[ https://issues.apache.org/jira/browse/HDFS-17436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17829732#comment-17829732 ]
ASF GitHub Bot commented on HDFS-17436:
---------------------------------------

ZanderXu merged PR #6651:
URL: https://github.com/apache/hadoop/pull/6651

> checkPermission should not ignore original AccessControlException
> ------------------------------------------------------------------
>
> Key: HDFS-17436
> URL: https://issues.apache.org/jira/browse/HDFS-17436
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: namenode
> Affects Versions: 3.3.0, 3.3.6
> Reporter: Xiaobao Wu
> Priority: Minor
> Labels: patch, pull-request-available
> Fix For: 3.3.0
>
> Attachments:
> HDFS-17436__Supplement_log_information_for_AccessControlException.patch
>
>
> In the environment where the *Ranger-HDFS* plugin is enabled, I look at the
> log information of *AccessControlException* caused by the *du*. I find that
> the printed log information is not accurate, because the original
> AccessControlException is ignored by checkPermission, which is not conducive
> to judging the real situation of the AccessControlException. At least part
> of the original log information should be printed.
> Later, the *inode* information prompted by the original
> AccessControlException log information makes me realize that the Ranger-HDFS
> plug-in in the current environment is not incorporated into RANGER-2297.
> Because the inode information printed by the current log is not the "inode
> information" *passed* to the authorizers. At this time, if certain external
> authorizers *do not adjust their authentication logic* according to
> HDFS-12130, it is more difficult to locate the real situation of the
> problem. So I think it is necessary to prompt this part of the log information.
> AccessControlException information currently printed:
> {code:java}
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=test,access=READ_EXECUTE, inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
>     at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226)
> {code}
> The original AccessControlException information printed:
> {code:java}
> org.apache.hadoop.security.AccessControlException: Permission denied: user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
>     at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400)
> {code}
> From the comparison results of the above log information, it can be seen that
> the inode information and the exception stack printed by the log are not
> accurate.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
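
Added example, not part of the original message and not Hadoop's code or the merged patch: a small Java model of the behaviour the report describes, where an outer check rebuilds the exception from the full path and drops the one raised by the inner check, next to a variant that chains the original as the cause. The class `PermissionCheckDemo`, its stand-in `AccessControlException`, and the methods `check`, `checkPermissionLossy` and `checkPermissionPreserving` are hypothetical simplifications; the sample values are taken from the logs quoted above.

```java
import java.io.IOException;

public class PermissionCheckDemo {
    // Simplified stand-in for org.apache.hadoop.security.AccessControlException.
    static class AccessControlException extends IOException {
        AccessControlException(String msg) { super(msg); }
    }

    // Builds a message in the shape of the log lines quoted in the issue.
    static String denied(String inode) {
        return "Permission denied: user=test,access=READ_EXECUTE, inode=\""
            + inode + "\":hive:hadoop:drwxrwx---";
    }

    // Hypothetical inner check: it only knows the path component it was handed.
    static void check(String component) throws AccessControlException {
        throw new AccessControlException(denied(component));
    }

    // Lossy wrapper: rebuilds the message from the full path and discards
    // the exception (message and stack) raised by the inner check.
    static void checkPermissionLossy(String path) throws AccessControlException {
        try {
            check(path.substring(path.lastIndexOf('/') + 1));
        } catch (AccessControlException e) {
            throw new AccessControlException(denied(path));
        }
    }

    // Preserving wrapper: same outer message, original chained as the cause,
    // so the inner inode value and stack frame still reach the log.
    static void checkPermissionPreserving(String path) throws AccessControlException {
        try {
            check(path.substring(path.lastIndexOf('/') + 1));
        } catch (AccessControlException e) {
            AccessControlException outer = new AccessControlException(denied(path));
            outer.initCause(e);
            throw outer;
        }
    }

    public static void main(String[] args) {
        String path = "/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17";
        try { checkPermissionLossy(path); } catch (AccessControlException e) {
            System.out.println("lossy cause:      " + e.getCause());
        }
        try { checkPermissionPreserving(path); } catch (AccessControlException e) {
            System.out.println("preserving cause: " + e.getCause());
        }
    }
}
```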