[ https://issues.apache.org/jira/browse/HADOOP-12102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14599831#comment-14599831 ]

Chris Nauroth commented on HADOOP-12102:
----------------------------------------

I think it's a reasonable idea.  A host/IP-based whitelist alone wouldn't be 
sufficient protection, but in combination with Kerberos authentication, it's an 
extra safety net.  Administrators could lock down login to a specific set of 
admin hosts and reduce the likelihood of accidentally running admin commands.

I also agree that it would be nice if the functionality could be implemented in 
Hadoop Common RPC so that all daemons can take advantage of it.  However, there 
might be a challenge with that for the HDFS requirements.  Current 
service-level ACLs are specified at the level of an entire protocol, like 
security.client.protocol.acl.  I don't believe there is a way to specify a 
different ACL per method within a protocol.  Since ClientProtocol includes both 
admin operations and HDFS client operations, this wouldn't be granular enough 
to block just the admin operations, yet still leave the HDFS client operations 
accessible.

If admin was in a separate protocol, then service ACLs would work, but I expect 
that would be a backwards-incompatible change.  Even if the functionality goes 
into Hadoop Common, we still might need some special case logic to implement 
this in HDFS while remaining compatible within 2.x.

> Add option to list up allowed hosts that can do any operation as generic ACL.
> -----------------------------------------------------------------------------
>
>                 Key: HADOOP-12102
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12102
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.0
>            Reporter: Kai Sasaki
>            Assignee: Kai Sasaki
>            Priority: Minor
>
> Currently the NameNode receives all operations through the client protocol from any 
> host.
> However, some critical operations such as format should be restricted not 
> only with Kerberos authentication but also by host name, in order to prevent 
> us from formatting the NameNode by mistake. It would be better to add an option to 
> specify the allowed hosts which can do any operation on the NameNode.
> Although originally this is about HDFS daemons, this feature should be 
> implemented as a generic ACL.


