Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11322

key based ACL check in KMS always check KeyOpType.MANAGEMENT even actual KeyOpType is not MANAGEMENT

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.7.0
    • Component/s: security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      In the method checkAccess of class KeyAuthorizationKeyProvider, there is following code:

      private void checkAccess(String aclName, UserGroupInformation ugi,
            KeyOpType opType) throws AuthorizationException {
          Preconditions.checkNotNull(aclName, "Key ACL name cannot be null");
          Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
          if (acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) &&
              (acls.hasAccessToKey(aclName, ugi, opType)
                  || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL))) {
            return;
          }
      ...
      }
      

      Seems that

      acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) 

      should be replaced with

      acls.isACLPresent(aclName, opType) 

        Attachments

        1. HADOOP-11322.patch.2
          4 kB
          Dian Fu
        2. HADOOP-11322.patch
          1 kB
          Dian Fu

          Activity

            People

            • Assignee:
              dian.fu Dian Fu
              Reporter:
              dian.fu Dian Fu
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: