  1. Hadoop HDFS
  2. HDFS-8037

CheckAccess in WebHDFS silently accepts malformed FsActions parameters

    Details

    • Hadoop Flags:
      Reviewed

      Description

      WebHDFS's CHECKACCESS operation accepts a parameter called fsaction, which represents the type(s) of access to check for.

      According to the documentation, and also the source code, the domain of fsaction is the set of strings matched by the regex "[rwx-]{3}". This domain is wider than the set of valid FsAction objects, because it doesn't guarantee sensible ordering of access types. For example, the strings "rxw" and "--r" are valid fsaction parameter values, but don't correspond to valid FsAction instances.

      The result is that WebHDFS silently accepts fsaction parameter values which don't match any valid FsAction instance, but doesn't actually perform any permissions checking in this case.

      For example, here's a CHECKACCESS call where we request "rw-" access on a file which we only have permission to read and execute. It raises an exception, as it should.

      curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-x"
      
      HTTP/1.1 403 Forbidden
      Content-Type: application/json
      
      {
        "RemoteException": {
          "exception": "AccessControlException",
          "javaClassName": "org.apache.hadoop.security.AccessControlException",
          "message": "Permission denied: user=nobody, access=READ_WRITE, inode=\"\/myfile\":root:supergroup:drwxr-xr-x"
        }
      }
      

      But if we instead request "r-w" access, the call appears to succeed:

      curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-w"
      
      HTTP/1.1 200 OK
      Content-Length: 0
      

      As I see it, the fix would be to change the regex pattern in FsActionParam to something like "[r-][w-][x-]".
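The gap between the two patterns discussed in the description can be enumerated directly. This is an added example, not part of the original issue or of Hadoop's code: the symbol table is a Python model of the eight FsAction values, and `parse_fsaction` is a hypothetical fail-closed parser.

```python
import re
from itertools import product

# Pattern documented for the fsaction parameter, and the stricter
# pattern proposed in the issue description.
LOOSE = re.compile(r"[rwx-]{3}")
STRICT = re.compile(r"[r-][w-][x-]")

# Model of the eight FsAction values keyed by symbol (assumption: this table
# stands in for the Java enum; it is not Hadoop code).
VALID_SYMBOLS = {
    "---": "NONE", "--x": "EXECUTE", "-w-": "WRITE", "-wx": "WRITE_EXECUTE",
    "r--": "READ", "r-x": "READ_EXECUTE", "rw-": "READ_WRITE", "rwx": "ALL",
}


def candidates():
    """Every 3-character string over the alphabet r, w, x, -."""
    return ["".join(p) for p in product("rwx-", repeat=3)]


def accepted_without_action(pattern):
    """Strings the pattern accepts that map to no FsAction value."""
    return sorted(s for s in candidates()
                  if pattern.fullmatch(s) and s not in VALID_SYMBOLS)


def parse_fsaction(value):
    """Hypothetical fail-closed parser: reject anything that is not a
    well-ordered symbol instead of letting it through unchecked."""
    if not STRICT.fullmatch(value):
        raise ValueError(f"invalid fsaction: {value!r}")
    return VALID_SYMBOLS[value]


if __name__ == "__main__":
    gap = accepted_without_action(LOOSE)
    print(f"loose pattern accepts {len(gap)} strings with no FsAction")
    print("includes r-w, rxw, --r:", all(s in gap for s in ("r-w", "rxw", "--r")))
    print("strict pattern gap:", accepted_without_action(STRICT))
    print("rw- ->", parse_fsaction("rw-"))
```

A regression test for the parameter class can use the same enumeration: every string the validator accepts must resolve to an access type, and every other string must be rejected before any permission check is skipped.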

        Attachments

        1. HDFS-8037.003.patch
          3 kB
          Walter Su
        2. HDFS-8037.002.patch
          2 kB
          Walter Su
        3. HDFS-8037.001.patch
          1 kB
          Walter Su

            People

            • Assignee:
              walter.k.su Walter Su
              Reporter:
              jake-low Jake Low