Dian Fu created HADOOP-11322:
--------------------------------

    Summary: key based ACL check in KMS always check KeyOpType.MANAGEMENT even actual KeyOpType is not MANAGEMENT
    Key: HADOOP-11322
    URL: https://issues.apache.org/jira/browse/HADOOP-11322
    Project: Hadoop Common
    Issue Type: Bug
    Components: security
    Reporter: Dian Fu
    Assignee: Dian Fu

In the method checkAccess of class KeyAuthorizationKeyProvider, there is the following code:
{code}
private void checkAccess(String aclName, UserGroupInformation ugi,
    KeyOpType opType) throws AuthorizationException {
  Preconditions.checkNotNull(aclName, "Key ACL name cannot be null");
  Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
  if (acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) &&
      (acls.hasAccessToKey(aclName, ugi, opType)
          || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL))) {
    return;
  }
  ...
}
{code}
It seems that
{code}
acls.isACLPresent(aclName, KeyOpType.MANAGEMENT)
{code}
should be replaced with
{code}
acls.isACLPresent(aclName, opType)
{code}
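
The difference between the quoted guard and the proposed one, as an added example that is not part of the original report or of Hadoop's code: a simplified in-memory ACL table (the `ACLS` map, the string user names and both `guard*` methods are assumptions) is evaluated for a key that defines a READ ACL but no MANAGEMENT ACL. What runs after the guard fails is elided in the report and is not modeled here.

```java
import java.util.*;

public class KeyAclGuardDemo {
    enum KeyOpType { ALL, READ, MANAGEMENT }

    // Simplified stand-in for the KMS key ACL store (assumption, not Hadoop's class):
    // ACL name -> operation type -> users granted that operation.
    static final Map<String, Map<KeyOpType, Set<String>>> ACLS = new HashMap<>();

    static boolean isACLPresent(String aclName, KeyOpType op) {
        return ACLS.getOrDefault(aclName, Map.of()).containsKey(op);
    }

    static boolean hasAccessToKey(String aclName, String user, KeyOpType op) {
        return ACLS.getOrDefault(aclName, Map.of())
                   .getOrDefault(op, Set.of()).contains(user);
    }

    // Guard as quoted in the report: presence is always tested for MANAGEMENT.
    static boolean guardAsReported(String aclName, String user, KeyOpType op) {
        return isACLPresent(aclName, KeyOpType.MANAGEMENT)
            && (hasAccessToKey(aclName, user, op)
                || hasAccessToKey(aclName, user, KeyOpType.ALL));
    }

    // Guard with the replacement proposed in the report: presence tested for opType.
    static boolean guardAsProposed(String aclName, String user, KeyOpType op) {
        return isACLPresent(aclName, op)
            && (hasAccessToKey(aclName, user, op)
                || hasAccessToKey(aclName, user, KeyOpType.ALL));
    }

    public static void main(String[] args) {
        // Constructed sample data: "key1" defines only a READ ACL,
        // "key2" defines both READ and MANAGEMENT ACLs.
        ACLS.put("key1", Map.of(KeyOpType.READ, Set.of("alice")));
        ACLS.put("key2", Map.of(KeyOpType.READ, Set.of("alice"),
                                KeyOpType.MANAGEMENT, Set.of("admin")));
        for (String key : List.of("key1", "key2")) {
            for (String user : List.of("alice", "bob")) {
                System.out.printf("%s READ by %-5s reported=%-5b proposed=%b%n",
                    key, user,
                    guardAsReported(key, user, KeyOpType.READ),
                    guardAsProposed(key, user, KeyOpType.READ));
            }
        }
    }
}
```

For `key1` the two guards disagree only for `alice`: her READ grant is not honored by the quoted guard because no MANAGEMENT ACL exists for that key, while the proposed guard accepts it.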