Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-1628

AccessControlException should display the full path

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 0.22.0
    • Fix Version/s: Federation Branch, 0.23.0
    • Component/s: namenode
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Tags:
      ygridqa

      Description

      org.apache.hadoop.security.AccessControlException should display the full path for which the access is denied.

      1. HDFS-1628.patch
        2 kB
        John George
      2. HDFS-1628.patch
        2 kB
        John George
      3. HDFS-1628.patch
        2 kB
        John George

        Issue Links

          Activity

          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk #643 (See https://builds.apache.org/hudson/job/Hadoop-Hdfs-trunk/643/)

          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #643 (See https://builds.apache.org/hudson/job/Hadoop-Hdfs-trunk/643/ )
          Hide
          Tsz Wo Nicholas Sze added a comment -

          Committed also this to Federation Branch.

          Show
          Tsz Wo Nicholas Sze added a comment - Committed also this to Federation Branch.
          Hide
          John George added a comment -

          attached a patch with license box checked

          Show
          John George added a comment - attached a patch with license box checked
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk-Commit #545 (See https://hudson.apache.org/hudson/job/Hadoop-Hdfs-trunk-Commit/545/)
          HDFS-1628. Display full path in AccessControlException. Contributed by John George

          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #545 (See https://hudson.apache.org/hudson/job/Hadoop-Hdfs-trunk-Commit/545/ ) HDFS-1628 . Display full path in AccessControlException. Contributed by John George
          Hide
          Tsz Wo Nicholas Sze added a comment -

          I have committed this. Thanks, John!

          Show
          Tsz Wo Nicholas Sze added a comment - I have committed this. Thanks, John!
          Hide
          Tsz Wo Nicholas Sze added a comment -

          +1 patch looks good.

          Show
          Tsz Wo Nicholas Sze added a comment - +1 patch looks good.
          Hide
          John George added a comment -

          The following manual tests were run to verify the patch

          $ hadoop-common/bin/hadoop fs -get /user/johngeo/dd1 /tmp/a
          get: Permission denied: user=yahoo, access=READ, inode="/user/johngeo/dd1":johngeo:supergroup:rw------

          $ hadoop-common/bin/hadoop fs -cat /user/johngeo/dd1
          cat: Permission denied: user=yahoo, access=READ, inode="/user/johngeo/dd1":johngeo:supergroup:rw------$ bin/hadoop fs -put /bin/sh /aaa/dd1/sdfsdf
          put: Permission denied: user=yahoo, access=WRITE, inode="/":johngeo:supergroup:drwxr-xr-x

          $ bin/hadoop fs -put /bin/sh /aaa/dd1/sdfsdf
          put: Permission denied: user=yahoo, access=WRITE, inode="/aaa":johngeo:supergroup:drwxr-xr-x

          $ bin/hadoop fs -mkdir /aaa/aa
          mkdir: Permission denied: user=yahoo, access=WRITE, inode="/aaa":johngeo:supergroup:drwxr-xr-x

          Show
          John George added a comment - The following manual tests were run to verify the patch $ hadoop-common/bin/hadoop fs -get /user/johngeo/dd1 /tmp/a get: Permission denied: user=yahoo, access=READ, inode="/user/johngeo/dd1":johngeo:supergroup: rw ------ $ hadoop-common/bin/hadoop fs -cat /user/johngeo/dd1 cat: Permission denied: user=yahoo, access=READ, inode="/user/johngeo/dd1":johngeo:supergroup: rw ------$ bin/hadoop fs -put /bin/sh /aaa/dd1/sdfsdf put: Permission denied: user=yahoo, access=WRITE, inode="/":johngeo:supergroup:drwxr-xr-x $ bin/hadoop fs -put /bin/sh /aaa/dd1/sdfsdf put: Permission denied: user=yahoo, access=WRITE, inode="/aaa":johngeo:supergroup:drwxr-xr-x $ bin/hadoop fs -mkdir /aaa/aa mkdir: Permission denied: user=yahoo, access=WRITE, inode="/aaa":johngeo:supergroup:drwxr-xr-x
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12471337/HDFS-1628.patch
          against trunk revision 1071518.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          -1 contrib tests. The patch failed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/172//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/172//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/172//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12471337/HDFS-1628.patch against trunk revision 1071518. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. -1 contrib tests. The patch failed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/172//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/172//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/172//console This message is automatically generated.
          Hide
          John George added a comment -

          The first patch was based off of a wrong "trunk". Attaching another one. The reason there are no tests included is because this is an error message output.

          Show
          John George added a comment - The first patch was based off of a wrong "trunk". Attaching another one. The reason there are no tests included is because this is an error message output.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12471290/HDFS-1628.patch
          against trunk revision 1071518.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these core unit tests:
          org.apache.hadoop.hdfs.server.datanode.TestBlockReport
          org.apache.hadoop.hdfs.TestFileConcurrentReader

          -1 contrib tests. The patch failed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/171//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/171//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/171//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12471290/HDFS-1628.patch against trunk revision 1071518. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these core unit tests: org.apache.hadoop.hdfs.server.datanode.TestBlockReport org.apache.hadoop.hdfs.TestFileConcurrentReader -1 contrib tests. The patch failed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/171//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/171//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HDFS-Build/171//console This message is automatically generated.
          Hide
          Johannes Zillmann added a comment -

          one stacktrace example:

          Caused by: org.apache.hadoop.ipc.RemoteException: org.apache.hadoop.security.AccessControlException: Permission denied: user=jz, access=WRITE, inode="mapred":das:supergroup:rwxr-xr-x
          	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:199)
          	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:180)
          	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:128)
          	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:4924)
          	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(FSNamesystem.java:4898)
          	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(FSNamesystem.java:1917)
          	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(FSNamesystem.java:1886)
          	at org.apache.hadoop.hdfs.server.namenode.NameNode.mkdirs(NameNode.java:709)
          
          Show
          Johannes Zillmann added a comment - one stacktrace example: Caused by: org.apache.hadoop.ipc.RemoteException: org.apache.hadoop.security.AccessControlException: Permission denied: user=jz, access=WRITE, inode="mapred":das:supergroup:rwxr-xr-x at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:199) at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:180) at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:128) at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:4924) at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(FSNamesystem.java:4898) at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(FSNamesystem.java:1917) at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(FSNamesystem.java:1886) at org.apache.hadoop.hdfs.server.namenode.NameNode.mkdirs(NameNode.java:709)
          Hide
          Ramya Sunil added a comment -

          For example, When user 'A' tries to write under user B's home location. It throws the following exception:
          org.apache.hadoop.security.AccessControlException: Permission denied: user=A, access=WRITE, inode="B":B:supergroup:rwxr-xr-x
          Instead, it would be helpful if the exception read:
          org.apache.hadoop.security.AccessControlException: Permission denied: user=A, access=WRITE, inode="/user/B":B:supergroup:drwxr-xr-x
          This is because, if there are many directories with the same name under different paths, it becomes difficult to figure out the exact directory for which the access was denied.
          Also when the permission(in this case rwxr-xr-x) is displayed, it should also show whether it is a directory or not(i.e. it should show drwxr-xr-x). Currently this does not happen. Hence, in cases where the same name is used for a directory and a file , the user is not sure if access is denied to a file or a directory.

          Show
          Ramya Sunil added a comment - For example, When user 'A' tries to write under user B's home location. It throws the following exception: org.apache.hadoop.security.AccessControlException: Permission denied: user=A, access=WRITE, inode="B":B:supergroup:rwxr-xr-x Instead, it would be helpful if the exception read: org.apache.hadoop.security.AccessControlException: Permission denied: user=A, access=WRITE, inode="/user/B":B:supergroup:drwxr-xr-x This is because, if there are many directories with the same name under different paths, it becomes difficult to figure out the exact directory for which the access was denied. Also when the permission(in this case rwxr-xr-x) is displayed, it should also show whether it is a directory or not(i.e. it should show drwxr-xr-x). Currently this does not happen. Hence, in cases where the same name is used for a directory and a file , the user is not sure if access is denied to a file or a directory.

            People

            • Assignee:
              John George
              Reporter:
              Ramya Sunil
            • Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development