ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Abhay Kulkarni (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (RANGER-1707) Traverse check in RangerHdfsAuthorizer works incorrectly
Date Sat, 02 Dec 2017 23:21:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-1707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Abhay Kulkarni reassigned RANGER-1707:
--------------------------------------

    Assignee: Abhay Kulkarni  (was: Zsombor Gegesy)

> Traverse check in RangerHdfsAuthorizer works incorrectly
> --------------------------------------------------------
>
>                 Key: RANGER-1707
>                 URL: https://issues.apache.org/jira/browse/RANGER-1707
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 1.0.0
>            Reporter: Zsombor Gegesy
>            Assignee: Abhay Kulkarni
>              Labels: hdfs-2.8
>             Fix For: 1.0.0
>
>         Attachments: 0001-RANGER-1707-Fix-hdfs-traverse-check-which-problem-wa.patch,
RANGER-1707-2.patch, RANGER-1707-3.patch
>
>
> Traversal check in RangerHdfsAuthorizer works incorrectly, when it is asked for access
to /a/b/c.txt, it only checks that if there are a policy which grants EXEC to /a/b, but if
it there aren't any, then it doesn't check, if there is a policy which grants READ, WRITE
or EXEC to /a/b/c.txt explicitly, which would mean, that the path is accessible to the user.
>  This hasn't noticed by the current unit tests, because HDFS before 2.8.0 doesn't called
the traversal check before reading or writing a file, however it will cause problem with 2.8.0,
where FSDirectory.resolvePath will perform a mandatory traversal check.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message