Posted to yarn-dev@hadoop.apache.org by Zhijie Shen <zs...@hortonworks.com> on 2014/09/16 10:19:20 UTC

[DISCUSS] Reasonable Hadoop ACL Defaults

Hi folks,

There are a bunch of ACL configuration defaults, which are set to "*":

1. yarn.admin.acl in yarn-default.xml
2. yarn.scheduler.capacity.root.default.[acl_submit_applications|acl_administer_queue] in capacity-scheduler.xml
3. security.*.protocol.acl in hadoop-policy.xml

When ACL (or server authorization) is enabled, the resources that are
supposed to be protected are still accessible. However, anybody can
still access them because the default configurations are "*",
accepting anybody. These defaults seem not to make much sense, but
only confuse users. Instead, the reasonable behavior should be that
when ACL is enabled, a user is going to be denied by default unless we
explicitly add him/her into the admin ACLs or the authorized
user/group list.

I have a patch to invert "*" to " " to block all users by default.
Please let me know what you think about it, and how we should progress.

Thanks,
Zhijie

-- 
Zhijie Shen
Hortonworks Inc.
http://hortonworks.com/


Re: [DISCUSS] Reasonable Hadoop ACL Defaults

Posted by Allen Wittenauer <aw...@altiscale.com>.
Removing security@ , adding hdfs-dev@ .

On Sep 16, 2014, at 1:19 AM, Zhijie Shen <zs...@hortonworks.com> wrote:

> Hi folks,
> 
> There are a bunch of ACL configuration defaults, which are set to "*":
> 
> 1. yarn.admin.acl in yarn-default.xml
> 2. yarn.scheduler.capacity.root.default.[acl_submit_applications|acl_administer_queue] in capacity-scheduler.xml
> 3. security.*.protocol.acl in hadoop-policy.xml
> 
> When ACL (or server authorization) is enabled, the resources that are
> supposed to be protected are still accessible. However, anybody can
> still access them because the default configurations are "*",
> accepting anybody. These defaults seem not to make much sense, but
> only confuse users. Instead, the reasonable behavior should be that
> when ACL is enabled, a user is going to be denied by default unless we
> explicitly add him/her into the admin ACLs or the authorized
> user/group list.
> 
> I have a patch to invert "*" to " " to block all users by default.
> Please let me know what you think about it, and how we should progress.


	a) It would be an incompatible change and would need to go to trunk.
	b) Users enabling ACLs should be expected to go through and check the settings to see what exactly they are enabling/disabling.
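
An added example, not part of the thread and not Hadoop project code: one way to do the settings check discussed above, by scanning Hadoop XML configuration for the ACL properties the thread names and reporting which are still "*". The sample files and the names security.client.protocol.acl and yarn.nodemanager.address are constructed for the demonstration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# ACL property names listed in the thread, written as glob patterns.
ACL_PATTERNS = [
    "yarn.admin.acl",
    "yarn.scheduler.capacity.*.acl_submit_applications",
    "yarn.scheduler.capacity.*.acl_administer_queue",
    "security.*.protocol.acl",
]

def classify(value):
    """'*' accepts anybody; a blank value such as ' ' accepts nobody."""
    stripped = (value or "").strip()
    if stripped == "":
        return "deny-all"
    return "open" if stripped == "*" else "restricted"

def audit(configs):
    """configs maps file name -> Hadoop XML text; returns sorted findings."""
    findings = []
    for fname, text in configs.items():
        for prop in ET.fromstring(text).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if any(fnmatch.fnmatchcase(name, p) for p in ACL_PATTERNS):
                findings.append((fname, name, classify(prop.findtext("value"))))
    return sorted(findings)

def open_acls(configs):
    """Only the ACL properties that still accept every user."""
    return [(f, n) for f, n, verdict in audit(configs) if verdict == "open"]

# Constructed sample files, not taken from a real cluster.
SAMPLE = {
    "yarn-site.xml": """<configuration>
      <property><name>yarn.admin.acl</name><value>*</value></property>
      <property><name>yarn.nodemanager.address</name><value>0.0.0.0:0</value></property>
    </configuration>""",
    "capacity-scheduler.xml": """<configuration>
      <property><name>yarn.scheduler.capacity.root.default.acl_submit_applications</name><value>alice,bob analysts</value></property>
      <property><name>yarn.scheduler.capacity.root.default.acl_administer_queue</name><value> </value></property>
    </configuration>""",
    "hadoop-policy.xml": """<configuration>
      <property><name>security.client.protocol.acl</name><value>*</value></property>
    </configuration>""",
}

if __name__ == "__main__":
    for f, n, verdict in audit(SAMPLE):
        print(f"{verdict:10} {f}: {n}")
```

Only properties that are explicitly set are reported; a property missing from the scanned files falls back to the shipped default, so the *-default.xml files belong in the scan as well.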
