[
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068528#comment-16068528
]
Varada Hemeswari commented on HADOOP-14581:
-------------------------------------------
I think here you could actually use getStrings() to get the list, and treat an
empty list as the same as an entry "*": all. Why use that method? Existing
regression tests.
*--> I am using * to allow all users and "" to not allow anyone. So they could
not be treated as same. There are no existing tests that regressed due to this.*
needs policy for: * in the string: maybe fail fast for illegal setup?
*--> taken care of, in patch2*
needs policy for "". Right now it probably fails. Should it be a skip.
*--> The failure is intentional. We expect the property to be setup as '*'
default value or with list of users. In case it is setup as "", it translates
to no one is allowed to chown.*
TestNativeAzureFileSystemAuthorization
try a string like "user1,user2 , user3 ,,user4 " to see what happens. I'd
expect the leading/trailing spaces stripped, empty element skipped.
*--> Patch2 tests includes this list*
also try " user1, *" to verify that it gets rejected.
*-->added a test for this in patch 2*
I tested the hadoop-azure module changes on
'vahemeswregion.blob.core.windows.net' storage account
Thanks.
> Restrict setOwner to list of user when security is enabled in wasb
> ------------------------------------------------------------------
>
> Key: HADOOP-14581
> URL: https://issues.apache.org/jira/browse/HADOOP-14581
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.0.0-alpha3
> Reporter: Varada Hemeswari
> Assignee: Varada Hemeswari
> Labels: azure, fs, secure, wasb
> Attachments: HADOOP-14581.1.patch, HADOOP-14581.2.patch
>
>
> Currently in azure FS, setOwner api is exposed to all the users accessing the
> file system.
> When Authorization is enabled, access to some files/folders is given to
> particular users based on whether the user is the owner of the file.
> So setOwner has to be restricted to limited set of users to prevent users
> from exploiting owner based authorization of files and folders.
> Introducing a new config called fs.azure.chown.allowed.userlist which is a
> comma seperated list of users who are allowed to perform chown operation when
> authorization is enabled.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
