[jira] [Commented] (HADOOP-12549) Extend HDFS-7456 default generically to all pattern lookups

Tue, 21 Jul 2020 00:20:59 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-12549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17161805#comment-17161805
 ] 

Daryn Sharp commented on HADOOP-12549:
--------------------------------------

 
{quote}In HDFS-7546 we added a hdfs-default.xml property to bring back the 
regular behaviour of trusting all principals (as was the case before 
HADOOP-9789).
{quote}
The default was never to trust all principals.  HDFS-7546 was a bad change that 
purported to support cross-realm.  We've used cross-realm trust w/o problems 
for as long as I've worked on hadoop.
{quote}I don't have full context on this but I'm pretty sure this change will 
be controversial.
{quote}
The pattern was added to augment the annotation-based principal restrictions.  
Let's say you have nn-ha1.domain and nn-ha2.domain fronted by nn.domain (IP 
failover setup).  The client expands the default annotation of hdfs/_HOST to 
hdfs/nn.domain causing it to reject the backend hdfs/nn-ha\{1,2}.domain 
principals.  The _optional_ pattern allows whitelisting those backend 
principals.

Non-negotiable -1.  A wildcard default is an incompatible regression that 
breaks, by shorting out, annotation based principal restrictions.  Clients will 
authenticate to any service principal.  The motivation appears to be using an 
empty configuration.  The solution is add a resource that contains security 
settings.

 

 

> Extend HDFS-7456 default generically to all pattern lookups
> -----------------------------------------------------------
>
>                 Key: HADOOP-12549
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12549
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: ipc, security
>    Affects Versions: 2.7.1
>            Reporter: Harsh J
>            Priority: Minor
>         Attachments: HADOOP-12549.002.patch, HADOOP-12549.patch
>
>
> In HDFS-7546 we added a hdfs-default.xml property to bring back the regular 
> behaviour of trusting all principals (as was the case before HADOOP-9789). 
> However, the change only targeted HDFS users and also only those that used 
> the default-loading mechanism of Configuration class (i.e. not {{new 
> Configuration(false)}} users).
> I'd like to propose adding the same default to the generic RPC client code 
> also, so the default affects all form of clients equally.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to