RANGER-482: HDFS plugin updated to check for traverse access (EXECUTE) when no-access is specified
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/afe001bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/afe001bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/afe001bb
Branch: refs/heads/tag-policy
Commit: afe001bb7c734d10cca1f9189241f1bdecae7de1
Parents: 154c490
Author: Madhan Neethiraj <[email protected]>
Authored: Tue May 19 12:50:24 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Tue May 19 12:51:11 2015 -0700
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 36 ++++++++++++--------
1 file changed, 22 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/afe001bb/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 1599074..5b115b2 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -213,6 +213,25 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 INode parent = inodes.length > 1 ? inodes[inodes.length - 2] : null;
 INode inode = inodes[inodes.length - 1];
+ boolean noAccessToCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null;
+
+ if(noAccessToCheck) { // check for traverse (EXECUTE) access on the path (if path is a directory) or its parent (if path is a file)
+ INode node = null;
+ INodeAttributes nodeAttribs = null;
+
+ if(inode != null && inode.isDirectory()) {
+ node = inode;
+ nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
+ } else if(parent != null) {
+ node = parent;
+ nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null;
+ }
+
+ if(node != null) {
+ accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null);
+ }
+ }
+
 // checkStickyBit
 if (accessGranted && parentAccess != null && parentAccess.implies(FsAction.WRITE) && parent != null && inode != null) {
 if (parent.getFsPermission() != null && parent.getFsPermission().getStickyBit()) {
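Review bot: The traverse check at the end of the new block passes `null` as the audit handler with no explanation, whereas the branch removed in the next hunk carried `// don't audit this access` next to the same choice; the intent should survive the move, e.g. `accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null); // traverse check on a no-access request is deliberately not audited`. Without that, a reader cannot tell whether a denied traverse leaving no audit record is intended or an oversight, and audit coverage of denials is what operators rely on to notice misconfigured policies. The two `nodeAttribs` lookups also index `inodeAttrs` by its own length rather than by the position of `inode`/`parent` in `inodes`, which is only correct if the two arrays are always parallel; that appears to be the existing assumption, but a one-line comment stating it would help. The enclosing method starts and ends outside this hunk.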
@@ -222,21 +241,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 }
 // checkAncestorAccess
- if(accessGranted && ancestor != null) {
- FsAction accessToCheck = ancestorAccess;
- RangerHdfsAuditHandler auditHandlerToUse = auditHandler;
-
- // if ancestorAccess is not specified and none of other access is specified, then check for traverse access (EXECUTE) to the ancestor
- if(ancestorAccess == null && access == null && parentAccess == null && subAccess == null) {
- accessToCheck = FsAction.EXECUTE;
- auditHandlerToUse = null; // don't audit this access
- }
+ if(accessGranted && ancestorAccess != null && ancestor != null) {
+ INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
-
- if(accessToCheck != null) {
- INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
-
- accessGranted = isAccessAllowed(ancestor, ancestorAttribs, accessToCheck, user, groups, fsOwner, superGroup, plugin, auditHandlerToUse);
- }
+ accessGranted = isAccessAllowed(ancestor, ancestorAttribs, ancestorAccess, user, groups, fsOwner, superGroup, plugin, auditHandler);
 }
 // checkParentAccess
