[https://issues.apache.org/jira/browse/HDDS-7454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640412#comment-17640412]
Sumit Agrawal commented on HDDS-7454:
-------------------------------------
[~pifta]
As discussed,
*For non-secure env* with a raw/malicious client, below are the cases:
1) Writing to a new DN causes addition of a container, which can cause data loss -
Raised JIRA: HDDS-7552
2) Writing a new block to a DN that has the container causes additional blocks and
consumes space
Impact: additional space consumption
Note: no way to control this in the current design, as OM and DN do not have any
sync; may need a solution in future, including Recon, which can have OM, SCM and DN
information and mapping.
3) Writing with an unknown container to a DN causing addition of a container - Already
handled using HDDS-3241
*For Secure env*, as per the current bug, need opinion on whether it is required to be handled based
on impact:
# Authorization of pipeline / DNs: Currently it is not present as part of this
bug. It is suggested to add it as part of the block token.
Pros:
* Avoid writing to a DN for which it is not intended, and avoid malicious
impact of data loss and space consumption
Cons:
* Need to have code for adding the pipeline in token generation, passing and
validation at DNs
* Code will be complex; EC has a different way of sync, inducing complexity and
failure points
*Security Impact if this is not handled:*
* SCM needs to validate the new container using ICR, which is async, and needs at least 2
heartbeats to notify the DN to avoid writing (30+ seconds).
* During this time, the client can add a lot of block data
* Exploitation is easy, but the client should be authorized to get block write
permission
Based on this, need opinion on whether this authorization needs to be handled or not based
on the impact.
cc: [~NeilJoshi]
> OM to DN token verification should include Pipeline
> ---------------------------------------------------
>
> Key: HDDS-7454
> URL: https://issues.apache.org/jira/browse/HDDS-7454
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Sumit Agrawal
> Assignee: Sumit Agrawal
> Priority: Minor
> Labels: pull-request-available
>
> Client will request block information to be used to write data. In this
> process,
> - OM calls allocateBlock to SCM; SCM will provide block information, pipeline
> and related DNs
> - OM also creates a token (when security is enabled) with block information
> - Client will pass this information to the DN
> - DN will verify the token for block information and start writing the block
> Here, the pipeline information for which the request is created is not verified. For
> security, this also needs to be verified.
> Pipeline and DN mapping is shared to DNs with the Pipeline command from SCM to
> DNs, CreatePipelineCommand
> Impact (if client is not trustable):
> 1. Client can forward the request with the token to a different DN with different
> pipeline information.
> Since the DN does not have information about the SCM mapping of container to
> pipeline, that DN can start operating over that.
> Having pipeline in token verification will ensure,
> - block write is done with the correct pipeline (DNs)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
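As an added illustration (not Ozone's code: the token layout, the HMAC signing and all names here are simplifications assumed for this example), the model below follows the flow in the issue: OM issues a block token, a DN verifies it, and a token issued for pipeline P1 that a raw client redirects to a DN on pipeline P2 is accepted by the block-only check but rejected once the pipeline is part of the signed token.

```python
import hashlib
import hmac
import json

# Constructed shared secret standing in for the real OM/DN signing material.
OM_SECRET = b"constructed-om-secret-not-ozone"

def sign(payload: dict) -> str:
    """Deterministically serialise the token identifier and MAC it."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(OM_SECRET, msg, hashlib.sha256).hexdigest()

def issue_block_token(block_id, user, expiry, pipeline_id=None):
    """OM side: block token; pipeline_id is the addition proposed in HDDS-7454."""
    payload = {"block": block_id, "user": user, "mode": "WRITE", "exp": expiry}
    if pipeline_id is not None:
        payload["pipeline"] = pipeline_id
    return {"payload": payload, "sig": sign(payload)}

class Datanode:
    """DN side: knows its own pipelines from SCM's CreatePipelineCommand."""
    def __init__(self, pipelines):
        self.pipelines = set(pipelines)

    def verify_write(self, token, block_id, request_pipeline, now):
        p = token["payload"]
        if not hmac.compare_digest(sign(p), token["sig"]):
            return "REJECT: bad signature"        # any client edit to the payload
        if p["exp"] <= now:
            return "REJECT: expired"
        if p["mode"] != "WRITE" or p["block"] != block_id:
            return "REJECT: block/mode mismatch"
        if request_pipeline not in self.pipelines:
            return "REJECT: DN is not a member of this pipeline"
        # The proposed check: the pipeline the token was issued for must be the
        # one this write is addressed to. Absent from the token, it cannot run.
        if "pipeline" in p and p["pipeline"] != request_pipeline:
            return "REJECT: pipeline mismatch"
        return "ACCEPT"

def replay_scenario(with_pipeline: bool) -> str:
    """OM allocates block b1 on pipeline P1; the client redirects the write
    to a DN that only serves pipeline P2 (constructed scenario)."""
    pipeline = "P1" if with_pipeline else None
    token = issue_block_token("cont7/b1", "alice", expiry=1000, pipeline_id=pipeline)
    dn_on_p2 = Datanode(pipelines=["P2"])
    return dn_on_p2.verify_write(token, "cont7/b1", request_pipeline="P2", now=500)
```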