[ 
https://issues.apache.org/jira/browse/HDFS-13972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813570#comment-16813570
 ] 

Daryn Sharp commented on HDFS-13972:
------------------------------------

I've only skimmed the Jira based on activity.  I haven't checked what all is in 
the datanode report but I see no reason to expose {{getDatanodeReport}} to 
non-superusers.  First, it's insanely expensive.  Second, why allow a nefarious 
user to trivially discover the topology?

What caught my eye though was the references to ugi.
# {{UserGroupInformation.getCurrentUser()}} is not a cheap call.  If a cached 
ugi is available that is guaranteed to always be the current ugi, I'd recommend 
using it.
# RPC calls should _not_ be invoked on behalf of a user as the login user.  
Always use the caller's context or it's a slippery slope to privilege 
escalation.

> RBF: Support for Delegation Token (WebHDFS)
> -------------------------------------------
>
>                 Key: HDFS-13972
>                 URL: https://issues.apache.org/jira/browse/HDFS-13972
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Íñigo Goiri
>            Assignee: CR Hota
>            Priority: Major
>         Attachments: HDFS-13972-HDFS-13891.001.patch, 
> HDFS-13972-HDFS-13891.002.patch, HDFS-13972-HDFS-13891.003.patch, 
> HDFS-13972-HDFS-13891.004.patch, HDFS-13972-HDFS-13891.005.patch, 
> HDFS-13972-HDFS-13891.006.patch, HDFS-13972-HDFS-13891.007.patch, 
> HDFS-13972-HDFS-13891.008.patch, HDFS-13972-HDFS-13891.009.patch, 
> HDFS-13972-HDFS-13891.010.patch, HDFS-13972-HDFS-13891.011.patch, 
> TestRouterWebHDFSContractTokens.java
>
>
> HDFS Router should support issuing HDFS delegation tokens through WebHDFS.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
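
Added illustration of the second point in the comment above; it is not code from the HDFS-13972 patches, the Hadoop project or the commenter. It is a plain-JDK toy model that assumes a backend gating `getDatanodeReport` on superuser status, and it shows what the backend sees when a router forwards the call as its own login user versus with the caller's identity. Every class, method and user name other than `getDatanodeReport` is hypothetical.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Function;

// Toy model (plain JDK, no Hadoop classes) of a router forwarding an RPC to a
// NameNode-like backend. Names are hypothetical; the users are constructed.
public class CallerContextDemo {
    static final String LOGIN_USER = "router";                 // the router's own identity
    static final Set<String> SUPERUSERS = Set.of(LOGIN_USER);  // assumed backend policy

    // Backend: authorizes on the identity attached to the incoming call.
    static List<String> getDatanodeReport(String effectiveUser) {
        if (!SUPERUSERS.contains(effectiveUser)) {
            throw new SecurityException("superuser privilege required for " + effectiveUser);
        }
        return List.of("dn1:/rack-a", "dn2:/rack-b");          // constructed topology data
    }

    // Anti-pattern: the call is made as the router's login user, so the
    // backend's superuser check passes no matter who the real caller is.
    static List<String> forwardAsLoginUser(String caller) {
        return getDatanodeReport(LOGIN_USER);
    }

    // Caller's context preserved: the backend sees the end user and decides.
    static List<String> forwardAsCaller(String caller) {
        return getDatanodeReport(caller);
    }

    // Runs one forwarding strategy for one caller and describes the outcome.
    static String attempt(String label, Function<String, List<String>> forward, String caller) {
        try {
            return label + " caller=" + caller + " -> " + forward.apply(caller);
        } catch (SecurityException e) {
            return label + " caller=" + caller + " -> DENIED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // "alice" is an ordinary user; "router" is the only superuser in this model.
        System.out.println(attempt("as-login-user", CallerContextDemo::forwardAsLoginUser, "alice"));
        System.out.println(attempt("as-caller    ", CallerContextDemo::forwardAsCaller, "alice"));
        System.out.println(attempt("as-caller    ", CallerContextDemo::forwardAsCaller, "router"));
    }
}
```

In the first call the backend's check is evaluated against the router's identity, so it never sees the ordinary user at all; in the second the same check denies the request.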
