[jira] [Updated] (HADOOP-15969) ABFS: getNamespaceEnabled can fail blocking user access thru ACLs

Mon, 03 Dec 2018 16:19:24 -0800 


     [ 
https://issues.apache.org/jira/browse/HADOOP-15969?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Marquardt updated HADOOP-15969:
--------------------------------------
    Description: 
The Get Filesystem Properties operation requires Read permission to the 
Filesystem.  Read permission to the Filesystem can only be granted thru RBAC, 
Shared Key, or SAS.  This prevents giving low privilege users access to 
specific files or directories within the filesystem.  An administrator should 
be able to set an ACL on a file granting read permission to a user, without 
giving them read permission to the entire Filesystem.

Fortunately there is another way to determine if HNS is enabled.  The Get Path 
Access Control (getAclStatus) operation only requires traversal access, and for 
the root folder / all authenticated users have traversal access.

> ABFS: getNamespaceEnabled can fail blocking user access thru ACLs
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15969
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15969
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 3.2.0
>            Reporter: Da Zhou
>            Assignee: Da Zhou
>            Priority: Major
>
> The Get Filesystem Properties operation requires Read permission to the 
> Filesystem.  Read permission to the Filesystem can only be granted thru RBAC, 
> Shared Key, or SAS.  This prevents giving low privilege users access to 
> specific files or directories within the filesystem.  An administrator should 
> be able to set an ACL on a file granting read permission to a user, without 
> giving them read permission to the entire Filesystem.
> Fortunately there is another way to determine if HNS is enabled.  The Get 
> Path Access Control (getAclStatus) operation only requires traversal access, 
> and for the root folder / all authenticated users have traversal access.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to