ranger-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Review Request 61062: RANGER-1707 : fix hdfs traverse check
Date Wed, 22 Nov 2017 12:11:50 GMT


> On Nov. 21, 2017, 4 p.m., Colm O hEigeartaigh wrote:
> > You could put some spaces into "for (int i=0;i<pathSegments.length;i++) {"
> > There's also an indentation issue on line 201 of RangerHdfsAuthorizerTest.
> > Other spacing issue here "ancestorIndex,plugin"
> > 
> > > for (FsAction action : Arrays.asList(FsAction.EXECUTE, FsAction.READ, FsAction.WRITE)) {
> > 
> > I think the FsAction.EXECUTE is not necessary here, as we are checking EXECUTE already in "traverseOnlyCheck".
> 
> Zsombor Gegesy wrote:
>     The trick is that there are different inodes used for the checks:
>     
>         final AuthzStatus status = isAccessAllowed(nodeToCheck, nodeAttribs, FsAction.EXECUTE, user, groups, plugin, auditHandler);
>         if (status == AuthzStatus.NOT_DETERMINED) {
>             return isAnyAccessAllowed(inode, inode, user, groups, plugin, auditHandler);
>         }
>     
>     First, we use 'nodeToCheck', which can be a parent or ancestor node, and in the loop, we use 'inode', which refers to the actual file.

OK, understood, thanks. The indentation issue is still there, now on line 224 of RangerHdfsAuthorizerTest (single tab character indent).


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61062/#review191583
-----------------------------------------------------------


On Nov. 21, 2017, 4:34 p.m., Zsombor Gegesy wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61062/
> -----------------------------------------------------------
> 
> (Updated Nov. 21, 2017, 4:34 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-1707
>     https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Fix the HDFS traverse check. The problem was hidden before HDFS 2.8.0, where the traverse checks are called
>      before reading and writing files, so if a policy is just about reading /tmp/somedir/somefile,
>      it means that traverse should be allowed to get to that file. Adding more tests to highlight the issue.
> 
> 
> Diffs
> -----
> 
>   hdfs-agent/pom.xml 9f6206013 
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5c2 
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/61062/diff/2/
> 
> 
> Testing
> -------
> 
> Tested locally
> https://travis-ci.org/gzsombor/ranger/builds/256331500
> 
> 
> Thanks,
> 
> Zsombor Gegesy
> 
>
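
The two-stage traverse decision discussed in this thread, as a self-contained model showing that a policy on the file alone is enough to allow traverse on its parent. This is an added example, not code from the Ranger patch; `TraverseCheckDemo`, `Policy`, the sample policies and the exact-path matching are assumptions made for illustration.

```java
import java.util.*;

// Hypothetical model of the traverse decision; not Ranger's classes or API.
public class TraverseCheckDemo {
    enum Action { READ, WRITE, EXECUTE }
    enum Status { ALLOW, NOT_DETERMINED }

    record Policy(String user, String path, Set<Action> actions) {}

    // Constructed sample policies: each grants access to the file only,
    // never to its parent directory.
    static final List<Policy> POLICIES = List.of(
        new Policy("alice", "/tmp/somedir/somefile", EnumSet.of(Action.READ)),
        new Policy("carol", "/tmp/somedir/somefile", EnumSet.of(Action.EXECUTE)));

    // Exact-path match only; real policy evaluation is richer than this.
    static Status isAccessAllowed(String path, Action action, String user) {
        for (Policy p : POLICIES) {
            if (p.user().equals(user) && p.path().equals(path) && p.actions().contains(action)) {
                return Status.ALLOW;
            }
        }
        return Status.NOT_DETERMINED;
    }

    // EXECUTE stays in this loop: it is evaluated on the file itself,
    // while the first check in traverseOnlyCheck ran on the ancestor.
    static Status isAnyAccessAllowed(String inode, String user) {
        for (Action action : List.of(Action.EXECUTE, Action.READ, Action.WRITE)) {
            if (isAccessAllowed(inode, action, user) == Status.ALLOW) {
                return Status.ALLOW;
            }
        }
        return Status.NOT_DETERMINED;
    }

    static Status traverseOnlyCheck(String nodeToCheck, String inode, String user) {
        Status status = isAccessAllowed(nodeToCheck, Action.EXECUTE, user);
        return status == Status.NOT_DETERMINED ? isAnyAccessAllowed(inode, user) : status;
    }

    public static void main(String[] args) {
        String dir = "/tmp/somedir", file = "/tmp/somedir/somefile";
        for (String user : List.of("alice", "carol", "bob")) {
            System.out.println(user + " traverse " + dir + " -> " + traverseOnlyCheck(dir, file, user));
        }
    }
}
```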

