Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-8037

CheckAccess in WebHDFS silently accepts malformed FsActions parameters



    • Reviewed


      WebHDFS's CHECKACCESS operation accepts a parameter called fsaction, which represents the type(s) of access to check for.

      According to the documentation, and also the source code, the domain of fsaction is the set of strings matched by the regex "[rwx-]{3}". This domain is wider than the set of valid FsAction objects, because it doesn't guarantee sensible ordering of access types. For example, the strings "rxw" and "--r" are valid fsaction parameter values, but don't correspond to valid FsAction instances.

      The result is that WebHDFS silently accepts fsaction parameter values which don't match any valid FsAction instance, but doesn't actually perform any permissions checking in this case.

      For example, here's a CHECKACCESS call where we request "rw-" access on a file which we only have permission to read and execute. It raises an exception, as it should.

      curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-x"
      HTTP/1.1 403 Forbidden
      Content-Type: application/json
        "RemoteException": {
          "exception": "AccessControlException",
          "javaClassName": "org.apache.hadoop.security.AccessControlException",
          "message": "Permission denied: user=nobody, access=READ_WRITE, inode=\"\/myfile\":root:supergroup:drwxr-xr-x"

      But if we instead request "r-w" access, the call appears to succeed:

      curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-w"
      HTTP/1.1 200 OK
      Content-Length: 0

      As I see it, the fix would be to change the regex pattern in FsActionParam to something like "[r-][w-][x-]".


        1. HDFS-8037.001.patch
          1 kB
          Walter Su
        2. HDFS-8037.002.patch
          2 kB
          Walter Su
        3. HDFS-8037.003.patch
          3 kB
          Walter Su



            walter.k.su Walter Su
            jake-low Jake Low
            0 Vote for this issue
            6 Start watching this issue