Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-17436

checkPermission should not ignore original AccessControlException

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Reviewed

    Description

      In the environment where the Ranger-HDFS plugin is enabled, I look at the log information of AccessControlException caused by the du. I find that the printed log information is not accurate, because the original AccessControlException is ignored by checkPermission, which is not conducive to judging the real situation of the  AccessControlException . At least part of the original log information should be printed.

      Later, the inode information prompted by the original AccessControlException log information makes me realize that the Ranger-HDFS plug-in in the current environment is not incorporated into RANGER-2297.

      Because the current log prints the inode information is not the ”inode information“ passed to the authorizers. At this time if certain external authorizers does not adjust its authentication logic according to HDFS-12130 , it is more difficult to locate the real situation of the problem.So I think it is necessary to prompt this part of the log information.

      AccessControlException information currently printed:

      org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=test,access=READ_EXECUTE, inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
          at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226)

       The original AccessControlException information printed:

      org.apache.hadoop.security.AccessControlException: Permission denied: user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
          at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400) 

      From the comparison results of the above log information, it can be seen that the inode information and the exception stack printed by the log are not accurate.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            wuxiaobao Xiaobao Wu
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment