Stephen Chu created HDFS-4671:
---------------------------------

             Summary: DFSAdmin fetchImage should require superuser privilege even when security is not enabled
                 Key: HDFS-4671
                 URL: https://issues.apache.org/jira/browse/HDFS-4671
             Project: Hadoop HDFS
          Issue Type: Bug
    Affects Versions: 2.0.3-alpha
            Reporter: Stephen Chu


When security is not enabled, non-superusers can fetch the fsimage. This is 
problematic because the non-superusers can then process the fsimage for 
contents the user should not have access to.

For example, schu is not a superuser and does not have access to 
hdfs://user/hdfs/. However, schu can still fetch the fsimage and run the 
OfflineImageViewer on the fsimage to examine the contents of hdfs://user/hdfs/.

{code}
[schu@hdfs-vanilla-1 images]$ hadoop fs -ls /user/hdfs
ls: Permission denied: user=schu, access=READ_EXECUTE, inode="/user/hdfs":hdfs:supergroup:drwx------
[schu@hdfs-vanilla-1 images]$ hdfs dfsadmin -fetchImage ~/images/
13/04/08 12:45:20 INFO namenode.TransferFsImage: Opening connection to http://hdfs-vanilla-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
13/04/08 12:45:21 INFO namenode.TransferFsImage: Transfer took 0.91s at 91.61 KB/s
[schu@hdfs-vanilla-1 images]$ hdfs oiv -i ~/images/fsimage_0000000000000947148 -o ~/images/oiv.out
{code}

When Kerberos authentication is enabled, superuser privilege is enforced:
{code}
[testuser@hdfs-secure-1 ~]$ hdfs dfsadmin -fetchImage ~/images/
13/04/08 12:48:23 INFO namenode.TransferFsImage: Opening connection to http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
13/04/08 12:48:23 ERROR security.UserGroupInformation: PriviledgedActionException as:testu...@ent.cloudera.com (auth:KERBEROS) cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
fetchImage: Image transfer servlet at http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
[testuser@hdfs-secure-1 ~]$ 
{code}

We should still enforce checking privileges when Kerberos authentication is 
disabled.
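
A simplified model of the access decision described in this report, added here as an illustration; it is not code from the report or from the Hadoop source. The names `Cluster`, `check_reported`, `check_requested` and `get_image` are hypothetical, the NameNode account `hdfs` is an assumption, and the model covers only the superuser case of the servlet's 403 message.

```python
from dataclasses import dataclass

DENIED = "Only Namenode, Secondary Namenode, and administrators may access this servlet"

@dataclass(frozen=True)
class Cluster:
    security_enabled: bool            # True when Kerberos authentication is on
    namenode_user: str = "hdfs"       # assumption: account the NameNode runs as
    supergroup: str = "supergroup"    # group shown on the inode in the report

def is_superuser(user, groups, cluster):
    """HDFS superuser: the NameNode's own user or a member of the supergroup."""
    return user == cluster.namenode_user or cluster.supergroup in groups

def check_reported(user, groups, cluster):
    """Behaviour in the report: the privilege check runs only under Kerberos."""
    if not cluster.security_enabled:
        return True                   # check skipped, so any caller passes
    return is_superuser(user, groups, cluster)

def check_requested(user, groups, cluster):
    """Behaviour the report asks for: the same check in both modes."""
    return is_superuser(user, groups, cluster)

def get_image(user, groups, cluster, check):
    """Return (status, message) for an image fetch under the given check."""
    if check(user, groups, cluster):
        return 200, "fsimage"
    return 403, DENIED

if __name__ == "__main__":
    vanilla, secure = Cluster(False), Cluster(True)
    # Constructed callers mirroring the two sessions in the report.
    callers = (("schu", {"schu"}, vanilla),
               ("testuser", {"testuser"}, secure),
               ("hdfs", {"supergroup"}, vanilla))
    for label, check in (("reported", check_reported),
                         ("requested", check_requested)):
        for user, groups, cluster in callers:
            status, _ = get_image(user, groups, cluster, check)
            print(label, user, "kerberos=%s" % cluster.security_enabled, status)
```

In simple-authentication mode the user name is supplied by the client and not verified, so Kerberos remains the strong control even with this check in place.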
