[
https://issues.apache.org/jira/browse/HDDS-8573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17720786#comment-17720786
]
Mohammad Arafat Khan commented on HDDS-8573:
--------------------------------------------
It was suggested by [~pifta]
Together with this, we should also check the file system level protection on
OM, SCM, and Recon metadata as well, and restrict it where necessary.
I tend to think that we should make this configurable wherever it is feasible,
and defaults should be 700 for the process owner user (hdfs), similarly as we
do for HDFS via the {_}dfs{_}.{_}datanode{_}.{_}data{_}.{_}dir{_}.{_}perm{_}
property.
Currently the permissions are opening stuff up for everyone who has access to
the host, the aim is not to secure it fully on its own, but at least we should
make sure that a privileged access is needed to access the metadata we store
for services. OM's RocksDb, and block data files are certainly critical, but
the rest of it should as well be having limited access on the local filesystem.
> Verify default setting for DN root dir to restrict non-admin access
> -------------------------------------------------------------------
>
> Key: HDDS-8573
> URL: https://issues.apache.org/jira/browse/HDDS-8573
> Project: Apache Ozone
> Issue Type: Bug
> Components: OM, Ozone Datanode, Ozone Recon, SCM
> Reporter: Mohammad Arafat Khan
> Priority: Blocker
>
> The permissions to the DN storage dirs should be 750 or tighter, to restrict
> non-root users from reading user data.
> This came up during the bootcamp where the DNs directories are configured
> with 755 by default. We may need to change the default in CDP.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
