[
https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13838369#comment-13838369
]
Adam Faris commented on HDFS-5569:
----------------------------------
Hi Colin, I'm not sure you understand what IP Spoofing does. It's done for
multiple reasons but essentially a host on network "B" pretends to be on
network "A" by tricking the routers between networks "A" and "B" into thinking
it's traffic comes from network "A". This involves creating specially crafted
TCP packet payloads and is much more involved then setting the IP on your local
laptop. http://en.wikipedia.org/wiki/IP_address_spoofing The point that
Travis Thompson is making is that simply setting the IP address to a 10.x.x.x
on a 192.x.x.x network, will result in the phoney address being ignored by the
local router as it doesn't include the specially crafted TCP packets. If your
concern is an admin is only going to block 192.x.x.2 - 192.x.x.50 and then let
192.x.x.51-192.x.x.254 have access then this would be a WebHDFS configuration
error and not a problem with the security implementation. Using source and
destination IP's is one of the criteria used by iptables for forwarding
packets. If it's good enough for iptables it should be good enough for this
JIRA. :)
Haohui Mai: Regarding Knox, it's charter is how to standardize deploying a
secure hadoop cluster. If the hooks are missing from the API, they first need
to get added to the API before being implemented by Knox. This is why I've
opened this JIRA to request that updates be made to the WebHDFS API which will
support what networks WebHDFS will transfer data.
> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
> Key: HDFS-5569
> URL: https://issues.apache.org/jira/browse/HDFS-5569
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: webhdfs
> Reporter: Adam Faris
> Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using
> WebHDFS. Obviously we can use firewalls to block ports, but this can be
> complicated and problematic to maintain. Additionally, because all the jetty
> servlets run inside the same container, blocking access to jetty to prevent
> WebHDFS transfers also blocks the other servlets running inside that same
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS. This is already
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow
> list modeled after. Thanks.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
