[ 
https://issues.apache.org/jira/browse/HADOOP-14935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Santhosh G Nayak updated HADOOP-14935:
--------------------------------------
    Attachment: HADOOP-14935.2.patch

Thanks [[email protected]] for initial review.

Attaching v2 patch addressing the review comments. I have tested the patch 
against {{Azure South India}} storage endpoint.

{quote}
This patch includes a new option for 
getFileStatus "fs.azure.enable.authorization.getfilestatus". What is this, why 
is it needed, and why isn't it its own patch?
And, given that HADOOP-14845 only added this code last week, how stable is all 
of this?
{quote}

The main motivation for HADOOP-14845 is to work around the security issue (that 
anyone can load up any other user's data in Hive). The thinking was that {{READ}} 
permission can be used as a replacement for the traverse {{EXECUTE}} permission at 
one level, which protects from the security issue. It was just a *compromise*, as 
is precisely stated in the JIRA. 

Recently, it was discovered that Hive has been using the {{FileSystem.access()}} 
method for checking the access permissions instead of directly using 
{{getFileStatus()}} on the path. So, implementing 
{{NativeAzureFileSystem.access()}} should fix this security issue. Also, using 
{{READ}} permission for {{getFileStatus()}} is unintuitive, and the number of 
policies to configure increases without any additional benefit. 

Ideally, we should remove the authorization check from {{getFileStatus()}} 
altogether. But we do not know if any applications use {{getFileStatus()}} 
instead of the {{access()}} method, which could lead to a security issue (if any). So, 
the {{fs.azure.enable.authorization.getfilestatus}} configuration property is added 
to enable/disable this feature, so that we can quickly fall back to the 
compromise proposed in HADOOP-14845.

*NativeAzureFileSystems*
{quote}
javadocs to Access to explicitly declare that AccessControlException is raised 
on access control, FNFE if the file is not present; same as the superclass. 
Maybe just use the \{@inheritDoc\}
tag to do this.
{quote}
Removed the javadoc from the derived {{access()}} method, so that it can 
inherit it from the base class method.

{quote}
if it's just formatting changes, let's leave the changes to getFileStatus out: 
keeps the merge complexity down.
{quote}
The configuration property {{fs.azure.enable.authorization.getfilestatus}} to 
enable/disable the authorization on {{getFileStatus()}} has been added.

{{testAccessFileDoesNotExist}} doesn't reset permissions. It does not matter, as 
{{authorizer}} is initialized in every test.

Added tests for the following scenarios:
- To verify that execute isn't validated in 
{{TestNativeAzureFileSystemAuthorization.testAccessWhenPermissionsMatch()}}.
- To verify the permission on the intermediate directory when a file is 
created under a directory which does not exist and the owner policy is enabled.
- To verify that FNFE is raised when {{access()}} is called on a file that has no 
permission and does not exist.
- For all the permission combinations.

Fixed checkstyle related issues as well.



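The behaviour this patch is about, as an added example that is not Hadoop's own code or the WASB implementation: a {{FilterFileSystem}} whose {{access(path, mode)}} consults an external authorizer when authorization is enabled and falls back to the inherited POSIX-bit check otherwise. Only the requested action on the path itself is authorized (no EXECUTE/traverse check on parents), and a missing path surfaces as {{FileNotFoundException}} before any authorization decision. The {{Authorizer}} interface, the {{fs.example.authorization}} key, the allow-list policy and the temp-dir paths are all assumptions made for this illustration; the real WASB authorizer interface and property names are not reproduced here.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.FilterFileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.security.AccessControlException;

/**
 * Added example, not Hadoop's or the Azure module's code. When authorization is
 * enabled, access() asks an external Authorizer and ignores the POSIX bits on the
 * path entirely; otherwise it defers to the superclass POSIX check.
 * "Authorizer" and "fs.example.authorization" are hypothetical names.
 */
public class AuthorizingFileSystem extends FilterFileSystem {

  /** Hypothetical policy hook: may the caller perform {@code action} on {@code path}? */
  public interface Authorizer {
    boolean authorize(Path path, FsAction action) throws IOException;
  }

  private final boolean authorizationEnabled;
  private final Authorizer authorizer;

  public AuthorizingFileSystem(FileSystem underlying, Configuration conf, Authorizer authorizer) {
    super(underlying);
    setConf(conf);
    this.authorizationEnabled = conf.getBoolean("fs.example.authorization", false);
    this.authorizer = authorizer;
    if (authorizationEnabled && authorizer == null) {
      throw new IllegalArgumentException("authorization enabled but no authorizer configured");
    }
  }

  @Override
  public void access(Path path, FsAction mode)
      throws AccessControlException, FileNotFoundException, IOException {
    if (!authorizationEnabled) {
      super.access(path, mode);   // POSIX: owner/group/other bits decide
      return;
    }
    // Existence is checked first so a missing path raises FileNotFoundException
    // rather than an authorization failure (same contract as FileSystem.access).
    FileStatus status = getFileStatus(path);
    // Only the requested action on this path is checked; no traverse (EXECUTE)
    // check is made on intermediate directories.
    if (!authorizer.authorize(status.getPath(), mode)) {
      throw new AccessControlException("Permission denied: " + mode + " on " + status.getPath());
    }
  }

  interface Check { void run() throws IOException; }

  /** Classifies the outcome of one access() call for the demo below. */
  static String outcome(Check c) {
    try { c.run(); return "allowed"; }
    catch (FileNotFoundException e) { return "FileNotFoundException"; }
    catch (AccessControlException e) { return "AccessControlException"; }
    catch (IOException e) { return "IOException: " + e.getMessage(); }
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration();
    FileSystem local = FileSystem.getLocal(conf);
    // Constructed fixture: a file with mode 000, so POSIX grants nobody anything.
    Path dir = new Path(System.getProperty("java.io.tmpdir"), "authz-demo");
    Path file = new Path(dir, "data.txt");
    local.mkdirs(dir);
    local.create(file, true).close();
    local.setPermission(file, new FsPermission((short) 0000));

    // Constructed policy (hypothetical): READ is granted on the file, nothing else.
    Map<String, FsAction> policy = new HashMap<>();
    policy.put(local.makeQualified(file).toUri().getPath(), FsAction.READ);
    Authorizer allowList = (p, a) -> {
      FsAction granted = policy.get(p.toUri().getPath());
      return granted != null && granted.implies(a);
    };

    AuthorizingFileSystem posixFs = new AuthorizingFileSystem(local, conf, null);
    Configuration authzConf = new Configuration(conf);
    authzConf.setBoolean("fs.example.authorization", true);
    AuthorizingFileSystem authzFs = new AuthorizingFileSystem(local, authzConf, allowList);

    System.out.println("posix READ  : " + outcome(() -> posixFs.access(file, FsAction.READ)));   // denied by 000 bits
    System.out.println("authz READ  : " + outcome(() -> authzFs.access(file, FsAction.READ)));   // allowed by policy
    System.out.println("authz WRITE : " + outcome(() -> authzFs.access(file, FsAction.WRITE)));  // denied by policy
    System.out.println("authz absent: "
        + outcome(() -> authzFs.access(new Path(dir, "missing"), FsAction.READ)));               // FNFE, not ACE
    local.delete(dir, true);
  }
}
```

The point the demo makes is the one in the issue title: with authorization enabled, the 000 POSIX bits on the file are irrelevant and the policy alone decides, whereas the inherited {{FileSystem.access()}} would have denied READ. The non-existent path case returns {{FileNotFoundException}} in both modes, which is what the added {{testAccessFileDoesNotExist}}-style test checks.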

> Azure: POSIX permissions are taking effect in access() method even when 
> authorization is enabled
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14935
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14935
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 2.9.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>         Attachments: HADOOP-14935.1.patch, HADOOP-14935.2.patch
>
>
> FileSystem implementation class for azure i.e. {{NativeAzureFileSystem}} does 
> not override {{access(path,mode)}} method and uses the default implementation 
> from the base class. This base implementation uses the POSIX permissions to 
> check if the requested user has access to given path or not even when 
> authorization is enabled, which is incorrect.
> {{NativeAzureFileSystem.access()}} in authorization enabled mode should use 
> the authorization mechanism provided instead of relying on the POSIX 
> permissions. So the proposal is to override {{FileSystem.access()}} method 
> in {{NativeAzureFileSystem}} such that it honors the authorization mechanism 
> configured in authorization enabled mode and falls back to POSIX permissions 
> otherwise.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
