Can someone kindly let me know whether any work is happening in this
regard? If not, I would like to add a patch which might be useful for
many.

Thanks
Pallavi

-----Original Message-----
From: Palleti, Pallavi [mailto:pallavi.pall...@corp.aol.com] 
Sent: Friday, July 31, 2009 12:20 PM
To: common-dev@hadoop.apache.org
Subject: Remote access to cluster with superuser privileges from
untrusted IPs

Hi all,

We are using hadoop-0.18.2 in our cluster and figured out that there is
a security flaw in the current hadoop code, as it doesn't check the
authentication of the user. This would let any person access the cluster as
super user once details like the super user name and the configuration
details are known. I tried to solve this issue by allowing super user
access only from some specified IP range. This would at least block
remote super user access from untrusted IP addresses.

I have modified the code accordingly in the Server.java code. I would like
to add it as a patch so that it can be useful for others. However, when
I looked at the trunk code, I could see that some work related
to it is happening, but I am not sure. Especially, there is some code in
Server.java which throws PrivilegedActionException for an untrusted user, I
believe. Can someone kindly clarify if it is written for the same
purpose? If not, kindly suggest the version I should use to create a
patch so that it can be useful for many.

Thanks

Pallavi
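
The kind of check described in the message above, as an added example that is not part of the original e-mail and not Hadoop's code: a claimed super user name is accepted only when the connection's peer address falls inside a configured trusted range. The class name, method names, the super user name "hadoop" and the sample ranges are all assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added illustration: all names here are hypothetical, not Hadoop's Server.java.
public class SuperuserSourceCheck {
    private final String superuser;
    private final List<byte[]> nets = new ArrayList<>();
    private final List<Integer> prefixes = new ArrayList<>();
    // Ranges are CIDR strings with literal addresses, so no DNS lookup happens.
    SuperuserSourceCheck(String superuser, String... cidrs) throws UnknownHostException {
        this.superuser = superuser;
        for (String cidr : cidrs) {
            String[] parts = cidr.split("/");
            if (parts.length != 2) throw new IllegalArgumentException("bad range: " + cidr);
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int prefix = Integer.parseInt(parts[1]);
            // A malformed range stops start-up instead of silently trusting nothing or everything.
            if (prefix < 0 || prefix > net.length * 8) throw new IllegalArgumentException(cidr);
            nets.add(net);
            prefixes.add(prefix);
        }
    }

    private static boolean inRange(byte[] addr, byte[] net, int prefix) {
        if (addr.length != net.length) return false; // IPv4 range never matches an IPv6 peer
        int whole = prefix / 8, rest = prefix % 8;
        for (int i = 0; i < whole; i++) if (addr[i] != net[i]) return false;
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF;      // compare only the leading bits
        return (addr[whole] & mask) == (net[whole] & mask);
    }

    // peer must be the address of the accepted socket, never a value sent by the client.
    boolean allow(String claimedUser, InetAddress peer) {
        if (!superuser.equals(claimedUser)) return true; // only super user claims are gated
        for (int i = 0; i < nets.size(); i++)
            if (inRange(peer.getAddress(), nets.get(i), prefixes.get(i))) return true;
        return false; // super user claim from outside every trusted range
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample: super user "hadoop", trusted range 10.20.0.0/16.
        SuperuserSourceCheck check = new SuperuserSourceCheck("hadoop", "10.20.0.0/16");
        System.out.println(check.allow("hadoop", InetAddress.getByName("10.20.5.9")));
        System.out.println(check.allow("hadoop", InetAddress.getByName("203.0.113.7")));
        System.out.println(check.allow("alice", InetAddress.getByName("203.0.113.7")));
    }
}
```

A check of this shape restricts where a super user claim may come from; it does not verify who is making the claim, so any client inside a trusted range can still assert the super user name.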
