Hadoop HDFS / HDFS-8037

CheckAccess in WebHDFS silently accepts malformed FsActions parameters


Details

    • Reviewed

    Description

      WebHDFS's CHECKACCESS operation accepts a parameter called fsaction, which represents the type(s) of access to check for.

      According to the documentation, and also the source code, the domain of fsaction is the set of strings matched by the regex "[rwx-]{3}". This domain is wider than the set of valid FsAction objects, because it doesn't guarantee sensible ordering of access types. For example, the strings "rxw" and "--r" are valid fsaction parameter values, but don't correspond to valid FsAction instances.

      The result is that WebHDFS silently accepts fsaction parameter values which don't match any valid FsAction instance, but doesn't actually perform any permissions checking in this case.

      For example, here's a CHECKACCESS call where we request "rw-" access on a file which we only have permission to read and execute. It raises an exception, as it should.

      curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=rw-"
      
      HTTP/1.1 403 Forbidden
      Content-Type: application/json
      
      {
        "RemoteException": {
          "exception": "AccessControlException",
          "javaClassName": "org.apache.hadoop.security.AccessControlException",
          "message": "Permission denied: user=nobody, access=READ_WRITE, inode=\"\/myfile\":root:supergroup:drwxr-xr-x"
        }
      }
      

      But if we instead request "r-w" access, the call appears to succeed:

      curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-w"
      
      HTTP/1.1 200 OK
      Content-Length: 0
      

      As I see it, the fix would be to change the regex pattern in FsActionParam to something like "[r-][w-][x-]".
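The gap between the two patterns quoted in the description can be enumerated directly. The following is an added example, not code from Hadoop or from this issue: the class name, the `VALID` list (a stand-in for the symbols of Hadoop's FsAction values) and `parseOrThrow` are hypothetical. It lists the strings each pattern accepts that name no real action, and shows a parse that rejects them.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class FsActionParamCheck {
    // Assumption: the eight symbols that name real actions (none .. all),
    // held in a plain list instead of the Hadoop FsAction enum.
    static final List<String> VALID = List.of(
        "---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx");

    // Pattern quoted in the report as the documented fsaction domain.
    static final Pattern LOOSE = Pattern.compile("[rwx-]{3}");
    // Pattern proposed in the report: one fixed slot per access type.
    static final Pattern STRICT = Pattern.compile("[r-][w-][x-]");

    // Every 3-character string over {r,w,x,-} that `p` accepts but that
    // names no real action, i.e. input that passes validation unmapped.
    static List<String> acceptedButUnmapped(Pattern p) {
        List<String> out = new ArrayList<>();
        char[] alphabet = {'r', 'w', 'x', '-'};
        for (char a : alphabet)
            for (char b : alphabet)
                for (char c : alphabet) {
                    String s = "" + a + b + c;
                    if (p.matcher(s).matches() && !VALID.contains(s)) out.add(s);
                }
        return out;
    }

    // Fail-closed parse: reject anything that is not a known symbol rather
    // than handing an unmapped value to the permission check.
    static String parseOrThrow(String s) {
        if (s == null || !STRICT.matcher(s).matches() || !VALID.contains(s))
            throw new IllegalArgumentException("invalid fsaction: " + s);
        return s;
    }

    public static void main(String[] args) {
        List<String> loose = acceptedButUnmapped(LOOSE);
        System.out.println("loose pattern, unmapped inputs: " + loose.size());
        System.out.println("  includes r-w: " + loose.contains("r-w"));
        System.out.println("strict pattern, unmapped inputs: "
            + acceptedButUnmapped(STRICT).size());
        try { parseOrThrow("r-w"); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```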

      Attachments

        1. HDFS-8037.001.patch
          1 kB
          Walter Su
        2. HDFS-8037.002.patch
          2 kB
          Walter Su
        3. HDFS-8037.003.patch
          3 kB
          Walter Su


          People

            walter.k.su Walter Su
            jake-low Jake Low