[HDFS-13205] Incorrect path is passed to checkPermission during authorization of file under a snapshot (specifically under a subdir) after original subdir is deleted - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Not A Problem
Affects Version/s: 2.7.4
Fix Version/s: None
Component/s: snapshots
Labels:
None

Description

Steps to reproduce the issue.

As 'hdfs' superuser
– Create a folder (/hdptest/test) with 700 permissions and ( /hdptest/test/mydir) with 755.

--HDFS Ranger policy is defined with RWX for user "test" on /hdptest/test/ recursively.

--Allow snapshot on the directory /hdptest/test/mydir:

#su - test
[test@node1 ~]$ hdfs dfs -ls /hdptest/test/mydir
[test@node1 ~]$ hdfs dfs -mkdir /hdptest/test/mydir/test
[test@node1 ~]$ hdfs dfs -put /etc/passwd /hdptest/test/mydir/test
[test@node1 ~]$ hdfs lsSnapshottableDir
drwxr-xr-x 0 test hdfs 0 2018-01-25 14:22 1 65536 /hdptest/test/mydir

-->Create Snapshot

[test@node1 ~]$ hdfs dfs -createSnapshot /hdptest/test/mydir
Created snapshot /hdptest/test/mydir/.snapshot/s20180125-135430.953

-->Verifying that snapshot directory has the current files from directory and verify the file is accessible .snapshot path:

[test@node1 ~]$ hdfs dfs -ls -R /hdptest/test/mydir/.snapshot/s20180125-135430.953
drwxr-xr-x   - test hdfs          0 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test
-rw-r--r--   3 test hdfs       3227 2018-01-25 13:53 /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
livytest:x:1015:496::/home/livytest:/bin/bash
ehdpzepp:x:1016:496::/home/ehdpzepp:/bin/bash
zepptest:x:1017:496::/home/zepptest:/bin/bash

-->Remove the file from main directory and verified that file is still accessible:

[test@node1 ~]$ hdfs dfs -rm /hdptest/test/mydir/test/passwd
18/01/25 13:55:06 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test/passwd' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test/passwd
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
livytest:x:1015:496::/home/livytest:/bin/bash

-->Remove the parent directory of the file which was deleted, now accessing the same file under .snapshot dir fails with permission denied error

[test@node1 ~]$ hdfs dfs -rm -r /hdptest/test/mydir/test
18/01/25 13:55:25 INFO fs.TrashPolicyDefault: Moved: 'hdfs://rangerSME/hdptest/test/mydir/test' to trash at: hdfs://rangerSME/user/test/.Trash/Current/hdptest/test/mydir/test1516888525269
[test@node1 ~]$ hdfs dfs -cat /hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd | tail
cat: Permission denied: user=test, access=EXECUTE, inode="/hdptest/test/mydir/.snapshot/s20180125-135430.953/test/passwd":hdfs:hdfs:drwxr-x---

Ranger policies are not honored in this case for .snapshot directories/files after main directory is deleted under snapshotable directory.

Workaround is to provide execute permission at HDFS level for the parent folder

#su - hdfs
#hdfs dfs -chmod 701 /hdptest/test

Attachments

Issue Links

relates to

RANGER-2183 Use INodeAttribute information to authorize HDFS access

Resolved

Activity

People

Assignee:: Shashikant Banerjee

Reporter:: Raghavender Rao Guruvannagari

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/Feb/18 14:47

Updated:: 10/Aug/18 18:54

Resolved:: 10/Aug/18 18:54