ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zsombor Gegesy (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1707) Traverse check in RangerHdfsAuthorizer works incorrectly
Date Fri, 13 Oct 2017 16:27:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16203795#comment-16203795
] 

Zsombor Gegesy commented on RANGER-1707:
----------------------------------------

Running the tests with 3.0.0-beta1 show the same, changed behaviour, which is fixed by this
patch. However, there will be other problems preventing a flawless upgrade to 3.0.
I've noticed that this needs hbase 2.0, which has breaking changes for Ranger, and the KMS
part is too in a bad shape. 

> Traverse check in RangerHdfsAuthorizer works incorrectly
> --------------------------------------------------------
>
>                 Key: RANGER-1707
>                 URL: https://issues.apache.org/jira/browse/RANGER-1707
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 1.0.0
>            Reporter: Zsombor Gegesy
>            Assignee: Zsombor Gegesy
>              Labels: hdfs-2.8
>             Fix For: 1.0.0
>
>         Attachments: 0001-RANGER-1707-Fix-hdfs-traverse-check-which-problem-wa.patch
>
>
> Traversal check in RangerHdfsAuthorizer works incorrectly, when it is asked for access
to /a/b/c.txt, it only checks that if there are a policy which grants EXEC to /a/b, but if
it there aren't any, then it doesn't check, if there is a policy which grants READ, WRITE
or EXEC to /a/b/c.txt explicitly, which would mean, that the path is accessible to the user.
>  This hasn't noticed by the current unit tests, because HDFS before 2.8.0 doesn't called
the traversal check before reading or writing a file, however it will cause problem with 2.8.0,
where FSDirectory.resolvePath will perform a mandatory traversal check.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message