You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by "Mohammad Arafat Khan (Jira)" <ji...@apache.org> on 2023/05/09 05:23:00 UTC

[jira] [Commented] (HDDS-8573) Verify default setting for DN root dir to restrict non-admin access

    [ https://issues.apache.org/jira/browse/HDDS-8573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17720786#comment-17720786 ] 

Mohammad Arafat Khan commented on HDDS-8573:
--------------------------------------------

It was suggested by [~pifta] 

Together with this, we should also check the file system level protection on OM, SCM, and Recon metadata as well, and restrict it where necessary.

I tend to think that we should make this configurable wherever it is feasible, and defaults should be 700 for the process owner user (hdfs), similarly as we do for HDFS via the {_}dfs{_}.{_}datanode{_}.{_}data{_}.{_}dir{_}.{_}perm{_} property.

Currently the permissions are opening stuff up for everyone who has access to the host, the aim is not to secure it fully on its own, but at least we should make sure that a privileged access is needed to access the metadata we store for services. OM's RocksDb, and block data files are certainly critical, but the rest of it should as well be having limited access on the local filesystem.

> Verify default setting for DN root dir to restrict non-admin access
> -------------------------------------------------------------------
>
>                 Key: HDDS-8573
>                 URL: https://issues.apache.org/jira/browse/HDDS-8573
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: OM, Ozone Datanode, Ozone Recon, SCM
>            Reporter: Mohammad Arafat Khan
>            Priority: Blocker
>
> The permissions to the DN storage dirs should be 750 or tighter, to restrict non-root users from reading user data.
> This came up during the bootcamp where the DNs directories are configured with 755 by default. We may need to change the default in CDP.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org