[ https://issues.apache.org/jira/browse/HDFS-15051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994154#comment-16994154 ]
Xiaoqiao He commented on HDFS-15051: ------------------------------------ Thanks [~elgoiri] for offering the design consideration, However it seems that goals is not met in current implementation, and there are still security vulnerabilities, I mean MountTableEntry operation privilege. Consider the following case, when one mount entry attribution as following, it seems that any user such as `anonymous` could update it use command as `bin/hdfs dfsrouteradmin -update /user nameservice /user2 -owner hdfs -group hadoop -mode 700` since permission checker of #RouterAdminServer only rely on the information(user,group,mode) which supply from client. Please correct me if something i missed. {code:java} /user nameservice /user hdfs hadoop rwxr-xr-x {code} So, I propose we could enhance privilege control and avoid malicious updates, even revoke update MountTableEntry privilege to super user only. > RBF: Propose to revoke WRITE MountTableEntry privilege to super user only > ------------------------------------------------------------------------- > > Key: HDFS-15051 > URL: https://issues.apache.org/jira/browse/HDFS-15051 > Project: Hadoop HDFS > Issue Type: Sub-task > Components: rbf > Reporter: Xiaoqiao He > Assignee: Xiaoqiao He > Priority: Major > Attachments: HDFS-15051.001.patch > > > The current permission checker of #MountTableStoreImpl is not very restrict. > In some case, any user could add/update/remove MountTableEntry without the > expected permission checking. > The following code segment try to check permission when operate > MountTableEntry, however mountTable object is from Client/RouterAdmin > {{MountTable mountTable = request.getEntry();}}, and user could pass any mode > which could bypass the permission checker. > {code:java} > public void checkPermission(MountTable mountTable, FsAction access) > throws AccessControlException { > if (isSuperUser()) { > return; > } > FsPermission mode = mountTable.getMode(); > if (getUser().equals(mountTable.getOwnerName()) > && mode.getUserAction().implies(access)) { > return; > } > if (isMemberOfGroup(mountTable.getGroupName()) > && mode.getGroupAction().implies(access)) { > return; > } > if (!getUser().equals(mountTable.getOwnerName()) > && !isMemberOfGroup(mountTable.getGroupName()) > && mode.getOtherAction().implies(access)) { > return; > } > throw new AccessControlException( > "Permission denied while accessing mount table " > + mountTable.getSourcePath() > + ": user " + getUser() + " does not have " + access.toString() > + " permissions."); > } > {code} > I just propose revoke WRITE MountTableEntry privilege to super user only. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org