[ 
https://issues.apache.org/jira/browse/HADOOP-11322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14220731#comment-14220731
 ] 

Dian Fu commented on HADOOP-11322:
----------------------------------

Thanks [~hitliuyi] for review. 
{quote}
And in current code, it doesn't affect functionality, since in KMSACLs 
implementation, hasAccessToKey will check the opType too....
{quote}
Actually it will affect functionality. Let's imagine such a scenario: For key 
testKey1, we don't configure any ACL policy for testKey1 and only create a 
default key policy for operation GENERATE_EEK, such as 
{code}
<property>
    <name>default.key.acl.GENERATE_EEK</name>
    <value>*</value>
 </property>
{code}
Then for operation GENERATE_EEK of key testKey1, 
KeyAuthorizationKeyProvider.checkAccess will fail and throw an exception as 
acls.isACLPresent(aclName, opType) returns false. This will skip the check in 
acls.hasAccessToKey(aclName, ugi, opType). Actually in the above scenario, 
checkAccess should return true as we didn't configure ACL for testKey1 and the 
default key ACL of operation GENERATE_EEK is allowAll. 
The scenario described above is unusual, but it does exist. 

> key based ACL check in KMS always check KeyOpType.MANAGEMENT even actual 
> KeyOpType is not MANAGEMENT 
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11322
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11322
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>         Attachments: HADOOP-11322.patch
>
>
> In the method checkAccess of class KeyAuthorizationKeyProvider, there is the 
> following code:
> {code}
> private void checkAccess(String aclName, UserGroupInformation ugi,
>       KeyOpType opType) throws AuthorizationException {
>     Preconditions.checkNotNull(aclName, "Key ACL name cannot be null");
>     Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
>     if (acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) &&
>         (acls.hasAccessToKey(aclName, ugi, opType)
>             || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL))) {
>       return;
>     }
> ...
> }
> {code}
> Seems that {code}
> acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) {code}
> should be replaced with {code}
> acls.isACLPresent(aclName, opType) {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
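
Added example (not part of the JIRA thread and not Hadoop source code): a simplified Java model of the scenario in the comment above, comparing the presence check done with KeyOpType.MANAGEMENT against the one done with opType. The class name `KeyAclCheckDemo`, the `presenceOp` parameter, the user name, and the lookup semantics given to `isACLPresent` and `hasAccessToKey` are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the key ACL lookup (an assumption, not Hadoop's KMSACLs source).
public class KeyAclCheckDemo {
    enum KeyOpType { ALL, READ, MANAGEMENT, GENERATE_EEK, DECRYPT_EEK }

    // Per-key ACLs: key name -> operation -> allowed users ("*" means everyone).
    static final Map<String, Map<KeyOpType, Set<String>>> keyAcls = new HashMap<>();
    // Default ACLs (default.key.acl.<OP>), used for keys with no ACL of their own.
    static final Map<KeyOpType, Set<String>> defaultKeyAcls = new EnumMap<>(KeyOpType.class);

    // Assumed semantics: an ACL is "present" if the key has its own ACL
    // or a default ACL exists for this operation.
    static boolean isACLPresent(String key, KeyOpType op) {
        return keyAcls.containsKey(key) || defaultKeyAcls.containsKey(op);
    }

    static boolean hasAccessToKey(String key, String user, KeyOpType op) {
        Map<KeyOpType, Set<String>> acl = keyAcls.get(key);
        Set<String> allowed = (acl != null) ? acl.get(op) : defaultKeyAcls.get(op);
        return allowed != null && (allowed.contains("*") || allowed.contains(user));
    }

    // Mirrors the condition quoted in the issue; presenceOp is the only thing that varies.
    static boolean checkAccess(String key, String user, KeyOpType op, KeyOpType presenceOp) {
        return isACLPresent(key, presenceOp)
            && (hasAccessToKey(key, user, op) || hasAccessToKey(key, user, KeyOpType.ALL));
    }

    public static void main(String[] args) {
        // Constructed scenario from the comment: no ACL for testKey1,
        // only default.key.acl.GENERATE_EEK = *
        defaultKeyAcls.put(KeyOpType.GENERATE_EEK, Set.of("*"));
        KeyOpType op = KeyOpType.GENERATE_EEK;

        boolean current = checkAccess("testKey1", "alice", op, KeyOpType.MANAGEMENT);
        boolean proposed = checkAccess("testKey1", "alice", op, op);
        System.out.println("presence checked with MANAGEMENT: allowed=" + current);
        System.out.println("presence checked with opType:     allowed=" + proposed);

        // A default for MANAGEMENT alone must not grant GENERATE_EEK under either form.
        defaultKeyAcls.clear();
        defaultKeyAcls.put(KeyOpType.MANAGEMENT, Set.of("*"));
        System.out.println("MANAGEMENT-only default, current:  allowed="
            + checkAccess("testKey1", "alice", op, KeyOpType.MANAGEMENT));
        System.out.println("MANAGEMENT-only default, proposed: allowed="
            + checkAccess("testKey1", "alice", op, op));
    }
}
```

A regression test for the patch would cover both cases: a default ACL configured only for the requested operation, and a default ACL configured only for MANAGEMENT.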
