  1. Hadoop HDFS
  2. HDFS-14603 Über-JIRA: HDFS RBF stabilization phase II
  3. HDFS-15051

RBF: Impose directory level permissions for Mount entries


Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.0
    • Component/s: rbf
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      The current permission checker of #MountTableStoreImpl is not very strict. In some cases, any user could add/update/remove a MountTableEntry without the expected permission checking.
      The following code segment tries to check permission when operating on a MountTableEntry; however, the mountTable object comes from the Client/RouterAdmin (MountTable mountTable = request.getEntry();), and the user could pass any mode, which could bypass the permission checker.

        public void checkPermission(MountTable mountTable, FsAction access)
            throws AccessControlException {
          if (isSuperUser()) {
            return;
          }
      
          FsPermission mode = mountTable.getMode();
          if (getUser().equals(mountTable.getOwnerName())
              && mode.getUserAction().implies(access)) {
            return;
          }
      
          if (isMemberOfGroup(mountTable.getGroupName())
              && mode.getGroupAction().implies(access)) {
            return;
          }
      
          if (!getUser().equals(mountTable.getOwnerName())
              && !isMemberOfGroup(mountTable.getGroupName())
              && mode.getOtherAction().implies(access)) {
            return;
          }
      
          throw new AccessControlException(
              "Permission denied while accessing mount table "
                  + mountTable.getSourcePath()
                  + ": user " + getUser() + " does not have " + access.toString()
                  + " permissions.");
        }
      

      I just propose to restrict the WRITE MountTableEntry privilege to the super user only.
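
An added example (not code from this issue or from Hadoop) showing why a check evaluated on the request's own MountTable object cannot deny anything, beside a variant that evaluates the entry held server-side. The Entry record, STORE map and method names are hypothetical stand-ins, the sample values are constructed, and the superuser and group branches are omitted; the server-side lookup is one possible hardening, not the change adopted in the patches attached here.

```java
import java.util.Map;

// Simplified stand-ins for MountTable and the router state store; not Hadoop classes.
public class MountPermissionDemo {
  // mode holds POSIX permission bits (octal literal, e.g. 0755).
  record Entry(String src, String owner, int mode) {}

  static final int WRITE = 2;

  // Constructed sample: the entry as persisted on the server side.
  static final Map<String, Entry> STORE =
      Map.of("/data", new Entry("/data", "admin", 0755));

  // Same owner/other logic as checkPermission above (group branch omitted).
  static boolean allows(Entry e, String user, int access) {
    int bits = user.equals(e.owner()) ? (e.mode() >> 6) & 7 : e.mode() & 7;
    return (bits & access) == access;
  }

  // Before: the decision is made on the object deserialized from the request,
  // so owner and mode are whatever the caller declared.
  static boolean updateTrustingRequest(String user, Entry fromRequest) {
    return allows(fromRequest, user, WRITE);
  }

  // After: the request only names the path; owner and mode come from server state.
  // An unknown path is denied here (a superuser-only create path is assumed).
  static boolean updateUsingStoredEntry(String user, Entry fromRequest) {
    Entry stored = STORE.get(fromRequest.src());
    return stored != null && allows(stored, user, WRITE);
  }

  public static void main(String[] args) {
    // Constructed request: a non-owner submits an entry carrying its own owner and mode.
    Entry req = new Entry("/data", "alice", 0777);
    System.out.println("alice, check on request object: "
        + updateTrustingRequest("alice", req));
    System.out.println("alice, check on stored entry:   "
        + updateUsingStoredEntry("alice", req));
    System.out.println("admin, check on stored entry:   "
        + updateUsingStoredEntry("admin", req));
  }
}
```
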

      Attachments

        1. HDFS-15051.001.patch
          2 kB
          Xiaoqiao He
        2. HDFS-15051.002.patch
          6 kB
          Xiaoqiao He
        3. HDFS-15051.003.patch
          10 kB
          Xiaoqiao He
        4. HDFS-15051.004.patch
          10 kB
          Xiaoqiao He
        5. HDFS-15051.005.patch
          11 kB
          Xiaoqiao He
        6. HDFS-15051.006.patch
          10 kB
          Xiaoqiao He
        7. HDFS-15051.007.patch
          11 kB
          Xiaoqiao He
        8. HDFS-15051.008.patch
          12 kB
          Xiaoqiao He
        9. HDFS-15051.009.patch
          14 kB
          Xiaoqiao He
        10. HDFS-15051.010.patch
          14 kB
          Xiaoqiao He


          People

            Assignee: Xiaoqiao He (hexiaoqiao)
            Reporter: Xiaoqiao He (hexiaoqiao)