[ https://issues.apache.org/jira/browse/HADOOP-11322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dian Fu updated HADOOP-11322:
-----------------------------
    Attachment: HADOOP-11322.patch

A quick patch attached.

> key based ACL check in KMS always check KeyOpType.MANAGEMENT even actual KeyOpType is not MANAGEMENT
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11322
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11322
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>         Attachments: HADOOP-11322.patch
>
>
> In the method checkAccess of class KeyAuthorizationKeyProvider, there is the following code:
> {code}
> private void checkAccess(String aclName, UserGroupInformation ugi,
>     KeyOpType opType) throws AuthorizationException {
>   Preconditions.checkNotNull(aclName, "Key ACL name cannot be null");
>   Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
>   if (acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) &&
>       (acls.hasAccessToKey(aclName, ugi, opType)
>           || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL))) {
>     return;
>   }
>   ...
> }
> {code}
> Seems that
> {code}
> acls.isACLPresent(aclName, KeyOpType.MANAGEMENT)
> {code}
> should be replaced with
> {code}
> acls.isACLPresent(aclName, opType)
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
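
The mismatch described in this report, as an added example that is not Hadoop code and not part of the original message: a minimal model of the guard at the top of checkAccess, with the reported condition next to the proposed one. The class KeyAclGuardDemo, its map-based ACL store, the simplified isACLPresent/hasAccessToKey semantics and the key and user names are assumptions constructed for illustration; what the real method does after the guard (the elided "..." in the report) is not modelled.

```java
import java.util.*;

public class KeyAclGuardDemo {
    enum KeyOpType { ALL, READ, MANAGEMENT, GENERATE_EEK, DECRYPT_EEK }

    // Constructed ACL store (assumption, not KMSACLs): key ACL name -> op type -> allowed users.
    static final Map<String, Map<KeyOpType, Set<String>>> ACLS = new HashMap<>();

    // Simplified stand-in: an ACL is "present" if the key has an entry for that op type.
    static boolean isACLPresent(String aclName, KeyOpType op) {
        return ACLS.getOrDefault(aclName, Map.of()).containsKey(op);
    }

    // Simplified stand-in: access means the user is listed in the key's ACL for that op type.
    static boolean hasAccessToKey(String aclName, String user, KeyOpType op) {
        return ACLS.getOrDefault(aclName, Map.of()).getOrDefault(op, Set.of()).contains(user);
    }

    // Guard as quoted in the report: presence is tested for MANAGEMENT whatever opType is.
    static boolean guardReported(String aclName, String user, KeyOpType opType) {
        return isACLPresent(aclName, KeyOpType.MANAGEMENT)
            && (hasAccessToKey(aclName, user, opType)
                || hasAccessToKey(aclName, user, KeyOpType.ALL));
    }

    // Guard with the replacement the report proposes: presence is tested for opType itself.
    static boolean guardProposed(String aclName, String user, KeyOpType opType) {
        return isACLPresent(aclName, opType)
            && (hasAccessToKey(aclName, user, opType)
                || hasAccessToKey(aclName, user, KeyOpType.ALL));
    }

    public static void main(String[] args) {
        // Constructed sample: "k1" has only a READ ACL; "k2" has MANAGEMENT and READ ACLs.
        ACLS.put("k1", Map.of(KeyOpType.READ, Set.of("alice")));
        ACLS.put("k2", Map.of(KeyOpType.MANAGEMENT, Set.of("admin"),
                               KeyOpType.READ, Set.of("alice")));
        for (String key : List.of("k1", "k2")) {
            for (KeyOpType op : List.of(KeyOpType.READ, KeyOpType.MANAGEMENT)) {
                System.out.printf("%s %-10s alice: reported=%b proposed=%b%n", key, op,
                    guardReported(key, "alice", op), guardProposed(key, "alice", op));
            }
        }
    }
}
```

With this constructed data the two guards disagree only for READ on k1: the key has a READ ACL that lists alice, but the reported guard never consults it because the key has no MANAGEMENT ACL.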