[ https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13838066#comment-13838066 ]

Adam Faris commented on HDFS-5569:
----------------------------------

Hi Haohui, HDFS file permissions work great for controlling read/write access 
but HDFS file permission updates are not what this jira is requesting.  

This jira is requesting to update WebHDFS to prevent data access to unapproved 
networks.  For example we want to allow WebHDFS access within 192.168.0.0/16 
networks which is where our hadoop gateways live, but block end users from 
downloading or modifying data from their laptops on 172.16.0.0/12.  We can't 
use iptables because iptables is not smart enough to distinguish 
between different jsp pages in the same jetty container.  If we want to block 
access to WebHDFS from particular networks, then WebHDFS needs to be smarter 
about accepting remote connections.

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
>                 Key: HDFS-5569
>                 URL: https://issues.apache.org/jira/browse/HDFS-5569
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: webhdfs
>            Reporter: Adam Faris
>              Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using 
> WebHDFS.  Obviously we can use firewalls to block ports, but this can be 
> complicated and problematic to maintain.  Additionally, because all the jetty 
> servlets run inside the same container, blocking access to jetty to prevent 
> WebHDFS transfers also blocks the other servlets running inside that same 
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS.  This is already 
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow 
> list modeled after.   Thanks.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
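
The per-path, per-network check requested above, sketched as an added example; it is not Hadoop code and not part of the original message. The policy format, the function names and the sample addresses are assumptions, the two networks are the ones named in the comment, and the ordering semantics follow Apache HTTPD's `Order allow,deny` / `Order deny,allow`.

```python
import ipaddress

# Hypothetical policy format (an assumption of this example): URL path prefix
# mapped to an Apache-style ordering plus allow and deny CIDR lists.
POLICY = {
    "/webhdfs/v1": {"order": "allow,deny",
                    "allow": ["192.168.0.0/16"],   # gateway network from the comment
                    "deny": ["172.16.0.0/12"]},    # end-user laptop network
}

def _matches(addr, cidrs):
    # Membership is False when address and network differ in IP version.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def _client_addr(remote):
    addr = ipaddress.ip_address(remote)
    # A dual-stack listener can report IPv4 peers as ::ffff:a.b.c.d; unwrap
    # them so IPv4 rules still apply instead of silently not matching.
    return getattr(addr, "ipv4_mapped", None) or addr

def rule_for(path, policy=POLICY):
    # Longest prefix that matches on a path-segment boundary. The path is
    # assumed to be the container-normalized request path without the query.
    best = None
    for prefix in policy:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return policy.get(best)

def is_allowed(remote, path, policy=POLICY):
    rule = rule_for(path, policy)
    if rule is None:
        return True  # other servlets in the same container stay reachable
    addr = _client_addr(remote)
    allowed = _matches(addr, rule["allow"])
    denied = _matches(addr, rule["deny"])
    if rule["order"] == "allow,deny":
        return allowed and not denied  # default deny; a Deny match wins
    return allowed or not denied       # "deny,allow": default allow; Allow wins

if __name__ == "__main__":
    # Constructed sample requests: (remote address, request path)
    for remote, path in [("192.168.10.4", "/webhdfs/v1/user/data"),
                         ("172.16.5.9", "/webhdfs/v1/user/data"),
                         ("172.16.5.9", "/jmx")]:
        print(remote, path, "ALLOW" if is_allowed(remote, path) else "DENY")
```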
