Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2015/06/24 19:55:04 UTC

[jira] [Commented] (HADOOP-12102) Add option to list up allowed hosts that can do any operation as generic ACL.

    [ https://issues.apache.org/jira/browse/HADOOP-12102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14599831#comment-14599831 ] 

Chris Nauroth commented on HADOOP-12102:
----------------------------------------

I think it's a reasonable idea.  A host/IP-based whitelist alone wouldn't be sufficient protection, but in combination with Kerberos authentication, it's an extra safety net.  Administrators could lock down login to a specific set of admin hosts and reduce the likelihood of accidentally running admin commands.

I also agree that it would be nice if the functionality could be implemented in Hadoop Common RPC so that all daemons can take advantage of it.  However, there might be a challenge with that for the HDFS requirements.  Current service-level ACLs are specified at the level of an entire protocol, like security.client.protocol.acl.  I don't believe there is a way to specify a different ACL per method within a protocol.  Since ClientProtocol includes both admin operations and HDFS client operations, this wouldn't be granular enough to block just the admin operations, yet still leave the HDFS client operations accessible.

If admin were in a separate protocol, then service ACLs would work, but I expect that would be a backwards-incompatible change.  Even if the functionality goes into Hadoop Common, we still might need some special-case logic to implement this in HDFS while remaining compatible within 2.x.

> Add option to list up allowed hosts that can do any operation as generic ACL.
> -----------------------------------------------------------------------------
>
>                 Key: HADOOP-12102
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12102
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.0
>            Reporter: Kai Sasaki
>            Assignee: Kai Sasaki
>            Priority: Minor
>
> Currently, the NameNode receives all operations through the client protocol from any host.
> However, some critical operations such as format should be restricted not only with Kerberos authentication but also with host names, in order to prevent us from formatting the NameNode by mistake. It is better to add an option to list some allowed hosts which can do any operation on the NameNode.
> Although this is originally about HDFS daemons, this feature should be implemented as a generic ACL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
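
The granularity problem raised in the comment above, as an added example that is not part of the original message and is not Hadoop code: a toy model comparing a host allow-list attached to the whole ClientProtocol with a per-method special case. The host names, the function names and the choice of which ClientProtocol methods count as admin operations are assumptions made for illustration; Kerberos authentication is assumed to have already succeeded for every call.

```python
# Toy model of service-level authorization granularity (not Hadoop code).
ADMIN_HOSTS = {"admin1.example.com"}  # constructed host names
# ClientProtocol methods treated as admin operations here (assumption).
ADMIN_METHODS = {"setSafeMode", "saveNamespace", "refreshNodes"}

def protocol_level_check(protocol, host, host_lists):
    """Service-level style: one host list per protocol.
    The method being called is never consulted."""
    allowed = host_lists.get(protocol)
    return allowed is None or host in allowed

def method_level_check(protocol, method, host):
    """Hypothetical special case: restrict hosts only for admin methods,
    leaving ordinary client operations reachable from any host."""
    if protocol == "ClientProtocol" and method in ADMIN_METHODS:
        return host in ADMIN_HOSTS
    return True

# Constructed sample calls: (method, calling host)
CALLS = [
    ("getFileInfo", "worker7.example.com"),  # ordinary client read
    ("setSafeMode", "worker7.example.com"),  # admin op from a non-admin host
    ("setSafeMode", "admin1.example.com"),   # admin op from an admin host
    ("getFileInfo", "admin1.example.com"),   # client read from an admin host
]

def evaluate():
    """Return {(method, host): (protocol_level, method_level)} decisions."""
    host_lists = {"ClientProtocol": ADMIN_HOSTS}
    results = {}
    for method, host in CALLS:
        results[(method, host)] = (
            protocol_level_check("ClientProtocol", host, host_lists),
            method_level_check("ClientProtocol", method, host),
        )
    return results

if __name__ == "__main__":
    for (method, host), (proto, meth) in evaluate().items():
        print(f"{method:12} from {host:22} protocol-level={proto} method-level={meth}")
```

The first sample call shows the issue: locking ClientProtocol to the admin hosts also denies an ordinary getFileInfo from a worker host, while the per-method variant blocks only the admin call from that host.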