hadoop-hdfs-issues mailing list archives

From "Adam Faris (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5569) WebHDFS should support a deny/allow list for data access
Date Wed, 04 Dec 2013 17:30:39 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839093#comment-13839093 ]

Adam Faris commented on HDFS-5569:
----------------------------------

{quote}
Incidentally, it is not true that IP spoofing is impossible to do with TCP. Kevin Mitnick
famously used TCP sequence number guessing plus IP spoofing to attack Tsutomu Shimomura. See
http://www.networkcomputing.com/unixworld/security/001.txt.html
{quote}

Colin, the information you cite and the cert.org doc embedded in the link is from the
mid-1990s.  It's a great history read but RFC-1948 (1996) and RFC-6528 (2012) were both
written to defend against sequence attacks.

{quote}
Maybe some other folks can speak up too, ...
{quote}

Yes please do.  

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
>                 Key: HDFS-5569
>                 URL: https://issues.apache.org/jira/browse/HDFS-5569
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: webhdfs
>            Reporter: Adam Faris
>              Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using WebHDFS.
> Obviously we can use firewalls to block ports, but this can be complicated and problematic
> to maintain.  Additionally, because all the jetty servlets run inside the same container,
> blocking access to jetty to prevent WebHDFS transfers also blocks the other servlets running
> inside that same jetty container.
> I am requesting a deny/allow feature be added to WebHDFS.  This is already done with
> the Apache HTTPD server, and is what I'd like to see the deny/allow list modeled after.
> Thanks.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
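
Added example, not part of the original message and not Hadoop or WebHDFS code: a sketch of the Apache HTTPD-style deny/allow evaluation the issue asks to model the feature on, following httpd's "Order" semantics. The function name, its parameters and the sample networks are assumptions made for illustration.

```python
import ipaddress


def is_allowed(client_ip, allow, deny, order="deny,allow"):
    """Evaluate hypothetical allow/deny CIDR lists the way httpd's Order does.

    client_ip should be the TCP peer address seen by the servlet container,
    not a value taken from a client-supplied header.
    """
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d; unwrap
    # them so IPv4 rules still apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # An address never matches a network of the other IP version, so a
    # "deny everything" rule needs both 0.0.0.0/0 and ::/0.
    in_allow = any(addr in ipaddress.ip_network(n) for n in allow)
    in_deny = any(addr in ipaddress.ip_network(n) for n in deny)

    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it,
        # and a request matching neither list is allowed.
        return in_allow or not in_deny
    if order == "allow,deny":
        # A request must match Allow and must not match Deny;
        # a request matching neither list is denied.
        return in_allow and not in_deny
    raise ValueError("order must be 'deny,allow' or 'allow,deny'")


# Constructed sample policy: only the internal 10.0.0.0/8 network may
# transfer data, except one untrusted subnet inside it.
SAMPLE_ALLOW = ["10.0.0.0/8"]
SAMPLE_DENY = ["10.9.0.0/16"]

if __name__ == "__main__":
    for ip in ["10.1.2.3", "10.9.1.1", "192.0.2.7", "::ffff:10.1.2.3"]:
        print(ip, is_allowed(ip, SAMPLE_ALLOW, SAMPLE_DENY, "allow,deny"))
```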
