Posted to common-issues@hadoop.apache.org by "Owen O'Malley (JIRA)" <ji...@apache.org> on 2009/07/06 19:07:14 UTC

[jira] Created: (HADOOP-6127) The real user name should be used by bin/hadoop fs (ie. FsShell) instead of the one in the configuration.

The real user name should be used by bin/hadoop fs (ie. FsShell) instead of the one in the configuration.
---------------------------------------------------------------------------------------------------------

                 Key: HADOOP-6127
                 URL: https://issues.apache.org/jira/browse/HADOOP-6127
             Project: Hadoop Common
          Issue Type: Bug
          Components: fs
            Reporter: Owen O'Malley


The real user name should be used by FsShell instead of the one in the configuration. This will make it a tiny bit harder for someone to pretend to be someone else to the file system.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (HADOOP-6127) The real user name should be used by bin/hadoop fs (ie. FsShell) instead of the one in the configuration.

Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12727624#action_12727624 ] 

Todd Lipcon commented on HADOOP-6127:
-------------------------------------

How can you get the "real" username without being subject to spoofing? It seems to me that the user can always play LD_PRELOAD tricks so that the call out to "whoami" goes to "evil-whoami.sh". Without something like identd or real token-based authentication I don't know that it's really possible to add any security here.



[jira] Commented: (HADOOP-6127) The real user name should be used by bin/hadoop fs (ie. FsShell) instead of the one in the configuration.

Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12727637#action_12727637 ] 

Owen O'Malley commented on HADOOP-6127:
---------------------------------------

This isn't about making it secure. It is just about removing the ability to spoof from the command line interface to Hadoop. Even after this change, it is still easy to spoof without getting to LD_PRELOAD. Of course, to get to real security, you need authentication via Kerberos or something similar.
