[
https://issues.apache.org/jira/browse/HDFS-11924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vinod Kumar Vavilapalli updated HDFS-11924:
-------------------------------------------
Target Version/s: 2.8.2
Fix Version/s: (was: 2.8.1)
Please leave the fix-version field alone for a committer to set it at commit
time. Updating it myself for now.
> FSPermissionChecker.checkTraverse doesn't pass FsAction access properly
> -----------------------------------------------------------------------
>
> Key: HDFS-11924
> URL: https://issues.apache.org/jira/browse/HDFS-11924
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Zsombor Gegesy
> Labels: hdfs, hdfspermission
> Attachments:
> 0001-HDFS-11924-Pass-FsAction-to-the-external-AccessContr.patch
>
>
> In 2.7.1, during file access check, the AccessControlEnforcer is called with
> the access parameter filled with FsAction values.
> A thread dump in this case:
> {code}
> FSPermissionChecker.checkPermission(INodesInPath, boolean, FsAction,
> FsAction, FsAction, FsAction, boolean) line: 189
> FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean,
> FsAction, FsAction, FsAction, FsAction, boolean) line: 1698
> FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean,
> FsAction, FsAction, FsAction, FsAction) line: 1682
> FSDirectory.checkPathAccess(FSPermissionChecker, INodesInPath,
> FsAction) line: 1656
> FSNamesystem.appendFileInternal(FSPermissionChecker, INodesInPath,
> String, String, boolean, boolean) line: 2668
> FSNamesystem.appendFileInt(String, String, String, boolean, boolean)
> line: 2985
> FSNamesystem.appendFile(String, String, String, EnumSet<CreateFlag>,
> boolean) line: 2952
> NameNodeRpcServer.append(String, String, EnumSetWritable<CreateFlag>)
> line: 653
> ClientNamenodeProtocolServerSideTranslatorPB.append(RpcController,
> ClientNamenodeProtocolProtos$AppendRequestProto) line: 421
>
> ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(Descriptors$MethodDescriptor,
> RpcController, Message) line: not available
> ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(RPC$Server, String,
> Writable, long) line: 616
> ProtobufRpcEngine$Server(RPC$Server).call(RPC$RpcKind, String,
> Writable, long) line: 969
> Server$Handler$1.run() line: 2049
> Server$Handler$1.run() line: 2045
> AccessController.doPrivileged(PrivilegedExceptionAction<T>,
> AccessControlContext) line: not available [native method]
> Subject.doAs(Subject, PrivilegedExceptionAction<T>) line: 422
> UserGroupInformation.doAs(PrivilegedExceptionAction<T>) line: 1657
> {code}
> However, in 2.8.0 this value is changed to null, because in
> FSPermissionChecker.checkTraverse(FSPermissionChecker pc, INodesInPath iip,
> boolean resolveLink) couldn't pass the required information, so it's simply
> use 'null'.
> This is a regression between 2.7.1 and 2.8.0, because external
> AccessControlEnforcer couldn't work properly
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
