[ https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jianfei Jiang updated HDFS-13194:
---------------------------------
    Status: Patch Available  (was: In Progress)

Thanks [~linyiqun] for your magnanimity and kind review. Updated the patch.

> CachePool permissions incorrectly checked
> -----------------------------------------
>
>                 Key: HDFS-13194
>                 URL: https://issues.apache.org/jira/browse/HDFS-13194
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Yiqun Lin
>            Assignee: Jianfei Jiang
>            Priority: Major
>         Attachments: HDFS-13194.001.patch, HDFS-13194.002.patch
>
>
> The permissions of CachePool are incorrectly checked. The checking logic:
> {code:java}
>   public void checkPermission(CachePool pool, FsAction access)
>       throws AccessControlException {
>     FsPermission mode = pool.getMode();
>     if (isSuperUser()) {
>       return;
>     }
>     if (getUser().equals(pool.getOwnerName())
>         && mode.getUserAction().implies(access)) {
>       return;
>     }
>     if (isMemberOfGroup(pool.getGroupName())
>         && mode.getGroupAction().implies(access)) {
>       return;
>     }
>     // The following line seems incorrect;
>     // we should ensure the current user is not the pool's owner or in the pool's group.
>     if (mode.getOtherAction().implies(access)) {
>       return;
>     }
>     throw new AccessControlException("Permission denied while accessing pool "
>         + pool.getPoolName() + ": user " + getUser() + " does not have "
>         + access.toString() + " permissions.");
>   }
> {code}
> For example, one corner case: given a cachepool (owner: test, group: test-group,
> permission mode: ------rwx (007)), a user named "test" and a user whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since the permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
>     if (!getUser().equals(pool.getOwnerName())
>         && !isMemberOfGroup(pool.getGroupName())
>         && mode.getOtherAction().implies(access)) {
>       return;
>     }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
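
The corner case from the issue description, worked through as an added example (not code from the issue, its patches, or Hadoop). `Action`, `Pool` and `User` are simplified stand-ins for `FsAction`, `CachePool` and the caller context, the users "alice" and "bob" and the group "staff" are constructed, the superuser bypass is omitted, and Java 16+ is assumed for records.

```java
import java.util.Set;

// Stand-alone model of the check discussed in HDFS-13194. Action, Pool and User
// are simplified stand-ins, not Hadoop classes; the superuser bypass is omitted.
public class CachePoolCheckDemo {
  enum Action {
    READ(4), WRITE(2), EXECUTE(1);
    final int bits;
    Action(int bits) { this.bits = bits; }
  }

  record Pool(String owner, String group, int mode) {
    // shift selects the permission class: 6 = user, 3 = group, 0 = other
    boolean allows(int shift, Action a) { return ((mode >> shift) & a.bits) == a.bits; }
  }
  record User(String name, Set<String> groups) {}

  // Logic as quoted in the issue: the "other" bits are a fallback for every caller.
  static boolean originalCheck(User u, Pool p, Action a) {
    if (u.name().equals(p.owner()) && p.allows(6, a)) return true;
    if (u.groups().contains(p.group()) && p.allows(3, a)) return true;
    return p.allows(0, a);
  }

  // Logic proposed in the issue: "other" applies only to non-owner, non-group callers.
  static boolean proposedCheck(User u, Pool p, Action a) {
    boolean owner = u.name().equals(p.owner());
    boolean member = u.groups().contains(p.group());
    if (owner && p.allows(6, a)) return true;
    if (member && p.allows(3, a)) return true;
    return !owner && !member && p.allows(0, a);
  }

  public static void main(String[] args) {
    Pool pool = new Pool("test", "test-group", 0007); // corner case from the issue
    User[] users = {
      new User("test", Set.of("staff")),        // pool owner (constructed)
      new User("alice", Set.of("test-group")),  // pool group member (constructed)
      new User("bob", Set.of("staff")),         // unrelated user (constructed)
    };
    for (User u : users) {
      System.out.printf("%-6s original=%-5b proposed=%b%n", u.name(),
          originalCheck(u, pool, Action.READ), proposedCheck(u, pool, Action.READ));
    }
  }
}
```

With mode 007 the original logic grants READ to all three users, while the proposed logic grants it only to the unrelated user, which is the behaviour the description asks for.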