[ https://issues.apache.org/jira/browse/HDFS-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14530446#comment-14530446 ]
Walter Su commented on HDFS-8037: --------------------------------- 003 patch add unit test. Please review. > WebHDFS: CheckAccess silently accepts certain malformed FsActions > ----------------------------------------------------------------- > > Key: HDFS-8037 > URL: https://issues.apache.org/jira/browse/HDFS-8037 > Project: Hadoop HDFS > Issue Type: Bug > Components: webhdfs > Affects Versions: 2.6.0 > Reporter: Jake Low > Assignee: Walter Su > Priority: Minor > Labels: BB2015-05-TBR, easyfix, newbie > Attachments: HDFS-8037.001.patch, HDFS-8037.002.patch, > HDFS-8037.003.patch > > > WebHDFS's {{CHECKACCESS}} operation accepts a parameter called {{fsaction}}, > which represents the type(s) of access to check for. > According to the documentation, and also the source code, the domain of > {{fsaction}} is the set of strings matched by the regex {{"\[rwx-\]{3\}"}}. > This domain is wider than the set of valid {{FsAction}} objects, because it > doesn't guarantee sensible ordering of access types. For example, the strings > {{"rxw"}} and {{"--r"}} are valid {{fsaction}} parameter values, but don't > correspond to valid {{FsAction}} instances. > The result is that WebHDFS silently accepts {{fsaction}} parameter values > which don't match any valid {{FsAction}} instance, but doesn't actually > perform any permissions checking in this case. > For example, here's a {{CHECKACCESS}} call where we request {{"rw-"}} access > on a file which we only have permission to read and execute. It raises an > exception, as it should. > {code:none} > curl -i -X GET > "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-x" > HTTP/1.1 403 Forbidden > Content-Type: application/json > { > "RemoteException": { > "exception": "AccessControlException", > "javaClassName": "org.apache.hadoop.security.AccessControlException", > "message": "Permission denied: user=nobody, access=READ_WRITE, > inode=\"\/myfile\":root:supergroup:drwxr-xr-x" > } > } > {code} > But if we instead request {{"r-w"}} access, the call appears to succeed: > {code:none} > curl -i -X GET > "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-w" > HTTP/1.1 200 OK > Content-Length: 0 > {code} > As I see it, the fix would be to change the regex pattern in > {{FsActionParam}} to something like {{"\[r-\]\[w-\]\[x-\]"}}. -- This message was sent by Atlassian JIRA (v6.3.4#6332)