hadoop-common-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [hadoop] lujiefsi opened a new pull request #2966: HDFS-16004.startLogSegment and journal in BackupNode lack Permission …
Date Fri, 30 Apr 2021 03:32:59 GMT

lujiefsi opened a new pull request #2966:
URL: https://github.com/apache/hadoop/pull/2966


   I have some doubts when I configure secure HDFS. I know we have Service Level Authorization
 for protocols like NamenodeProtocol, DatanodeProtocol and so on.
   But I do not find such authorization for JournalProtocol after reading the code in HDFSPolicyProvider.
 And if we have it, how can I configure such authorization?
    
   Besides, even though NamenodeProtocol has Service Level Authorization, its methods still have
 permission checks. Take startCheckpoint in NameNodeRpcServer, which implements NamenodeProtocol,
 for example:
    
       public NamenodeCommand startCheckpoint(NamenodeRegistration registration)
           throws IOException {
         String operationName = "startCheckpoint";
         checkNNStartup();
         namesystem.checkSuperuserPrivilege(operationName);
         ......
    
   I found that the methods in BackupNodeRpcServer, which implements JournalProtocol, lack
 such a permission check. See below:
    
    
       public void startLogSegment(JournalInfo journalInfo, long epoch,
           long txid) throws IOException {
         namesystem.checkOperation(OperationCategory.JOURNAL);
         verifyJournalRequest(journalInfo);
         getBNImage().namenodeStartedLogSegment(txid);
       }
    
       @Override
       public void journal(JournalInfo journalInfo, long epoch, long firstTxId,
           int numTxns, byte[] records) throws IOException {
         namesystem.checkOperation(OperationCategory.JOURNAL);
         verifyJournalRequest(journalInfo);
         getBNImage().journal(firstTxId, numTxns, records);
       }
    
   Do we need to add permission checks for them?

   Please point out my mistakes if I am wrong or missing something.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
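
The pattern the message contrasts, as an added stand-alone example (not code from the pull request or from Hadoop; needs Java 16+): a handler shaped like the quoted journal() that never examines its caller, beside one that runs a superuser check first as startCheckpoint does. Caller, Namesystem, JournalRpc, the explicit caller argument and the user and group names are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Set;
// Stand-alone model, not Hadoop code. Caller, Namesystem and JournalRpc are hypothetical
// stand-ins; the caller is passed explicitly instead of being taken from the RPC context.
public class JournalPermissionDemo {
  record Caller(String user, Set<String> groups) {}
  static class Namesystem {
    private final String superuser, supergroup;
    Namesystem(String u, String g) { superuser = u; supergroup = g; }
    // Plays the role of checkSuperuserPrivilege(operationName) in the message.
    void checkSuperuserPrivilege(String op, Caller c) throws IOException {
      if (!c.user().equals(superuser) && !c.groups().contains(supergroup)) {
        throw new IOException("Access denied for user " + c.user()
            + ": " + op + " requires superuser privilege");
      }
    }
  }
  static class JournalRpc {
    private final Namesystem ns = new Namesystem("hdfs", "supergroup"); // constructed values
    long lastTxId = 0;

    // Shape of the quoted journal(): the request is processed, the caller is never examined.
    void journalUnchecked(Caller c, long firstTxId, int numTxns) {
      lastTxId = firstTxId + numTxns - 1;
    }

    // Same handler with the per-method check placed first, as in startCheckpoint.
    void journalChecked(Caller c, long firstTxId, int numTxns) throws IOException {
      ns.checkSuperuserPrivilege("journal", c);
      lastTxId = firstTxId + numTxns - 1;
    }
  }

  public static void main(String[] args) {
    Caller admin = new Caller("hdfs", Set.of("supergroup"));   // constructed caller
    Caller other = new Caller("alice", Set.of("users"));       // constructed caller
    JournalRpc rpc = new JournalRpc();
    rpc.journalUnchecked(other, 1, 10);
    System.out.println("unchecked, alice: accepted, lastTxId=" + rpc.lastTxId);
    for (Caller c : new Caller[] {admin, other}) {
      try {
        rpc.journalChecked(c, 11, 5);
        System.out.println("checked, " + c.user() + ": accepted, lastTxId=" + rpc.lastTxId);
      } catch (IOException e) {
        System.out.println("checked, " + c.user() + ": rejected (" + e.getMessage() + ")");
      }
    }
  }
}
```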

