花花世界蕾 posted on 2017-12-17 08:44:50

Hadoop security: hftp

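  hftp is enabled by default and allows files to be accessed and downloaded through a browser. In this mode all files can be read, which leaves a security risk.
  The test is as follows:

  The parent directory selfreadonly of /user/hive/warehouse/cdntest.db/selfreadonly/hosts is owned by zhouyang with permissions 700, yet user xiangtao can download the file simply by entering the following address in a browser.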
  
http://localhost:50070/webhdfs/v1/user/hive/warehouse/cdntest.db/selfreadonly/hosts?op=OPEN&offset=0&length=1024
  

  Add the following configuration to hdfs-site.xml to disable webhdfs:

<property>
  <name>dfs.webhdfs.enabled</name>
  <value>false</value>
</property>
  

  
After webhdfs is disabled, the hftp protocol can still be used. The test is as follows:
  
$ hadoop fs -ls hftp://localhost:50070/user/hive/warehouse/cdntest.db/selfreadonly
  
ls: user=xiangtao, access=READ_EXECUTE, inode="/user/hive/warehouse/cdntest.db/selfreadonly":zhouyang:cdn:drwx------
  
$ hadoop fs -ls hftp://localhost:50070/user/hive/warehouse/cdntest.db
  
Found 4 items
  
drwx------   - zhouyang cdn          0 2015-06-04 10:40 hftp://localhost:50070/user/hive/warehouse/cdntest.db/selfreadonly
  
drwxrwxr-x   - wangjing cdn          0 2015-06-02 18:51 hftp://localhost:50070/user/hive/warehouse/cdntest.db/testp1
  
drwxrwx---   - cdn      cdn          0 2015-06-03 17:37 hftp://localhost:50070/user/hive/warehouse/cdntest.db/testp2
  
drwxrwxr-x   - wangjing cdn          0 2015-06-02 10:17 hftp://localhost:50070/user/hive/warehouse/cdntest.db/wangjing
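
The hdfs-site.xml change described above can be checked mechanically. The following is an added example, not part of the original post: a Python audit of one hdfs-site.xml that reports whether dfs.webhdfs.enabled is effectively false. It assumes that an absent property means WebHDFS is on (the Hadoop 2.x default) and that a later definition overrides an earlier one unless the earlier one is marked final; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

PROP = "dfs.webhdfs.enabled"

# Constructed hdfs-site.xml samples for illustration; not from a real cluster.
SAMPLE_FIXED = """<configuration>
  <property>
    <name>dfs.webhdfs.enabled</name>
    <value>false</value>
  </property>
</configuration>"""

SAMPLE_MISSING = """<configuration>
  <property>
    <name>dfs.replication</name>
    <value>3</value>
  </property>
</configuration>"""

SAMPLE_OVERRIDDEN = """<configuration>
  <property><name>dfs.webhdfs.enabled</name><value>false</value></property>
  <property><name>dfs.webhdfs.enabled</name><value> TRUE </value></property>
</configuration>"""

def webhdfs_enabled(xml_text, default=True):
    """Return (enabled, reason) for dfs.webhdfs.enabled in one hdfs-site.xml."""
    root = ET.fromstring(xml_text)
    enabled, reason, locked = default, "not set, assumed default applies", False
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() != PROP:
            continue
        if locked:
            continue  # assumption: an earlier <final>true</final> blocks overrides
        raw = (prop.findtext("value") or "").strip().lower()
        if raw in ("true", "false"):
            enabled, reason = raw == "true", "explicitly set to " + raw
        else:
            enabled, reason = default, "unparsable value, assumed default applies"
        locked = (prop.findtext("final") or "").strip().lower() == "true"
    return enabled, reason

def audit(xml_text):
    """PASS only when WebHDFS is effectively disabled, as the fix above intends."""
    enabled, reason = webhdfs_enabled(xml_text)
    return ("FAIL" if enabled else "PASS") + ": " + PROP + " " + reason

if __name__ == "__main__":
    for label, text in [("fixed", SAMPLE_FIXED), ("missing", SAMPLE_MISSING),
                        ("overridden", SAMPLE_OVERRIDDEN)]:
        print(label, "->", audit(text))
```

The check covers only the file it is given; the NameNode must be restarted with that file for the setting to take effect.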
  
