[
https://issues.apache.org/jira/browse/HDFS-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13625861#comment-13625861
]
Daryn Sharp commented on HDFS-4671:
-----------------------------------
I can see the argument for this change, but the user can sidestep the
authorization by setting the env HADOOP_USER_NAME=hdfs so I'm not sure there's
much value.
> DFSAdmin fetchImage should require superuser privilege even when security is
> not enabled
> ----------------------------------------------------------------------------------------
>
> Key: HDFS-4671
> URL: https://issues.apache.org/jira/browse/HDFS-4671
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.0.3-alpha
> Reporter: Stephen Chu
>
> When security is not enabled, non-superusers can fetch the fsimage. This is
> problematic because the non-superusers can then process the fsimage for
> contents the user should not have access to.
> For example, schu is not a superuser and does not have access to
> hdfs://user/hdfs/. However, schu can still fetch the fsimage and run the
> OfflineImageViewer on the fsimage to examine the contents of
> hdfs://user/hdfs/.
> {code}
> [schu@hdfs-vanilla-1 images]$ hadoop fs -ls /user/hdfs
> ls: Permission denied: user=schu, access=READ_EXECUTE,
> inode="/user/hdfs":hdfs:supergroup:drwx------
> [schu@hdfs-vanilla-1 images]$ hdfs dfsadmin -fetchImage ~/images/
> 13/04/08 12:45:20 INFO namenode.TransferFsImage: Opening connection to
> http://hdfs-vanilla-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> 13/04/08 12:45:21 INFO namenode.TransferFsImage: Transfer took 0.91s at 91.61
> KB/s
> [schu@hdfs-vanilla-1 images]$ hdfs oiv -i
> ~/images/fsimage_0000000000000947148 -o ~/images/oiv.out
> {code}
> When kerberos authentication is enabled, superuser privilege is enforced:
> {code}
> [testuser@hdfs-secure-1 ~]$ hdfs dfsadmin -fetchImage ~/images/
> 13/04/08 12:48:23 INFO namenode.TransferFsImage: Opening connection to
> http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> 13/04/08 12:48:23 ERROR security.UserGroupInformation:
> PriviledgedActionException as:testu...@ent.cloudera.com (auth:KERBEROS)
> cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException:
> Image transfer servlet at
> http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> failed with status code 403
> Response message:
> Only Namenode, Secondary Namenode, and administrators may access this servlet
> fetchImage: Image transfer servlet at
> http://hdfs-secure-1.ent.cloudera.com:50070/getimage?getimage=1&txid=latest
> failed with status code 403
> Response message:
> Only Namenode, Secondary Namenode, and administrators may access this servlet
> [testuser@hdfs-secure-1 ~]$
> {code}
> We should still enforce checking privileges when kerberos authentication is
> disabled.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
