[GitHub] [hadoop] omalley opened a new pull request #4081: HDFS-13248: Namenode needs to use the actual client IP when going through RBF proxy.

Thu, 17 Mar 2022 15:04:44 -0700 


omalley opened a new pull request #4081:
URL: https://github.com/apache/hadoop/pull/4081


   The NN makes decisions based on the client machine that control the locality 
of data access.
   Currently that is done by finding the ip address using the rpc connection, 
however in the RBF
   configuration, that will always be one of the router's ip address.
   
   We'd added the client's ip to the caller context in the router, so now the 
NN has the information.
   This patch makes the NN use the caller context information.
   
   From a security point of view, this patch adds a new configuration knob 
(dfs.namenode.ip-proxy-users) on the NN
   that defines the list of users that can set their client ip address. Sites 
should add "hdfs" (or the account that
   runs the routers) to "dfs.namenode.ip-proxy-users" on the NN to enable this 
feature.
   
   Note that the audit log does NOT currently use this information, so the 
client ip in the audit log will be the RBF proxy.
   Sites should turn on caller context logging so that the client ip addresses 
are captured.
   <!--
     Thanks for sending a pull request!
       1. If this is your first time, please read our contributor guidelines: 
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
       2. Make sure your PR title starts with JIRA issue id, e.g., 
'HADOOP-17799. Your PR title ...'.
   -->
   
   ### Description of PR
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [ ] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to