, he / she will get a 401 when using
WebHDFS to access the file.

Does it address your concerns?

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>                 Key: HDFS-5569
>                 URL: https://issues.apache.org/jira/browse/HDFS-5569
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: webhdfs
>            Reporter: Adam Faris
>              Labels: features
> Currently we can't restrict what networks are allowed to transfer data using WebHDFS.
> Obviously we can use firewalls to block ports, but this can be complicated and problematic
> to maintain.  Additionally, because all the jetty servlets run inside the same container,
> blocking access to jetty to prevent WebHDFS transfers also blocks the other servlets running
> inside that same jetty container.
> I am requesting a deny/allow feature be added to WebHDFS.  This is already done with
> the Apache HTTPD server, and is what I'd like to see the deny/allow list modeled after.

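Added example, not part of the original message or of Hadoop: a sketch of how the network-based deny/allow list requested in the issue (evaluated with the Order semantics of Apache httpd 2.2) differs from the identity-based file check described in the comment. The function names, the policy, the addresses and the 403 status for a network denial are assumptions made for illustration.

```python
# Added example: httpd 2.2-style Order/Allow/Deny evaluation in front of an
# owner-only file check. All names and addresses here are constructed.
import ipaddress


def _matches(client, networks):
    """True if the client address falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def network_allowed(client, order, allow=(), deny=()):
    """Evaluate the lists the way httpd's Order directive does.

    "deny,allow": default allow; a Deny match blocks unless Allow also matches.
    "allow,deny": default deny; an Allow match admits unless Deny also matches.
    """
    allowed, denied = _matches(client, allow), _matches(client, deny)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unknown order: {order!r}")


def webhdfs_gate(client_ip, proven_user, owner, policy):
    """Hypothetical request gate: network list first, then the identity check."""
    if not network_allowed(client_ip, **policy):
        return 403  # assumption: same status httpd returns for a Deny match
    if proven_user != owner:
        return 401  # the comment's case: caller has not proven they are the owner
    return 200


# Constructed policy: "Deny from all" except one internal range.
POLICY = {"order": "deny,allow", "allow": ["10.20.0.0/16"], "deny": ["0.0.0.0/0"]}

if __name__ == "__main__":
    for ip, user in [("10.20.3.4", "adam"), ("10.20.3.4", None), ("192.0.2.7", "adam")]:
        print(ip, user, webhdfs_gate(ip, user, "adam", POLICY))
```

The third case shows the point of the request: a caller who has proven the identity adam is still refused when the request arrives from a network outside the allowed range.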