[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HDFS-11069:
------------------------------
    Fix Version/s: 2.8.0
                   2.9.0

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
> Reporter: Kihwal Lee
> Assignee: Kihwal Lee
> Fix For: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
>
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)

To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HDFS-11069:
------------------------------
    Resolution: Fixed
    Hadoop Flags: Reviewed
    Fix Version/s: 3.0.0-alpha2
                   2.7.4
    Status: Resolved (was: Patch Available)

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
> Reporter: Kihwal Lee
> Assignee: Kihwal Lee
> Fix For: 2.7.4, 3.0.0-alpha2
>
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.

[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HDFS-11069:
------------------------------
    Attachment: HDFS-11069.patch

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
> Reporter: Kihwal Lee
> Assignee: Kihwal Lee
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.

[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HDFS-11069:
------------------------------
    Status: Patch Available (was: Open)

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
> Reporter: Kihwal Lee
> Assignee: Kihwal Lee
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.

[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HDFS-11069:
------------------------------
    Description:
The current implementation of {{checkSuperuserPrivilege()}} allows the datanode user from any node to be recognized as a super user. If one datanode is compromised, the intruder can issue {{shutdownDatanode()}}, {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other datanodes. Although this does not expose stored data, it can cause service disruptions.
This needs to be tightened to allow only the local datanode user.

  was:
The current implementation of {{checkSuperuserPrivilege()}} allows the datanode user from any node to be recognized as a super user. If one datanode is compromised, the intruder can issue {{shutdownDatanode()}}, {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other datanodes.
This needs to be tightened to allow only the local datanode user.

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
> Reporter: Kihwal Lee
> Assignee: Kihwal Lee
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.

[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[ https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HDFS-11069:
------------------------------
    Issue Type: Improvement (was: Bug)

> Tighten the authorization of datanode RPC
> -----------------------------------------
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
> Reporter: Kihwal Lee
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes.
> This needs to be tightened to allow only the local datanode user.
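
An added example, not Hadoop's code and not the attached patch: a minimal Java model of the gap the issue describes, contrasting a check that recognizes the datanode user by name alone with one that accepts only the local datanode's own identity. It assumes datanodes authenticate with per-host Kerberos principals of the form `primary/host@REALM`; the class, the method names and the sample principals are hypothetical, and only the datanode-user comparison is modelled.

```java
import java.util.List;

// Added illustration; not Hadoop source. All names here are hypothetical.
public class DatanodeRpcAuthzDemo {

    // Short name of a Kerberos principal:
    // "hdfs/dn1.example.com@EXAMPLE.COM" -> "hdfs", "alice@EXAMPLE.COM" -> "alice".
    static String shortName(String principal) {
        int end = principal.length();
        int at = principal.indexOf('@');
        if (at >= 0) {
            end = at;
        }
        int slash = principal.indexOf('/');
        if (slash >= 0 && slash < end) {
            end = slash;
        }
        return principal.substring(0, end);
    }

    // Loose check: the caller is privileged if its short name matches the
    // local datanode's, so the datanode user from any node passes.
    static boolean looseCheck(String localPrincipal, String callerPrincipal) {
        return shortName(callerPrincipal).equals(shortName(localPrincipal));
    }

    // Tight check: only the exact principal this datanode runs as passes,
    // which binds the privilege to the local host component.
    static boolean tightCheck(String localPrincipal, String callerPrincipal) {
        return callerPrincipal.equals(localPrincipal);
    }

    public static void main(String[] args) {
        // Constructed sample principals (assumption: per-host service principals).
        String local = "hdfs/dn1.example.com@EXAMPLE.COM";
        List<String> callers = List.of(
            "hdfs/dn1.example.com@EXAMPLE.COM",  // the local datanode itself
            "hdfs/dn7.example.com@EXAMPLE.COM",  // datanode user on another node
            "alice@EXAMPLE.COM");                // ordinary user
        for (String caller : callers) {
            System.out.printf("%-36s loose=%-5b tight=%b%n",
                caller, looseCheck(local, caller), tightCheck(local, caller));
        }
    }
}
```

The second caller is the case the issue is about: it passes the loose check and is rejected by the tight one.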