[ https://issues.apache.org/jira/browse/HDFS-15973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17322588#comment-17322588 ]
zhuobin zheng edited comment on HDFS-15973 at 4/16/21, 3:26 AM:
----------------------------------------------------------------

Hi, [~LiJinglun], this is like what happened in HDFS-15923.

We should do the access check in the proxyUser privileged action. Otherwise, we are unable to pass authentication with the namenode.

{code:java}
if (UserGroupInformation.isSecurityEnabled()) {
  // Impersonate the remote caller, with routerUser as the real user.
  UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
      RouterRpcServer.getRemoteUser().getShortUserName(), routerUser);
  proxyUser.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      // check src path permission.
      Path srcPath = new Path("hdfs://" + srcLoc.getNameserviceId() + remoteSrc);
      srcPath.getFileSystem(conf).access(srcPath.getParent(), FsAction.WRITE);
      // check dst path permission.
      Path dstPath = new Path("hdfs://" + dstLoc.getNameserviceId() + remoteDst);
      dstPath.getFileSystem(conf).access(dstPath.getParent(), FsAction.WRITE);
      // run() is declared to return Object, so it must return a value.
      return null;
    }
  });
}
{code}

> RBF: Add permission check before doing router federation rename.
> -----------------------------------------------------------------
>
> Key: HDFS-15973
> URL: https://issues.apache.org/jira/browse/HDFS-15973
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Reporter: Jinglun
> Assignee: Jinglun
> Priority: Major
> Attachments: HDFS-15973.001.patch, HDFS-15973.002.patch, HDFS-15973.003.patch
>
>
> The router federation rename lacks a permission check. It is a security issue.