[jira] [Commented] (HADOOP-15969) ABFS: getNamespaceEnabled can fail blocking user access thru ACLs

Mon, 03 Dec 2018 17:01:06 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-15969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16708035#comment-16708035
 ] 

Thomas Marquardt commented on HADOOP-15969:
-------------------------------------------

Thanks for the patch!  Some comments:

1) AzureBlobFileSystemStore.java L182 - perhaps we should use 
AbfsHttpConstants.FORWARD_SLASH + AbfsHttpConstants.ROOT_PATH instead of "//" 
as that will make it easier to find usage of root folder in the source code.  
Also, eventually we can clean this up and use a single /.  For now we have to 
use double // because of a bug in the service.

2) Can we add test cases for the cases where it returns 200, 400, 403, and 404? 
 A 200 means HNS is enabled, 400 means HNS is disabled, 403 means forbidden but 
should give a useful error message, and 404 means the filesystem does not exist.

 

> ABFS: getNamespaceEnabled can fail blocking user access thru ACLs
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15969
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15969
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 3.2.0
>            Reporter: Da Zhou
>            Assignee: Da Zhou
>            Priority: Major
>         Attachments: HADOOP-15969-001.patch
>
>
> The Get Filesystem Properties operation requires Read permission to the 
> Filesystem.  Read permission to the Filesystem can only be granted thru RBAC, 
> Shared Key, or SAS.  This prevents giving low privilege users access to 
> specific files or directories within the filesystem.  An administrator should 
> be able to set an ACL on a file granting read permission to a user, without 
> giving them read permission to the entire Filesystem.
> Fortunately there is another way to determine if HNS is enabled.  The Get 
> Path Access Control (getAclStatus) operation only requires traversal access, 
> and for the root folder / all authenticated users have traversal access.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to