[ https://issues.apache.org/jira/browse/RANGER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15381886#comment-15381886 ]

Dongying Jiao commented on RANGER-1108:
---------------------------------------

After roughly reading the code, it seems:
To mkdir, it needs authentication two times: one is checkTraverse(), the other 
is checkAncestorAccess().
checkTraverse() needs the execute right, checkAncestorAccess() needs the write 
right; these checks use RangerAccessControlEnforcer.
If native hdfs gives the "x" right and ranger gives the "w" right, for 
checkTraverse() native hdfs allows, for checkAncestorAccess() ranger allows, so 
this operation is successful.
If native hdfs gives the "w" right and ranger gives the "x" right, for 
checkTraverse() ranger allows, but for checkAncestorAccess() ranger denies, and 
then native hdfs is used to check again. But for native hdfs to 
checkAncestorAccess(), it will first call native hdfs checkTraverse(), which 
needs the "x" right, so the check also fails.

I am not sure if this is a problem, but it seems this is not reasonable if the 
two behaviors are not the same. 


> Ranger hdfs plugin authentication issue when user mkdir 
> --------------------------------------------------------
>
>                 Key: RANGER-1108
>                 URL: https://issues.apache.org/jira/browse/RANGER-1108
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.5.2
>            Reporter: Dongying Jiao
>
> 1. Create a user named "ranger_test", create hdfs dir /user/ranger_test.
> 2. Ranger gives this user only the write right to this dir, native hdfs gives 
> this user only the execute right to this dir; the user is allowed to mkdir 
> under /user/ranger_test.
> "hadoop fs -mkdir /user/ranger_test/temp1" succeeds.
> 3. On the contrary, Ranger gives this user only the execute right to this dir, 
> native hdfs gives this user only the write right to this dir; the user is not 
> allowed to mkdir under /user/ranger_test.
> "hadoop fs -mkdir /user/ranger_test/temp1" fails.
> I think the behavior should be the same for the above two scenarios.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
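
The check flow described in the comment above, as a small model that enumerates every Ranger/native permission combination on the directory. This is an added example, not Ranger or HDFS code and not part of the original message; all function names are hypothetical stand-ins for the checks the comment names, and the "union" rule is only one assumed symmetric behaviour used for comparison (the report says only that the two scenarios should behave the same).

```python
from itertools import product

# Simplified model of the flow described in the comment; not Ranger/HDFS source.
# A permission set is a string such as "", "x", "w" or "wx" on the one directory.

def native_check_traverse(native):
    # Native HDFS traverse check needs execute ("x").
    return "x" in native

def native_check_ancestor_access(native):
    # Per the comment: native HDFS runs its own traverse check first,
    # then requires write ("w") on the ancestor.
    return native_check_traverse(native) and "w" in native

def enforcer_check_traverse(ranger, native):
    # Ranger policy is consulted first; on deny, fall back to native HDFS.
    return "x" in ranger or native_check_traverse(native)

def enforcer_check_ancestor_access(ranger, native):
    # Same fallback, but the native side re-checks traverse on its own.
    return "w" in ranger or native_check_ancestor_access(native)

def mkdir_allowed(ranger, native):
    # mkdir must pass both checks.
    return (enforcer_check_traverse(ranger, native)
            and enforcer_check_ancestor_access(ranger, native))

def symmetric_union_allowed(ranger, native):
    # Assumed comparison rule: each right may come from either source.
    return {"w", "x"} <= (set(ranger) | set(native))

def asymmetric_cases():
    # Combinations where the modelled flow differs from the union rule.
    perms = ["", "x", "w", "wx"]
    return [(r, n) for r, n in product(perms, perms)
            if mkdir_allowed(r, n) != symmetric_union_allowed(r, n)]

if __name__ == "__main__":
    for r, n in product(["", "x", "w", "wx"], repeat=2):
        print(f"ranger={r or '-':<2} native={n or '-':<2} "
              f"modelled={mkdir_allowed(r, n)!s:<5} "
              f"union={symmetric_union_allowed(r, n)}")
    print("differs from union rule:", asymmetric_cases())
```

In this model the only combination that differs from the union rule is Ranger "x" with native "w", which is scenario 3 of the report.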
