[
https://issues.apache.org/jira/browse/HDFS-8736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14626463#comment-14626463
]
Purvesh Patel commented on HDFS-8736:
-------------------------------------
There is little confusion on the description of issue. This patch is introduced
to prevent untrusted user code from accessing to HDFS, not the local file
system. It's written in such a way as to potentially enable it to be used to
block access to any type of FileSystem, with the caveat that you'd need to also
guard against users trying to instantiate the file system implementation
directly using other permissions.
Additional permission to prevent users from getting access to instances of the
HDFS FileSystem that were created when the user code was off-stack and that
have pre-cached network connections.
> ability to deny access to HDFS filesystems
> ------------------------------------------
>
> Key: HDFS-8736
> URL: https://issues.apache.org/jira/browse/HDFS-8736
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.5.0
> Reporter: Purvesh Patel
> Priority: Minor
> Labels: security
> Attachments: HDFS-8736-1.patch
>
>
> In order to run in a secure context, ability to deny access to different
> filesystems(specifically the local file system) to non-trusted code this
> patch adds a new SecurityPermission class(AccessFileSystemPermission) and
> checks the permission in FileSystem#get before returning a cached file system
> or creating a new one. Please see attached patch.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
