[ https://issues.apache.org/jira/browse/HDFS-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13625861#comment-13625861 ]
Daryn Sharp commented on HDFS-4671:
-----------------------------------

I can see the argument for this change, but the user can sidestep the authorization by setting the env HADOOP_USER_NAME=hdfs so I'm not sure there's much value.

> DFSAdmin fetchImage should require superuser privilege even when security is
> not enabled
> ----------------------------------------------------------------------------------------
>
>                 Key: HDFS-4671
>                 URL: https://issues.apache.org/jira/browse/HDFS-4671
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.0.3-alpha
>            Reporter: Stephen Chu
>
> When security is not enabled, non-superusers can fetch the fsimage. This is
> problematic because the non-superusers can then process the fsimage for
> contents the user should not have access to.
> For example, schu is not a superuser and does not have access to
> hdfs://user/hdfs/. However, schu can still fetch the fsimage and run the
> OfflineImageViewer on the fsimage to examine the contents of
> hdfs://user/hdfs/.
> {code}
> [schu@hdfs-vanilla-1 images]$ hadoop fs -ls /user/hdfs
> ls: Permission denied: user=schu, access=READ_EXECUTE,
> inode="/user/hdfs":hdfs:supergroup:drwx------
> [schu@hdfs-vanilla-1 images]$ hdfs dfsadmin -fetchImage ~/images/
> 13/04/08 12:45:20 INFO namenode.TransferFsImage: Opening connection to
> http://hdfs-vanilla-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> 13/04/08 12:45:21 INFO namenode.TransferFsImage: Transfer took 0.91s at 91.61
> KB/s
> [schu@hdfs-vanilla-1 images]$ hdfs oiv -i
> ~/images/fsimage_0000000000000947148 -o ~/images/oiv.out
> {code}
> When kerberos authentication is enabled, superuser privilege is enforced:
> {code}
> [testuser@hdfs-secure-1 ~]$ hdfs dfsadmin -fetchImage ~/images/
> 13/04/08 12:48:23 INFO namenode.TransferFsImage: Opening connection to
> http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> 13/04/08 12:48:23 ERROR security.UserGroupInformation:
> PriviledgedActionException as:testu...@ent.cloudera.com (auth:KERBEROS)
> cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException:
> Image transfer servlet at
> http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> failed with status code 403
> Response message:
> Only Namenode, Secondary Namenode, and administrators may access this servlet
> fetchImage: Image transfer servlet at
> http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> failed with status code 403
> Response message:
> Only Namenode, Secondary Namenode, and administrators may access this servlet
> [testuser@hdfs-secure-1 ~]$
> {code}
> We should still enforce checking privileges when kerberos authentication is
> disabled.
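
A defender's check for the condition this thread turns on, as an added example that is not part of the original message or of Hadoop's own code: it merges `core-site.xml`-style documents and reports whether `hadoop.security.authentication` is left at `simple`, the mode in which the user name is supplied by the client. The function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_KEY = "hadoop.security.authentication"
DEFAULTS = {AUTH_KEY: "simple"}  # Hadoop's default when the key is absent


def load_properties(*xml_docs):
    """Merge Hadoop site documents in order. A later document overrides an
    earlier one unless the earlier one marked the property <final>true</final>."""
    props, final = dict(DEFAULTS), set()
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if not name or name in final:
                continue
            props[name] = (prop.findtext("value") or "").strip()
            if (prop.findtext("final") or "").strip().lower() == "true":
                final.add(name)
    return props


def audit_identity_trust(*xml_docs):
    """Return a list of findings; an empty list means Kerberos is in effect."""
    mode = load_properties(*xml_docs)[AUTH_KEY].lower()
    if mode == "kerberos":
        return []
    return [
        f"{AUTH_KEY}={mode}: the caller's user name is asserted by the client, "
        "so a superuser check on the image transfer servlet does not "
        "authenticate who is asking; restrict network access to the NameNode "
        "HTTP port or enable Kerberos"
    ]


# Constructed sample documents (not taken from the issue).
EMPTY_SITE = "<configuration/>"
KERBEROS_FINAL = """<configuration><property>
  <name>hadoop.security.authentication</name><value> kerberos </value>
  <final>true</final></property></configuration>"""
SIMPLE_OVERRIDE = """<configuration><property>
  <name>hadoop.security.authentication</name><value>simple</value>
  </property></configuration>"""

if __name__ == "__main__":
    for label, docs in [("defaults only", (EMPTY_SITE,)),
                        ("kerberos, final", (KERBEROS_FINAL, SIMPLE_OVERRIDE))]:
        print(label, "->", audit_identity_trust(*docs) or "ok")
```
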