You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by "Sumit Agrawal (Jira)" <ji...@apache.org> on 2023/01/02 04:30:00 UTC

[jira] [Resolved] (HDDS-7454) OM to DN token verification should include Pipeline

     [ https://issues.apache.org/jira/browse/HDDS-7454?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sumit Agrawal resolved HDDS-7454.
---------------------------------
    Resolution: Won't Fix

As discussion, this does not provide much benefits and impact is low. So this fix is not required.

> OM to DN token verification should include Pipeline
> ---------------------------------------------------
>
>                 Key: HDDS-7454
>                 URL: https://issues.apache.org/jira/browse/HDDS-7454
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Sumit Agrawal
>            Assignee: Sumit Agrawal
>            Priority: Minor
>              Labels: pull-request-available
>
> Client will request for block information to be used to write data, In this process,
> - OM call allocateBlock to SCM, SCM will provide block information, pipeline and related DN
> - OM also create token (when security enabled) with block information
> - Client will pass this information to DN
> - DN will verify token for block information and start write block
> Here, pipeline information is not verified for which request is created. As security, this also needs to be verified.
> Pipeline and DN mapping is shared to DN which Pipeline command from SCM to DNs, CreatePipelineCommand
> Impact (If client is not trustable):
> 1. Client can forward request with token to different DN with different pipeline information.
> So DN since do not have information about SMC mapping of container to pipeline, that DN can start operating over that.
> Having pipeline in token verification, it will ensure,
> - block write is done with correct pipeline (DNs)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org