ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly
Date Tue, 05 Dec 2017 23:45:11 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/
-----------------------------------------------------------

(Updated Dec. 5, 2017, 11:45 p.m.)


Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan Neethiraj, Ramesh Mani,
and Velmurugan Periasamy.


Changes
-------

Addressed review comments


Bugs: RANGER-1707
    https://issues.apache.org/jira/browse/RANGER-1707


Repository: ranger


Description
-------

Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked for access to
/a/b/c.txt, it only checks whether there is a policy which grants EXEC to /a/b, but if
there isn't any, then it doesn't check whether there is a policy which grants READ, WRITE or
EXEC to /a/b/c.txt explicitly, which would mean that the path is accessible to the user.
This hasn't been noticed by the current unit tests, because HDFS before 2.8.0 didn't call the
traversal check before reading or writing a file; however, it will cause problems with 2.8.0,
where FSDirectory.resolvePath will perform a mandatory traversal check.

This patch is based on the patch submitted for review (https://reviews.apache.org/r/61062/)
with the following modifications:
1. If the traversal check (check for EXECUTE on the parent/ancestor if the resource is a file)
does not fail with an explicit DENY by Ranger Authorizer, then it is presumed to have succeeded
without any further checks and no audit record is created. If it fails with DENY, then the
authorization fails and an audit record is created.
2. Test policies in hdfs-policies.json and test cases (RangerHdfsAuthorizerTest) are modified
to test for the explicit DENY case.


Diffs (updated)
-----

  hdfs-agent/pom.xml 87ba777
  hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION


Diff: https://reviews.apache.org/r/64228/diff/3/

Changes: https://reviews.apache.org/r/64228/diff/2-3/


Testing
-------

Unit tested with HDFS versions 2.7.1 and 3.0.0.


Thanks,

Abhay Kulkarni
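
A simplified model of the traversal rule in the description above, added here as an illustration; it is not code from the patch or from Ranger. The class and method names, the exact-match policy lookup, the deny-overrides-allow ordering and the sample policies are assumptions, and the model checks only the immediate parent directory (Java 16+ for records).

```java
import java.util.*;

// Simplified model of the rule in the description; not Ranger code. All names are hypothetical.
public class TraversalModel {
    enum Decision { ALLOW, DENY, NOT_DETERMINED }
    // Constructed policy: one path, one user, one access type, allow or explicit deny.
    record Policy(String path, String user, String access, boolean deny) {}

    final List<Policy> policies;
    final List<String> audit = new ArrayList<>();
    TraversalModel(List<Policy> policies) { this.policies = policies; }

    // Assumption of this model: an explicit deny overrides any allow.
    Decision evaluate(String path, String user, String access) {
        Decision result = Decision.NOT_DETERMINED;
        for (Policy p : policies) {
            if (!p.path().equals(path) || !p.user().equals(user) || !p.access().equals(access)) continue;
            if (p.deny()) return Decision.DENY;
            result = Decision.ALLOW;
        }
        return result;
    }

    // Traversal: EXECUTE on the parent directory. Only an explicit DENY fails, and
    // only that case is audited; ALLOW and NOT_DETERMINED pass with no audit record.
    boolean traverse(String file, String user) {
        int slash = file.lastIndexOf('/');
        String parent = slash <= 0 ? "/" : file.substring(0, slash);
        if (evaluate(parent, user, "EXECUTE") != Decision.DENY) return true;
        audit.add("DENIED EXECUTE " + parent + " user=" + user);
        return false;
    }

    // Model simplification: no fallback to native HDFS permissions when undetermined.
    boolean canAccess(String file, String user, String access) {
        if (!traverse(file, user)) return false;
        boolean allowed = evaluate(file, user, access) == Decision.ALLOW;
        audit.add((allowed ? "ALLOWED " : "DENIED ") + access + " " + file + " user=" + user);
        return allowed;
    }

    public static void main(String[] args) {
        TraversalModel m = new TraversalModel(List.of(   // constructed sample policies
            new Policy("/a/b/c.txt", "alice", "READ", false),
            new Policy("/a/b/c.txt", "bob", "READ", false),
            new Policy("/a/b", "bob", "EXECUTE", true)));
        System.out.println("alice READ: " + m.canAccess("/a/b/c.txt", "alice", "READ"));
        System.out.println("bob READ:   " + m.canAccess("/a/b/c.txt", "bob", "READ"));
        m.audit.forEach(System.out::println);
    }
}
```

In this model alice has no policy on /a/b, so her traversal is undetermined and passes silently before the file-level READ policy is evaluated, while bob is stopped at the parent by the explicit deny and that denial is the only traversal event written to the audit list.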

