hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nandakumar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-12038) Ozone: Non-admin user is unable to run InfoVolume to the volume owned by itself
Date Wed, 04 Oct 2017 08:36:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-12038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190992#comment-16190992

Nandakumar commented on HDFS-12038:

Thanks [~anu] for the ping, and thanks [~ljain] for taking this up and working on it.

As of KSM's current state we don't have any authorization mechanism in place, i.e we don't
do authorization on any client calls. Authorization of createVolume calls are done in OzoneHandler's
{{VolumeHandler}} (datanode REST server), this is not an ideal place to do it as RPC clients
will bypass this.
We have to authorize all the calls made to KSM in {{KeySpaceManager}}, which can be done in
another jira.

For this issue we should properly set {{client.setUserAuth(userName)}} which is not happening
in first place; If {{-root}} is not specified we are setting UserAuth as null  and HTTP header
{{Authorization}} is not set in the HttpGet request which is causing the issue.
As pointed out by [~cheersyang], we have to remove line 89 
Additionally we can add logic in {{VolumeProcessTemplate#getVolumeInfoResponse}} to check
if the user is admin or owner of the volume, with this we can make sure that unauthorized
user doesn't have access to InfoVolume calls. Still with RPC client anyone can make any calls.

> Ozone: Non-admin user is unable to run InfoVolume to the volume owned by itself
> -------------------------------------------------------------------------------
>                 Key: HDFS-12038
>                 URL: https://issues.apache.org/jira/browse/HDFS-12038
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: ozone
>            Reporter: Weiwei Yang
>            Assignee: Lokesh Jain
>              Labels: OzonePostMerge
>         Attachments: HDFS-12038-HDFS-7240.001.patch
> Reproduce steps
> 1. Create a volume with a non-admin user
> {code}
> hdfs oz -createVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei -root
-quota 2TB
> {code}
> 2. Run infoVolume command to get this volume info
> {noformat}
> hdfs oz -infoVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei
> Command Failed : {"httpCode":400,"shortMessage":"badAuthorization","resource":null,"message":"Missing
authorization or authorization has to be unique.","requestID":"221efb47-72b9-498d-ac19-907257428573","hostName":"ozone1.fyre.ibm.com"}
> {noformat}
> add {{-root}} to run as admin user could bypass this issue 
> {noformat}
> hdfs oz -infoVolume http://ozone1.fyre.ibm.com:9864/volume-wwei-0 -user wwei -root
> {
>   "owner" : {
>     "name" : "wwei"
>   },
>   "quota" : {
>     "unit" : "TB",
>     "size" : 2
>   },
>   "volumeName" : "volume-wwei-0",
>   "createdOn" : null,
>   "createdBy" : "hdfs"
> }
> {noformat}
> expecting: both volume owner and admin should be able to run infoVolume command.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org

View raw message