> On Nov. 21, 2017, 4 p.m., Colm O hEigeartaigh wrote: > > You could put some spaces into "for (int i=0;i<pathSegments.length;i++) {" > > There's also an indentation issue on line 201 of RangerHdfsAuthorizerTest. > > Other spacing issue here "ancestorIndex,plugin" > > > > > for (FsAction action : Arrays.asList(FsAction.EXECUTE, FsAction.READ, > > > FsAction.WRITE)) { > > > > I think the FsAction.EXECUTE is not necessary here, as we are checking > > EXECUTE already in "traverseOnlyCheck".
The trick is, that there are different inodes used for the checks: final AuthzStatus status = isAccessAllowed(nodeToCheck, nodeAttribs, FsAction.EXECUTE, user, groups, plugin, auditHandler); if (status == AuthzStatus.NOT_DETERMINED) { return isAnyAccessAllowed(inode, inode, user, groups, plugin, auditHandler); } First, we use 'nodeToCheck', which can be a parent or ancestor node, and in the loop, we use 'inode' which refers to the actual file. - Zsombor ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/61062/#review191583 ----------------------------------------------------------- On Nov. 21, 2017, 4:34 p.m., Zsombor Gegesy wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/61062/ > ----------------------------------------------------------- > > (Updated Nov. 21, 2017, 4:34 p.m.) > > > Review request for ranger. > > > Bugs: RANGER-1707 > https://issues.apache.org/jira/browse/RANGER-1707 > > > Repository: ranger > > > Description > ------- > > Fix hdfs traverse check, which problem was hidden before hdfs 2.8.0, where > the traverse checks are called > before reading and writing files, so if a policy is just about reading > /tmp/somedir/somefile > it means, that traverse should be allowed to get to that file. Adding > more tests to highlight the issue > > > Diffs > ----- > > hdfs-agent/pom.xml 9f6206013 > > hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java > af4d9b5c2 > > hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java > PRE-CREATION > > > Diff: https://reviews.apache.org/r/61062/diff/2/ > > > Testing > ------- > > Tested locally > https://travis-ci.org/gzsombor/ranger/builds/256331500 > > > Thanks, > > Zsombor Gegesy > >