hadoop-common-issues mailing list archives

From "Thomas Marquardt (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15969) ABFS: getNamespaceEnabled can fail blocking user access thru ACLs
Date Tue, 04 Dec 2018 01:00:58 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16708035#comment-16708035 ]

Thomas Marquardt commented on HADOOP-15969:
-------------------------------------------

Thanks for the patch!  Some comments:

1) AzureBlobFileSystemStore.java L182 - perhaps we should use
AbfsHttpConstants.FORWARD_SLASH + AbfsHttpConstants.ROOT_PATH instead of "//" as that will
make it easier to find usage of root folder in the source code.  Also, eventually we can
clean this up and use a single /.  For now we have to use double // because of a bug in the
service.

2) Can we add test cases for the cases where it returns 200, 400, 403, and 404?  A 200 means
HNS is enabled, 400 means HNS is disabled, 403 means forbidden but should give a useful error
message, and 404 means the filesystem does not exist.

 

> ABFS: getNamespaceEnabled can fail blocking user access thru ACLs
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15969
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15969
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 3.2.0
>            Reporter: Da Zhou
>            Assignee: Da Zhou
>            Priority: Major
>         Attachments: HADOOP-15969-001.patch
>
>
> The Get Filesystem Properties operation requires Read permission to the Filesystem.
> Read permission to the Filesystem can only be granted thru RBAC, Shared Key, or SAS.  This
> prevents giving low privilege users access to specific files or directories within the filesystem.
> An administrator should be able to set an ACL on a file granting read permission to a user,
> without giving them read permission to the entire Filesystem.
> Fortunately there is another way to determine if HNS is enabled.  The Get Path Access
> Control (getAclStatus) operation only requires traversal access, and for the root folder /
> all authenticated users have traversal access.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
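
The four status codes listed in the comment above, written out as an added Java example with a self-checking `main` (this is not code from HADOOP-15969-001.patch or from the ABFS driver). The class, the method and the `rootAclProbe` stand-in for the Get Path Access Control call on the root folder are hypothetical names.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.util.function.IntSupplier;

// Added illustration only; none of these names are the ABFS driver's API.
public class NamespaceProbeExample {

    // rootAclProbe stands in for the Get Path Access Control request on the
    // root folder and returns the HTTP status code of the response.
    static boolean isNamespaceEnabled(IntSupplier rootAclProbe, String filesystem)
            throws IOException {
        int status = rootAclProbe.getAsInt();
        switch (status) {
            case 200:
                return true;   // HNS is enabled
            case 400:
                return false;  // HNS is disabled
            case 403:
                // Forbidden: report it clearly instead of guessing an HNS state.
                throw new AccessDeniedException(filesystem, null,
                        "forbidden (403) while reading the root folder ACL");
            case 404:
                throw new FileNotFoundException(
                        "filesystem " + filesystem + " does not exist (404)");
            default:
                throw new IOException("unexpected status " + status
                        + " while probing " + filesystem);
        }
    }

    // Runs one case against a stubbed status code and names the outcome.
    static String outcome(int status) {
        try {
            return String.valueOf(isNamespaceEnabled(() -> status, "constructed-fs"));
        } catch (IOException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        int[] statuses = {200, 400, 403, 404};  // constructed inputs
        String[] expected = {"true", "false", "AccessDeniedException", "FileNotFoundException"};
        for (int i = 0; i < statuses.length; i++) {
            String got = outcome(statuses[i]);
            if (!got.equals(expected[i])) {
                throw new AssertionError(statuses[i] + ": expected " + expected[i] + ", got " + got);
            }
            System.out.println(statuses[i] + " -> " + got);
        }
    }
}
```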
