Posted to common-issues@hadoop.apache.org by "Gary Helmling (JIRA)" <ji...@apache.org> on 2016/02/12 23:39:18 UTC

[jira] [Updated] (HADOOP-12799) Allow bypassing file owner check in SecureIOUtils when security is enabled

     [ https://issues.apache.org/jira/browse/HADOOP-12799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Helmling updated HADOOP-12799:
-----------------------------------
    Attachment: HADOOP-12799.001.patch

Patch adding a config option "security.local.file.owner.check" (true by default), which when disabled would bypass the local file owner validation.

> Allow bypassing file owner check in SecureIOUtils when security is enabled
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-12799
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12799
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Gary Helmling
>         Attachments: HADOOP-12799.001.patch
>
>
> When secure authentication is enabled, SecureIOUtils enforces that the local file owner matches the expected (authenticated) user when opening a file for read.  Effectively, this means that: 1) LinuxContainerExecutor must be configured for YARN when Hadoop security is enabled, 2) all users running YARN jobs must be resolvable by the underlying OS.
> While the check in SecureIOUtils.checkStat() protects against possible symlink attacks by malicious local users, preventing it from being disabled makes it impossible to run with a perimeter security model, where all access is strongly authenticated and only a select set of trusted users are allowed to run YARN jobs.  Since it is possible to lock down who is allowed to submit YARN jobs, this lack of flexibility seems unfortunate.
> I'd like to propose adding a configuration option to allow disabling the local file owner check.  It would remain enabled by default, but when disabled would allow running Hadoop with strong authentication, but with relaxed security on YARN using DefaultContainerExecutor for environments where resolving all users from the local OS is impractical.  For these situations, it would of course need to be acceptable to mitigate the additional exposure to local file attacks for YARN containers by controlling which users are allowed to submit YARN jobs.



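As an added illustration, not Hadoop's code and not the attached patch, here is a small stand-alone Python model of the check the description refers to and of the proposed toggle: the owner is compared on the opened descriptor, and a constructed file owned by the running user is opened as its owner, as a different principal with the check on, and as that principal with the check off. The user name alice and the owner_check parameter are assumptions.

```python
import os
import pwd
import tempfile

# Stand-alone model (not Hadoop's code) of the owner check SecureIOUtils.checkStat()
# performs when security is enabled; "security.local.file.owner.check" -> owner_check.

class OwnerMismatchError(PermissionError):
    """The file's local owner is not the authenticated user."""

def owner_name(uid):
    """uid -> user name; falls back to the numeric uid when the OS cannot resolve it."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def open_for_read(path, expected_user, owner_check=True):
    """Open path for reading on behalf of expected_user. The owner comes from fstat()
    on the already-open descriptor, not stat() on the path, so the check covers exactly
    the file that was opened and a symlink swapped in after a path check cannot redirect
    the read."""
    f = open(path, "rb")
    if not owner_check:          # the bypass the issue proposes
        return f
    actual = owner_name(os.fstat(f.fileno()).st_uid)
    if actual != expected_user:
        f.close()
        raise OwnerMismatchError(f"owner of {path} is {actual}, expected {expected_user}")
    return f

def demo():
    """Three cases on a constructed file owned by the user running this process."""
    me = owner_name(os.getuid())
    other = "alice" if me != "alice" else "bob"   # some principal that is not the owner
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "container.log")
        with open(path, "w") as fh:
            fh.write("constructed sample log line\n")
        with open_for_read(path, me) as f:          # owner matches: allowed
            results["own_file"] = f.read()
        try:                                        # file owned by the daemon user,
            open_for_read(path, other).close()      # job submitted as another user
            results["other_user"] = "allowed"
        except OwnerMismatchError:
            results["other_user"] = "refused"
        with open_for_read(path, other, owner_check=False) as f:  # check disabled
            results["other_user_bypass"] = "allowed"
    return results
```

The second case is the one the description calls out: with DefaultContainerExecutor the file is owned by the daemon user while the job ran as another principal, so the check refuses it until it is disabled.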
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)