Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-13205

Incorrect path is passed to checkPermission during authorization of file under a snapshot (specifically under a subdir) after original subdir is deleted

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Not A Problem
    • 2.7.4
    • None
    • snapshots
    • None

    Description

      Steps to reproduce the issue.

      As 'hdfs' superuser
      – Create a folder (/hdptest/test) with 700 permissions and ( /hdptest/test/mydir) with 755.

      --HDFS Ranger policy is defined  with RWX for user "test" on /hdptest/test/ recursively.

       --Allow snapshot on the directory  /hdptest/test/mydir: 

      #su - test
      [test@node1 ~]$ hdfs dfs -ls /hdptest/test/mydir
      [test@node1 ~]$ hdfs dfs -mkdir /hdptest/test/mydir/test
      [test@node1 ~]$ hdfs dfs -put /etc/passwd /hdptest/test/mydir/test
      [test@node1 ~]$ hdfs lsSnapshottableDir
      drwxr-xr-x 0 test hdfs 0 2018-01-25 14:22 1 65536 /hdptest/test/mydir
       
      

       

      -->Create Snapshot  

      [test@node1 ~]$ hdfs dfs -createSnapshot /hdptest/test/mydir
      Created snapshot /hdptest/test/mydir/.snapshot/s20180125-135430.953
      

       -->Verifying that snapshot directory has the current files from directory and verify the file is accessible  .snapshot path:  

      [test@node1 ~]$ hdfs dfs -ls -R /hdptest/test/mydir/.snapshot/s20180125-135430.953
      drwxr-xr-x   - test hdfs          0 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test
      -rw-r--r--   3 test hdfs       3227 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd
      [test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
      livytest:x:1015:496::/home/livytest:/bin/bash
      ehdpzepp:x:1016:496::/home/ehdpzepp:/bin/bash
      zepptest:x:1017:496::/home/zepptest:/bin/bash
      

       -->Remove the file from main directory and verified that file is still accessible:

      [test@node1 ~]$ hdfs dfs -rm /hdptest/test/mydir/test/passwd
      18/01/25 13:55:06 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test/passwd' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test/passwd
      [test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
      livytest:x:1015:496::/home/livytest:/bin/bash
      

       -->Remove the parent directory of the file which was deleted, now accessing the same file under .snapshot dir fails with permission denied error

      [test@node1 ~]$ hdfs dfs -rm -r /hdptest/test/mydir/test
      18/01/25 13:55:25 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test1516888525269
      [test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
      cat: Permission denied: user=test, access=EXECUTE, inode="/hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd":hdfs:hdfs:drwxr-x---
       
      

       Ranger policies are not honored in this case for .snapshot directories/files after main directory is deleted under snapshotable directory.

       Workaround is to provide execute permission at HDFS level for the parent folder 

      #su - hdfs
      #hdfs dfs -chmod 701 /hdptest/test
      

      Attachments

        Issue Links

          Activity

            People

              shashikant Shashikant Banerjee
              rguruvannagari Raghavender Rao Guruvannagari
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: