hadoop-common-issues mailing list archives

From "Santhosh G Nayak (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14935) Azure: POSIX permissions are taking effect in access() method even when authorization is enabled
Date Wed, 11 Oct 2017 13:09:00 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Santhosh G Nayak updated HADOOP-14935:
    Attachment: HADOOP-14935.2.patch

Thanks [~stevel@apache.org] for initial review.

Attaching v2 patch addressing the review comments. I have tested the patch against {{Azure
South India}} storage endpoint.

This patch includes a new option for getFileStatus "fs.azure.enable.authorization.getfilestatus".
What is this, why is it needed, and why isn't it its own patch?
And, given that HADOOP-14845 only added this code last week, how stable is all of this?

The main motivation for HADOOP-14845 is to work around the security issue (that anyone can
load up any other user's data in Hive). The thinking was that {{READ}} permission can be used
as a replacement for the traverse {{EXECUTE}} permission at one level, which protects from the security
issue. It was just a *compromise*, as is precisely stated in the JIRA.

Recently, it was discovered that Hive has been using the {{FileSystem.access()}} method for checking
the access permissions instead of directly using {{getFileStatus()}} on the path. So, implementing
{{NativeAzureFileSystem.access()}} should fix this security issue. Also, using {{READ}} permission
for {{getFileStatus()}} is unintuitive and the number of policies to configure increases without
having any additional benefit.

Ideally, we should remove the authorization check from {{getFileStatus()}} altogether. But
we do not know if any applications use {{getFileStatus()}} instead of the {{access()}} method,
which could lead to a security issue (if any). So, adding the {{fs.azure.enable.authorization.getfilestatus}}
configuration property to enable/disable this feature, so that we can quickly fall back to
the compromise proposed in HADOOP-14845.

javadocs to Access to explicitly declare that AccessControlException is raised on access control,
FNFE if the file is not present; same as the superclass. Maybe just use the {@inheritDoc}
tag to do this.
Removed the javadoc from the derived {{access()}} method, so that it can inherit it from the
base class method.

if it's just formatting changes, let's leave the changes to getFileStatus out: keeps the merge
complexity down.
Configuration property {{fs.azure.enable.authorization.getfilestatus}} to enable/disable the
authorization on {{getFileStatus()}} is added.

{{testAccessFileDoesNotExist}} doesn't reset permissions. It does not matter as {{authorizer}}
is initialized in every test.

Added tests for the following scenarios:
- To verify that execute isn't validated in {{TestNativeAzureFileSystemAuthorization.testAccessWhenPermissionsMatch()}}.
- To verify that permission on the intermediate directory, when a file is created under a
directory which does not exist and owner policy is enabled.
- To verify if FNFE is raised when {{access()}} is called on file having no permission and
does not exist.
- For all the permission combinations.

Fixed checkstyle related issues as well.

> Azure: POSIX permissions are taking effect in access() method even when authorization
is enabled
> ------------------------------------------------------------------------------------------------
>                 Key: HADOOP-14935
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14935
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 2.9.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>         Attachments: HADOOP-14935.1.patch, HADOOP-14935.2.patch
> FileSystem implementation class for azure i.e. {{NativeAzureFileSystem}} does not override
{{access(path,mode)}} method and uses the default implementation from the base class. This
base implementation uses the POSIX permissions to check if the requested user has access to
given path or not even when authorization is enabled, which is incorrect.
> {{NativeAzureFileSystem.access()}} in authorization enabled mode should use the authorization
mechanism provided instead of relying on the POSIX permissions. So the proposal is to override
{{FileSystem.access()}} method in {{NativeAzureFileSystem}} such that it honors the authorization
mechanism configured in authorization enabled mode and falls back to POSIX permissions otherwise.

This message was sent by Atlassian JIRA
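
Added example, not part of the original message and not code from the HADOOP-14935 patch: a self-contained Java model of the decision the issue description asks for, where access() consults the configured authorizer when authorization is enabled, falls back to POSIX bits otherwise, and raises FNFE for a missing path. All class, interface and path names are hypothetical, and java.nio.file.AccessDeniedException stands in for Hadoop's AccessControlException.

```java
import java.io.FileNotFoundException;
import java.nio.file.AccessDeniedException;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Added illustration, not Hadoop source. All names are hypothetical; needs Java 16+ (records).
public class AccessCheckModel {
    enum Action { READ, WRITE, EXECUTE }
    // Stand-in for the authorization mechanism configured in authorization-enabled mode.
    interface Authorizer { boolean authorize(String path, Action action, String user); }
    // POSIX-style metadata reported for a path.
    record Entry(String owner, Set<Action> ownerPerms, Set<Action> otherPerms) {}

    private final Map<String, Entry> files;
    private final boolean authorizationEnabled;
    private final Authorizer authorizer;

    AccessCheckModel(Map<String, Entry> files, boolean enabled, Authorizer authorizer) {
        this.files = files; this.authorizationEnabled = enabled; this.authorizer = authorizer;
    }

    void access(String path, Action mode, String user)
            throws FileNotFoundException, AccessDeniedException {
        Entry e = files.get(path);
        if (e == null) throw new FileNotFoundException(path);  // missing path reported as FNFE
        boolean allowed = authorizationEnabled
                ? authorizer.authorize(path, mode, user)       // POSIX bits are not consulted
                : (user.equals(e.owner()) ? e.ownerPerms() : e.otherPerms()).contains(mode);
        if (!allowed) throw new AccessDeniedException(path, null, user + " denied " + mode);
    }

    static String check(AccessCheckModel fs, String path, Action mode, String user) {
        try { fs.access(path, mode, user); return "ALLOWED"; }
        catch (FileNotFoundException ex) { return "NOT_FOUND"; }
        catch (AccessDeniedException ex) { return "DENIED"; }
    }

    public static void main(String[] args) {
        // Constructed sample: permissive POSIX bits, but the policy grants only alice READ.
        Set<Action> all = EnumSet.allOf(Action.class);
        Map<String, Entry> ns = Map.of("/warehouse/t1", new Entry("alice", all, all));
        Authorizer policy = (p, a, u) -> u.equals("alice") && a == Action.READ;
        AccessCheckModel posixOnly = new AccessCheckModel(ns, false, policy);  // reported behaviour
        AccessCheckModel authorized = new AccessCheckModel(ns, true, policy);  // proposed behaviour
        System.out.println("POSIX only, bob READ: " + check(posixOnly, "/warehouse/t1", Action.READ, "bob"));
        System.out.println("authorizer, bob READ: " + check(authorized, "/warehouse/t1", Action.READ, "bob"));
        System.out.println("authorizer, missing:  " + check(authorized, "/warehouse/none", Action.READ, "bob"));
    }
}
```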
