hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14935) Azure: POSIX permissions are taking effect in access() method even when authorization is enabled
Date Wed, 11 Oct 2017 18:52:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16200755#comment-16200755
] 

Steve Loughran commented on HADOOP-14935:
-----------------------------------------

Patch 003: patch 002 with some test tuning.

I'm happy with the production code, just getting those tests right in terms of coverage.


This is what I'v done the new test cases (But leaving the others ones alone) 

* used {{recursiveDelete}} as the delete operation in teardown, instead of {{allowRecursiveDelete;
delete}}.
* stripped off the {{ContractTestUtils.}} prefix to the static methods from that class, as
they are all imported now

This is what the new rename tests do.

+added more negative permissions tests; pulled out the probe into its own assert, with an
error string generated if the tests actually work


TODO

* I want the tests to always check the get status auth path, which should be done by enabling
the option in {{createConfiguration()}} the way we are now doing with the security settings.
Otherwise this patch adds a new codepath which doesn't get tested in the unit tests unless/until
someone looks at the code and remembers to do this. Having it turned on all the time should
simplify the {{addAuthRuleGetFileStatus}} methods and give better coverage.
* testAccessWhenPermissionsMatch should be split into three separate. 
* I'm afraid you'll have to patch the new testRename tests to set up their permissions


Testing: Azure ireland. Everything worked, which makes me think that without the filestatus
security enable, the tests aren't exploring the new checks (otherwise the new rename tests
would fail, wouldn't they?)

[~snayak]: if you can pick up patch 002 & see what you can do about the todo list, we
should be good to go in.

> Azure: POSIX permissions are taking effect in access() method even when authorization
is enabled
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14935
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14935
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 2.9.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>         Attachments: HADOOP-14935-003.patch, HADOOP-14935.1.patch, HADOOP-14935.2.patch
>
>
> FileSystem implementation class for azure i.e. {{NativeAzureFileSystem}} does not override
{{access(path,mode)}} method and uses the default implementation from the base class. This
base implementaion uses the POSIX permissions to check if the requested user has access to
given path or not even when authorization is enabled, which is incorrect.
> {{NativeAzureFileSystem.access()}} in authorization enabled mode should use the authorization
mechanism provided instead of relying on the POSIX permission ons. So the proposal is to override
{{FileSystem.access()}} method in {{NativeAzureFileSystem}} such that it honors the authorization
mechanism configured in authorization enabled mode and falls back to POSIX permissions otherwise.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message