[HDFS-11069] Tighten the authorization of datanode RPC - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
Component/s: datanode, security
Labels:
None

Target Version/s:

2.7.4
Hadoop Flags:

Reviewed

Description

The current implementation of checkSuperuserPrivilege() allows the datanode user from any node to be recognized as a super user. If one datanode is compromised, the intruder can issue shutdownDatanode(), evictWriters(), triggerBlockReport(), etc. against all other datanodes. Although this does not expose stored data, it can cause service disruptions.

This needs to be tightened to allow only the local datanode user.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HDFS-11069.patch
27/Oct/16 15:57
1 kB
Kihwal Lee

Issue Links

is depended upon by

HDFS-12372 Document the impact of HDFS-11069 (Tighten the authorization of datanode RPC)

Open

is related to

HDFS-11053 Unnecessary superuser check in versionRequest()

Resolved

Activity

People

Assignee:: Kihwal Lee

Reporter:: Kihwal Lee

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 27/Oct/16 15:50

Updated:: 02/Oct/19 17:15

Resolved:: 27/Oct/16 19:24