Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-11924

FSPermissionChecker.checkTraverse doesn't pass FsAction access properly

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 2.8.0
    • Fix Version/s: None
    • Component/s: security
    • Target Version/s:
    • Flags:
      Patch

      Description

      In 2.7.1, during file access check, the AccessControlEnforcer is called with the access parameter filled with FsAction values.

      A thread dump in this case:

      	FSPermissionChecker.checkPermission(INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction, boolean) line: 189	
	FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction, boolean) line: 1698	
	FSDirectory.checkPermission(FSPermissionChecker, INodesInPath, boolean, FsAction, FsAction, FsAction, FsAction) line: 1682	
	FSDirectory.checkPathAccess(FSPermissionChecker, INodesInPath, FsAction) line: 1656	
	FSNamesystem.appendFileInternal(FSPermissionChecker, INodesInPath, String, String, boolean, boolean) line: 2668	
	FSNamesystem.appendFileInt(String, String, String, boolean, boolean) line: 2985	
	FSNamesystem.appendFile(String, String, String, EnumSet<CreateFlag>, boolean) line: 2952	
	NameNodeRpcServer.append(String, String, EnumSetWritable<CreateFlag>) line: 653	
	ClientNamenodeProtocolServerSideTranslatorPB.append(RpcController, ClientNamenodeProtocolProtos$AppendRequestProto) line: 421	
	ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(Descriptors$MethodDescriptor, RpcController, Message) line: not available	
	ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(RPC$Server, String, Writable, long) line: 616	
	ProtobufRpcEngine$Server(RPC$Server).call(RPC$RpcKind, String, Writable, long) line: 969	
	Server$Handler$1.run() line: 2049	
	Server$Handler$1.run() line: 2045	
	AccessController.doPrivileged(PrivilegedExceptionAction<T>, AccessControlContext) line: not available [native method]	
	Subject.doAs(Subject, PrivilegedExceptionAction<T>) line: 422	
	UserGroupInformation.doAs(PrivilegedExceptionAction<T>) line: 1657

      However, in 2.8.0 this value is changed to null, because in FSPermissionChecker.checkTraverse(FSPermissionChecker pc, INodesInPath iip, boolean resolveLink) couldn't pass the required information, so it's simply use 'null'.

      This is a regression between 2.7.1 and 2.8.0, because external AccessControlEnforcer couldn't work properly

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              zsombor Zsombor Gegesy
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: