hadoop-hdfs-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HDFS-5923) Do not persist the ACL bit in the FsPermission
Date Wed, 12 Feb 2014 22:58:21 GMT

     [ https://issues.apache.org/jira/browse/HDFS-5923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Nauroth resolved HDFS-5923.
---------------------------------

       Resolution: Fixed
    Fix Version/s: HDFS ACLs (HDFS-4685)
     Hadoop Flags: Reviewed

+1 for the patch.  Thanks for addressing the feedback.

In addition to the automated tests, I manually tested upgrading a NameNode with edits from
a trunk build to an HDFS-4685 build.  The latest patch loaded the existing {{OP_ADD}} and {{OP_MKDIR}}
ops with no problem.

I've committed this to the HDFS-4685 branch.

> Do not persist the ACL bit in the FsPermission
> ----------------------------------------------
>
>                 Key: HDFS-5923
>                 URL: https://issues.apache.org/jira/browse/HDFS-5923
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: hdfs-client, namenode, security
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>             Fix For: HDFS ACLs (HDFS-4685)
>
>         Attachments: HDFS-5923.000.patch, HDFS-5923.001.patch, HDFS-5923.002.patch, HDFS-5923.003.patch, HDFS-5923.004.patch
>
>
> The current implementation persists an ACL bit in FSImage and editlogs. Moreover, the security decisions also depend on whether the bit is set.
> The problem here is that we have to maintain the implicit invariant, which is that the ACL bit is set if and only if the inode has AclFeature. The invariant has to be maintained everywhere, otherwise it can lead to a security vulnerability. In the worst case, an attacker can toggle the bit and bypass the ACL checks.
> The jira proposes to treat the ACL bit as a transient bit. The bit should not be persisted onto the disk, nor should it affect any security decisions.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
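
The invariant problem described in the issue, as an added Python sketch that is not part of the original message and is not Hadoop code: a check that trusts a persisted flag changes its answer when the flag and the ACL entries disagree, while a check that derives the flag from the entries does not. The record layout, the flag position `ACL_BIT`, the sample records and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MODE_MASK = 0o7777   # permission bits that belong on disk
ACL_BIT = 1 << 12    # assumed flag position, just above the mode bits


@dataclass
class Inode:
    owner: str
    mode: int                                # mode bits only, never the flag
    acl: dict = field(default_factory=dict)  # user -> rwx bits; empty means no ACL

    @property
    def acl_bit(self):
        # Transient: recomputed from the authoritative state, so it cannot drift.
        return bool(self.acl)


def load(record):
    # Mask off everything above the mode bits; a flag in an old or altered
    # record is dropped instead of being trusted.
    return Inode(record["owner"], record["perm"] & MODE_MASK,
                 dict(record.get("acl", {})))


def save(inode):
    # The flag is never written back.
    return {"owner": inode.owner, "perm": inode.mode & MODE_MASK,
            "acl": dict(inode.acl)}


def _mode_read(owner, mode, user):
    return bool(mode & (0o400 if user == owner else 0o004))


def can_read(inode, user):
    # Decision depends on the ACL entries themselves, not on any flag.
    if user != inode.owner and user in inode.acl:
        return bool(inode.acl[user] & 0o4)
    return _mode_read(inode.owner, inode.mode, user)


def can_read_trusting_bit(record, user):
    # 'Before' behaviour from the issue: the persisted flag gates the ACL check.
    acl = record.get("acl", {})
    if record["perm"] & ACL_BIT and user != record["owner"] and user in acl:
        return bool(acl[user] & 0o4)
    return _mode_read(record["owner"], record["perm"], user)


# Constructed records: the second and third break "bit set iff ACL present".
CONSISTENT = {"owner": "alice", "perm": 0o644 | ACL_BIT, "acl": {"bob": 0}}
BIT_CLEARED = {"owner": "alice", "perm": 0o644, "acl": {"bob": 0}}
BIT_ONLY = {"owner": "alice", "perm": 0o640 | ACL_BIT}
```

With `BIT_CLEARED`, the flag-trusting check falls back to the mode bits and grants the read that the ACL entry denies; `can_read(load(...))` returns the same answer for `CONSISTENT` and `BIT_CLEARED`.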
