[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16147611#comment-16147611 ]

Erik Krogen commented on HDFS-11069:
------------------------------------

Ah, thank you for the context, Kihwal. I am too new for that :)

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
>                 Key: HDFS-11069
>                 URL: https://issues.apache.org/jira/browse/HDFS-11069
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, security
>            Reporter: Kihwal Lee
>            Assignee: Kihwal Lee
>             Fix For: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
>
>         Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the datanode user from any node to be recognized as a super user. If one datanode is compromised, the intruder can issue {{shutdownDatanode()}}, {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other datanodes. Although this does not expose stored data, it can cause service disruptions.
> This needs to be tightened to allow only the local datanode user.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16147586#comment-16147586 ]

Kihwal Lee commented on HDFS-11069:
-----------------------------------

[~xkrogen]. Fixed. Once it was a convention to not include never-been-released lines in the fix version field at the time of closing jira. This no longer is the case.

[~jojochuang] In terms of user authorization, a hdfs superuser for one namenode should also be a superuser for the other namenode and datanodes. A datanode user shouldn't be a privileged user and allowing one DN user to have the admin permission on other DNs was giving it more privilege than needed.
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16147517#comment-16147517 ]

Wei-Chiu Chuang commented on HDFS-11069:
----------------------------------------

Hi [~kihwal], I'm just curious, for security concerns, should NameNode also tighten its RPC authorization as well? Any reason why not? One reason might be the NameNode HA, but I wonder if there are other rationales too. Thanks.
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16146182#comment-16146182 ]

Erik Krogen commented on HDFS-11069:
------------------------------------

Hey [~kihwal], it looks like you missed some fix versions (2.8.? and I think probably 2.9) when you committed, can you update them?
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15613018#comment-15613018 ]

Hudson commented on HDFS-11069:
-------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10708 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10708/])
HDFS-11069. Tighten the authorization of datanode RPC. Contributed by (kihwal: rev ae48c496dce8d0eae4571fc64e6850d602bae688)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DataNode.java
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15612896#comment-15612896 ]

Kihwal Lee commented on HDFS-11069:
-----------------------------------

Committed to trunk, branch-2, branch-2.8 and branch-2.7.
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15612863#comment-15612863 ]

Kihwal Lee commented on HDFS-11069:
-----------------------------------

Thanks for the review, Daryn. I've verified it working as expected (allow local, deny remote) on a secure cluster.
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15612859#comment-15612859 ]

Daryn Sharp commented on HDFS-11069:
------------------------------------

+1 Good change to reduce privilege escalation.
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15612831#comment-15612831 ]

Kihwal Lee commented on HDFS-11069:
-----------------------------------

{{TestPermission}} is broken by HDFS-10455. The other test passes.

{noformat}
---
 T E S T S
---
Running org.apache.hadoop.hdfs.TestFileCorruption
Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 17.826 sec - in org.apache.hadoop.hdfs.TestFileCorruption

Results :

Tests run: 5, Failures: 0, Errors: 0, Skipped: 0
{noformat}
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15612746#comment-15612746 ]

Hadoop QA commented on HDFS-11069:
----------------------------------

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 17s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1 | mvninstall | 6m 46s | trunk passed |
| +1 | compile | 0m 44s | trunk passed |
| +1 | checkstyle | 0m 27s | trunk passed |
| +1 | mvnsite | 0m 51s | trunk passed |
| +1 | mvneclipse | 0m 12s | trunk passed |
| +1 | findbugs | 1m 41s | trunk passed |
| +1 | javadoc | 0m 38s | trunk passed |
| +1 | mvninstall | 0m 45s | the patch passed |
| +1 | compile | 0m 42s | the patch passed |
| +1 | javac | 0m 42s | the patch passed |
| +1 | checkstyle | 0m 25s | the patch passed |
| +1 | mvnsite | 0m 48s | the patch passed |
| +1 | mvneclipse | 0m 9s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | findbugs | 1m 48s | the patch passed |
| +1 | javadoc | 0m 35s | the patch passed |
| -1 | unit | 81m 4s | hadoop-hdfs in the patch failed. |
| +1 | asflicense | 0m 25s | The patch does not generate ASF License warnings. |
| | | 99m 28s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.hdfs.TestFileCorruption |
| | hadoop.security.TestPermission |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:9560f25 |
| JIRA Issue | HDFS-11069 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12835615/HDFS-11069.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname | Linux eba215e54b61 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / ac35ee9 |
| Default Java | 1.8.0_101 |
| findbugs | v3.0.0 |
| unit | https://builds.apache.org/job/PreCommit-HDFS-Build/17326/artifact/patchprocess/patch-unit-hadoop-hdfs-project_hadoop-hdfs.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HDFS-Build/17326/testReport/ |
| modules | C: hadoop-hdfs-project/hadoop-hdfs U: hadoop-hdfs-project/hadoop-hdfs |
| Console output | https://builds.apache.org/job/PreCommit-HDFS-Build/17326/console |
| Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org |

This message was automatically generated.
[jira] [Commented] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15612304#comment-15612304 ]

Kihwal Lee commented on HDFS-11069:
-----------------------------------

{code}
  private void checkSuperuserPrivilege() {
    ...
    if (callerUgi.getShortUserName().equals(dnUserName)) {
      return;
    }
    ...
{code}

Instead of checking only the short name, the full name should be checked. E.g. {{dn_user/datanode01.yourdomain@yourdomain.com}} instead of simply {{dn_user}}.
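
The difference between the short-name check and the full-name check discussed in this thread, as an added example that is not part of the original messages or of the HDFS-11069 patch. It is a stand-alone Java model: the class name, method names and principals are constructed for illustration, and the short name is simplified to the primary component of the principal (Hadoop derives it through its own name-mapping rules).

```java
import java.util.List;

/** Added illustration; PrincipalCheckDemo and its members are hypothetical names, not Hadoop code. */
public class PrincipalCheckDemo {

    /**
     * Simplified short name: the primary component before '/' or '@'.
     * This stands in for the real name-mapping logic and is an assumption of the example.
     */
    static String shortName(String principal) {
        int cut = principal.length();
        for (char sep : new char[] {'/', '@'}) {
            int i = principal.indexOf(sep);
            if (i >= 0 && i < cut) {
                cut = i;
            }
        }
        return principal.substring(0, cut);
    }

    /** Check in the style quoted in the thread: only the short names are compared. */
    static boolean allowedByShortName(String caller, String local) {
        return shortName(caller).equals(shortName(local));
    }

    /** Tightened check: the caller's full principal must equal the local datanode's. */
    static boolean allowedByFullName(String caller, String local) {
        return caller.equals(local);
    }

    public static void main(String[] args) {
        // Constructed principals for illustration only.
        String local = "dn_user/datanode01.example.com@EXAMPLE.COM";
        List<String> callers = List.of(
            local,                                        // the local datanode itself
            "dn_user/datanode02.example.com@EXAMPLE.COM", // datanode user on another host
            "alice@EXAMPLE.COM");                         // unrelated user
        for (String caller : callers) {
            System.out.printf("%-45s short-name=%-5b full-name=%b%n",
                caller,
                allowedByShortName(caller, local),
                allowedByFullName(caller, local));
        }
    }
}
```

The datanode user from the second host passes the short-name comparison but fails the full-name comparison, which is the "allow local, deny remote" behaviour reported in the verification comment.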