[ https://issues.apache.org/jira/browse/HDFS-8736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14626713#comment-14626713 ]
Steve Loughran commented on HDFS-8736:
--------------------------------------

You will also need to guard against untrusted code trying to open a network port and talking to Hadoop directly, and to do the same for WebHDFS. Given a socket and sufficient code, I can talk to an HDFS filesystem.

There is a well-defined way to stop untrusted code talking to HDFS; it is called Kerberos. Yes, we all hate it. Yes, we all fear it. Yes, none of us understand it properly. But we know that it does lock things down, so that not only are untrusted applications forbidden access, the caller also gets the specific rights associated with the identity of the user making the operation.

(There's also the little detail of that patch still being un-applicable, but that's a detail here.)

As I stated on the related MR JIRA, file an uber-JIRA where the whole aspect of running Hadoop (client?) in a sandbox can be discussed, rather than piece-by-piece patches which will probably get rejected on a case-by-case basis.

> ability to deny access to HDFS filesystems
> ------------------------------------------
>
>                 Key: HDFS-8736
>                 URL: https://issues.apache.org/jira/browse/HDFS-8736
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Purvesh Patel
>            Priority: Minor
>              Labels: security
>         Attachments: HDFS-8736-1.patch
>
>
> In order to run in a secure context, with the ability to deny access to different
> filesystems (specifically the local file system) to non-trusted code, this
> patch adds a new SecurityPermission class (AccessFileSystemPermission) and
> checks the permission in FileSystem#get before returning a cached file system
> or creating a new one. Please see attached patch.