[ https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379691#comment-16379691 ]

Hudson commented on HDFS-13194:
-------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #13733 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/13733/])
HDFS-13194. CachePool permissions incorrectly checked. Contributed by (yqlin: 
rev a9c14b11193adeaa31389578f4cb90fa79cad8c3)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java


> CachePool permissions incorrectly checked
> -----------------------------------------
>
>                 Key: HDFS-13194
>                 URL: https://issues.apache.org/jira/browse/HDFS-13194
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Yiqun Lin
>            Assignee: Jianfei Jiang
>            Priority: Major
>             Fix For: 3.1.0, 2.10.0, 3.2.0
>
>         Attachments: HDFS-13194.001.patch, HDFS-13194.002.patch
>
>
> The permissions of CachePool are incorrectly checked. The checking logic:
> {code:java}
>   public void checkPermission(CachePool pool, FsAction access)
>       throws AccessControlException {
>     FsPermission mode = pool.getMode();
>     if (isSuperUser()) {
>       return;
>     }
>     if (getUser().equals(pool.getOwnerName())
>         && mode.getUserAction().implies(access)) {
>       return;
>     }
>     if (isMemberOfGroup(pool.getGroupName())
>         && mode.getGroupAction().implies(access)) {
>       return;
>     }
>     // Following line seems incorrect,
>     // we should ensure the current user is not the pool's owner and does not
>     // belong to the pool's group.
>     if (mode.getOtherAction().implies(access)) {
>       return;
>     }
>     throw new AccessControlException("Permission denied while accessing pool "
>         + pool.getPoolName() + ": user " + getUser() + " does not have "
>         + access.toString() + " permissions.");
>   }
> {code}
> For example, one corner case: for a cache pool (owner: test, group: test-group,
> permission mode: ------rwx (007)), a user named "test" or a user whose
> group is "test-group" can both access this pool. But actually this is not
> allowed, since the permission for its owner or group is none.
> The behavior of checking other users should be updated like this:
> {code:java}
>     if (!getUser().equals(pool.getOwnerName())
>         && !isMemberOfGroup(pool.getGroupName())
>         && mode.getOtherAction().implies(access)) {
>       return;
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
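
The corner case from the issue, as an added example that is not part of the original message or of Hadoop's code: a plain-Java model that runs the quoted check and the proposed condition side by side on a pool with mode 007. The `Pool` and `User` records, `checkBefore`/`checkAfter` and the sample users are hypothetical; the superuser shortcut is left out, and records need Java 16 or later.

```java
import java.util.Set;

// Added illustration: a stand-alone model of the check, not Hadoop code.
public class CachePoolCheckDemo {
    // Constructed stand-ins for CachePool and the calling user.
    record Pool(String owner, String group, int mode) {}
    record User(String name, Set<String> groups) {}

    static final int READ = 4;

    // True when the 3-bit permission class grants every bit in access.
    static boolean implies(int bits, int access) {
        return (bits & access) == access;
    }

    // Owner and group branches, identical in both versions of the check.
    static boolean ownerOrGroupGrants(User u, Pool p, int access) {
        boolean isOwner = u.name().equals(p.owner());
        boolean inGroup = u.groups().contains(p.group());
        return (isOwner && implies((p.mode() >> 6) & 7, access))
            || (inGroup && implies((p.mode() >> 3) & 7, access));
    }

    // Logic as quoted in the issue: "other" bits are consulted for every caller.
    static boolean checkBefore(User u, Pool p, int access) {
        return ownerOrGroupGrants(u, p, access) || implies(p.mode() & 7, access);
    }

    // Condition proposed in the issue: "other" bits apply only to callers who
    // are neither the pool's owner nor members of the pool's group.
    static boolean checkAfter(User u, Pool p, int access) {
        boolean isOwner = u.name().equals(p.owner());
        boolean inGroup = u.groups().contains(p.group());
        return ownerOrGroupGrants(u, p, access)
            || (!isOwner && !inGroup && implies(p.mode() & 7, access));
    }

    public static void main(String[] args) {
        Pool pool = new Pool("test", "test-group", 0007); // ------rwx
        User[] users = {
            new User("test", Set.of("staff")),        // pool owner
            new User("alice", Set.of("test-group")),  // member of pool group
            new User("bob", Set.of("staff")),         // neither
        };
        for (User u : users) {
            System.out.printf("%-6s before=%-5b after=%b%n", u.name(),
                checkBefore(u, pool, READ), checkAfter(u, pool, READ));
        }
    }
}
```

Only the third user should be granted access under the proposed condition; a regression test for this class of bug needs a mode where the "other" bits are more permissive than the owner and group bits.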
