hadoop-common-issues mailing list archives

From "Dian Fu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-11337) KeyAuthorizationKeyProvider#doAccessCheck should throw exception if metadata for the specified key is null
Date Wed, 26 Nov 2014 07:40:12 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-11337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dian Fu updated HADOOP-11337:
-----------------------------
    Attachment: HADOOP-11337.patch

Uploading a patch which adds a {{ReadWriteLock}} in {{KeyAuthorizationKeyProvider}}. This
will eliminate the possibility that the ACL check is bypassed.

> KeyAuthorizationKeyProvider#doAccessCheck should throw exception if metadata for the specified key is null
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11337
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11337
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Dian Fu
>         Attachments: HADOOP-11337.patch
>
>
> In {{KeyAuthorizationKeyProvider#getMetadata}}, it first calls {{KeyAuthorizationKeyProvider#doAccessCheck}} to check if the client has the permission to do this operation. However, if the metadata is null when {{KeyAuthorizationKeyProvider#doAccessCheck}} is called and becomes not null after {{KeyAuthorizationKeyProvider#doAccessCheck}} is called, the key-based ACL check will be skipped. It should throw an exception if metadata is null in {{KeyAuthorizationKeyProvider#doAccessCheck}}.
> {code}
>   public Metadata getMetadata(String name) throws IOException {
>     doAccessCheck(name, KeyOpType.READ);
>     return provider.getMetadata(name);
>   }
>   private void doAccessCheck(String keyName, KeyOpType opType) throws
>       IOException {
>     Metadata metadata = provider.getMetadata(keyName);
>     if (metadata != null) {
>       String aclName = metadata.getAttributes().get(KEY_ACL_NAME);
>       checkAccess((aclName == null) ? keyName : aclName, getUser(), opType);
>     }
>   }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
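
The check-then-read gap from the report, as an added example that is not part of the original message or of Hadoop's code. It is a constructed in-memory model: `store`, `checkAccess`, the `betweenCheckAndRead` hook and both `getMetadata*` methods are hypothetical stand-ins, and the second method models the fail-closed behaviour named in the issue title rather than the lock from the attached patch.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Constructed model; none of these names are Hadoop classes or methods.
public class AclRaceDemo {
    static final Map<String, String> store = new ConcurrentHashMap<>(); // key name -> metadata
    static Runnable betweenCheckAndRead = () -> {}; // simulates a concurrent key creation

    // Stand-in for the key ACL: this caller is not allowed to READ any key.
    static void checkAccess(String keyName) throws IOException {
        throw new IOException("READ denied on key " + keyName);
    }

    // Same shape as the reported code: a null lookup silently skips the ACL check.
    static String getMetadataOriginal(String name) throws IOException {
        if (store.get(name) != null) {
            checkAccess(name);
        }
        betweenCheckAndRead.run();   // key appears after the check, before the read
        return store.get(name);
    }

    // Fail closed: no metadata at check time means no answer at all.
    static String getMetadataFailClosed(String name) throws IOException {
        if (store.get(name) == null) {
            throw new IOException("No metadata for key " + name);
        }
        checkAccess(name);
        betweenCheckAndRead.run();
        return store.get(name);
    }

    public static void main(String[] args) {
        // Constructed sample value, created in the window between check and read.
        betweenCheckAndRead = () -> store.put("k1", "cipher=AES/CTR/NoPadding");
        try {
            System.out.println("original returned: " + getMetadataOriginal("k1"));
        } catch (IOException e) {
            System.out.println("original: " + e.getMessage());
        }
        store.clear();
        try {
            System.out.println("fail-closed returned: " + getMetadataFailClosed("k1"));
        } catch (IOException e) {
            System.out.println("fail-closed: " + e.getMessage());
        }
    }
}
```

In the original shape the denied caller receives the metadata because the ACL check never ran; in the fail-closed shape the same interleaving ends in an exception.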
