[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[
https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kihwal Lee updated HDFS-11069:
--
Fix Version/s: 2.8.0
2.9.0
> Tighten the authorization of datanode RPC
> -
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
>Reporter: Kihwal Lee
>Assignee: Kihwal Lee
> Fix For: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
>
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[
https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kihwal Lee updated HDFS-11069:
--
Resolution: Fixed
Hadoop Flags: Reviewed
Fix Version/s: 3.0.0-alpha2
2.7.4
Status: Resolved (was: Patch Available)
> Tighten the authorization of datanode RPC
> -
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
>Reporter: Kihwal Lee
>Assignee: Kihwal Lee
> Fix For: 2.7.4, 3.0.0-alpha2
>
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[
https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kihwal Lee updated HDFS-11069:
--
Attachment: HDFS-11069.patch
> Tighten the authorization of datanode RPC
> -
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
>Reporter: Kihwal Lee
>Assignee: Kihwal Lee
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[
https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kihwal Lee updated HDFS-11069:
--
Status: Patch Available (was: Open)
> Tighten the authorization of datanode RPC
> -
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
>Reporter: Kihwal Lee
>Assignee: Kihwal Lee
> Attachments: HDFS-11069.patch
>
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[
https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kihwal Lee updated HDFS-11069:
--
Description:
The current implementation of {{checkSuperuserPrivilege()}} allows the datanode
user from any node to be recognized as a super user. If one datanode is
compromised, the intruder can issue {{shutdownDatanode()}}, {{evictWriters()}},
{{triggerBlockReport()}}, etc. against all other datanodes. Although this does
not expose stored data, it can cause service disruptions.
This needs to be tightened to allow only the local datanode user.
was:
The current implementation of {{checkSuperuserPrivilege()}} allows the datanode
user from any node to be recognized as a super user. If one datanode is
compromised, the intruder can issue {{shutdownDatanode()}}, {{evictWriters()}},
{{triggerBlockReport()}}, etc. against all other datanodes.
This needs to be tightened to allow only the local datanode user.
> Tighten the authorization of datanode RPC
> -
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
>Reporter: Kihwal Lee
>Assignee: Kihwal Lee
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes. Although this does not expose stored data, it can cause service
> disruptions.
> This needs to be tightened to allow only the local datanode user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-11069) Tighten the authorization of datanode RPC
[
https://issues.apache.org/jira/browse/HDFS-11069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kihwal Lee updated HDFS-11069:
--
Issue Type: Improvement (was: Bug)
> Tighten the authorization of datanode RPC
> -
>
> Key: HDFS-11069
> URL: https://issues.apache.org/jira/browse/HDFS-11069
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, security
>Reporter: Kihwal Lee
>
> The current implementation of {{checkSuperuserPrivilege()}} allows the
> datanode user from any node to be recognized as a super user. If one
> datanode is compromised, the intruder can issue {{shutdownDatanode()}},
> {{evictWriters()}}, {{triggerBlockReport()}}, etc. against all other
> datanodes.
> This needs to be tightened to allow only the local datanode user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
