Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-11053

Unnecessary superuser check in versionRequest()

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.7.4, 3.0.0-alpha2
    • namenode, security
    • None
    • Reviewed

    Description

      The versionRequest() call does not return any sensitive information. It is mainly used for sanity checks. The presence of checkSuperuserPrivilege() forces users to run datanode as a hdfs superuser.

      In secure setup, a keytab obtained from a compromised datanode can allow the intruder to gain hdfs superuser privilege. We should allow datanodes to be run as non-hdfs-superuser by removing checkSuperuserPrivilege() from versionRequest().

      Attachments

        1. HDFS-11053.patch
          0.8 kB
          Kihwal Lee

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. HDFS-11069 Tighten the authorization of datanode RPC

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              kihwal Kihwal Lee
              kihwal Kihwal Lee
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: