hadoop-hdfs-dev mailing list archives

From "Raghavender Rao Guruvannagari (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-13205) Incorrect path is passed to checkPermission during authorization of file under a snapshot (specifically under a subdir) after original subdir is deleted
Date Wed, 28 Feb 2018 14:48:00 GMT
Raghavender Rao Guruvannagari created HDFS-13205:
----------------------------------------------------

             Summary: Incorrect path is passed to checkPermission during authorization of file under a snapshot (specifically under a subdir) after original subdir is deleted
                 Key: HDFS-13205
                 URL: https://issues.apache.org/jira/browse/HDFS-13205
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: hdfs
    Affects Versions: 2.7.4
            Reporter: Raghavender Rao Guruvannagari


Steps to reproduce the issue.

+As 'hdfs' superuser+ 
-- Create a folder (/hdptest/test) with 700 permissions and (/hdptest/test/mydir) with 755.

-- HDFS Ranger policy is defined with RWX for user "test" on /hdptest/test/ recursively.

-- Allow snapshot on the directory /hdptest/test/mydir:

{code:java}
#su - test
[test@node1 ~]$ hdfs dfs -ls /hdptest/test/mydir
[test@node1 ~]$ hdfs dfs -mkdir /hdptest/test/mydir/test
[test@node1 ~]$ hdfs dfs -put /etc/passwd /hdptest/test/mydir/test
[test@node1 ~]$ hdfs lsSnapshottableDir
drwxr-xr-x 0 test hdfs 0 2018-01-25 14:22 1 65536 /hdptest/test/mydir
 
{code}
 

--> Create snapshot:

{code:java}
[test@node1 ~]$ hdfs dfs -createSnapshot /hdptest/test/mydir
Created snapshot /hdptest/test/mydir/.snapshot/s20180125-135430.953
{code}
 

 

--> Verify that the snapshot directory has the current files from the directory and that the file is accessible through the .snapshot path:

{code:java}
[test@node1 ~]$ hdfs dfs -ls -R /hdptest/test/mydir/.snapshot/s20180125-135430.953
drwxr-xr-x   - test hdfs          0 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test
-rw-r--r--   3 test hdfs       3227 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
livytest:x:1015:496::/home/livytest:/bin/bash
ehdpzepp:x:1016:496::/home/ehdpzepp:/bin/bash
zepptest:x:1017:496::/home/zepptest:/bin/bash
{code}
 

 

--> Remove the file from the main directory and verify that the file is still accessible:

{code:java}
[test@node1 ~]$ hdfs dfs -rm /hdptest/test/mydir/test/passwd
18/01/25 13:55:06 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test/passwd' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test/passwd
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
livytest:x:1015:496::/home/livytest:/bin/bash
{code}
 

 

--> Remove the parent directory of the file which was deleted; accessing the same file under the .snapshot dir now fails with a permission denied error:

{code:java}
[test@node1 ~]$ hdfs dfs -rm -r /hdptest/test/mydir/test
18/01/25 13:55:25 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test1516888525269
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
cat: Permission denied: user=test, access=EXECUTE, inode="/hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd":hdfs:hdfs:drwxr-x---
{code}
 

Ranger policies are not honored in this case for .snapshot directories/files after the main directory is deleted under the snapshottable directory.

The workaround is to provide execute permission at the HDFS level for the parent folder:

{code:java}
#su - hdfs
#hdfs dfs -chmod 701 /hdptest/test
{code}
 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
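
Added triage example (not part of the original report and not Hadoop or Ranger code): it parses the `Permission denied` line and the `hdfs dfs -ls -R` lines quoted in the report and checks whether the owner, group and mode in the denial match the listing entry for the path the denial names. The function and variable names are hypothetical; the sample lines are copied from the report.

```python
import re

# Sample input copied from the report: the snapshot listing, then the denial.
LISTING = """\
drwxr-xr-x   - test hdfs          0 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test
-rw-r--r--   3 test hdfs       3227 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd
"""
DENIAL = ('cat: Permission denied: user=test, access=EXECUTE, '
          'inode="/hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd"'
          ':hdfs:hdfs:drwxr-x---')

# mode, replication, owner, group, size, date, time, path
LS_RE = re.compile(r'^(?P<mode>[-d][rwxtT-]{9})\s+\S+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
                   r'\s+\d+\s+\S+\s+\S+\s+(?P<path>/.*)$')
DENY_RE = re.compile(r'Permission denied: user=(?P<user>[^,]+), access=(?P<access>\w+), '
                     r'inode="(?P<path>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):(?P<mode>\S+)')


def parse_listing(text):
    """Map path -> (owner, group, mode) from `hdfs dfs -ls -R` output."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries[m['path']] = (m['owner'], m['group'], m['mode'])
    return entries


def triage(denial, listing):
    """Compare the inode attributes in a denial with the listing entry for the same path."""
    m = DENY_RE.search(denial)
    if not m:
        return None  # not a permission-denied line
    reported = (m['owner'], m['group'], m['mode'])
    expected = parse_listing(listing).get(m['path'])
    return {
        'user': m['user'],
        'access': m['access'],
        'path': m['path'],
        'in_snapshot': '/.snapshot/' in m['path'],
        'reported': reported,   # attributes printed in the denial
        'expected': expected,   # attributes the listing shows for that path
        # True when the denial's attributes differ from the listing for the named path
        'attrs_mismatch': expected is not None and expected != reported,
    }


if __name__ == '__main__':
    for key, value in triage(DENIAL, LISTING).items():
        print(f'{key}: {value}')
```

On the report's own lines the denial names the snapshot copy of passwd, which the listing shows as a file owned by test:hdfs, while the attributes printed in the denial are those of a directory owned by hdfs:hdfs.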
