Date: Sun, 12 Oct 2014 03:36:34 +0000 (UTC)
From: "Enis Soztutar (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-12053) SecurityBulkLoadEndPoint set 777 permission on input data files

    [ https://issues.apache.org/jira/browse/HBASE-12053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168500#comment-14168500 ]

Enis Soztutar commented on HBASE-12053:
---------------------------------------

I'm +1 for this patch, but would be more comfortable if we can get another review. cc [~andrew.purtell@gmail.com], [~toffer].

> SecurityBulkLoadEndPoint set 777 permission on input data files
> ----------------------------------------------------------------
>
>                 Key: HBASE-12053
>                 URL: https://issues.apache.org/jira/browse/HBASE-12053
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Jeffrey Zhong
>            Assignee: Jeffrey Zhong
>             Fix For: 2.0.0, 0.98.8, 0.99.1
>
>         Attachments: HBASE-12053.patch
>
>
> We have code in SecureBulkLoadEndpoint#secureBulkLoadHFiles
> {code}
>   LOG.trace("Setting permission for: " + p);
>   fs.setPermission(p, PERM_ALL_ACCESS);
> {code}
> This is against the point we use staging folder for secure bulk load. Currently we create a hidden staging folder which has ALL_ACCESS permission and we use "doAs" to move input files into staging folder. Therefore, we should not set 777 permission on the original input data files but files in staging folder after move.
> This may compromise security setting especially when there is an error & we move the file with 777 permission back.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
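
The ordering problem described in the issue, as an added example that is not part of the original message or of HBase's code: a local-filesystem model in Python (no HDFS, no "doAs") that compares setting PERM_ALL_ACCESS before the move into staging with setting it after the move, when the load then fails and the file is moved back. The function names, the 0o640 starting mode, the simulated failure and the permission restore on rollback are assumptions of this example.

```python
import os
import stat
import tempfile

PERM_ALL_ACCESS = 0o777  # named after the constant quoted in the issue

def failing_load(staged):  # constructed failure standing in for a load error
    raise OSError("simulated load failure for " + staged)

def load_chmod_before_move(src, staging_dir, load):
    """Order the issue reports: widen the caller's input file, then move it."""
    os.chmod(src, PERM_ALL_ACCESS)        # original input file is now 777
    staged = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, staged)
    try:
        load(staged)
    except OSError:
        os.rename(staged, src)            # rollback hands back a 777 file
        raise

def load_chmod_after_move(src, staging_dir, load):
    """Order the issue asks for: move first, widen only the staged file."""
    original = stat.S_IMODE(os.stat(src).st_mode)
    staged = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, staged)
    os.chmod(staged, PERM_ALL_ACCESS)     # only the staged file is 777
    try:
        load(staged)
    except OSError:
        os.chmod(staged, original)        # assumption: restore before moving back
        os.rename(staged, src)
        raise

def mode_after_failed_load(loader):
    """Mode of the caller's input file after `loader` fails and rolls back."""
    with tempfile.TemporaryDirectory() as root:
        staging = tempfile.mkdtemp(dir=root)        # stands in for the staging folder
        src = os.path.join(root, "input.hfile")     # constructed sample file
        open(src, "w").close()
        os.chmod(src, 0o640)
        try:
            loader(src, staging, failing_load)
        except OSError:
            pass
        return stat.S_IMODE(os.stat(src).st_mode)

if __name__ == "__main__":
    for fn in (load_chmod_before_move, load_chmod_after_move):
        print(fn.__name__, oct(mode_after_failed_load(fn)))
```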