[RANGER-1707] Update RangerHdfsAuthorizer for changes in traverse checks since Hadoop 2.8 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.0
Fix Version/s: 1.0.0
Component/s: plugins
Labels:
- hdfs-2.8

Flags:

Patch

Description

Traversal check in RangerHdfsAuthorizer works incorrectly, when it is asked for access to /a/b/c.txt, it only checks that if there are a policy which grants EXEC to /a/b, but if it there aren't any, then it doesn't check, if there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly, which would mean, that the path is accessible to the user.
This hasn't noticed by the current unit tests, because HDFS before 2.8.0 doesn't called the traversal check before reading or writing a file, however it will cause problem with 2.8.0, where FSDirectory.resolvePath will perform a mandatory traversal check.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

RANGER-1707-3.patch
22/Nov/17 12:41
19 kB
Zsombor Gegesy
RANGER-1707-2.patch
21/Nov/17 16:38
19 kB
Zsombor Gegesy
0001-RANGER-1707-Fix-hdfs-traverse-check-which-problem-wa.patch
22/Jul/17 10:33
18 kB
Zsombor Gegesy

Issue Links

is duplicated by

RANGER-1894 Fix HDFS tests to work with Hadoop 3.0.0

Resolved

Activity

People

Assignee:: Abhay Kulkarni

Reporter:: Zsombor Gegesy

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Jul/17 09:48

Updated:: 06/Dec/17 01:47

Resolved:: 06/Dec/17 01:47