[ https://issues.apache.org/jira/browse/HDFS-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14534970#comment-14534970 ]

Hudson commented on HDFS-8037:
------------------------------

SUCCESS: Integrated in Hadoop-Mapreduce-trunk-Java8 #189 (See 
[https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/189/])
HDFS-8037. CheckAccess in WebHDFS silently accepts malformed FsActions 
parameters. Contributed by Walter Su. (wheat9: rev 
4d9f9e546ff9d8de75d08bf17d038c7d1ed3bc11)
* hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
* hadoop-hdfs-project/hadoop-hdfs/src/site/markdown/WebHDFS.md
* hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/resources/TestParam.java
* hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java


> CheckAccess in WebHDFS silently accepts malformed FsActions parameters
> ----------------------------------------------------------------------
>
>                 Key: HDFS-8037
>                 URL: https://issues.apache.org/jira/browse/HDFS-8037
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 2.6.0
>            Reporter: Jake Low
>            Assignee: Walter Su
>            Priority: Minor
>              Labels: easyfix, newbie
>             Fix For: 2.8.0
>
>         Attachments: HDFS-8037.001.patch, HDFS-8037.002.patch, 
> HDFS-8037.003.patch
>
>
> WebHDFS's {{CHECKACCESS}} operation accepts a parameter called {{fsaction}}, 
> which represents the type(s) of access to check for.
> According to the documentation, and also the source code, the domain of 
> {{fsaction}} is the set of strings matched by the regex {{"\[rwx-\]{3\}"}}. 
> This domain is wider than the set of valid {{FsAction}} objects, because it 
> doesn't guarantee sensible ordering of access types. For example, the strings 
> {{"rxw"}} and {{"--r"}} are valid {{fsaction}} parameter values, but don't 
> correspond to valid {{FsAction}} instances.
> The result is that WebHDFS silently accepts {{fsaction}} parameter values 
> which don't match any valid {{FsAction}} instance, but doesn't actually 
> perform any permissions checking in this case.
> For example, here's a {{CHECKACCESS}} call where we request {{"rw-"}} access 
> on a file which we only have permission to read and execute. It raises an 
> exception, as it should.
> {code:none}
> curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-x";
> HTTP/1.1 403 Forbidden
> Content-Type: application/json
> {
>   "RemoteException": {
>     "exception": "AccessControlException",
>     "javaClassName": "org.apache.hadoop.security.AccessControlException",
>     "message": "Permission denied: user=nobody, access=READ_WRITE, inode=\"\/myfile\":root:supergroup:drwxr-xr-x"
>   }
> }
> {code}
> But if we instead request {{"r-w"}} access, the call appears to succeed:
> {code:none}
> curl -i -X GET "http://localhost:50070/webhdfs/v1/myfile?op=CHECKACCESS&user.name=nobody&fsaction=r-w";
> HTTP/1.1 200 OK
> Content-Length: 0
> {code}
> As I see it, the fix would be to change the regex pattern in 
> {{FsActionParam}} to something like {{"\[r-\]\[w-\]\[x-\]"}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
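
The gap between the two patterns named in the issue, as an added example that is not part of the original message and is not Hadoop's code: it lists every string the lenient pattern admits that names no access type, then parses with a fail-closed check. The class `FsActionDomainCheck`, the `ACTIONS` map and the `parse` helper are hypothetical stand-ins for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class FsActionDomainCheck {
    // Pattern quoted in the issue as the documented domain of fsaction.
    static final Pattern LENIENT = Pattern.compile("[rwx-]{3}");
    // Pattern the reporter proposes instead.
    static final Pattern STRICT = Pattern.compile("[r-][w-][x-]");

    // Constructed stand-in for the eight permission symbols; not Hadoop's FsAction enum.
    static final Map<String, String> ACTIONS = new LinkedHashMap<>();
    static {
        String[] names = {"NONE", "EXECUTE", "WRITE", "WRITE_EXECUTE",
                          "READ", "READ_EXECUTE", "READ_WRITE", "ALL"};
        for (int bits = 0; bits < 8; bits++) {
            String sym = ((bits & 4) != 0 ? "r" : "-")
                       + ((bits & 2) != 0 ? "w" : "-")
                       + ((bits & 1) != 0 ? "x" : "-");
            ACTIONS.put(sym, names[bits]);
        }
    }

    // Fail closed: a value that maps to no action is an error, never "nothing to check".
    static String parse(String value) {
        String action = STRICT.matcher(value).matches() ? ACTIONS.get(value) : null;
        if (action == null) {
            throw new IllegalArgumentException("Invalid fsaction: " + value);
        }
        return action;
    }

    public static void main(String[] args) {
        char[] alphabet = {'r', 'w', 'x', '-'};
        List<String> gap = new ArrayList<>();
        for (char a : alphabet) for (char b : alphabet) for (char c : alphabet) {
            String s = "" + a + b + c;
            if (LENIENT.matcher(s).matches() && !ACTIONS.containsKey(s)) gap.add(s);
        }
        // Strings the lenient pattern accepts although they name no access type.
        System.out.println("accepted but unmapped: " + gap.size() + " " + gap);
        for (String v : new String[] {"rw-", "r-w", "rxw", "--r"}) {
            try { System.out.println(v + " -> " + parse(v)); }
            catch (IllegalArgumentException e) { System.out.println(v + " -> rejected"); }
        }
    }
}
```

The design point is the null check in `parse`: tightening the pattern narrows the input domain, and rejecting an unmapped value keeps the access check from being skipped if the pattern and the symbol table ever drift apart.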
