[ https://issues.apache.org/jira/browse/HDFS-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13195923#comment-13195923 ]
Ram Marti commented on HDFS-2856:
---------------------------------

I am not sure this is quite correct. Let us recall the original issue:

- The authenticated data node process that binds to the port has crashed.
- The tasks that have been launched by a malicious user and are running on the data node monitor for the crash, bind to that port, and receive the data and the block access token.
- Till the block token expires (configurable, but defaults to 10 hours) they can use that token to access data on other data nodes.

This may be fixed by what you propose above. But consider the write case. The client sends the data (unencrypted) and this data is available to the process listening on that port. I *think* the only way you can remove this restriction is if you enable integrity and encryption on the channel.

> Fix block protocol so that Datanodes don't require root or jsvc
> ---------------------------------------------------------------
>
>                 Key: HDFS-2856
>                 URL: https://issues.apache.org/jira/browse/HDFS-2856
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: data-node, security
>            Reporter: Owen O'Malley
>
> Since we send the block tokens unencrypted to the datanode, we currently
> start the datanode as root using jsvc and get a secure (< 1024) port.
> If we have the datanode generate a nonce and send it on the connection and
> the client sends an hmac of the nonce back instead of the block token it won't
> reveal any secrets. Thus, we wouldn't require a secure port and would not
> require root or jsvc.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
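The nonce/HMAC exchange proposed in the issue description, and the port-squatting attack the comment recalls, as an added example that is not part of the JIRA thread and not Hadoop code. It assumes a client and datanode share a per-token secret (Hadoop's real block token has a more involved identifier/password structure; the single `token_secret` here is a simplification), uses HMAC-SHA256 as the MAC, and binds the MAC to both the token identifier and the datanode's nonce. It shows the honest exchange, a rogue process on the datanode port replaying a captured response to a real datanode (rejected because that datanode issues its own nonce), and the caveat that a datanode which reuses a nonce makes the captured response replayable. The write-path exposure the comment raises (unencrypted data reaching the rogue process) is not addressed by this scheme and is not modelled here.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes of randomness per connection (assumption, not from the issue)


def datanode_challenge() -> bytes:
    """Datanode side: generate a fresh, unpredictable nonce for this connection."""
    return secrets.token_bytes(NONCE_LEN)


def client_response(token_secret: bytes, token_id: bytes, nonce: bytes) -> bytes:
    """Client side: answer the challenge with HMAC(secret, token_id || nonce).

    Only token_id and this MAC cross the wire; the secret never does, so a
    process squatting on the datanode port sees nothing it can reuse against
    a different datanode, which will issue a different nonce.
    """
    return hmac.new(token_secret, token_id + nonce, hashlib.sha256).digest()


def datanode_verify(token_secret: bytes, token_id: bytes, nonce: bytes, response: bytes) -> bool:
    """Datanode side: recompute the MAC under the nonce *this* datanode issued
    and compare in constant time."""
    expected = hmac.new(token_secret, token_id + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def legitimate_exchange(token_secret: bytes, token_id: bytes) -> bool:
    """Full exchange between an honest client and an honest datanode."""
    nonce = datanode_challenge()                        # datanode -> client
    resp = client_response(token_secret, token_id, nonce)  # client -> datanode
    return datanode_verify(token_secret, token_id, nonce, resp)


def replay_against_other_datanode(token_secret: bytes, token_id: bytes) -> bool:
    """Attack model from the issue: a rogue process bound to the datanode port
    challenges the client with a nonce of its own choosing, records the
    (token_id, response) pair, and later presents that response to a real
    datanode. Returns True only if the real datanode accepts the replay."""
    rogue_nonce = datanode_challenge()  # the squatter picks whatever nonce it likes
    captured_resp = client_response(token_secret, token_id, rogue_nonce)
    real_nonce = datanode_challenge()   # the real datanode issues its own
    return datanode_verify(token_secret, token_id, real_nonce, captured_resp)


def replay_with_reused_nonce(token_secret: bytes, token_id: bytes, nonce: bytes) -> bool:
    """Caveat: the scheme is only as good as nonce freshness. If a datanode
    ever reuses a nonce, the response captured under it is replayable."""
    captured_resp = client_response(token_secret, token_id, nonce)
    return datanode_verify(token_secret, token_id, nonce, captured_resp)


if __name__ == "__main__":
    # Constructed sample values, not real Hadoop identifiers.
    secret = b"example-block-key"
    tid = b"blk_0000000001:alice:READ"
    print("honest exchange accepted:", legitimate_exchange(secret, tid))
    print("replay to another datanode accepted:", replay_against_other_datanode(secret, tid))
    print("replay under a reused nonce accepted:", replay_with_reused_nonce(secret, tid, b"\x00" * NONCE_LEN))
```

Contrast with the current scheme the issue describes: a block token sent in the clear is itself the credential, so the squatter holds something valid until the token expires. With the challenge-response, the squatter holds a MAC tied to a nonce no other datanode will issue, which is why the low port stops being load-bearing for the token (though, as the comment notes, not for the data written on the same connection).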