[
https://issues.apache.org/jira/browse/HDFS-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14531085#comment-14531085
]
Hadoop QA commented on HDFS-8037:
---------------------------------
\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 17m 38s | Pre-patch trunk compilation is
healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any
@author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to
include 1 new or modified test files. |
| {color:green}+1{color} | javac | 7m 30s | There were no new javac warning
messages. |
| {color:green}+1{color} | javadoc | 9m 40s | There were no new javadoc
warning messages. |
| {color:green}+1{color} | release audit | 0m 23s | The applied patch does
not increase the total number of release audit warnings. |
| {color:green}+1{color} | site | 2m 56s | Site still builds. |
| {color:red}-1{color} | checkstyle | 2m 22s | The applied patch generated 2
new checkstyle issues (total was 361, now 361). |
| {color:green}+1{color} | whitespace | 0m 0s | The patch has no lines that
end in whitespace. |
| {color:green}+1{color} | install | 1m 32s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 33s | The patch built with
eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 3m 43s | The patch does not introduce
any new Findbugs (version 2.0.3) warnings. |
| {color:green}+1{color} | native | 3m 14s | Pre-build of native portion |
| {color:red}-1{color} | hdfs tests | 192m 3s | Tests failed in hadoop-hdfs. |
| {color:green}+1{color} | hdfs tests | 0m 16s | Tests passed in
hadoop-hdfs-client. |
| | | 242m 12s | |
\\
\\
|| Reason || Tests ||
| Failed unit tests | hadoop.hdfs.server.namenode.ha.TestRetryCacheWithHA |
| | hadoop.hdfs.server.namenode.TestFileTruncate |
| | hadoop.tracing.TestTraceAdmin |
| Timed out tests |
org.apache.hadoop.hdfs.server.blockmanagement.TestDatanodeManager |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12730825/HDFS-8037.003.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle site |
| git revision | trunk / a583a40 |
| checkstyle |
https://builds.apache.org/job/PreCommit-HDFS-Build/10832/artifact/patchprocess/diffcheckstylehadoop-hdfs.txt
|
| hadoop-hdfs test log |
https://builds.apache.org/job/PreCommit-HDFS-Build/10832/artifact/patchprocess/testrun_hadoop-hdfs.txt
|
| hadoop-hdfs-client test log |
https://builds.apache.org/job/PreCommit-HDFS-Build/10832/artifact/patchprocess/testrun_hadoop-hdfs-client.txt
|
| Test Results |
https://builds.apache.org/job/PreCommit-HDFS-Build/10832/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf900.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output |
https://builds.apache.org/job/PreCommit-HDFS-Build/10832/console |
This message was automatically generated.
> WebHDFS: CheckAccess silently accepts certain malformed FsActions
> -----------------------------------------------------------------
>
> Key: HDFS-8037
> URL: https://issues.apache.org/jira/browse/HDFS-8037
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 2.6.0
> Reporter: Jake Low
> Assignee: Walter Su
> Priority: Minor
> Labels: BB2015-05-TBR, easyfix, newbie
> Attachments: HDFS-8037.001.patch, HDFS-8037.002.patch,
> HDFS-8037.003.patch
>
>
> WebHDFS's {{CHECKACCESS}} operation accepts a parameter called {{fsaction}},
> which represents the type(s) of access to check for.
> According to the documentation, and also the source code, the domain of
> {{fsaction}} is the set of strings matched by the regex {{"\[rwx-\]{3\}"}}.
> This domain is wider than the set of valid {{FsAction}} objects, because it
> doesn't guarantee sensible ordering of access types. For example, the strings
> {{"rxw"}} and {{"--r"}} are valid {{fsaction}} parameter values, but don't
> correspond to valid {{FsAction}} instances.
> The result is that WebHDFS silently accepts {{fsaction}} parameter values
> which don't match any valid {{FsAction}} instance, but doesn't actually
> perform any permissions checking in this case.
> For example, here's a {{CHECKACCESS}} call where we request {{"rw-"}} access
> on a file which we only have permission to read and execute. It raises an
> exception, as it should.
> {code:none}
> curl -i -X GET
> "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-x";
> HTTP/1.1 403 Forbidden
> Content-Type: application/json
> {
> "RemoteException": {
> "exception": "AccessControlException",
> "javaClassName": "org.apache.hadoop.security.AccessControlException",
> "message": "Permission denied: user=nobody, access=READ_WRITE,
> inode=\"\/myfile\":root:supergroup:drwxr-xr-x"
> }
> }
> {code}
> But if we instead request {{"r-w"}} access, the call appears to succeed:
> {code:none}
> curl -i -X GET
> "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-w";
> HTTP/1.1 200 OK
> Content-Length: 0
> {code}
> As I see it, the fix would be to change the regex pattern in
> {{FsActionParam}} to something like {{"\[r-\]\[w-\]\[x-\]"}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
