[
https://issues.apache.org/jira/browse/HADOOP-19109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiaobao Wu updated HADOOP-19109:
--------------------------------
Description:
In the environment where the *Ranger-HDFS* plugin is enabled, I look at the log
information of *AccessControlException* caused by the *du.* I find that the
printed log information is not accurate, because the original
AccessControlException is ignored by checkPermission, which is not conducive to
judging the real situation of the AccessControlException . At least part of
the original log information should be printed.
AccessControlException information currently printed:
{code:java}
org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
Permission denied: user=test,access=READ_EXECUTE,
inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226){code}
The original AccessControlException information printed:
{code:java}
org.apache.hadoop.security.AccessControlException: Permission denied:
user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400)
{code}
>From the comparison results of the above log information, it can be seen that
>the inode information and the exception stack printed by the log are not
>accurate.
Later, the *inode* information prompted by the original AccessControlException
log information makes me realize that the Ranger-HDFS plug-in in the current
environment is not incorporated into RANGER-2297, so I think it is necessary to
prompt this part of the log information.
was:
In the environment where the *Ranger-HDFS* plugin is enabled, I look at the log
information of *AccessControlException* caused by the *du.* I find that the
printed log information is not accurate, because the original
AccessControlException is ignored by checkPermission, which is not conducive to
judging the real situation of the AccessControlException . At least part of
the original log information should be printed.
AccessControlException information currently printed:
{code:java}
org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
Permission denied: user=test,access=READ_EXECUTE,
inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226){code}
The original AccessControlException information printed:
{code:java}
org.apache.hadoop.security.AccessControlException: Permission denied:
user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400)
{code}
>From the comparison results of the above log information, it can be seen that
>the inode information and the exception stack printed by the log are not
>accurate.
Later, the *inode* information prompted by the original AccessControlException
log information makes me realize that the Ranger-HDFS plug-in in the current
environment is not incorporated into RANGER-2297, so I think it is necessary to
prompt this part of the log information.
> checkPermission should not ignore original AccessControlException
> ------------------------------------------------------------------
>
> Key: HADOOP-19109
> URL: https://issues.apache.org/jira/browse/HADOOP-19109
> Project: Hadoop Common
> Issue Type: Improvement
> Components: hdfs-client
> Affects Versions: 3.3.0
> Reporter: Xiaobao Wu
> Priority: Minor
>
> In the environment where the *Ranger-HDFS* plugin is enabled, I look at the
> log information of *AccessControlException* caused by the *du.* I find that
> the printed log information is not accurate, because the original
> AccessControlException is ignored by checkPermission, which is not conducive
> to judging the real situation of the AccessControlException . At least part
> of the original log information should be printed.
> AccessControlException information currently printed:
> {code:java}
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
> Permission denied: user=test,access=READ_EXECUTE,
> inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
> at
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226){code}
> The original AccessControlException information printed:
> {code:java}
> org.apache.hadoop.security.AccessControlException: Permission denied:
> user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
> at
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400)
> {code}
> From the comparison results of the above log information, it can be seen that
> the inode information and the exception stack printed by the log are not
> accurate.
> Later, the *inode* information prompted by the original
> AccessControlException log information makes me realize that the Ranger-HDFS
> plug-in in the current environment is not incorporated into RANGER-2297, so I
> think it is necessary to prompt this part of the log information.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
