[ https://issues.apache.org/jira/browse/RANGER-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

chuanjie.duan updated RANGER-1992:
----------------------------------
    Summary: Ranger HDFS PermissionCheck logic issue  (was: Ranger Read Wrong INode Information)

> Ranger HDFS PermissionCheck logic issue
> ---------------------------------------
>
>                 Key: RANGER-1992
>                 URL: https://issues.apache.org/jira/browse/RANGER-1992
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: chuanjie.duan
>            Priority: Major
>
> User 'cim_beta_db' created a directory in user 'dataswap's parent directory, as
> below:
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/
> drwxrwx---   - cim_beta_db dataswap          0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test
> drwxrwx---   - dataswap dataswap         /user/hive/warehouse/dataswap.db
> drwxrwx--x   - dataswap dataswap         /user/hive/warehouse
>
> I added an HDFS policy giving user 'cim_beta_db' 'execute' permission on path
> /user/hive/warehouse/dataswap.db
>  
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/test
> ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":dataswap:dataswap:drwxrwx---
>
> There are two issues:
>  # The exception information should be
> inode="/user/hive/warehouse/dataswap.db":dataswap:dataswap:drwxrwx---
>  # Policies cannot be combined: when the policy match fails, only the default
> permission is checked, even if the parent directory gives 'execute' permission.
>  
> // checkINodeAccess
> if (authzStatus == AuthzStatus.ALLOW && access != null && inode != null) {
>     LOG.info("checkINodeAccess");
>     INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
>     authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
>     if (authzStatus == AuthzStatus.NOT_DETERMINED) {
>         // no Ranger policy decided the inode: fall back to the native HDFS permission check
>         authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
>                 pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
>                 FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
>                 isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
>     }
> }
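A constructed Python model of the two-stage check the report describes, added here to make the fallback visible; it is not Ranger's or Hadoop's code, and the namespace, the single policy and the simplified per-component logic are assumptions built from the ls output and the policy in the report.

```python
from collections import namedtuple

ALLOW, DENY, NOT_DETERMINED = "ALLOW", "DENY", "NOT_DETERMINED"
Inode = namedtuple("Inode", "path owner group mode")  # mode: nine bits, e.g. "rwxrwx---"

# Constructed namespace mirroring the 'hdfs dfs -ls' output in the report (shallowest first).
NAMESPACE = [
    Inode("/user/hive/warehouse", "dataswap", "dataswap", "rwxrwx--x"),
    Inode("/user/hive/warehouse/dataswap.db", "dataswap", "dataswap", "rwxrwx---"),
    Inode("/user/hive/warehouse/dataswap.db/test", "cim_beta_db", "dataswap", "rwxrwx---"),
]
# Constructed Ranger policy: 'execute' for cim_beta_db on dataswap.db only (not recursive).
POLICIES = [{"path": "/user/hive/warehouse/dataswap.db", "user": "cim_beta_db", "actions": {"execute"}}]

def posix_allows(inode, user, groups, action):
    """Native HDFS check: choose the owner, group or other triplet, then test the action bit."""
    triplet = inode.mode[0:3] if user == inode.owner else inode.mode[3:6] if inode.group in groups else inode.mode[6:9]
    return {"read": "r", "write": "w", "execute": "x"}[action] in triplet

def ranger_allows(policies, inode, user, action):
    """Ranger plugin check: a matching policy decides; no matching policy means NOT_DETERMINED."""
    for p in policies:
        if p["path"] == inode.path and p["user"] == user:
            return ALLOW if action in p["actions"] else DENY
    return NOT_DETERMINED

def denied(inode, action):
    return DENY, f'access={action.upper()}, inode="{inode.path}":{inode.owner}:{inode.group}:d{inode.mode}'

def default_enforcer(inodes, user, groups, action):
    """Fallback (checkDefaultEnforcer in the report): re-traverse every ancestor natively,
    then check the target, naming the inode that actually failed (issue 1 in the report)."""
    for anc in inodes[:-1]:
        if not posix_allows(anc, user, groups, "execute"):
            return denied(anc, "execute")
    if not posix_allows(inodes[-1], user, groups, action):
        return denied(inodes[-1], action)
    return ALLOW, ""

def check_permission(path, user, groups, action, policies=POLICIES):
    """Ranger decides each component; if no policy covers the target inode the whole path
    goes to the native enforcer, which ignores the 'execute' Ranger granted on dataswap.db (issue 2)."""
    inodes = [n for n in NAMESPACE if path == n.path or path.startswith(n.path + "/")]
    for anc in inodes[:-1]:
        status = ranger_allows(policies, anc, user, "execute")
        if status == DENY or (status == NOT_DETERMINED and not posix_allows(anc, user, groups, "execute")):
            return denied(anc, "execute")
    if ranger_allows(policies, inodes[-1], user, action) == ALLOW:
        return ALLOW, ""
    return default_enforcer(inodes, user, groups, action)
```

Adding a second policy that also covers the target inode (or making the first one recursive) is what turns the reporter's case into ALLOW; in this model a Ranger grant on an ancestor alone never survives the fallback.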



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
