Return-Path: <common-issues-return-142587-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 617DB200D18
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 11 Oct 2017 20:52:06 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 5FFA3160BE3; Wed, 11 Oct 2017 18:52:06 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id A78C91609BB
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 11 Oct 2017 20:52:05 +0200 (CEST)
Received: (qmail 54279 invoked by uid 500); 11 Oct 2017 18:52:04 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 54267 invoked by uid 99); 11 Oct 2017 18:52:04 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 11 Oct 2017 18:52:04 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id D131A1A0EFA
	for <common-issues@hadoop.apache.org>; Wed, 11 Oct 2017 18:52:03 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -99.202
X-Spam-Level: 
X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001,
	SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024)
	with ESMTP id QuO7kDrjICRk for <common-issues@hadoop.apache.org>;
	Wed, 11 Oct 2017 18:52:02 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 862F55FE18
	for <common-issues@hadoop.apache.org>; Wed, 11 Oct 2017 18:52:02 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 4A6F5E00DF
	for <common-issues@hadoop.apache.org>; Wed, 11 Oct 2017 18:52:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 6AA68253A1
	for <common-issues@hadoop.apache.org>; Wed, 11 Oct 2017 18:52:00 +0000 (UTC)
Date: Wed, 11 Oct 2017 18:52:00 +0000 (UTC)
From: "Steve Loughran (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.13107466.1507284839000.31198.1507747920434@Atlassian.JIRA>
In-Reply-To: <JIRA.13107466.1507284839000@Atlassian.JIRA>
References: <JIRA.13107466.1507284839000@Atlassian.JIRA> <JIRA.13107466.1507284839132@jira-lw-us.apache.org>
Subject: [jira] [Commented] (HADOOP-14935) Azure: POSIX permissions are
 taking effect in access() method even when authorization is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Wed, 11 Oct 2017 18:52:06 -0000


    [ https://issues.apache.org/jira/browse/HADOOP-14935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16200755#comment-16200755 ] 

Steve Loughran commented on HADOOP-14935:
-----------------------------------------

Patch 003: patch 002 with some test tuning.

I'm happy with the production code, just getting those tests right in terms of coverage.


This is what I'v done the new test cases (But leaving the others ones alone) 

* used {{recursiveDelete}} as the delete operation in teardown, instead of {{allowRecursiveDelete; delete}}.
* stripped off the {{ContractTestUtils.}} prefix to the static methods from that class, as they are all imported now

This is what the new rename tests do.

+added more negative permissions tests; pulled out the probe into its own assert, with an error string generated if the tests actually work


TODO

* I want the tests to always check the get status auth path, which should be done by enabling the option in {{createConfiguration()}} the way we are now doing with the security settings. Otherwise this patch adds a new codepath which doesn't get tested in the unit tests unless/until someone looks at the code and remembers to do this. Having it turned on all the time should simplify the {{addAuthRuleGetFileStatus}} methods and give better coverage.
* testAccessWhenPermissionsMatch should be split into three separate. 
* I'm afraid you'll have to patch the new testRename tests to set up their permissions


Testing: Azure ireland. Everything worked, which makes me think that without the filestatus security enable, the tests aren't exploring the new checks (otherwise the new rename tests would fail, wouldn't they?)

[~snayak]: if you can pick up patch 002 & see what you can do about the todo list, we should be good to go in.

> Azure: POSIX permissions are taking effect in access() method even when authorization is enabled
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14935
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14935
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 2.9.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>         Attachments: HADOOP-14935-003.patch, HADOOP-14935.1.patch, HADOOP-14935.2.patch
>
>
> FileSystem implementation class for azure i.e. {{NativeAzureFileSystem}} does not override {{access(path,mode)}} method and uses the default implementation from the base class. This base implementaion uses the POSIX permissions to check if the requested user has access to given path or not even when authorization is enabled, which is incorrect.
> {{NativeAzureFileSystem.access()}} in authorization enabled mode should use the authorization mechanism provided instead of relying on the POSIX permission ons. So the proposal is to override {{FileSystem.access()}} method in {{NativeAzureFileSystem}} such that it honors the authorization mechanism configured in authorization enabled mode and falls back to POSIX permissions otherwise.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org