hadoop-hdfs-issues mailing list archives

From "Weiwei Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-11655) Ozone: CLI: Guarantees user runs SCM commands has appropriate permission
Date Thu, 18 May 2017 06:17:04 GMT

    [ https://issues.apache.org/jira/browse/HDFS-11655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015270#comment-16015270 ]

Weiwei Yang commented on HDFS-11655:
------------------------------------

Submitted a patch to check user privilege in the SCM client RPC module {{StorageContainerLocationProtocolServerSideTranslatorPB}},
which only allows client RPC calls from the SCM super user (the user who starts the SCM service). Tested
on the CLI: if the SCM CLI is run as a different user, it gets the following error:

{noformat}
[yangww@ozone1 hadoop-3.0.0-alpha3-SNAPSHOT]$ ./bin/hdfs scm -container -info 20170519c1
Error executing command:org.apache.hadoop.ipc.RemoteException(java.lang.IllegalAccessException):
Access denied for user yangww. Superuser privilege is required.
	at org.apache.hadoop.ozone.protocolPB.StorageContainerLocationProtocolServerSideTranslatorPB.checkSuperUserPrivilege(StorageContainerLocationProtocolServerSideTranslatorPB.java:264)
	at org.apache.hadoop.ozone.protocolPB.StorageContainerLocationProtocolServerSideTranslatorPB.getContainer(StorageContainerLocationProtocolServerSideTranslatorPB.java:159)
	at org.apache.hadoop.ozone.protocol.proto.StorageContainerLocationProtocolProtos$StorageContainerLocationProtocolService$2.callBlockingMethod(StorageContainerLocationProtocolProtos.java:12230)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:522)
	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:991)
	at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:867)
	at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:813)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1965)
	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2659)
{noformat}

Please kindly review.

> Ozone: CLI: Guarantees user runs SCM commands has appropriate permission
> ------------------------------------------------------------------------
>
>                 Key: HDFS-11655
>                 URL: https://issues.apache.org/jira/browse/HDFS-11655
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>    Affects Versions: HDFS-7240
>            Reporter: Weiwei Yang
>            Assignee: Weiwei Yang
>              Labels: command-line, security
>         Attachments: HDFS-11655-HDFS-7240.001.patch
>
>
> We need to add a permission check module for ozone command line utilities, to make sure
> users run commands with proper privileges. For now, commands in [design doc| https://issues.apache.org/jira/secure/attachment/12861478/storage-container-manager-cli-v002.pdf]
> all require admin privilege.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
