hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From z..@apache.org
Subject [2/2] hadoop git commit: HDFS-10276. HDFS should not expose path info that user has no permission to see. (Yuanbo Liu via Yongjun Zhang)
Date Mon, 12 Sep 2016 20:06:57 GMT
HDFS-10276. HDFS should not expose path info that user has no permission to see. (Yuanbo Liu
via Yongjun Zhang)

(cherry picked from commit 5ea6fd85c7aff6df28b87789f607bb57ee920639)
(cherry picked from commit 3e4c7906c2cf5c3e4c708fc56b670fa788e8cec7)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/e6c162a3
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/e6c162a3
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/e6c162a3

Branch: refs/heads/branch-2.7
Commit: e6c162a39466755d35abed7faf2e00d28166553c
Parents: 97e4b13
Author: Yongjun Zhang <yzhang@cloudera.com>
Authored: Fri May 27 10:02:02 2016 -0700
Committer: Zhe Zhang <zhz@apache.org>
Committed: Mon Sep 12 13:02:56 2016 -0700

----------------------------------------------------------------------
 .../server/namenode/FSPermissionChecker.java    | 24 +++++++++++---------
 .../apache/hadoop/hdfs/TestDFSPermission.java   | 13 +++++++++++
 2 files changed, 26 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/e6c162a3/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
index 00e651d..6b596d6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@@ -196,9 +196,9 @@ class FSPermissionChecker implements AccessControlEnforcer {
    * Check whether exception e is due to an ancestor inode's not being
    * directory.
    */
-  private void checkAncestorType(INode[] inodes, int ancestorIndex,
+  private void checkAncestorType(INode[] inodes, int checkedAncestorIndex,
       AccessControlException e) throws AccessControlException {
-    for (int i = 0; i <= ancestorIndex; i++) {
+    for (int i = 0; i <= checkedAncestorIndex; i++) {
       if (inodes[i] == null) {
         break;
       }
@@ -221,11 +221,8 @@ class FSPermissionChecker implements AccessControlEnforcer {
       throws AccessControlException {
     for(; ancestorIndex >= 0 && inodes[ancestorIndex] == null;
         ancestorIndex--);
-    try {
-      checkTraverse(inodeAttrs, path, ancestorIndex);
-    } catch (AccessControlException e) {
-      checkAncestorType(inodes, ancestorIndex, e);
-    }
+
+    checkTraverse(inodeAttrs, inodes, path, ancestorIndex);
 
     final INodeAttributes last = inodeAttrs[inodeAttrs.length - 1];
     if (parentAccess != null && parentAccess.implies(FsAction.WRITE)
@@ -276,10 +273,15 @@ class FSPermissionChecker implements AccessControlEnforcer {
   }
 
   /** Guarded by {@link FSNamesystem#readLock()} */
-  private void checkTraverse(INodeAttributes[] inodes, String path, int last
-      ) throws AccessControlException {
-    for(int j = 0; j <= last; j++) {
-      check(inodes[j], path, FsAction.EXECUTE);
+  private void checkTraverse(INodeAttributes[] inodeAttrs, INode[] inodes,
+      String path, int last) throws AccessControlException {
+    int j = 0;
+    try {
+      for (; j <= last; j++) {
+        check(inodeAttrs[j], path, FsAction.EXECUTE);
+      }
+    } catch (AccessControlException e) {
+      checkAncestorType(inodes, j, e);
     }
   }
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/e6c162a3/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
index 80b2eb4..04771f7 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java
@@ -546,6 +546,19 @@ public class TestDFSPermission {
               + "a directory, when checked on /existing_file/non_existing_name",
           e.getMessage().contains("is not a directory"));
     }
+
+    rootFs.setPermission(p4, new FsPermission("600"));
+    try {
+      fs.exists(nfpath);
+      fail("The exists call should have failed.");
+    } catch (AccessControlException e) {
+      assertTrue("Permission denied messages must carry file path",
+          e.getMessage().contains(fpath.getName()));
+      assertFalse("Permission denied messages should not specify existing_file"
+              + " is not a directory, since the user does not have permission"
+              + " on /p4",
+          e.getMessage().contains("is not a directory"));
+    }
   }
 
   /* Check if namenode performs permission checking correctly


---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org


Mime
View raw message