> On Nov. 21, 2017, 4 p.m., Colm O hEigeartaigh wrote:
> > You could put some spaces into "for (int i=0;i<pathSegments.length;i++) {"
> > There's also an indentation issue on line 201 of RangerHdfsAuthorizerTest.
> > Other spacing issue here "ancestorIndex,plugin"
> >
> > > for (FsAction action : Arrays.asList(FsAction.EXECUTE, FsAction.READ,
> > > FsAction.WRITE)) {
> >
> > I think the FsAction.EXECUTE is not necessary here, as we are checking
> > EXECUTE already in "traverseOnlyCheck".
>
> Zsombor Gegesy wrote:
> The trick is, that there are different inodes used for the checks:
>
> final AuthzStatus status = isAccessAllowed(nodeToCheck, nodeAttribs,
> FsAction.EXECUTE, user, groups, plugin, auditHandler);
> if (status == AuthzStatus.NOT_DETERMINED) {
> return isAnyAccessAllowed(inode, inode, user, groups, plugin,
> auditHandler);
> }
>
> First, we use 'nodeToCheck', which can be a parent or ancestor node, and
> in the loop, we use 'inode' which refers to the actual file.
>
> Colm O hEigeartaigh wrote:
> OK understood thanks. The indentation issue is still there, now on line
> 224 of RangerHdfsAuthorizerTest (single tab character indent)
Thanks, I've fixed that too.
- Zsombor
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61062/#review191583
-----------------------------------------------------------
On Nov. 22, 2017, 12:39 p.m., Zsombor Gegesy wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61062/
> -----------------------------------------------------------
>
> (Updated Nov. 22, 2017, 12:39 p.m.)
>
>
> Review request for ranger.
>
>
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Fix hdfs traverse check, which problem was hidden before hdfs 2.8.0, where
> the traverse checks are called
> before reading and writing files, so if a policy is just about reading
> /tmp/somedir/somefile
> it means, that traverse should be allowed to get to that file. Adding
> more tests to highlight the issue
>
>
> Diffs
> -----
>
> hdfs-agent/pom.xml 9f6206013
>
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
> af4d9b5c2
>
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
> PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/61062/diff/3/
>
>
> Testing
> -------
>
> Tested locally
> https://travis-ci.org/gzsombor/ranger/builds/256331500
>
>
> Thanks,
>
> Zsombor Gegesy
>
>
