hadoop-common-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11337) KeyAuthorizationKeyProvider access checks need to be done atomically
Date Tue, 02 Dec 2014 15:28:18 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14231628#comment-14231628 ]

Hudson commented on HADOOP-11337:
---------------------------------

SUCCESS: Integrated in Hadoop-Mapreduce-trunk-Java8 #23 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/23/])
HADOOP-11337. KeyAuthorizationKeyProvider access checks need to be done atomically. Contributed by Dian Fu. (wang: rev 9fa29902575ac3774bf3728e7bcde7f3eefb1d4c)
* hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
* hadoop-common-project/hadoop-common/CHANGES.txt


> KeyAuthorizationKeyProvider access checks need to be done atomically
> --------------------------------------------------------------------
>
>                 Key: HADOOP-11337
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11337
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11337.patch
>
>
> In {{KeyAuthorizationKeyProvider#getMetadata}}, it first calls {{KeyAuthorizationKeyProvider#doAccessCheck}}
> to check if the client has permission to do this operation. However, if the metadata is null
> when {{KeyAuthorizationKeyProvider#doAccessCheck}} is called and becomes non-null after {{KeyAuthorizationKeyProvider#doAccessCheck}}
> is called, the key-based ACL check will be skipped. The {{getMetadata}} operation should be atomic.
> {code}
>   public Metadata getMetadata(String name) throws IOException {
>     doAccessCheck(name, KeyOpType.READ);
>     return provider.getMetadata(name);
>   }
>   private void doAccessCheck(String keyName, KeyOpType opType) throws
>       IOException {
>     Metadata metadata = provider.getMetadata(keyName);
>     if (metadata != null) {
>       String aclName = metadata.getAttributes().get(KEY_ACL_NAME);
>       checkAccess((aclName == null) ? keyName : aclName, getUser(), opType);
>     }
>   }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
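
The check-then-read window described in the issue, reproduced deterministically as an added example (not Hadoop KMS code and not the attached patch). The class, key name and user names are hypothetical, the "concurrent" key creation is simulated with a callback placed in the window, and the single-lookup fix shown is one way to close it for a read path.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; all names here are hypothetical stand-ins.
public class AtomicAclCheckDemo {
    // key name -> metadata; in this toy the metadata is just the one user allowed to READ
    static final Map<String, String> store = new ConcurrentHashMap<>();

    static void checkAccess(String allowedUser, String user) {
        if (!allowedUser.equals(user)) {
            throw new SecurityException(user + " may not READ this key");
        }
    }

    // Same shape as the reported code: one lookup for the check, a second for the result.
    static String racyGet(String key, String user, Runnable concurrentWriter) {
        String meta = store.get(key);      // lookup 1: key absent, so the ACL check is skipped
        if (meta != null) {
            checkAccess(meta, user);
        }
        concurrentWriter.run();            // constructed interleaving: key is created here
        return store.get(key);             // lookup 2: result was never checked
    }

    // The check and the returned value come from the same lookup, so a write
    // landing in the same place cannot produce an unchecked result.
    static String atomicGet(String key, String user, Runnable concurrentWriter) {
        String meta = store.get(key);      // single lookup
        if (meta != null) {
            checkAccess(meta, user);
        }
        concurrentWriter.run();            // same interleaving as above
        return meta;                       // snapshot that was (or needed no) check
    }

    public static void main(String[] args) {
        Runnable createKey = () -> store.put("k1", "alice");   // constructed sample data
        System.out.println("racy:   " + racyGet("k1", "mallory", createKey));
        store.clear();
        System.out.println("atomic: " + atomicGet("k1", "mallory", createKey));
        try {
            atomicGet("k1", "mallory", createKey);              // key now exists
        } catch (SecurityException e) {
            System.out.println("atomic, key present: " + e.getMessage());
        }
    }
}
```

Operations that make more than one call to the underlying provider cannot use a single snapshot and need the check and the operation held under a common lock instead.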
