Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-15165

In Du missed calling getAttributesProvider

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      HDFS-12130 changed the behavior of DU command.

      It merged both check permission and computation in to a single step.

      During this change, when it is required to getInodeAttributes, it just used inode.getAttributes(). But when attribute provider class is configured, we should call attribute provider configured object to get InodeAttributes and use the returned InodeAttributes during checkPermission. 

      So, if we see after HDFS-12130, code is changed as below. 

       

      byte[][] localComponents = {inode.getLocalNameBytes()}; 
      INodeAttributes[] iNodeAttr = {inode.getSnapshotINode(snapshotId)};
      enforcer.checkPermission(
       fsOwner, supergroup, callerUgi,
       iNodeAttr, // single inode attr in the array
       new INode[]{inode}, // single inode in the array
       localComponents, snapshotId,
       null, -1, // this will skip checkTraverse() because
       // not checking ancestor here
       false, null, null,
       access, // the target access to be checked against the inode
       null, // passing null sub access avoids checking children
       false);
      

       

      If we observe 2nd line it is missing the check if attribute provider class is configured use that to get InodeAttributeProvider. Because of this when hdfs path is managed by sentry, and InodeAttributeProvider class is configured with SentryINodeAttributeProvider, it does not get SentryInodeAttributeProvider object and not using AclFeature from that if any Acl’s are set. This has caused the issue of AccessControlException when du command is run against hdfs path managed by Sentry.

       

      [root@gg-620-1 ~]# hdfs dfs -du /dev/edl/sc/consumer/lpfg/str/edf/abc/
      du: Permission denied: user=systest, access=READ_EXECUTE, inode="/dev/edl/sc/consumer/lpfg/str/lpfg_wrk/PRISMA_TO_ICERTIS_OUTBOUND_RM_MASTER/_impala_insert_staging":impala:hive:drwxrwx--x

        Attachments

        1. example-test.patch
          4 kB
          Stephen O'Donnell
        2. HDFS-15165.00.patch
          1 kB
          Bharat Viswanadham
        3. HDFS-15165.01.patch
          6 kB
          Bharat Viswanadham

          Issue Links

            Activity

              People

              • Assignee:
                bharat Bharat Viswanadham
                Reporter:
                bharat Bharat Viswanadham
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: