[jira] [Commented] (HDFS-11655) Ozone: CLI: Guarantees user runs SCM commands has appropriate permission

Wed, 24 May 2017 10:17:23 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-11655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16023261#comment-16023261
 ] 

Weiwei Yang commented on HDFS-11655:
------------------------------------

Hi [~xyao]

I agree with your comment. I just submitted v3 patch which has following changes

# Added {{OZONE_ADMINISTRATORS}} in {{OzoneConfigKeys}}. This property 
determines the administrators of ozone cluster. If ozone components are started 
by different users, these users must be added into the value of this property. 
By default, it is not set which assumes user starts the daemon is the super 
user.
# {{StorageContainerManager}} loads the admin user from 
{{OZONE_ADMINISTRATORS}}, plus the user who launches SCM. These users are SCM 
administrators, SCM allows remote calls that is from one of the administrators. 
Otherwise the remote call will be rejected with access denied error.
# Added a test case in {{TestStorageContainerManager}} to test permission check 
logic in {{StorageContainerLocationProtocol}}, this is the API currently 
protected by admin accesses because they are exposed to {{SCMCLI}}. It tests 
both default and non-default configuration.

Please let me know this makes sense to you.
Thank you.

> Ozone: CLI: Guarantees user runs SCM commands has appropriate permission
> ------------------------------------------------------------------------
>
>                 Key: HDFS-11655
>                 URL: https://issues.apache.org/jira/browse/HDFS-11655
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>    Affects Versions: HDFS-7240
>            Reporter: Weiwei Yang
>            Assignee: Weiwei Yang
>              Labels: command-line, security
>         Attachments: HDFS-11655-HDFS-7240.001.patch, 
> HDFS-11655-HDFS-7240.002.patch, HDFS-11655-HDFS-7240.003.patch
>
>
> We need to add a permission check module for ozone command line utilities, to 
> make sure users run commands with proper privileges. For now, commands in 
> [design doc| 
> https://issues.apache.org/jira/secure/attachment/12861478/storage-container-manager-cli-v002.pdf]
>  all require admin privilege.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to