[ 
https://issues.apache.org/jira/browse/HDFS-6406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14004055#comment-14004055
 ] 

Brandon Li commented on HDFS-6406:
----------------------------------

Thank you, [~atm]. I am so sorry for the late comments. The patch looks good, 
and it adds a nice feature. Given we don't have NFS Kerberos supported yet, 
this feature adds additional security to the NFS gateway. I have a few 
comments. 

1. Nfs3.java: the configuration setting is not taken. This can be fixed as part 
of the config cleanup in HDFS-6056 since it's a trivial change.
{noformat}
+    Configuration conf = new Configuration();
+    boolean allowInsecurePorts = conf.getBoolean(
+        DFSConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_KEY,
+        DFSConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT);
+    final Nfs3 nfsServer = new Nfs3(new Configuration(), registrationSocket,
+        allowInsecurePorts);
{noformat}
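Review bot: in the last statement of this hunk, the Nfs3 constructor is given a fresh new Configuration() instead of the conf object that allowInsecurePorts was just read from, so the flag and the server's configuration come from two separate objects. Pass conf as the first constructor argument so that anything set on it reaches the Nfs3 instance as well.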

2. Port monitoring is the feature name with traditional NFS servers, and we may 
want to make the config property (along with the related variable 
allowInsecurePorts) something like dfs.nfs.port.monitoring. Even though 
traditional NFS has two port monitoring for NFS server and mountd, I think one 
config property is good enough for both of them in our NFS gateway.

3. According to RFC2623 (http://www.rfc-editor.org/rfc/rfc2623.txt): 
{quote}Whether port monitoring is enabled or not, NFS servers SHOULD NOT reject 
NFS requests to the NULL procedure (procedure number 0). See subsection 2.3.1, 
"NULL procedure" for a complete explanation. {quote}
I do notice that NFS clients (most of the time) send mount NULL and nfs NULL from 
a non-privileged port. If we deny that call in mountd or the nfs server, the 
client can't mount the export even as user root.

4. It would be nice to have the user guide updated too.

Let's use HDFS-6439 to track the change for 2,3,4 and I will post more comments 
there.

> Add capability for NFS gateway to reject connections from unprivileged ports
> ----------------------------------------------------------------------------
>
>                 Key: HDFS-6406
>                 URL: https://issues.apache.org/jira/browse/HDFS-6406
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: nfs
>    Affects Versions: 2.4.0
>            Reporter: Aaron T. Myers
>            Assignee: Aaron T. Myers
>             Fix For: 2.5.0
>
>         Attachments: HDFS-6406.patch, HDFS-6406.patch
>
>
> Many NFS servers have the ability to only accept client connections 
> originating from privileged ports. It would be nice if the HDFS NFS gateway 
> had the same feature.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
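
The behaviour that points 2 and 3 of the comment describe, as an added example that is not part of the original message or of the HDFS-6406 patch: one port-monitoring switch that rejects calls from unprivileged source ports but always serves the NULL procedure, as the quoted RFC 2623 text requires. The class, method and constant names are hypothetical, and the client addresses are constructed.

```java
import java.net.InetSocketAddress;

// Added illustration: names below are hypothetical, not Hadoop's own classes.
public class PortMonitoringExample {
    static final int NULL_PROCEDURE = 0;          // RPC procedure number 0
    static final int FIRST_UNPRIVILEGED_PORT = 1024;

    /**
     * Decide whether an RPC call is served. One switch covers both the
     * mountd and NFS programs, as point 2 suggests.
     */
    static boolean acceptCall(boolean portMonitoring, InetSocketAddress client,
                              int procedure) {
        if (!portMonitoring) {
            return true;                          // feature disabled
        }
        if (procedure == NULL_PROCEDURE) {
            return true;                          // RFC 2623: never reject NULL
        }
        int port = client.getPort();
        return port > 0 && port < FIRST_UNPRIVILEGED_PORT;
    }

    static void check(boolean condition, String what) {
        if (!condition) {
            throw new AssertionError(what);
        }
    }

    public static void main(String[] args) {
        // Constructed client addresses (192.0.2.0/24 is a documentation range).
        InetSocketAddress privileged = new InetSocketAddress("192.0.2.10", 875);
        InetSocketAddress unprivileged = new InetSocketAddress("192.0.2.10", 40123);
        int mnt = 1;                              // MOUNT v3 procedure MNT

        check(acceptCall(true, privileged, mnt), "privileged MNT accepted");
        check(!acceptCall(true, unprivileged, mnt), "unprivileged MNT rejected");
        check(acceptCall(true, unprivileged, NULL_PROCEDURE), "NULL always served");
        check(acceptCall(false, unprivileged, mnt), "monitoring off accepts all");
        System.out.println("port monitoring checks passed");
    }
}
```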
