You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-dev@hadoop.apache.org by "Stephen Chu (JIRA)" <ji...@apache.org> on 2013/04/08 21:51:16 UTC

[jira] [Created] (HDFS-4671) DFSAdmin fetchImage should require superuser privilege even when security is not enabled

Stephen Chu created HDFS-4671:
---------------------------------

             Summary: DFSAdmin fetchImage should require superuser privilege even when security is not enabled
                 Key: HDFS-4671
                 URL: https://issues.apache.org/jira/browse/HDFS-4671
             Project: Hadoop HDFS
          Issue Type: Bug
    Affects Versions: 2.0.3-alpha
            Reporter: Stephen Chu


When security is not enabled, non-superusers can fetch the fsimage. This is problematic because the non-superusers can then process the fsimage for contents the user should not have access to.

For example, schu is not a superuser and does not have access to hdfs://user/hdfs/. However, schu can still fetch the fsimage and run the OfflineImageViewer on the fsimage to examine the contents of hdfs://user/hdfs/.

{code}
[schu@hdfs-vanilla-1 images]$ hadoop fs -ls /user/hdfs
ls: Permission denied: user=schu, access=READ_EXECUTE, inode="/user/hdfs":hdfs:supergroup:drwx------
[schu@hdfs-vanilla-1 images]$ hdfs dfsadmin -fetchImage ~/images/
13/04/08 12:45:20 INFO namenode.TransferFsImage: Opening connection to http://hdfs-vanilla-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
13/04/08 12:45:21 INFO namenode.TransferFsImage: Transfer took 0.91s at 91.61 KB/s
[schu@hdfs-vanilla-1 images]$ hdfs oiv -i ~/images/fsimage_0000000000000947148 -o ~/images/oiv.out
{code}

When kerberos authentication is enabled, superuser privilege is enforced:
{code}
[testuser@hdfs-secure-1 ~]$ hdfs dfsadmin -fetchImage ~/images/
13/04/08 12:48:23 INFO namenode.TransferFsImage: Opening connection to http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
13/04/08 12:48:23 ERROR security.UserGroupInformation: PriviledgedActionException as:testuser@ENT.CLOUDERA.COM (auth:KERBEROS) cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
fetchImage: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
[testuser@hdfs-secure-1 ~]$ 
{code}

We should still enforce checking privileges when kerberos authentication is disabled.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira