[ https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839067#comment-13839067 ]
Colin Patrick McCabe commented on HDFS-5569:
--------------------------------------------

You say that there are flaws in my statements, but it seems like you pretty much agree with all of them. It's just that you have a different interpretation. You think it's fine to dump the configuration complexity of needing to put forbidden IPs on different subnets, configuring routers to block source routes, and securing physical network jacks on to the sysadmin. I respectfully disagree.

Incidentally, it is not true that IP spoofing is impossible to do with TCP. Kevin Mitnick famously used TCP sequence number guessing plus IP spoofing to attack Tsutomu Shimomura. See http://www.networkcomputing.com/unixworld/security/001.txt.html

I never said anything about whether Kerberos was authentication or authorization. I simply said that it is a lot easier to keep someone from getting a Kerberos TGT than it is to stop them from plugging into the wall in a lot of contexts. Surely we can agree on that?

Yes, there are a lot of ways to cache DNS. Those caches also create a lot of problems in production when things change.

Maybe some other folks can speak up too, but I don't see a use case.

> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
> Key: HDFS-5569
> URL: https://issues.apache.org/jira/browse/HDFS-5569
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: webhdfs
> Reporter: Adam Faris
> Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using
> WebHDFS. Obviously we can use firewalls to block ports, but this can be
> complicated and problematic to maintain. Additionally, because all the jetty
> servlets run inside the same container, blocking access to jetty to prevent
> WebHDFS transfers also blocks the other servlets running inside that same
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS. This is already
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow
> list modeled after. Thanks.

--
This message was sent by Atlassian JIRA
(v6.1#6144)