[ 
https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837242#comment-13837242
 ] 

Colin Patrick McCabe commented on HDFS-5569:
--------------------------------------------

It's not difficult to masquerade as a different IP address.  You can do it by 
typing this command from your command-line:

{code}
sudo /sbin/ifconfig eth0 <new ip address>
{code}

Doing so does not bypass existing controls because Kerberos can't be tricked 
just by changing your IP.

bq. Currently WebHDFS only supports Kerberos authentication and does not 
support authorization.

That sounds like something we should fix within webhdfs.  Maybe someone more 
familiar with webhdfs can comment?

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
>                 Key: HDFS-5569
>                 URL: https://issues.apache.org/jira/browse/HDFS-5569
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: webhdfs
>            Reporter: Adam Faris
>              Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using 
> WebHDFS.  Obviously we can use firewalls to block ports, but this can be 
> complicated and problematic to maintain.  Additionally, because all the jetty 
> servlets run inside the same container, blocking access to jetty to prevent 
> WebHDFS transfers also blocks the other servlets running inside that same 
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS.  This is already 
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow 
> list modeled after.   Thanks.
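
The following is an added example, not part of the JIRA thread or of Hadoop's code. It sketches the requested deny/allow evaluation using the semantics of Apache HTTPD's `Order`/`Allow`/`Deny` directives, and applies it only after Kerberos authentication, since a source address can be changed by the client. The function names, the `kerberos_principal` parameter and the sample networks are assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy (documentation address ranges, not from the issue).
ALLOW = ["192.0.2.0/24", "198.51.100.0/24"]
DENY = ["192.0.2.128/25"]


def _matches(client_ip, networks):
    """True if client_ip falls inside any CIDR block in networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def network_allowed(client_ip, order="allow,deny", allow=ALLOW, deny=DENY):
    """Evaluate an httpd-style Order/Allow/Deny policy for one client address."""
    try:
        in_allow = _matches(client_ip, allow)
        in_deny = _matches(client_ip, deny)
    except ValueError:
        return False  # unparseable address or rule: fail closed
    if order == "allow,deny":
        # Default deny: must match an Allow rule and no Deny rule.
        return in_allow and not in_deny
    if order == "deny,allow":
        # Default allow: rejected only if denied and not re-allowed.
        return in_allow or not in_deny
    return False  # unknown order: fail closed


def may_transfer(client_ip, kerberos_principal, order="allow,deny"):
    """Hypothetical gate: the address list narrows access, it never grants it.

    kerberos_principal is the already-authenticated identity, or None.
    """
    if kerberos_principal is None:
        return False  # an "allowed" source address is not an identity
    return network_allowed(client_ip, order)
```
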


