HDFS-13194. CachePool permissions incorrectly checked. Contributed by Jianfei Jiang.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a9c14b11 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a9c14b11 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a9c14b11 Branch: refs/heads/HDFS-7240 Commit: a9c14b11193adeaa31389578f4cb90fa79cad8c3 Parents: d86f301 Author: Yiqun Lin <yq...@apache.org> Authored: Wed Feb 28 10:17:43 2018 +0800 Committer: Yiqun Lin <yq...@apache.org> Committed: Wed Feb 28 10:17:43 2018 +0800 ---------------------------------------------------------------------- .../hdfs/server/namenode/FSPermissionChecker.java | 4 +++- .../hdfs/server/namenode/TestCacheDirectives.java | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a9c14b11/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java ----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
index 45876a7..0b284b9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@@ -573,7 +573,9 @@ public class FSPermissionChecker implements AccessControlEnforcer {
 && mode.getGroupAction().implies(access)) {
 return;
 }
- if (mode.getOtherAction().implies(access)) {
+ if (!getUser().equals(pool.getOwnerName())
+ && !isMemberOfGroup(pool.getGroupName())
+ && mode.getOtherAction().implies(access)) {
 return;
 }
 throw new AccessControlException("Permission denied while accessing pool "
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a9c14b11/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java ----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java
index 658e4ca..c58e090 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestCacheDirectives.java
@@ -420,6 +420,9 @@ public class TestCacheDirectives {
 setMode(new FsPermission((short)0777)));
 proto.addCachePool(new CachePoolInfo("pool4").
 setMode(new FsPermission((short)0)));
+ proto.addCachePool(new CachePoolInfo("pool5").
+ setMode(new FsPermission((short)0007))
+ .setOwnerName(unprivilegedUser.getShortUserName()));
 CacheDirectiveInfo alpha = new CacheDirectiveInfo.Builder().
 setPath(new Path("/alpha")).
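Review bot: The new guard on the `other` branch of FSPermissionChecker stops owners and group members from falling through to the other bits, but the group branch just above it (`&& mode.getGroupAction().implies(access)`) is still tried for every caller, so a pool owner whose user bits deny access can presumably still be admitted through group membership. The first half of that condition and the owner branch lie outside the hunk, so this should be confirmed against the full method. If POSIX-style class selection is intended, an `if (owner) … else if (group member) … else …` chain that consults exactly one permission class would close that case and avoid evaluating `getUser().equals(pool.getOwnerName())` and `isMemberOfGroup(pool.getGroupName())` twice. Either way, a comment such as `// other bits apply only to callers who are neither owner nor group member` above the condition would record the intent.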
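Review bot: The only new fixture in the TestCacheDirectives setup hunk, `pool5`, exercises the owner clause of the fix; no pool here reaches the `!isMemberOfGroup(pool.getGroupName())` clause. A second pool with the group bits cleared and the other bits set, for example `setMode(new FsPermission((short)0707))` with `setGroupName(...)` naming a group the unprivileged user belongs to, would cover it; how that user's groups are configured is outside the hunk. The added chain also mixes trailing-dot (`CachePoolInfo("pool5").`) and leading-dot (`.setOwnerName(`) continuation, where the neighbouring context lines use trailing dots.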
@@ -488,6 +491,18 @@ public class TestCacheDirectives { long deltaId = addAsUnprivileged(delta); + try { + addAsUnprivileged(new CacheDirectiveInfo.Builder(). + setPath(new Path("/epsilon")). + setPool("pool5"). + build()); + fail("expected an error when adding to a pool with " + + "mode 007 (no permissions for pool owner)."); + } catch (AccessControlException e) { + GenericTestUtils. + assertExceptionContains("Permission denied while accessing pool", e); + } + // We expect the following to succeed, because DistributedFileSystem // qualifies the path. long relativeId = addAsUnprivileged( --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
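Review bot: The added try/catch proves that the owner of the mode-007 pool is refused, but nothing in it shows that a caller who is neither owner nor group member is still admitted by the other bits, so an over-strict condition in FSPermissionChecker would go unnoticed unless a case outside the hunk already covers it. The catch block also matches only the generic prefix `Permission denied while accessing pool`, which any pool denial would produce. If the message carries the pool name (the literal visible in the FSPermissionChecker hunk ends mid-expression, so this is inferred), adding `GenericTestUtils.assertExceptionContains("pool5", e);` would pin the check to this pool.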