[ https://issues.apache.org/jira/browse/HDFS-17436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17829732#comment-17829732 ]

ASF GitHub Bot commented on HDFS-17436:
---------------------------------------

ZanderXu merged PR #6651:
URL: https://github.com/apache/hadoop/pull/6651




> checkPermission should not ignore original AccessControlException 
> ------------------------------------------------------------------
>
>                 Key: HDFS-17436
>                 URL: https://issues.apache.org/jira/browse/HDFS-17436
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: namenode
>    Affects Versions: 3.3.0, 3.3.6
>            Reporter: Xiaobao Wu
>            Priority: Minor
>              Labels: patch, pull-request-available
>             Fix For: 3.3.0
>
>         Attachments: 
> HDFS-17436__Supplement_log_information_for_AccessControlException.patch
>
>
> In the environment where the *Ranger-HDFS* plugin is enabled, I look at the 
> log information of the *AccessControlException* caused by *du*. I find that 
> the printed log information is not accurate, because the original 
> AccessControlException is ignored by checkPermission, which is not conducive 
> to judging the real situation of the AccessControlException. At least part 
> of the original log information should be printed.
> Later, the *inode* information prompted by the original 
> AccessControlException log information makes me realize that the Ranger-HDFS 
> plug-in in the current environment is not incorporated into RANGER-2297.
> This is because the inode information printed in the current log is not the 
> "inode information" *passed* to the authorizers. At this time, if certain 
> external authorizers *do not adjust their authentication logic* according to 
> HDFS-12130, it is more difficult to locate the real situation of the 
> problem. So I think it is necessary to prompt this part of the log information.
> AccessControlException information currently printed:
> {code:java}
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
>  Permission denied: user=test,access=READ_EXECUTE, 
> inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
>     at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226){code}
>  The original AccessControlException information printed:
> {code:java}
> org.apache.hadoop.security.AccessControlException: Permission denied: 
> user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
>     at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400)
>  {code}
> From the comparison results of the above log information, it can be seen that 
> the inode information and the exception stack printed by the log are not 
> accurate.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
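
An added sketch, not code from the Hadoop project or from PR #6651, of the failure mode the issue describes: an outer check that rebuilds the denial message and drops the inner exception, next to a variant that keeps the original as the cause. All class and method names are simplified stand-ins, and how the merged patch surfaces the original exception is not shown on this page.

```java
// Added illustration; stand-in classes, not Hadoop's FSPermissionChecker.
public class AceChainingDemo {
    // Stand-in for org.apache.hadoop.security.AccessControlException.
    static class AccessControlException extends Exception {
        AccessControlException(String msg) { super(msg); }
        AccessControlException(String msg, Throwable cause) { super(msg, cause); }
    }

    static String denied(String user, String access, String inode) {
        return "Permission denied: user=" + user + ",access=" + access
            + ", inode=\"" + inode + "\"";
    }

    // Inner check (hypothetical): it is handed only the inode's local name.
    static void check(String user, String access, String localName)
            throws AccessControlException {
        throw new AccessControlException(denied(user, access, localName));
    }

    // Reported behaviour: the original exception is discarded, so the log
    // shows only the rebuilt message and the outer stack frame.
    static void checkPermissionLossy(String user, String access, String path)
            throws AccessControlException {
        try {
            check(user, access, path.substring(path.lastIndexOf('/') + 1));
        } catch (AccessControlException original) {
            throw new AccessControlException(denied(user, access, path));
        }
    }

    // Original kept as the cause: its message (the inode as the inner check
    // saw it) and its stack trace remain available to whoever reads the log.
    static void checkPermissionChained(String user, String access, String path)
            throws AccessControlException {
        try {
            check(user, access, path.substring(path.lastIndexOf('/') + 1));
        } catch (AccessControlException original) {
            throw new AccessControlException(denied(user, access, path), original);
        }
    }

    public static void main(String[] args) {
        // Path taken from the log excerpt in the issue description.
        String path = "/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17";
        try { checkPermissionLossy("test", "READ_EXECUTE", path); }
        catch (AccessControlException e) { System.out.println("lossy cause:   " + e.getCause()); }
        try { checkPermissionChained("test", "READ_EXECUTE", path); }
        catch (AccessControlException e) { System.out.println("chained cause: " + e.getCause()); }
    }
}
```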
