Details
-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Invalid
-
Affects Version/s: 2.8.0
-
Fix Version/s: None
-
Component/s: security
-
Labels:
-
Target Version/s:
-
Flags:Patch
Description
In 2.7.1, during file access check, the AccessControlEnforcer is called with the access parameter filled with FsAction values.
A thread dump in this case:
FSPermissionChecker.checkPermission(INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction, boolean) line: 189 FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction, boolean) line: 1698 FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction) line: 1682 FSDirectory.checkPathAccess(FSPermissionChecker, INodesInPath, FsAction) line: 1656 FSNamesystem.appendFileInternal(FSPermissionChecker, INodesInPath, String, String, boolean, boolean) line: 2668 FSNamesystem.appendFileInt(String, String, String, boolean, boolean) line: 2985 FSNamesystem.appendFile(String, String, String, EnumSet<CreateFlag>, boolean) line: 2952 NameNodeRpcServer.append(String, String, EnumSetWritable<CreateFlag>) line: 653 ClientNamenodeProtocolServerSideTranslatorPB.append(RpcController, ClientNamenodeProtocolProtos$AppendRequestProto) line: 421 ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(Descriptors$MethodDescriptor, RpcController, Message) line: not available ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(RPC$Server, String, Writable, long) line: 616 ProtobufRpcEngine$Server(RPC$Server).call(RPC$RpcKind, String, Writable, long) line: 969 Server$Handler$1.run() line: 2049 Server$Handler$1.run() line: 2045 AccessController.doPrivileged(PrivilegedExceptionAction<T>, AccessControlContext) line: not available [native method] Subject.doAs(Subject, PrivilegedExceptionAction<T>) line: 422 UserGroupInformation.doAs(PrivilegedExceptionAction<T>) line: 1657
However, in 2.8.0 this value is changed to null, because in FSPermissionChecker.checkTraverse(FSPermissionChecker pc, INodesInPath iip, boolean resolveLink) couldn't pass the required information, so it's simply use 'null'.
This is a regression between 2.7.1 and 2.8.0, because external AccessControlEnforcer couldn't work properly
