[ https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837161#comment-13837161 ]
Adam Faris commented on HDFS-5569:
----------------------------------

The two alternatives both have problems, and I'll start with iptables. As already stated in the description, iptables will either block or expose the entire jetty container. In short, iptables is not smart enough to allow access to "/browseDirectory.jsp" and block "/webhdfs/v1".

Regarding Kerberos, Kerberos is only authentication and does not handle authorization. When supported by an application, Kerberos will verify who the user accessing the application is, but it's up to the application to decide if access should be allowed. Currently WebHDFS only supports Kerberos authentication and does not support authorization.

For the concerns about faked IPs, the allow/deny list in httpd works against both IP ranges and hostname matches. If someone were able to masquerade as an IP within the allowed IP range, then they would also be able to bypass iptables. As it's difficult to masquerade as a different IP and doing so would bypass existing controls, faked IPs should not be considered a blocker for this request.

Performance concerns of reverse hostname lookups shouldn't be a concern. A locally running caching name server would help with lookup response times, and one could always configure the JVM security manager to cache hostname/IP mappings indefinitely. Both the namenode and jobtracker do reverse lookups and this isn't a problem for either.

Thanks for taking time to investigate this request and not closing 'wontfix'.

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
> Key: HDFS-5569
> URL: https://issues.apache.org/jira/browse/HDFS-5569
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: webhdfs
> Reporter: Adam Faris
> Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using
> WebHDFS. Obviously we can use firewalls to block ports, but this can be
> complicated and problematic to maintain. Additionally, because all the jetty
> servlets run inside the same container, blocking access to jetty to prevent
> WebHDFS transfers also blocks the other servlets running inside that same
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS. This is already
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow
> list modeled after. Thanks.

--
This message was sent by Atlassian JIRA (v6.1#6144)
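
The path-scoped allow/deny behaviour requested in this issue, as an added sketch that is not part of the message above and is not Hadoop code. `PathAcl`, `is_allowed`, `FAKE_PTR` and the sample addresses are hypothetical names and constructed values; evaluation follows httpd's `Order allow,deny` semantics (an allow entry must match, then any deny match rejects), with entries given as CIDR ranges or host name suffixes.

```python
import ipaddress

# Constructed reverse-DNS table standing in for a real PTR lookup (keeps the example offline).
FAKE_PTR = {"10.1.2.3": "gw1.grid.example.com", "192.0.2.7": "laptop.corp.example.net"}

class PathAcl:
    """Allow/deny list scoped to a URL prefix, evaluated like httpd's 'Order allow,deny'."""

    def __init__(self, prefix, allow, deny=(), resolver=FAKE_PTR.get):
        self.prefix = prefix.rstrip("/")
        self.allow, self.deny, self.resolver = list(allow), list(deny), resolver

    def covers(self, path):
        # Assumes the container already decoded and normalized the path.
        # Match whole segments so "/webhdfs/v1" does not cover "/webhdfs/v10".
        return path == self.prefix or path.startswith(self.prefix + "/")

    def _matches(self, spec, ip):
        try:
            return ip in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            pass  # not an address or CIDR range, so treat the entry as a host name
        host = (self.resolver(str(ip)) or "").lower().rstrip(".")
        spec = spec.lower().lstrip(".")
        return host == spec or host.endswith("." + spec)

    def permits(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        if not any(self._matches(s, ip) for s in self.allow):
            return False  # nothing allowed this client: default deny
        return not any(self._matches(s, ip) for s in self.deny)

def is_allowed(acls, path, client_ip):
    """Paths with no ACL stay open, which a port-level filter cannot express."""
    for acl in acls:
        if acl.covers(path):
            return acl.permits(client_ip)
    return True

# Constructed policy: restrict only the WebHDFS data path, leave other servlets alone.
ACLS = [PathAcl("/webhdfs/v1", allow=["10.0.0.0/8", "corp.example.net"], deny=["10.9.0.0/16"])]
```

The client address passed in has to be the socket peer address seen by the container, not a value taken from a request header. Host name entries are only as trustworthy as the reverse DNS they are resolved against.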