hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kannapiran Srinivasan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
Date Fri, 06 Oct 2017 11:42:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16194481#comment-16194481
] 

Kannapiran Srinivasan commented on HADOOP-14899:
------------------------------------------------

[~stevel@apache.org] : I have updated the patch with following fixes
* L698: I think it is better to have a separate list defined for chmod allowed users instead
of using a common one for both chown and chmod. Because this gives a flexibility to configure
different set of allowed users for both chmod & chown. I have reverted the code back to
use fs.azure.chown.allowed.userlist for chown.
* L2916: Fixed
* L2980: Fixed
* L7971. chmod & chown should check against the current user not the actualUser. actualUser
is set in the context of impersonation. Earlier logic on setPermission was wrongly checking
the actualUser instead of currentUser. Yes getCurrentUser should not be null during chmod
/ chown calls irrespective of impersonation enabled or not
* L3055. Cached the user lists (chown, chmod & daemon) during the init & enabled set
of helper methods for tests to update them during test runs
* Refactoring is done on the testcases as mentioned in the comment 

Apart from this I have fixed testcases related to setOwner (testSetOwnerThrowsForUnauthorisedUsers,
testSetOwnerFailsForIllegalSetup, testSetOwnerThrowsForUnauthorisedUsers & testSetOwnerSucceedsForAnyUserWhenWildCardIsSpecified)

All the tests have passed in hadoop-azure in both secure and unsecure mode. Tested against
storage account in South India

> Restrict Access to setPermission operation when authorization is enabled in WASB
> --------------------------------------------------------------------------------
>
>                 Key: HADOOP-14899
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14899
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>            Reporter: Kannapiran Srinivasan
>            Assignee: Kannapiran Srinivasan
>              Labels: fs, secure, wasb
>         Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, HADOOP-14899-003.patch,
HADOOP-14899-004.patch
>
>
> In case of authorization enabled Wasb clusters, we need to restrict setting permissions
on files or folders to owner or list of privileged users.
> Currently in the WASB implementation even when authorization is enabled there is no check
happens while doing setPermission call. In this JIRA we would like to add the check on the
setPermission call in NativeAzureFileSystem implementation so that only owner or the privileged
list of users or daemon users can change the permissions of files/folders



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message