[ https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836715#comment-13836715 ]
Alejandro Abdelnur commented on HDFS-5569:
------------------------------------------

I agree with Colin, I don't think going this route is a good idea:

* CONFIGURATION: This would require disseminating the list of valid hosts/IPs/subnets to all DN in the cluster.
* PERFORMANCE IMPACT: doing allow/deny using hostnames will force the webserver code to do a reverse DNS lookup on every request.
* EASY TO FAKE: http://stackoverflow.com/questions/9326138/is-it-possible-to-accurately-determine-the-ip-address-of-a-client-in-java-servle

IMO, the right way of doing this is that the authentication service (Kerberos or whatever custom thing being used) performs this check when granting the credentials.

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
> Key: HDFS-5569
> URL: https://issues.apache.org/jira/browse/HDFS-5569
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: webhdfs
> Reporter: Adam Faris
> Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using
> WebHDFS. Obviously we can use firewalls to block ports, but this can be
> complicated and problematic to maintain. Additionally, because all the jetty
> servlets run inside the same container, blocking access to jetty to prevent
> WebHDFS transfers also blocks the other servlets running inside that same
> jetty container.
>
> I am requesting a deny/allow feature be added to WebHDFS. This is already
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow
> list modeled after. Thanks.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
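As an added illustration of the two technical points in this thread (the Apache HTTPD Order/Allow/Deny model the reporter wants to copy, and the "easy to fake" objection in the comment), here is a small Python sketch that is not part of the ticket or of Hadoop; the subnets, the header handling and the rule ordering are assumptions made for the example:

```python
import ipaddress

# Constructed sample rules modelled on Apache HTTPD's Order/Allow/Deny
# directives (subnets are made up for this example).
ALLOW = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.5.0/24")]
DENY = [ipaddress.ip_network(n) for n in ("10.20.99.0/24",)]


def _matches(ip, rules):
    """True if ip falls inside any rule subnet. This is a CIDR match on the
    raw address, so no reverse DNS lookup is needed per request."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in rules)


def is_allowed(ip, order="allow,deny"):
    """Apache semantics: 'allow,deny' denies by default and Deny overrides
    Allow; 'deny,allow' permits by default and Allow overrides Deny."""
    allowed, denied = _matches(ip, ALLOW), _matches(ip, DENY)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown order {order!r}")


def client_ip_naive(peer_ip, headers):
    """Trust X-Forwarded-For when present. Any client connecting directly can
    set this header, which is the 'easy to fake' problem raised above."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip, headers):
    """Use only the TCP peer address; client-controlled headers are ignored."""
    return peer_ip


def check_request(peer_ip, headers, resolver=client_ip_hardened, order="allow,deny"):
    """Decide access for one request using the chosen client-IP resolver."""
    return is_allowed(resolver(peer_ip, headers), order)


if __name__ == "__main__":
    # Constructed request: an outside peer claims an allowed address via a header.
    spoofed = {"X-Forwarded-For": "10.20.1.5"}
    print(check_request("172.16.0.1", spoofed, client_ip_naive))     # True: header is trusted
    print(check_request("172.16.0.1", spoofed, client_ip_hardened))  # False: peer is outside
```

Even the hardened form only identifies the TCP peer, which is why the comment argues the check belongs in the authentication service rather than in per-request address matching.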