[ https://issues.apache.org/jira/browse/HADOOP-12799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Helmling updated HADOOP-12799:
-----------------------------------
    Attachment: HADOOP-12799.001.patch

Patch adding a config option "security.local.file.owner.check" (true by 
default), which when disabled would bypass the local file owner validation.

> Allow bypassing file owner check in SecureIOUtils when security is enabled
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-12799
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12799
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Gary Helmling
>         Attachments: HADOOP-12799.001.patch
>
>
> When secure authentication is enabled, SecureIOUtils enforces that the local 
> file owner matches the expected (authenticated) user when opening a file for 
> read.  Effectively, this means that: 1) LinuxContainerExecutor must be 
> configured for YARN when Hadoop security is enabled, 2) all users running 
> YARN jobs must be resolvable by the underlying OS.
>
> While the check in SecureIOUtils.checkStat() protects against possible 
> symlink attacks by malicious local users, preventing it from being disabled 
> makes it impossible to run with a perimeter security model, where all access 
> is strongly authenticated and only a select set of trusted users are allowed 
> to run YARN jobs.  Since it is possible to lock down who is allowed to submit 
> YARN jobs, this lack of flexibility seems unfortunate.
>
> I'd like to propose adding a configuration option to allow disabling the 
> local file owner check.  It would remain enabled by default, but when 
> disabled would allow running Hadoop with strong authentication, but with 
> relaxed security on YARN using DefaultContainerExecutor for environments 
> where resolving all users from the local OS is impractical.  For these 
> situations, it would of course need to be acceptable to mitigate the 
> additional exposure to local file attacks for YARN containers by controlling 
> which users are allowed to submit YARN jobs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
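
The owner check discussed in the issue above, sketched as an added example (not Hadoop's code and not part of the attached patch): the file is opened first, then the owner of the open descriptor is compared with the expected user, with the patch's `security.local.file.owner.check` key as the switch. Python stands in for Hadoop's Java here; `open_for_read`, `OwnerMismatch`, the dict-based config, the uids and the file names are assumptions, and the scenario is constructed.

```python
import os
import tempfile

OWNER_CHECK_KEY = "security.local.file.owner.check"  # key name from the patch description


class OwnerMismatch(PermissionError):
    """The opened file is not owned by the expected user."""


def open_for_read(path, expected_uid, conf=None):
    """Open path read-only; verify the owner on the open descriptor (hypothetical helper)."""
    check = (conf or {}).get(OWNER_CHECK_KEY, True)  # enabled by default
    fd = os.open(path, os.O_RDONLY)
    try:
        # fstat() on the descriptor describes the file actually opened, so a
        # symlink or a path swapped after open() cannot change the answer.
        actual = os.fstat(fd).st_uid
        if check and actual != expected_uid:
            raise OwnerMismatch(f"{path}: owner uid {actual}, expected {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    """Constructed scenario: a symlink in a job directory points at another user's file."""
    owner = os.getuid()      # owns the target file (stands in for the service account)
    job_user = owner + 1     # constructed uid for the user the read is performed for
    out = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "service-private.txt")
        with open(target, "wb") as f:
            f.write(b"secret")
        link = os.path.join(d, "job-output.log")
        os.symlink(target, link)  # what a malicious local user could plant

        with open_for_read(target, owner) as f:
            out["owner_matches"] = f.read()
        try:
            open_for_read(link, job_user).close()
            out["check_enabled"] = "opened"
        except OwnerMismatch:
            out["check_enabled"] = "rejected"
        with open_for_read(link, job_user, {OWNER_CHECK_KEY: False}) as f:
            out["check_disabled"] = f.read()
    return out
```

With the check disabled, the read through the planted symlink succeeds, which is the exposure the issue proposes to offset by controlling who may submit YARN jobs.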
