  1. Hadoop Common
  2. HADOOP-11337

KeyAuthorizationKeyProvider access checks need to be done atomically

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.0
    • Component/s: None
    • Labels:
      None
    • Target Version/s:

      Description

      In KeyAuthorizationKeyProvider#getMetadata, it first calls KeyAuthorizationKeyProvider#doAccessCheck to check whether the client has permission to perform this operation. However, if the metadata is null when KeyAuthorizationKeyProvider#doAccessCheck is called and becomes non-null after KeyAuthorizationKeyProvider#doAccessCheck is called, the key-based ACL check will be skipped. The getMetadata operation should be atomic.

        public Metadata getMetadata(String name) throws IOException {
          doAccessCheck(name, KeyOpType.READ);
          return provider.getMetadata(name);
        }
      
        private void doAccessCheck(String keyName, KeyOpType opType) throws
            IOException {
          Metadata metadata = provider.getMetadata(keyName);
          if (metadata != null) {
            String aclName = metadata.getAttributes().get(KEY_ACL_NAME);
            checkAccess((aclName == null) ? keyName : aclName, getUser(), opType);
          }
        }
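
The check-then-read gap described above, reproduced deterministically next to a version that checks and reads under one read lock. This is an added example, not code from the Hadoop project or from the attached patch; `AclRaceDemo`, `lookup`, `createKey`, `concurrentWriter` and the prefix-based ACL rule are hypothetical stand-ins, and the sample key and users are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.locks.ReentrantReadWriteLock;

// Added example: every name here is a hypothetical stand-in, not a Hadoop class.
public class AclRaceDemo {
    static final ReentrantReadWriteLock LOCK = new ReentrantReadWriteLock();
    static final Map<String, String> keys = new HashMap<>(); // key name -> ACL name
    static Runnable concurrentWriter = () -> {};             // fires once, after the next lookup

    // Writer that honours the lock; tryLock fails while any read lock is held.
    static void createKey(String name, String acl) {
        if (!LOCK.writeLock().tryLock()) return; // a real writer would block here instead
        try { keys.put(name, acl); } finally { LOCK.writeLock().unlock(); }
    }

    static String lookup(String name) {
        String acl = keys.get(name);
        Runnable w = concurrentWriter;
        concurrentWriter = () -> {};
        w.run();                                 // constructed interleaving point
        return acl;
    }

    static void checkAccess(String acl, String user) {
        if (!acl.startsWith(user)) throw new SecurityException(user + " denied by " + acl);
    }

    // Pattern from the report: the check and the read are separate lookups.
    static String racyGet(String name, String user) {
        String acl = lookup(name);
        if (acl != null) checkAccess(acl, user); // skipped when the key does not exist yet
        return lookup(name);                     // a key created in between is returned unchecked
    }

    // Check and read under one read lock, returning the same object that was checked.
    static String atomicGet(String name, String user) {
        LOCK.readLock().lock();
        try {
            String acl = lookup(name);
            if (acl != null) checkAccess(acl, user);
            return acl;
        } finally { LOCK.readLock().unlock(); }
    }

    public static void main(String[] args) {
        concurrentWriter = () -> createKey("k1", "alice-acl"); // constructed key and ACL
        System.out.println("racy, user bob:   " + racyGet("k1", "bob"));
        keys.clear();
        concurrentWriter = () -> createKey("k1", "alice-acl");
        System.out.println("atomic, user bob: " + atomicGet("k1", "bob"));
    }
}
```

In the racy path the writer lands between the two lookups, so user `bob` receives the entry guarded by `alice-acl` without `checkAccess` ever running; in the locked path the writer cannot acquire the write lock during the check-and-read, so the caller only ever sees the state that was checked.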
      

        Attachments

        1. HADOOP-11337.patch
          7 kB
          Dian Fu

            People

            • Assignee:
              dian.fu Dian Fu
              Reporter:
              dian.fu Dian Fu