Thank you, Aaron T. Myers. I am so sorry for the late comments. The patch looks good, and it adds a nice feature. Given we don't have NFS Kerberos supported yet, this feature adds additional security to the NFS gateway. I have a few comments.
1. Nfs3.java: the configuration setting is not taken. This can be fixed as part of the config cleanup in HDFS-6056 since it's a trivial change.
+ Configuration conf = new Configuration();
+ boolean allowInsecurePorts = conf.getBoolean(
+ final Nfs3 nfsServer = new Nfs3(new Configuration(), registrationSocket,
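Review bot: the Nfs3 constructor call on the last line is given a second new Configuration() instead of the conf created two lines above, so allowInsecurePorts is read from one object while the server is built with another. Pass conf to the constructor so both use the same instance.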
2. Port monitoring is the feature name in traditional NFS servers, and we may want to make the config property (along with the related variable allowInsecurePorts) something like dfs.nfs.port.monitoring. Even though traditional NFS has two port monitoring settings, for NFS server and mountd, I think one config property is good enough for both of them in our NFS gateway.
3. According to RFC2623 (http://www.rfc-editor.org/rfc/rfc2623.txt):
Whether port monitoring is enabled or not, NFS servers SHOULD NOT reject NFS requests to the NULL procedure (procedure number 0). See subsection 2.3.1, "NULL procedure" for a complete explanation.
I do notice that NFS clients (most of the time) send mount NULL and nfs NULL from a non-privileged port. If we deny that call in mountd or nfs server, the client can't mount the export even as user root.
4. It would be nice to have the user guide updated too.
HDFS-6439 to track the change for 2,3,4 and I will post more comments there.
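
Added example, not part of the comment above and not code from the patch or from Hadoop: a self-contained sketch of the port-monitoring decision described in points 2 and 3, with one flag shared by mountd and the NFS server and the NULL procedure always answered. The class, method and field names are hypothetical, the privileged-port boundary of 1024 is the usual convention, and the sample calls are constructed.

```java
import java.net.InetSocketAddress;

// Added illustration: class, method and field names are hypothetical, not Hadoop's.
public class PortMonitoringCheck {
    static final int NULL_PROCEDURE = 0;             // RFC 2623: procedure number 0
    static final int FIRST_UNPRIVILEGED_PORT = 1024; // ports below this are privileged

    private final boolean allowInsecurePorts;        // one flag shared by mountd and NFS

    PortMonitoringCheck(boolean allowInsecurePorts) {
        this.allowInsecurePorts = allowInsecurePorts;
    }

    /** Decide whether an RPC call may proceed, given its source address and procedure. */
    boolean accept(InetSocketAddress client, int procedure) {
        if (allowInsecurePorts) {
            return true;                             // port monitoring disabled
        }
        if (procedure == NULL_PROCEDURE) {
            return true;                             // NULL is answered whatever the source port
        }
        int port = client.getPort();
        return port > 0 && port < FIRST_UNPRIVILEGED_PORT;
    }

    public static void main(String[] args) {
        PortMonitoringCheck monitor = new PortMonitoringCheck(false);
        // Constructed sample calls: {label, procedure number, client source port}
        Object[][] calls = {
            {"mountd NULL", 0, 50412},
            {"nfs NULL", 0, 50413},
            {"mountd MNT", 1, 703},
            {"nfs GETATTR", 1, 703},
            {"nfs GETATTR", 1, 50414},
        };
        for (Object[] c : calls) {
            InetSocketAddress src =
                InetSocketAddress.createUnresolved("192.0.2.10", (Integer) c[2]);
            boolean ok = monitor.accept(src, (Integer) c[1]);
            System.out.printf("%-12s from port %5d -> %s%n",
                c[0], c[2], ok ? "accept" : "reject");
        }
    }
}
```

With port monitoring on, both NULL calls from unprivileged ports still go through, while the GETATTR from the unprivileged port is the only call rejected.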