hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14845) Azure wasb: getFileStatus not making any auth checks
Date Thu, 05 Oct 2017 14:05:01 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16192917#comment-16192917

Steve Loughran commented on HADOOP-14845:

OK, testing on trunk and all is well; I was caught out by the fact that these tests are skipped
in branch-2 unless you enable auth in your test azure-auth-keys.xml file. It seems to me that
the tests could actually turn on auth rather than skip; they just need to make sure that a
new FS instance is created just for this test suite.

which means: the branch-2 tests are broken as the merge was incomplete.

Anyway, I've applied patch 004 to runk & rerunning {{ITestNativeAzureFSAuth*}} as well
as {{TestNativeAzureFileSystemAuthorization}}: all is well

+1 for trunk, committing as is, and about to build a patch for branch-2 which fixes the test

> Azure wasb: getFileStatus not making any auth checks
> ----------------------------------------------------
>                 Key: HADOOP-14845
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14845
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure, security
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Sivaguru Sankaridurg
>            Assignee: Sivaguru Sankaridurg
>              Labels: azure, fs, secure, wasb
>             Fix For: 2.9.0
>         Attachments: HADOOP-14845.001.patch, HADOOP-14845.002.patch, HADOOP-14845.003.patch,
HADOOP-14845.004.patch, HADOOP-14845-branch-2-001.patch.txt, HADOOP-14845-branch-2-002.patch,
> The HDFS spec requires only traverse checks for any file accessed via getFileStatus ...
and since WASB does not support traverse checks, removing this call effectively removed all
protections for the getFileStatus call. The reasoning at that time was that doing a performAuthCheck
was the wrong thing to do, since it was going against the spec....and that the correct fix
to the getFileStatus issue was to implement traverse checks rather than go against the spec
by calling performAuthCheck. The side-effects of such a change were not fully clear at that
time, but the thinking was that it was safer to remain true to the spec, as far as possible.
> The reasoning remains correct even today. But in view of the security hole introduced
by this change (that anyone can load up any other user's data in hive), and keeping in mind
that WASB does not intend to implement traverse checks, we propose a compromise.
> We propose (re)introducing a read-access check to getFileStatus(), that would check the
existing ancestor for read-access whenever invoked. Although not perfect (in that it is a
departure from the spec), we believe that it is a good compromise between having no checks
at all; and implementing full-blown traverse checks.
> For scenarios that deal with intermediate folders like mkdirs, the call would check for
read access against an existing ancestor (when invoked from shell) for intermediate non-existent
folders – {{ mkdirs /foo/bar, where only "/" exists, would result in read-checks against
"/" for "/","/foo" and "/foo/bar" }}. This can be thought of, as being a close-enough substitute
for the traverse checks that hdfs does.
> For other scenarios that don't deal with non-existent intermediate folders – like read,
delete etc, the check will happen against the parent. Once again, we can think of the read-check
against the parent as a substitute for the traverse check, which can be customized for various
users with ranger policies.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message