Hi Devs,

Related to HDDS-7454 <https://issues.apache.org/jira/browse/HDDS-7454>,
I need opinions on whether this requires handling or not, based on impact and
complexity. A brief is given below, and the same is present in Jira.


Please share opinion ...

*For a non-secure env* with a raw/malicious client, the cases are below:

1) Writing to a new DN will cause addition of a container, which can cause data loss
- Raised JIRA: HDDS-7552 <https://issues.apache.org/jira/browse/HDDS-7552>

    Will avoid writing / delete the container to the DN.

2) Writing a new block to a DN that has the container causes additional blocks
and consumes space

    Impact: additional space consumption

    Note: there is no way to control this in the current design, as OM and DN do
not have any sync. It may need a solution in future, including Recon, which can
have OM, SCM and DN information and mapping.

3) Writing with unknown container to DN causing addition of container -
Already handled using HDDS-3241
<https://issues.apache.org/jira/browse/HDDS-3241>



*For a secure env*, as the current bug, need opinion on whether it is required to
be handled, based on impact:

   1. Authorization of pipeline / DNs: Currently it's not present as part of
   this bug. It's suggested to be added as part of the block token.



Pros:

   - Avoid writing to a DN for which it is not intended, and avoid the malicious
   impact of data loss and space consumption, as shown above for the non-secure
   env impact.

Cons:

   - Need to have code for adding the pipeline in token generation, passing and
   validation at DNs
   - Code will be complex; EC has a different way of syncing, inducing
   complexity and failure points

*Security Impact if this is not handled:*

   - SCM needs to validate a new container using ICR, which is async, and needs
   at least 2 heartbeats to notify the DN to avoid writing (30+ seconds).
   - During this time, the client can add a lot of block data
   - Exploitation is easy, but the client should be authorized to get block
   write permission



-- 
*Sumit Agrawal* | Senior Staff Engineer
cloudera.com <https://www.cloudera.com>
------------------------------
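
The pipeline/DN authorization suggested in the message, sketched as an added example; it is not code from the email or from Apache Ozone. The token layout, the shared HMAC key, and all names (`issue_token`, `dn_accepts_write`, the `dn-*` IDs) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: key shared by issuer and DNs
BLOCK = "container-7/block-42"       # constructed sample block ID


def issue_token(block_id, dn_ids, ttl=60, now=None):
    """Issuer side: sign the block ID together with the pipeline's DN IDs."""
    now = time.time() if now is None else now
    claims = {"block": block_id, "pipeline": sorted(dn_ids), "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload, hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def dn_accepts_write(dn_id, block_id, token, check_pipeline=True, now=None):
    """DN side: verify MAC, expiry, block ID and, if enabled, pipeline membership."""
    payload, mac = token
    now = time.time() if now is None else now
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False, "expired"
    if claims["block"] != block_id:
        return False, "wrong block"
    # The extra check under discussion: is this DN one the token was issued for?
    if check_pipeline and dn_id not in claims["pipeline"]:
        return False, "DN not in token pipeline"
    return True, "ok"


def demo():
    token = issue_token(BLOCK, ["dn-a", "dn-b", "dn-c"], now=1000)
    forged = (token[0].replace(b"dn-c", b"dn-x"), token[1])  # pipeline edited, old MAC kept
    return {
        "member": dn_accepts_write("dn-a", BLOCK, token, now=1010),
        "outsider_unbound": dn_accepts_write("dn-x", BLOCK, token, check_pipeline=False, now=1010),
        "outsider_bound": dn_accepts_write("dn-x", BLOCK, token, now=1010),
        "forged": dn_accepts_write("dn-x", BLOCK, forged, now=1010),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With `check_pipeline=False` the token behaves like one that carries no pipeline, so a DN outside the pipeline accepts the write; with the check on, the DN rejects it locally without waiting for SCM.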
