[ https://issues.apache.org/jira/browse/HDFS-11655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015270#comment-16015270 ]
Weiwei Yang commented on HDFS-11655:
------------------------------------
Submitted a patch to check user privilege in the SCM client RPC module
{{StorageContainerLocationProtocolServerSideTranslatorPB}}, which only allows
client RPC calls from the SCM super user (the user who starts the SCM service). Tested on
the CLI: if the SCM CLI is run as a different user, it gets the following error:
{noformat}
[yangww@ozone1 hadoop-3.0.0-alpha3-SNAPSHOT]$ ./bin/hdfs scm -container -info 20170519c1
Error executing command:org.apache.hadoop.ipc.RemoteException(java.lang.IllegalAccessException): Access denied for user yangww. Superuser privilege is required.
    at org.apache.hadoop.ozone.protocolPB.StorageContainerLocationProtocolServerSideTranslatorPB.checkSuperUserPrivilege(StorageContainerLocationProtocolServerSideTranslatorPB.java:264)
    at org.apache.hadoop.ozone.protocolPB.StorageContainerLocationProtocolServerSideTranslatorPB.getContainer(StorageContainerLocationProtocolServerSideTranslatorPB.java:159)
    at org.apache.hadoop.ozone.protocol.proto.StorageContainerLocationProtocolProtos$StorageContainerLocationProtocolService$2.callBlockingMethod(StorageContainerLocationProtocolProtos.java:12230)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:522)
    at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:991)
    at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:867)
    at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:813)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1965)
    at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2659)
{noformat}
Please kindly review.
> Ozone: CLI: Guarantees user runs SCM commands has appropriate permission
> ------------------------------------------------------------------------
>
> Key: HDFS-11655
> URL: https://issues.apache.org/jira/browse/HDFS-11655
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Affects Versions: HDFS-7240
> Reporter: Weiwei Yang
> Assignee: Weiwei Yang
> Labels: command-line, security
> Attachments: HDFS-11655-HDFS-7240.001.patch
>
>
> We need to add a permission check module for ozone command line utilities, to
> make sure users run commands with proper privileges. For now, commands in
> [design doc|https://issues.apache.org/jira/secure/attachment/12861478/storage-container-manager-cli-v002.pdf]
> all require admin privilege.
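
The server-side check described in the comment, as an added example that is not the patch's or the Hadoop project's code: a plain-JDK model in which the caller identity comes from the RPC layer, every handler runs the check first, and a missing identity is denied. The class name, the thread-local, `dispatch`, the placeholder return value and the `hdfs` service user are assumptions; only `checkSuperUserPrivilege`, `getContainer` and the error text come from the stack trace above.

```java
import java.util.Objects;

/** Added illustration using only the JDK; no Hadoop classes are involved. */
public class ScmRpcGuardExample {
    // Assumption: the RPC layer sets this per call from the authenticated
    // connection, never from a field in the request body.
    private static final ThreadLocal<String> REMOTE_USER = new ThreadLocal<>();

    // User who started the service, captured once at startup.
    private final String scmSuperUser;

    ScmRpcGuardExample(String serviceUser) {
        this.scmSuperUser = Objects.requireNonNull(serviceUser);
    }

    /** Fails closed: no caller identity, or any other user, is denied. */
    void checkSuperUserPrivilege() throws IllegalAccessException {
        String caller = REMOTE_USER.get();
        if (caller == null || !caller.equals(scmSuperUser)) {
            throw new IllegalAccessException("Access denied for user "
                + (caller == null ? "<unauthenticated>" : caller)
                + ". Superuser privilege is required.");
        }
    }

    /** Every client-facing handler runs the check before touching state. */
    String getContainer(String containerName) throws IllegalAccessException {
        checkSuperUserPrivilege();
        return "pipeline-for-" + containerName; // hypothetical placeholder result
    }

    /** Simulates the RPC layer dispatching one call as the given caller. */
    static String dispatch(ScmRpcGuardExample scm, String caller, String container) {
        REMOTE_USER.set(caller);
        try {
            return scm.getContainer(container);
        } catch (IllegalAccessException e) {
            return e.getMessage();
        } finally {
            REMOTE_USER.remove(); // handler threads are reused; clear the identity
        }
    }

    public static void main(String[] args) {
        ScmRpcGuardExample scm = new ScmRpcGuardExample("hdfs"); // constructed service user
        System.out.println(dispatch(scm, "hdfs", "20170519c1"));   // allowed caller
        System.out.println(dispatch(scm, "yangww", "20170519c1")); // different user
        System.out.println(dispatch(scm, null, "20170519c1"));     // no identity
    }
}
```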