-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192459
-----------------------------------------------------------



LGTM. Zsombor?

- Colm O hEigeartaigh


On Nov. 30, 2017, 10:38 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 10:38 p.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
>     https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> The traversal check in RangerHdfsAuthorizer works incorrectly: when it is 
> asked for access to /a/b/c.txt, it only checks whether there is a policy 
> which grants EXEC to /a/b, but if there isn't any, then it doesn't check 
> whether there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt 
> explicitly, which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 
> 2.8.0 doesn't call the traversal check before reading or writing a file; 
> however, it will cause a problem with 2.8.0, where FSDirectory.resolvePath 
> will perform a mandatory traversal check.
> 
> This patch is based on the patch submitted for review 
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the 
> resource is a file) does not fail with an explicit DENY by the Ranger 
> Authorizer, then it is presumed to have succeeded without any further checks 
> and no audit record is created. If it fails with DENY, then the authorization 
> fails and an audit record is created.
> 2. Test policies in hdfs-policies.json and test cases 
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -----
> 
>   hdfs-agent/pom.xml 87ba777 
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5 
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs-policies.json 056231f 
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/1/
> 
> 
> Testing
> -------
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
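
The traversal-check change described in the review request above, as a simplified model. This is an added example, not code from the Ranger patch or from RangerHdfsAuthorizer. The `Policy` record, exact-path matching and the sample policies are assumptions made for illustration, and fallback to native HDFS permissions is not modelled.

```python
from dataclasses import dataclass
from posixpath import dirname

ALLOW, DENY, NOT_DETERMINED = "ALLOW", "DENY", "NOT_DETERMINED"

@dataclass(frozen=True)
class Policy:  # hypothetical, simplified policy record (not Ranger's model)
    path: str
    user: str
    accesses: frozenset
    deny: bool = False

# Constructed sample policies, not taken from hdfs-policies.json.
POLICIES = [
    Policy("/a/b/c.txt", "alice", frozenset({"read"})),
    Policy("/secret", "alice", frozenset({"execute"}), deny=True),
    Policy("/secret/d.txt", "alice", frozenset({"read"})),
]

def evaluate(policies, user, path, access):
    """Explicit DENY wins, then ALLOW, otherwise no policy decided."""
    hits = [p for p in policies if (p.path, p.user) == (path, user) and access in p.accesses]
    if any(p.deny for p in hits):
        return DENY
    return ALLOW if hits else NOT_DETERMINED

def ancestors(path):
    """Yield /a/b, /a, / for the absolute path /a/b/c.txt."""
    while path not in ("/", ""):
        path = dirname(path)
        yield path

def traversal_before(policies, user, path):
    """Behaviour the description reports: the parent needs an EXEC grant."""
    return evaluate(policies, user, dirname(path), "execute") == ALLOW

def traversal_after(policies, user, path, audit):
    """Patched behaviour: only an explicit DENY fails, and only that is audited."""
    for anc in ancestors(path):
        if evaluate(policies, user, anc, "execute") == DENY:
            audit.append((user, anc, "execute", DENY))
            return False
    return True

def can_read(policies, user, path, audit, patched=True):
    ok = (traversal_after(policies, user, path, audit) if patched
          else traversal_before(policies, user, path))
    return ok and evaluate(policies, user, path, "read") == ALLOW
```

With `patched=False` the explicit READ grant on `/a/b/c.txt` is never reached, because the traversal step fails first; with `patched=True` the same request succeeds and the audit list only gains an entry when an ancestor carries an explicit DENY.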
