hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-5923) Do not persist the ACL bit in the FsPermission
Date Tue, 11 Feb 2014 21:59:24 GMT

     [ https://issues.apache.org/jira/browse/HDFS-5923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Chris Nauroth updated HDFS-5923:
--------------------------------

     Target Version/s: HDFS ACLs (HDFS-4685)
    Affects Version/s: HDFS ACLs (HDFS-4685)

+1 for the new proposal too.  If a future use case motivates it, we can safely re-introduce
the ACL bit, and it would be backwards-compatible.

> Do not persist the ACL bit in the FsPermission
> ----------------------------------------------
>
>                 Key: HDFS-5923
>                 URL: https://issues.apache.org/jira/browse/HDFS-5923
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: hdfs-client, namenode, security
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>         Attachments: HDFS-5923.000.patch
>
>
> The current implementation persists and ACL bit in FSImage and editlogs. Moreover, the
security decisions also depend on whether the bit is set.
> The problem here is that we have to maintain the implicit invariant, which is the ACL
bit is set if and only if the the inode has AclFeature. The invariant has to be maintained
everywhere otherwise it can lead to a security vulnerability. In the worst case, an attacker
can toggle the bit and bypass the ACL checks.
> The jira proposes to treat the ACL bit as a transient bit. The bit should not be persisted
onto the disk, neither it should affect any security decisions.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message