[GitHub] [hadoop] Hexiaoqiao commented on pull request #5561: HDFS-16983. Whether checking path access permissions should be decided by dfs.permissions.enabled in concat operation

[via GitHub]

Hexiaoqiao commented on PR #5561:
URL: https://github.com/apache/hadoop/pull/5561#issuecomment-1562234324

   Try to improve it as following, JFYI.
   
   ```
   diff --git 
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirConcatOp.java
 
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirConcatOp.java
   index ea5ac38aa86..bc6b66af446 100644
   --- 
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirConcatOp.java
   +++ 
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirConcatOp.java
   @@ -121,7 +121,7 @@ private static INodeFile[] verifySrcFiles(FSDirectory 
fsd, String[] srcs,
        for(String src : srcs) {
          final INodesInPath iip = fsd.resolvePath(pc, src, DirOp.WRITE);
          // permission check for srcs
   -      if (pc != null) {
   +      if (pc != null && fsd.isPermissionEnabled()) {
            fsd.checkPathAccess(pc, iip, FsAction.READ); // read the file
            fsd.checkParentAccess(pc, iip, FsAction.WRITE); // for delete
          }
   diff --git 
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestHDFSConcat.java
 
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestHDFSConcat.java
   index 1608a84168d..c08c2adce9f 100644
   --- 
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestHDFSConcat.java
   +++ 
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestHDFSConcat.java
   @@ -27,6 +27,8 @@
    
    import java.io.IOException;
    
   +import org.apache.hadoop.fs.permission.FsPermission;
   +import org.apache.hadoop.security.AccessControlException;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.apache.hadoop.conf.Configuration;
   @@ -564,4 +566,56 @@ public void testConcatOnSameFile() throws Exception {
    
        assertEquals(1, dfs.getContentSummary(new Path(dir)).getFileCount());
      }
   -}
   +
   +  /**
   +   * Test permission of Concat operation.
   +   */
   +  @Test
   +  public void testConcatPermissions() throws IOException {
   +    String testPathDir = "/dir";
   +    Path dir = new Path(testPathDir);
   +    dfs.mkdirs(dir);
   +    dfs.setPermission(dir, new FsPermission((short)0777));
   +
   +    Path dst = new Path(testPathDir, "dst");
   +    Path src = new Path(testPathDir, "src");
   +    DFSTestUtil.createFile(dfs, dst, blockSize, REPL_FACTOR, 1);
   +
   +    // Create a user who is not the owner of the file and try concat 
operation.
   +    final UserGroupInformation user
   +        = UserGroupInformation.createUserForTesting(
   +            "theDoctor", new String[]{"group"});
   +    DistributedFileSystem dfs2 =
   +        (DistributedFileSystem)DFSTestUtil.getFileSystemAs(user, conf);
   +
   +    // Test 1: User is not the owner of the file and has src & dst 
permission.
   +    DFSTestUtil.createFile(dfs, src, blockSize, REPL_FACTOR, 1);
   +    dfs.setPermission(dst, new FsPermission((short)0777));
   +    dfs.setPermission(src, new FsPermission((short)0777));
   +    try {
   +      dfs2.concat(dst, new Path[]{src});
   +    } catch (AccessControlException ace) {
   +      fail("Got unexpected exception.");
   +    }
   +
   +    // Test 2: User is not the owner of the file and has only dst 
permission.
   +    DFSTestUtil.createFile(dfs, src, blockSize, REPL_FACTOR, 1);
   +    dfs.setPermission(dst, new FsPermission((short)0777));
   +    dfs.setPermission(src, new FsPermission((short)0700));
   +    try {
   +      dfs2.concat(dst, new Path[]{src});
   +      fail("Get unexpected exception.");
   +    } catch (AccessControlException ace) {
   +    }
   +
   +    // Test 3: User is not the owner of the file and has only src 
permission.
   +    DFSTestUtil.createFile(dfs, src, blockSize, REPL_FACTOR, 1);
   +    dfs.setPermission(dst, new FsPermission((short)0700));
   +    dfs.setPermission(src, new FsPermission((short)0777));
   +    try {
   +      dfs2.concat(dst, new Path[] {src});
   +      fail("Get unexpected exception.");
   +    } catch (AccessControlException ace) {
   +    }
   +  }
   +}
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org