Author: atm Date: Fri May 16 21:25:05 2014 New Revision: 1595352 URL: http://svn.apache.org/r1595352 Log: HDFS-6406. Add capability for NFS gateway to reject connections from unprivileged ports. Contributed by Aaron T. Myers.
Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/Mountd.java hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/Nfs3.java hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/Mountd.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/Mountd.java?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/Mountd.java (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/Mountd.java Fri May 16 21:25:05 2014 
@@ -32,14 +32,14 @@ import org.apache.hadoop.mount.MountdBas */ public class Mountd extends MountdBase { - public Mountd(Configuration config, DatagramSocket registrationSocket) - throws IOException { - super(new RpcProgramMountd(config, registrationSocket)); + public Mountd(Configuration config, DatagramSocket registrationSocket, + boolean allowInsecurePorts) throws IOException { + super(new RpcProgramMountd(config, registrationSocket, allowInsecurePorts)); } public static void main(String[] args) throws IOException { Configuration config = new Configuration(); - Mountd mountd = new Mountd(config, null); + Mountd mountd = new Mountd(config, null, true); mountd.start(true); } } Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java Fri May 16 21:25:05 2014 
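Review bot: `Mountd.main` passes a literal `true` for `allowInsecurePorts`, so a mountd started through this entry point never applies `dfs.nfs.allow.insecure.ports`, whatever the operator configured. The same hard-coded `true` appears in the one-argument `Nfs3(Configuration conf)` constructor in Nfs3.java (`this(conf, null, true);`). Both have a `Configuration` in hand and could read the setting instead, e.g. `new Mountd(config, null, config.getBoolean(DFSConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_KEY, DFSConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT));`, which would need the `DFSConfigKeys` import in Mountd.java. If the literal is deliberate for standalone or test use, a comment saying so would keep it from being copied into a production path.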
@@ -79,11 +79,11 @@ public class RpcProgramMountd extends Rp private final NfsExports hostsMatcher; - public RpcProgramMountd(Configuration config, - DatagramSocket registrationSocket) throws IOException { + public RpcProgramMountd(Configuration config, DatagramSocket registrationSocket, + boolean allowInsecurePorts) throws IOException { // Note that RPC cache is not enabled super("mountd", "localhost", config.getInt("nfs3.mountd.port", PORT), - PROGRAM, VERSION_1, VERSION_3, registrationSocket); + PROGRAM, VERSION_1, VERSION_3, registrationSocket, allowInsecurePorts); exports = new ArrayList<String>(); exports.add(config.get(Nfs3Constant.EXPORT_POINT, Nfs3Constant.EXPORT_POINT_DEFAULT)); Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/Nfs3.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/Nfs3.java?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/Nfs3.java (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/Nfs3.java Fri May 16 21:25:05 2014 @@ -21,6 +21,7 @@ import java.io.IOException; import java.net.DatagramSocket; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdfs.DFSConfigKeys; import org.apache.hadoop.hdfs.nfs.mount.Mountd; import org.apache.hadoop.nfs.nfs3.Nfs3Base; import org.apache.hadoop.util.StringUtils; 
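Review bot: The new `allowInsecurePorts` parameter on the public `RpcProgramMountd` constructor has no Javadoc, and its polarity is easy to misread: going by the hdfs-default.xml description in this commit, `true` means connections from source ports above 1023 are accepted. A line such as `@param allowInsecurePorts if false, reject client connections whose source port is above 1023` would make that explicit. The same applies to the `RpcProgramNfs3`, `Mountd` and `Nfs3` constructors changed here. The check itself is presumably enforced in the superclass, which is not part of this diff, so these hunks alone do not show that it is applied to both RPC programs. The constructor body continues past the end of the hunk.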
@@ -41,12 +42,13 @@ public class Nfs3 extends Nfs3Base { } public Nfs3(Configuration conf) throws IOException { - this(conf, null); + this(conf, null, true); } - public Nfs3(Configuration conf, DatagramSocket registrationSocket) throws IOException { - super(new RpcProgramNfs3(conf, registrationSocket), conf); - mountd = new Mountd(conf, registrationSocket); + public Nfs3(Configuration conf, DatagramSocket registrationSocket, + boolean allowInsecurePorts) throws IOException { + super(new RpcProgramNfs3(conf, registrationSocket, allowInsecurePorts), conf); + mountd = new Mountd(conf, registrationSocket, allowInsecurePorts); } public Mountd getMountd() { 
@@ -61,8 +63,13 @@ public class Nfs3 extends Nfs3Base { static void startService(String[] args, DatagramSocket registrationSocket) throws IOException { - StringUtils.startupShutdownMessage(Nfs3.class, args, LOG); - final Nfs3 nfsServer = new Nfs3(new Configuration(), registrationSocket); + StringUtils.startupShutdownMessage(Nfs3.class, args, LOG); + Configuration conf = new Configuration(); + boolean allowInsecurePorts = conf.getBoolean( + DFSConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_KEY, + DFSConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT); + final Nfs3 nfsServer = new Nfs3(new Configuration(), registrationSocket, + allowInsecurePorts); nfsServer.startServiceInternal(true); } Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java Fri May 16 21:25:05 2014 
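Review bot: In `startService` the new `conf` is used only to read `allowInsecurePorts`; the server is then built from a second `new Configuration()`, so the flag and the rest of the gateway settings come from two separately loaded objects. Passing the same instance, `final Nfs3 nfsServer = new Nfs3(conf, registrationSocket, allowInsecurePorts);`, avoids loading the configuration twice and guarantees the port policy was read from the configuration the gateway actually runs with. Logging the effective value of `allowInsecurePorts` through the existing `LOG` at startup would also let operators confirm whether the restriction is active.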
@@ -166,11 +166,12 @@ public class RpcProgramNfs3 extends RpcP private final RpcCallCache rpcCallCache; - public RpcProgramNfs3(Configuration config, DatagramSocket registrationSocket) - throws IOException { + public RpcProgramNfs3(Configuration config, DatagramSocket registrationSocket, + boolean allowInsecurePorts) throws IOException { super("NFS3", "localhost", config.getInt(Nfs3Constant.NFS3_SERVER_PORT, Nfs3Constant.NFS3_SERVER_PORT_DEFAULT), Nfs3Constant.PROGRAM, - Nfs3Constant.VERSION, Nfs3Constant.VERSION, registrationSocket); + Nfs3Constant.VERSION, Nfs3Constant.VERSION, registrationSocket, + allowInsecurePorts); config.set(FsPermission.UMASK_LABEL, "000"); iug = new IdUserGroup(); Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt Fri May 16 21:25:05 2014 
@@ -19,6 +19,9 @@ Release 2.5.0 - UNRELEASED HDFS-6334. Client failover proxy provider for IP failover based NN HA. (kihwal) + HDFS-6406. Add capability for NFS gateway to reject connections from + unprivileged ports. (atm) + IMPROVEMENTS HDFS-6007. Update documentation about short-circuit local reads (iwasakims Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java Fri May 16 21:25:05 2014 
@@ -635,9 +635,12 @@ public class DFSConfigKeys extends Commo public static final String DFS_DFSCLIENT_HEDGED_READ_THREADPOOL_SIZE = "dfs.client.hedged.read.threadpool.size"; - public static final int DEFAULT_DFSCLIENT_HEDGED_READ_THREADPOOL_SIZE = 0; - public static final String DFS_NFS_KEYTAB_FILE_KEY = "dfs.nfs.keytab.file"; - public static final String DFS_NFS_KERBEROS_PRINCIPAL_KEY = "dfs.nfs.kerberos.principal"; - public static final String DFS_NFS_REGISTRATION_PORT_KEY = "dfs.nfs.registration.port"; - public static final int DFS_NFS_REGISTRATION_PORT_DEFAULT = 40; // Currently unassigned. + public static final int DEFAULT_DFSCLIENT_HEDGED_READ_THREADPOOL_SIZE = 0; + public static final String DFS_NFS_KEYTAB_FILE_KEY = "dfs.nfs.keytab.file"; + public static final String DFS_NFS_KERBEROS_PRINCIPAL_KEY = "dfs.nfs.kerberos.principal"; + public static final String DFS_NFS_REGISTRATION_PORT_KEY = "dfs.nfs.registration.port"; + public static final int DFS_NFS_REGISTRATION_PORT_DEFAULT = 40; // Currently unassigned. + public static final String DFS_NFS_ALLOW_INSECURE_PORTS_KEY = "dfs.nfs.allow.insecure.ports"; + public static final boolean DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT = true; + } Modified: hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml?rev=1595352&r1=1595351&r2=1595352&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml (original) +++ hadoop/common/branches/branch-2/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml Fri May 16 21:25:05 2014 
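Review bot: `DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT = true` leaves the source-port check off unless an operator opts in, and hdfs-default.xml ships the same `<value>true</value>`. That is presumably chosen to keep existing clients working, but nothing at the constant says so. A comment such as `// true accepts clients on any source port; set to false to require a privileged port (1023 or below)` would record the intent. The hunk also appears to re-indent five unrelated constants, which makes the two added lines harder to spot in review and in blame; consider leaving those lines untouched.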
@@ -1318,6 +1318,17 @@ </property> <property> + <name>dfs.nfs.allow.insecure.ports</name> + <value>true</value> + <description> + When set to false, client connections originating from unprivileged ports + (those above 1023) will be rejected. This is to ensure that clients + connecting to this NFS Gateway must have had root privilege on the machine + where they're connecting from. + </description> +</property> + +<property> <name>dfs.webhdfs.enabled</name> <value>true</value> <description> @@ -1895,4 +1906,4 @@ </description> </property> -</configuration> \ No newline at end of file +</configuration>
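Review bot: The description for `dfs.nfs.allow.insecure.ports` says that setting it to false ensures clients "must have had root privilege on the machine where they're connecting from", which overstates what a source-port check provides. It shows only that the connecting process could bind a port below 1024 on its own host. It says nothing about whether that host is one the administrator trusts, so the setting is useful only together with export host restrictions and network-level controls. I would add a sentence such as `This check does not authenticate the client host and should be combined with restricting which hosts may mount the export.` The description should also state that the shipped value `true` means the check is disabled.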