> On Nov. 22, 2017, 2:35 p.m., Colm O hEigeartaigh wrote: > > Ship It! > > Abhay Kulkarni wrote: > All, > > Can we please hold on pushing this patch? I am waiting for input from > HDFS committers to ensure that this new HDFS authorization (Traverse > checking) call sequence is what is intendeded. Thanks!
HDFS dev team responded as follows. "It looks like it is indeed a change of behaviour between 2.7 and 3.0. More specifically, HDFS-10997 introduced a change to FSDirectory#resolvePath, that when a file is accessed, this call will traversely ancestors, leading to an extra checkPermission() call. We don't plan to address this currently because this behavior sounds correct to me." Accordingly, I have updated the patch with some modifications, and posted another review (https://reviews.apache.org/r/64228). Please review and comment. Thanks! - Abhay ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/61062/#review191736 ----------------------------------------------------------- On Nov. 22, 2017, 12:39 p.m., Zsombor Gegesy wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/61062/ > ----------------------------------------------------------- > > (Updated Nov. 22, 2017, 12:39 p.m.) > > > Review request for ranger. > > > Bugs: RANGER-1707 > https://issues.apache.org/jira/browse/RANGER-1707 > > > Repository: ranger > > > Description > ------- > > Fix hdfs traverse check, which problem was hidden before hdfs 2.8.0, where > the traverse checks are called > before reading and writing files, so if a policy is just about reading > /tmp/somedir/somefile > it means, that traverse should be allowed to get to that file. Adding > more tests to highlight the issue > > > Diffs > ----- > > hdfs-agent/pom.xml 9f6206013 > > hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java > af4d9b5c2 > > hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java > PRE-CREATION > > > Diff: https://reviews.apache.org/r/61062/diff/3/ > > > Testing > ------- > > Tested locally > https://travis-ci.org/gzsombor/ranger/builds/256331500 > > > Thanks, > > Zsombor Gegesy > >