VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments



      The HDFS spec requires only traverse checks for any file accessed via getFileStatus ... and since WASB does not support traverse checks, removing this call effectively removed all protections for the getFileStatus call. The reasoning at that time was that doing a performAuthCheck was the wrong thing to do, since it was going against the spec....and that the correct fix to the getFileStatus issue was to implement traverse checks rather than go against the spec by calling performAuthCheck. The side-effects of such a change were not fully clear at that time, but the thinking was that it was safer to remain true to the spec, as far as possible.
      The reasoning remains correct even today. But in view of the security hole introduced by this change (that anyone can load up any other user's data in hive), and keeping in mind that WASB does not intend to implement traverse checks, we propose a compromise.
      We propose (re)introducing a read-access check to getFileStatus(), that would check the existing ancestor for read-access whenever invoked. Although not perfect (in that it is a departure from the spec), we believe that it is a good compromise between having no checks at all; and implementing full-blown traverse checks.
      For scenarios that deal with intermediate folders like mkdirs, the call would check for read access against an existing ancestor (when invoked from shell) for intermediate non-existent folders – {{ mkdirs /foo/bar, where only "/" exists, would result in read-checks against "/" for "/","/foo" and "/foo/bar" }}. This can be thought of, as being a close-enough substitute for the traverse checks that hdfs does.
      For other scenarios that don't deal with non-existent intermediate folders – like read, delete etc, the check will happen against the parent. Once again, we can think of the read-check against the parent as a substitute for the traverse check, which can be customized for various users with ranger policies.


        1. HADOOP-14845.001.patch
          23 kB
          Sivaguru Sankaridurg
        2. HADOOP-14845.002.patch
          22 kB
          Sivaguru Sankaridurg
        3. HADOOP-14845.003.patch
          22 kB
          Sivaguru Sankaridurg
        4. HADOOP-14845-branch-2-001.patch.txt
          22 kB
          Sivaguru Sankaridurg
        5. HADOOP-14845-branch-2-002.patch
          22 kB
          Sivaguru Sankaridurg
        6. HADOOP-14845-branch-2-003.patch
          24 kB
          Sivaguru Sankaridurg
        7. HADOOP-14845.004.patch
          32 kB
          Sivaguru Sankaridurg
        8. HADOOP-14845-branch-2-005.patch
          21 kB
          Steve Loughran



            • Assignee:
     Sivaguru Sankaridurg
     Sivaguru Sankaridurg


              • Created:

                Issue deployment