lujiefsi opened a new pull request #2966:
URL: https://github.com/apache/hadoop/pull/2966
I have some doubt when i configurate secure HDFS. I know we have Service
Level Authorization for protocols like NamenodeProtocol,DatanodeProtocol and
so on.
But i do not find such Authorization for JournalProtocol after reading the
code in HDFSPolicyProvider. And if we have, how can i configurate such
Authorization?
Besides even NamenodeProtocol has Service Level Authorization, its methods
still have Permission check. Take startCheckpoint in NameNodeRpcServer who
implemented NamenodeProtocol for example:
public NamenodeCommand startCheckpoint(NamenodeRegistration registration)
throws IOException {
String operationName = "startCheckpoint";
checkNNStartup();
namesystem.checkSuperuserPrivilege(operationName);
......
I found that the methods in BackupNodeRpcServer who implemented
JournalProtocol lack of such Permission check. See below:
public void startLogSegment(JournalInfo journalInfo, long epoch,
long txid) throws IOException {
namesystem.checkOperation(OperationCategory.JOURNAL);
verifyJournalRequest(journalInfo);
getBNImage().namenodeStartedLogSegment(txid);
}
@Override
public void journal(JournalInfo journalInfo, long epoch, long firstTxId,
int numTxns, byte[] records) throws IOException {
namesystem.checkOperation(OperationCategory.JOURNAL);
verifyJournalRequest(journalInfo);
getBNImage().journal(firstTxId, numTxns, records);
}
Do we need add Permission check for them?
Please point out my mistakes if i am wrong or miss something.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
