[ 
https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837260#comment-13837260
 ] 

Travis Thompson commented on HDFS-5569:
---------------------------------------

[~cmccabe] I'm not sure how adding a new IP address would bypass this?  As the 
client I can add whatever IP address I want but if it's not routable it won't 
work... and the server would be doing filtering on the server side so it would 
be based on Source IP...  so having an IP/host-based filter would be useful.

Also on the Kerberos note, there is NO authorization in Kerberos, only 
authentication.  Kerberos only tells you who you are, not what you can do; it's 
up to the application layer to decide what to do with that information.

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
>                 Key: HDFS-5569
>                 URL: https://issues.apache.org/jira/browse/HDFS-5569
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: webhdfs
>            Reporter: Adam Faris
>              Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using 
> WebHDFS.  Obviously we can use firewalls to block ports, but this can be 
> complicated and problematic to maintain.  Additionally, because all the jetty 
> servlets run inside the same container, blocking access to jetty to prevent 
> WebHDFS transfers also blocks the other servlets running inside that same 
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS.  This is already 
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow 
> list modeled after.   Thanks.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
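
The server-side source-IP allow/deny check discussed in this thread, evaluated with Apache httpd 2.2 `Order` semantics, as an added example that is not from the thread or from Hadoop's code. The names `AccessList` and `decide`, and the sample networks in the test data, are constructed for illustration.

```python
import ipaddress


class AccessList:
    """Allow/deny evaluation modeled on Apache httpd 2.2 `Order` (hypothetical class)."""

    def __init__(self, order, allow=(), deny=()):
        if order not in ("allow,deny", "deny,allow"):
            raise ValueError("order must be 'allow,deny' or 'deny,allow'")
        self.order = order
        # strict=False accepts entries with host bits set, e.g. 10.1.2.3/8
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow]
        self.deny = [ipaddress.ip_network(n, strict=False) for n in deny]

    @staticmethod
    def _match(addr, nets):
        return any(addr.version == n.version and addr in n for n in nets)

    def permits(self, peer_ip):
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False  # unparseable peer address: fail closed
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
        # unwrap them so the IPv4 rules still apply.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        allowed = self._match(addr, self.allow)
        denied = self._match(addr, self.deny)
        if self.order == "allow,deny":
            # Default deny: must match an allow rule and no deny rule.
            return allowed and not denied
        # "deny,allow": default allow; an allow match overrides a deny match.
        return allowed or not denied


def decide(acl, peer_ip, headers):
    """Decide from the TCP peer address only (hypothetical helper).

    Assumption: the server is reached directly, not through a proxy, so
    client-supplied headers such as X-Forwarded-For are ignored.
    """
    del headers  # never consulted: the client controls these values
    return acl.permits(peer_ip)
```

The decision is a separate step from Kerberos authentication: it depends only on where the connection comes from, not on who the caller is.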
