[jira] [Comment Edited] (HDFS-14234) Limit WebHDFS to specifc user, host, directory triples
[
https://issues.apache.org/jira/browse/HDFS-14234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16757647#comment-16757647
]
Anu Engineer edited comment on HDFS-14234 at 1/31/19 7:22 PM:
--
Hi [~clayb],
Thanks for the patch. It looks pretty good. I think this is a good approach,
especially I like the extension where more filters can be added more easily. I
have code reviewed this as if this a real patch. I have some minor comments.
*DatanodeHttpServer.java:384:*
# nit: Developer Comment? Remove? XXX Clay how do we want to handle this for
generic users?
*HostingRestrictingAuthorization.java*
# Remove unused imports.
# Line 152: Unused variable, overrideConfigs
# Line 160: Clean up some args in the new
# Line 165: Should we make this a WARN instead of debug. If the user wrote a
rule wrong, at least we will see a warn. In the current patch, we ignore it
silently.
# Don't understand the use case, but I am going to assume that
_// Map is {"user": [subnet, path]}_
user is some user in Kerberos/Directory and user can also be group.
*HostRestrictingAuthorizationFilterHandler.java*
# Unused imports.
# Nit: Remove XXX in line 194
# Nit: Line:103 Java Doc is wrong.
*TestHostRestrictingAuthorizationFilter.java*
# Remove Unused Imports.
*TestHostRestrictingAuthorizationFilterHandler.java*
# Remove unused imports.
# This file looks incomplete, care to fix or remove from this patch.
Ps. I have also added you to the contributors group, so you can assign JIRAs to
yourself.
was (Author: anu):
Hi [~clayb],
Thanks for the patch. It looks pretty good. I think this is a good approach,
especially I like the extension where more filters can be added more easily. I
have code reviewed this as if this a real patch. I have some minor comments.
*DatanodeHttpServer.java:384:*
# nit: Developer Comment? Remove? XXX Clay how do we want to handle this for
generic users?
*HostingRestrictingAuthorization.java*
# Remove unused imports.
# Line 152: Unused variable, overrideConfigs
# Line 160: Clean up some args in the new
# Line 165: Should we make this a WARN instead of debug. If the user wrote a
rule wrong, at least we will see a warn. In the current patch, we ignore it
silently.
# Don't understand the use case, but I am going to assume that
_// Map is \{"user": [subnet, path]}_
user is some user in Kerberos/Directory and user can also be group.
*HostRestrictingAuthorizationFilterHandler.java*
# Unused imports.
# Nit: Remove XXX in line 194
# Nit: Line:103 Java Doc is wrong.
*TestHostRestrictingAuthorizationFilter.java*
# Remove Unused Imports.
*TestHostRestrictingAuthorizationFilterHandler.java*
# Remove unused imports.
# This file looks incomplete, care to fix or remove from this patch.
> Limit WebHDFS to specifc user, host, directory triples
> --
>
> Key: HDFS-14234
> URL: https://issues.apache.org/jira/browse/HDFS-14234
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: webhdfs
>Reporter: Clay B.
>Assignee: Anu Engineer
>Priority: Trivial
> Attachments:
> 0001-HDFS-14234.-Limit-WebHDFS-to-specifc-user-host-direc.patch
>
>
> For those who have multiple network zones, it is useful to prevent certain
> zones from downloading data from WebHDFS while still allowing uploads. This
> can enable functionality of HDFS as a dropbox for data - data goes in but can
> not be pulled back out. (Motivation further presented in [StrangeLoop 2018 Of
> Data Dropboxes and Data
> Gloveboxes|https://www.thestrangeloop.com/2018/of-data-dropboxes-and-data-gloveboxes.html]).
> Ideally, one could limit the datanodes from returning data via an
> [{{OPEN}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Open_and_Read_a_File]
> but still allow things such as
> [{{GETFILECHECKSUM}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Get_File_Checksum]
> and
> {{[{{CREATE}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Create_and_Write_to_a_File]}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HDFS-14234) Limit WebHDFS to specifc user, host, directory triples
[
https://issues.apache.org/jira/browse/HDFS-14234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16757647#comment-16757647
]
Anu Engineer edited comment on HDFS-14234 at 1/31/19 7:20 PM:
--
Hi [~clayb],
Thanks for the patch. It looks pretty good. I think this is a good approach,
especially I like the extension where more filters can be added more easily. I
have code reviewed this as if this a real patch. I have some minor comments.
*DatanodeHttpServer.java:384:*
# nit: Developer Comment? Remove? XXX Clay how do we want to handle this for
generic users?
*HostingRestrictingAuthorization.java*
# Remove unused imports.
# Line 152: Unused variable, overrideConfigs
# Line 160: Clean up some args in the new
# Line 165: Should we make this a WARN instead of debug. If the user wrote a
rule wrong, at least we will see a warn. In the current patch, we ignore it
silently.
# Don't understand the use case, but I am going to assume that
_// Map is \{"user": [subnet, path]}_
user is some user in Kerberos/Directory and user can also be group.
*HostRestrictingAuthorizationFilterHandler.java*
# Unused imports.
# Nit: Remove XXX in line 194
# Nit: Line:103 Java Doc is wrong.
*TestHostRestrictingAuthorizationFilter.java*
# Remove Unused Imports.
*TestHostRestrictingAuthorizationFilterHandler.java*
# Remove unused imports.
# This file looks incomplete, care to fix or remove from this patch.
was (Author: anu):
Hi [~clayb],
Thanks for the patch. It looks pretty good. I think this is a good approach,
especially I like the extension where more filters can be added more easily. I
have code reviewed this as if this a real patch. I have some minor comments.
*DatanodeHttpServer.java:384:
*1. nit: Developer Comment? Remove? XXX Clay how do we want to handle this for
generic users?
*HostingRestrictingAuthorization.java*
2. Remove unused imports.
3. Line 152: Unused variable, overrideConfigs
4. Line 160: Clean up some args in the new
5. Line 165: Should we make this a WARN instead of debug. If the user wrote a
rule wrong, at least we will see a warn. In the current patch, we ignore it
silently.
6. Don't understand the use case, but I am going to assume that
"// Map is
{"user": [subnet, path]}
" means that user is some user in Kerberos/Directory and user can also be
groupgit s.
*HostRestrictingAuthorizationFilterHandler.java*
1. Unused imports.
2. Nit: Remove XXX in line 194
3. Line:103 Java Doc is wrong.
*TestHostRestrictingAuthorizationFilter.java*
1. Remove Unused Imports.
*
TestHostRestrictingAuthorizationFilterHandler.java*
1. Remove unused imports.
2. This file looks incomplete, care to fix or remove from this patch.
> Limit WebHDFS to specifc user, host, directory triples
> --
>
> Key: HDFS-14234
> URL: https://issues.apache.org/jira/browse/HDFS-14234
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: webhdfs
>Reporter: Clay B.
>Assignee: Anu Engineer
>Priority: Trivial
> Attachments:
> 0001-HDFS-14234.-Limit-WebHDFS-to-specifc-user-host-direc.patch
>
>
> For those who have multiple network zones, it is useful to prevent certain
> zones from downloading data from WebHDFS while still allowing uploads. This
> can enable functionality of HDFS as a dropbox for data - data goes in but can
> not be pulled back out. (Motivation further presented in [StrangeLoop 2018 Of
> Data Dropboxes and Data
> Gloveboxes|https://www.thestrangeloop.com/2018/of-data-dropboxes-and-data-gloveboxes.html]).
> Ideally, one could limit the datanodes from returning data via an
> [{{OPEN}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Open_and_Read_a_File]
> but still allow things such as
> [{{GETFILECHECKSUM}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Get_File_Checksum]
> and
> {{[{{CREATE}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Create_and_Write_to_a_File]}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HDFS-14234) Limit WebHDFS to specifc user, host, directory triples
[
https://issues.apache.org/jira/browse/HDFS-14234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16755508#comment-16755508
]
Clay B. edited comment on HDFS-14234 at 1/30/19 12:26 AM:
--
This is a work-in-progress needing more tests and is mainly to ensure I am on a
reasonable path others think is sane too.
was (Author: clayb):
This is a work-in-progress trying to get more tests and is mainly to ensure I
am on a reasonable path others think is sane too.
> Limit WebHDFS to specifc user, host, directory triples
> --
>
> Key: HDFS-14234
> URL: https://issues.apache.org/jira/browse/HDFS-14234
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: webhdfs
>Reporter: Clay B.
>Priority: Trivial
> Attachments:
> 0001-HDFS-14234.-Limit-WebHDFS-to-specifc-user-host-direc.patch
>
>
> For those who have multiple network zones, it is useful to prevent certain
> zones from downloading data from WebHDFS while still allowing uploads. This
> can enable functionality of HDFS as a dropbox for data - data goes in but can
> not be pulled back out. (Motivation further presented in [StrangeLoop 2018 Of
> Data Dropboxes and Data
> Gloveboxes|https://www.thestrangeloop.com/2018/of-data-dropboxes-and-data-gloveboxes.html]).
> Ideally, one could limit the datanodes from returning data via an
> [{{OPEN}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Open_and_Read_a_File]
> but still allow things such as
> [{{GETFILECHECKSUM}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Get_File_Checksum]
> and
> {{[{{CREATE}}|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Create_and_Write_to_a_File]}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
