[HDFS-11924] FSPermissionChecker.checkTraverse doesn't pass FsAction access properly - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Invalid
Affects Version/s: 2.8.0
Fix Version/s: None
Component/s: security
Labels:
- hdfs
- hdfspermission

Target Version/s:

2.8.2
Flags:

Patch

Description

In 2.7.1, during file access check, the AccessControlEnforcer is called with the access parameter filled with FsAction values.

A thread dump in this case:

	FSPermissionChecker.checkPermission(INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction, boolean) line: 189	
	FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction, boolean) line: 1698	
	FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction) line: 1682	
	FSDirectory.checkPathAccess(FSPermissionChecker, INodesInPath, FsAction) line: 1656	
	FSNamesystem.appendFileInternal(FSPermissionChecker, INodesInPath, String, String, boolean, boolean) line: 2668	
	FSNamesystem.appendFileInt(String, String, String, boolean, boolean) line: 2985	
	FSNamesystem.appendFile(String, String, String, EnumSet<CreateFlag>, boolean) line: 2952	
	NameNodeRpcServer.append(String, String, EnumSetWritable<CreateFlag>) line: 653	
	ClientNamenodeProtocolServerSideTranslatorPB.append(RpcController, ClientNamenodeProtocolProtos$AppendRequestProto) line: 421	
	ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(Descriptors$MethodDescriptor, RpcController, Message) line: not available	
	ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(RPC$Server, String, Writable, long) line: 616	
	ProtobufRpcEngine$Server(RPC$Server).call(RPC$RpcKind, String, Writable, long) line: 969	
	Server$Handler$1.run() line: 2049	
	Server$Handler$1.run() line: 2045	
	AccessController.doPrivileged(PrivilegedExceptionAction<T>, AccessControlContext) line: not available [native method]	
	Subject.doAs(Subject, PrivilegedExceptionAction<T>) line: 422	
	UserGroupInformation.doAs(PrivilegedExceptionAction<T>) line: 1657

However, in 2.8.0 this value is changed to null, because in FSPermissionChecker.checkTraverse(FSPermissionChecker pc, INodesInPath iip, boolean resolveLink) couldn't pass the required information, so it's simply use 'null'.

This is a regression between 2.7.1 and 2.8.0, because external AccessControlEnforcer couldn't work properly