From: "Allen Wittenauer (JIRA)"
To: mapreduce-issues@hadoop.apache.org
Date: Thu, 9 Sep 2010 13:10:34 -0400 (EDT)
Subject: [jira] Commented: (MAPREDUCE-2057) Job Tracker appears to do host access-control (mapred.hosts, mapred.hosts.exclude) based on presented name from TaskTracker

    [ https://issues.apache.org/jira/browse/MAPREDUCE-2057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12907681#action_12907681 ]

Allen Wittenauer commented on MAPREDUCE-2057:
---------------------------------------------

From a security perspective, the patches coming in 0.22 will make sure that a host is who it says it is by requiring Kerberized credentials (ignoring some recognized MITM and IP spoofing attacks which the community has made the conscious choice to defer fixing).

That said, it would be better if Hadoop in general took the IP addr, reverse resolved, and then compared that to the config.

> Job Tracker appears to do host access-control (mapred.hosts, mapred.hosts.exclude) based on presented name from TaskTracker
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-2057
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2057
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: jobtracker
>    Affects Versions: 0.20.1
>         Environment: Hadoop 0.20.1 - cloudera distribution, multihomed environment.
>            Reporter: Matthew Byng-Maddick
>
> As far as I can tell, where the NameNode, in validating the dfs.hosts and dfs.hosts.exclude files uses the source IP address for the RPC connection, the JobTracker appears to use the presented hostname (set via slave.host.name or the standard hostname-search semantics) from the TaskTracker. Obviously this is a security bug as in a production environment it could allow rogue machines to present the hostname of a real TaskTracker and take over that role, but it also turns up as a configuration bug because it means that you can set up a (multi-homed, natch) environment where the same set of files work for the NameNode, but don't for the JobTracker or vice versa - with the same binding hostname for fs.default.name and mapred.job.tracker.
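
The two checks discussed in this thread, side by side, as an added Java sketch that is not Hadoop code and not part of the original messages: one decision keyed on the name a worker presents, the other on the name reverse-resolved from the connection's source address. The class, method and host names are hypothetical, the reverse lookup is injected so the sample runs offline, and the addresses and names in `main` are constructed.

```java
import java.net.InetAddress;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

// Added illustration, not Hadoop code: class, method and host names are hypothetical.
public class HostAdmission {
    private final Set<String> include, exclude;  // mapred.hosts / mapred.hosts.exclude entries, lower-cased
    private final Function<InetAddress, Optional<String>> reverse;  // PTR lookup, injected

    HostAdmission(Set<String> include, Set<String> exclude,
                  Function<InetAddress, Optional<String>> reverse) {
        this.include = include; this.exclude = exclude; this.reverse = reverse;
    }

    static String norm(String host) {  // compare case-insensitively, ignore a trailing root dot
        String h = host.trim().toLowerCase(java.util.Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    // Assumption: an empty include list admits any host that is not excluded.
    private boolean listed(String name) {
        return !exclude.contains(name) && (include.isEmpty() || include.contains(name));
    }

    // Behaviour described in the report: the decision trusts the name the worker presents.
    boolean admitByPresentedName(String presented) { return listed(norm(presented)); }

    // Behaviour suggested in the comment: derive the name from the connection's source address.
    boolean admitBySourceAddress(InetAddress peer, String presented) {
        Optional<String> resolved = reverse.apply(peer).map(HostAdmission::norm);
        if (!resolved.isPresent()) return false;  // no reverse record: fail closed
        if (!resolved.get().equals(norm(presented)))  // worth logging: claimed and resolved names differ
            System.err.println("name mismatch: presented=" + presented
                + " resolved=" + resolved.get() + " peer=" + peer.getHostAddress());
        return listed(resolved.get());  // the presented name plays no part in the decision
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one listed worker and one unlisted machine.
        InetAddress good = InetAddress.getByAddress(new byte[] {10, 0, 0, 11});
        InetAddress other = InetAddress.getByAddress(new byte[] {10, 0, 0, 99});
        Map<InetAddress, String> ptr = Map.of(good, "tt01.example.internal",
                                              other, "ws99.example.internal");
        HostAdmission acl = new HostAdmission(Set.of("tt01.example.internal"), Set.of(),
                a -> Optional.ofNullable(ptr.get(a)));
        String claimed = "tt01.example.internal";  // name presented on both connections
        System.out.println("by presented name:       " + acl.admitByPresentedName(claimed));
        System.out.println("by source, listed peer:  " + acl.admitBySourceAddress(good, claimed));
        System.out.println("by source, unlisted peer: " + acl.admitBySourceAddress(other, claimed));
    }
}
```

In a deployment the injected lookup would be backed by the site's resolver, so this check is only as trustworthy as the PTR records that resolver returns.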