A lot of security related JIRAs are linked to http://issues.apache.org/jira/browse/HADOOP-4487
thanks,
dhruba

On Sun, Aug 2, 2009 at 10:36 PM, Palleti, Pallavi <pallavi.pall...@corp.aol.com> wrote:

> Thanks Dhruba. I will do that. Also, could you refer me to any
> documentation/link regarding any work happening in this regard. I would
> be interested in participating/contributing in it.
>
> Thanks
> Pallavi
>
> -----Original Message-----
> From: Dhruba Borthakur [mailto:dhr...@gmail.com]
> Sent: Monday, August 03, 2009 10:59 AM
> To: common-dev@hadoop.apache.org
> Subject: Re: Remote access to cluster with superuser privileges from untrusted IPs
>
> Hi Pallavi,
>
> You are always welcome to post your code as a patch to a JIRA. Even if it
> does not get committed to the Hadoop code base, you can always refer people
> to your patch in the JIRA and ask them to use it.
>
> thanks,
> dhruba
>
> On Sun, Aug 2, 2009 at 8:54 PM, Palleti, Pallavi <pallavi.pall...@corp.aol.com> wrote:
>
> > Can someone kindly let me know whether any work is happening in this
> > regard. If not, I would like to add a patch which might be useful for
> > many.
> >
> > Thanks
> > Pallavi
> >
> > -----Original Message-----
> > From: Palleti, Pallavi [mailto:pallavi.pall...@corp.aol.com]
> > Sent: Friday, July 31, 2009 12:20 PM
> > To: common-dev@hadoop.apache.org
> > Subject: Remote access to cluster with superuser privileges from untrusted IPs
> >
> > Hi all,
> >
> > We are using hadoop-0.18.2 in our cluster and figured out that there is
> > a security flaw in current hadoop code as it doesn't check the
> > authentication of user. This would let any person access the cluster as
> > super user once the details like super user name and the configuration
> > details are known. I tried to solve this issue by allowing super user
> > access only from some specified IP Range. This would at least block
> > remote super user access from untrusted IP Addresses.
> >
> > I have modified the code accordingly in Server.java code. I would like
> > to add it as a patch so that it can be useful for others. However, when
> > I looked at the trunk code, I could see that there is some work related
> > to it happening but am not sure. Especially, there is some code at
> > Server.java which throws PrivilegedActionException for untrusted user I
> > believe. Can someone kindly clarify if it is written for the same
> > purpose? If not, kindly suggest the version I should use to create a
> > patch so that it can be useful for many.
> >
> > Thanks
> >
> > Pallavi
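
The mitigation described in the original message of this thread (accepting the superuser name only from specified IP ranges), sketched as an added example; it is not part of the thread, not the poster's patch, and not Hadoop's `Server.java`. The class name, the superuser name `hadoop` and the CIDR values are assumptions made for illustration. The check must be fed the peer address of the accepted socket, never an address supplied in the request, and it narrows where a claimed identity may come from without authenticating it.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper (not Hadoop code): gate a claimed superuser name on the caller's address. */
public class SuperuserIpGate {
    private final String superuser;      // assumed: the configured superuser name
    private final List<String> trusted;  // assumed: trusted ranges in CIDR notation

    public SuperuserIpGate(String superuser, List<String> trustedCidrs) {
        this.superuser = superuser;
        this.trusted = trustedCidrs;
    }

    /** True if addr lies inside cidr; IPv4 and IPv6 are supported, mixed families never match. */
    static boolean inCidr(InetAddress addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] ip = addr.getAddress();
        if (net.length != ip.length) return false;
        int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
        if (prefix < 0 || prefix > net.length * 8) throw new IllegalArgumentException(cidr);
        int fullBytes = prefix / 8, remBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++) if (net[i] != ip[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;  // high remBits bits of the partial byte
        return (net[fullBytes] & mask) == (ip[fullBytes] & mask);
    }

    /** Ordinary users pass through; a superuser claim is accepted only from a trusted range. */
    public boolean allow(String claimedUser, InetAddress remote) throws UnknownHostException {
        if (!superuser.equals(claimedUser)) return true;
        for (String cidr : trusted) if (inCidr(remote, cidr)) return true;
        return false;  // default deny: superuser name presented from an untrusted address
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values (documentation address ranges), not taken from the thread.
        SuperuserIpGate gate = new SuperuserIpGate("hadoop", Arrays.asList("192.0.2.0/24"));
        System.out.println(gate.allow("hadoop", InetAddress.getByName("192.0.2.17")));
        System.out.println(gate.allow("hadoop", InetAddress.getByName("198.51.100.9")));
        System.out.println(gate.allow("alice", InetAddress.getByName("198.51.100.9")));
    }
}
```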