[jira] [Created] (HDFS-11053) Unnecessary superuser check in versionRequest()

Kihwal Lee (JIRA) Tue, 25 Oct 2016 13:32:49 -0700

Kihwal Lee created HDFS-11053:
---------------------------------

             Summary: Unnecessary superuser check in versionRequest()
                 Key: HDFS-11053
                 URL: https://issues.apache.org/jira/browse/HDFS-11053
             Project: Hadoop HDFS
          Issue Type: Bug
            Reporter: Kihwal Lee



The {{versionRequest()}} call does not return any sensitive information.  It is 
mainly used for sanity checks.   The presence of {{checkSuperuserPrivilege()}} 
forces users to run datanode as a hdfs superuser.

In secure setup, a keytab obtained from a compromised datanode can allow the 
intruder to gain hdfs superuser privilege.  We should allow datanodes to be run 
as non-hdfs-superuser by removing {{checkSuperuserPrivilege()}} from 
{{versionRequest()}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org

[jira] [Created] (HDFS-11053) Unnecessary superuser check in versionRequest()

Reply via email to