-
Hadoop Security via Kerberosrohit sarewar 2013-02-27, 17:14
Hi
I am trying to learn how Kerberos can be implemented in Hadoop.
I have gone through this doc
https://issues.apache.org/jira/browse/HADOOP-4487
I have also gone through Basic Kerberos stuff (http://web.mit.edu/kerberos/,
https://www.youtube.com/watch?v=KD2Q-2ToloE)
1) The apache doc uses the word "Token" whereas the general doc over the
internet uses the term "Ticket".
Are Token and Ticket same ?
2) The apache doc also "DataNodes do not enforce any access control on
accesses to its data blocks.
This makes it possible for an unauthorized client to read a data block
as
long as she can supply its block ID. It’s also possible for anyone to
write
arbitrary data blocks to DataNodes."
My thoughts on this:-
*I can fetch the block Id from file path using the command:-*
hadoop@Studio-1555:/opt/hadoop/hadoop-1.0.2/bin$ ./hadoop fsck
/hadoop/mapred/system/jobtracker.info -files -blocks
FSCK started by hadoop from /127.0.0.1 for path /hadoop/mapred/system/
jobtracker.info at Mon Jul 09 06:57:14 EDT 2012
/hadoop/mapred/system/jobtracker.info 4 bytes, 1 block(s): OK
0. blk_-9148080207111019586_1001 len=4 repl=1
As I was authorized to access this file jobtracker.info, I was able to find
its blockID using the above command.
I think that if I add some offset to this block ID and write to that
datanode.
*
How can I explicitly mention the blockID while writing a file to HDFS.(What
is the command ?)*
Any other way to write arbitrary data blocks to DataNodes ?
Please tell me if my approach is wrong ?
I am trying to learn how Kerberos can be implemented in Hadoop.
I have gone through this doc
https://issues.apache.org/jira/browse/HADOOP-4487
I have also gone through Basic Kerberos stuff (http://web.mit.edu/kerberos/,
https://www.youtube.com/watch?v=KD2Q-2ToloE)
1) The apache doc uses the word "Token" whereas the general doc over the
internet uses the term "Ticket".
Are Token and Ticket same ?
2) The apache doc also "DataNodes do not enforce any access control on
accesses to its data blocks.
This makes it possible for an unauthorized client to read a data block
as
long as she can supply its block ID. It’s also possible for anyone to
write
arbitrary data blocks to DataNodes."
My thoughts on this:-
*I can fetch the block Id from file path using the command:-*
hadoop@Studio-1555:/opt/hadoop/hadoop-1.0.2/bin$ ./hadoop fsck
/hadoop/mapred/system/jobtracker.info -files -blocks
FSCK started by hadoop from /127.0.0.1 for path /hadoop/mapred/system/
jobtracker.info at Mon Jul 09 06:57:14 EDT 2012
/hadoop/mapred/system/jobtracker.info 4 bytes, 1 block(s): OK
0. blk_-9148080207111019586_1001 len=4 repl=1
As I was authorized to access this file jobtracker.info, I was able to find
its blockID using the above command.
I think that if I add some offset to this block ID and write to that
datanode.
*
How can I explicitly mention the blockID while writing a file to HDFS.(What
is the command ?)*
Any other way to write arbitrary data blocks to DataNodes ?
Please tell me if my approach is wrong ?
