Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Not A Problem
-
2.7.4
-
None
-
None
Description
Steps to reproduce the issue.
As 'hdfs' superuser
– Create a folder (/hdptest/test) with 700 permissions and ( /hdptest/test/mydir) with 755.
--HDFS Ranger policy is defined with RWX for user "test" on /hdptest/test/ recursively.
--Allow snapshot on the directory /hdptest/test/mydir:
#su - test [test@node1 ~]$ hdfs dfs -ls /hdptest/test/mydir [test@node1 ~]$ hdfs dfs -mkdir /hdptest/test/mydir/test [test@node1 ~]$ hdfs dfs -put /etc/passwd /hdptest/test/mydir/test [test@node1 ~]$ hdfs lsSnapshottableDir drwxr-xr-x 0 test hdfs 0 2018-01-25 14:22 1 65536 /hdptest/test/mydir
-->Create Snapshot
[test@node1 ~]$ hdfs dfs -createSnapshot /hdptest/test/mydir Created snapshot /hdptest/test/mydir/.snapshot/s20180125-135430.953
-->Verifying that snapshot directory has the current files from directory and verify the file is accessible .snapshot path:
[test@node1 ~]$ hdfs dfs -ls -R /hdptest/test/mydir/.snapshot/s20180125-135430.953 drwxr-xr-x - test hdfs 0 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test -rw-r--r-- 3 test hdfs 3227 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd [test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail livytest:x:1015:496::/home/livytest:/bin/bash ehdpzepp:x:1016:496::/home/ehdpzepp:/bin/bash zepptest:x:1017:496::/home/zepptest:/bin/bash
-->Remove the file from main directory and verified that file is still accessible:
[test@node1 ~]$ hdfs dfs -rm /hdptest/test/mydir/test/passwd
18/01/25 13:55:06 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test/passwd' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test/passwd
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
livytest:x:1015:496::/home/livytest:/bin/bash
-->Remove the parent directory of the file which was deleted, now accessing the same file under .snapshot dir fails with permission denied error
[test@node1 ~]$ hdfs dfs -rm -r /hdptest/test/mydir/test 18/01/25 13:55:25 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test1516888525269 [test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail cat: Permission denied: user=test, access=EXECUTE, inode="/hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd":hdfs:hdfs:drwxr-x---
Ranger policies are not honored in this case for .snapshot directories/files after main directory is deleted under snapshotable directory.
Workaround is to provide execute permission at HDFS level for the parent folder
#su - hdfs #hdfs dfs -chmod 701 /hdptest/test
Attachments
Issue Links
- relates to
-
RANGER-2183 Use INodeAttribute information to authorize HDFS access
- Resolved