hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jianfei Jiang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-13194) CachePool permissions incorrectly checked
Date Mon, 26 Feb 2018 14:24:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376935#comment-16376935
] 

Jianfei Jiang commented on HDFS-13194:
--------------------------------------

Disgree with [~hexiaoqiao], the fix still return without exception under the condition given
by [~linyiqun]. What you mentions may be like following. Separate the determine statements
to two \{{if}}.
{code:java}

public void checkPermission(CachePool pool, FsAction access)
    throws AccessControlException {
  FsPermission mode = pool.getMode();
  if (isSuperUser()) {
    return;
  } else if (getUser().equals(pool.getOwnerName())) {
    if (mode.getUserAction().implies(access)) {
      return;
    }
  } else if (isMemberOfGroup(pool.getGroupName())) {
    if (mode.getGroupAction().implies(access)) {
      return;
    }
  } else if (mode.getOtherAction().implies(access)) {
    return;
  }
  throw new AccessControlException("Permission denied while accessing pool "
      + pool.getPoolName() + ": user " + getUser() + " does not have "
      + access.toString() + " permissions.");
}
{code}
 

> CachePool permissions incorrectly checked
> -----------------------------------------
>
>                 Key: HDFS-13194
>                 URL: https://issues.apache.org/jira/browse/HDFS-13194
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Yiqun Lin
>            Priority: Major
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
>   public void checkPermission(CachePool pool, FsAction access)
>       throws AccessControlException {
>     FsPermission mode = pool.getMode();
>     if (isSuperUser()) {
>       return;
>     }
>     if (getUser().equals(pool.getOwnerName())
>         && mode.getUserAction().implies(access)) {
>       return;
>     }
>     if (isMemberOfGroup(pool.getGroupName())
>         && mode.getGroupAction().implies(access)) {
>       return;
>     }
>     // Following line seems incorrect,
>     // we should ensure current user is not belong the pool's owner or pool's group.
>     if (mode.getOtherAction().implies(access)) {
>       return;
>     }
>     throw new AccessControlException("Permission denied while accessing pool "
>         + pool.getPoolName() + ": user " + getUser() + " does not have "
>         + access.toString() + " permissions.");
>   }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group, permission mode:------rwx(007)),
then one user which named "test" or whose group is "test-group" can both access this pool.
But actually this is not allowed since permission for its owner or group is none.
>  The behavior of checking other user should be updated like this:
> {code:java}
>     if (!getUser().equals(pool.getOwnerName())
>         && !isMemberOfGroup(pool.getGroupName())
>         && mode.getOtherAction().implies(access)) {
>       return;
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org


Mime
View raw message