Date: Wed, 27 Feb 2013 22:44:16 +0530
Subject: Hadoop Security via Kerberos
From: rohit sarewar
To: user@hadoop.apache.org

Hi

I am trying to learn how Kerberos can be implemented in Hadoop.
I have gone through this doc: https://issues.apache.org/jira/browse/HADOOP-4487
I have also gone through Basic Kerberos stuff (http://web.mit.edu/kerberos/, https://www.youtube.com/watch?v=KD2Q-2ToloE)

1) The Apache doc uses the word "Token" whereas the general doc over the internet uses the term "Ticket".
   Are Token and Ticket the same?

2) The Apache doc also says: "DataNodes do not enforce any access control on accesses to its data blocks.
   This makes it possible for an unauthorized client to read a data block as
   long as she can supply its block ID. It's also possible for anyone to write
   arbitrary data blocks to DataNodes."

My thoughts on this:

I can fetch the block ID from the file path using the command:

hadoop@Studio-1555:/opt/hadoop/hadoop-1.0.2/bin$ ./hadoop fsck /hadoop/mapred/system/jobtracker.info -files -blocks
FSCK started by hadoop from /127.0.0.1 for path /hadoop/mapred/system/jobtracker.info at Mon Jul 09 06:57:14 EDT 2012
/hadoop/mapred/system/jobtracker.info 4 bytes, 1 block(s):  OK
0. blk_-9148080207111019586_1001 len=4 repl=1

As I was authorized to access this file jobtracker.info, I was able to find its block ID using the above command.
I think that if I add some offset to this block ID and write to that datanode.

How can I explicitly mention the block ID while writing a file to HDFS? (What is the command?)

Any other way to write arbitrary data blocks to DataNodes?

Please tell me if my approach is wrong.
