[
https://issues.apache.org/jira/browse/HADOOP-11337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Wang updated HADOOP-11337:
---------------------------------
Summary: KeyAuthorizationKeyProvider access checks need to be done
atomically (was: KeyAuthorizationKeyProvider#getMetadata should be atomic)
> KeyAuthorizationKeyProvider access checks need to be done atomically
> --------------------------------------------------------------------
>
> Key: HADOOP-11337
> URL: https://issues.apache.org/jira/browse/HADOOP-11337
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Dian Fu
> Assignee: Dian Fu
> Attachments: HADOOP-11337.patch
>
>
> In {{KeyAuthorizationKeyProvider#getMetadata}}, if firstly call
> {{KeyAuthorizationKeyProvider#doAccessCheck}} to check if client has the
> permission to do this operation. However, if the metadata is null when
> {{KeyAuthorizationKeyProvider#doAccessCheck}} is called and becomes not null
> after {{KeyAuthorizationKeyProvider#doAccessCheck}} called, key based ACL
> check will be skipped. The {{getMetadata}} operation should be atomic.
> {code}
> public Metadata getMetadata(String name) throws IOException {
> doAccessCheck(name, KeyOpType.READ);
> return provider.getMetadata(name);
> }
> private void doAccessCheck(String keyName, KeyOpType opType) throws
> IOException {
> Metadata metadata = provider.getMetadata(keyName);
> if (metadata != null) {
> String aclName = metadata.getAttributes().get(KEY_ACL_NAME);
> checkAccess((aclName == null) ? keyName : aclName, getUser(), opType);
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
