Yiqun Lin created HDFS-13194:
--------------------------------
Summary: CachePool permissions incorrectly checked
Key: HDFS-13194
URL: https://issues.apache.org/jira/browse/HDFS-13194
Project: Hadoop HDFS
Issue Type: Bug
Affects Versions: 3.0.0
Reporter: Yiqun Lin
The permissions of CachePool are incorrectly checked. The checking logic:
{code:java}
public void checkPermission(CachePool pool, FsAction access)
    throws AccessControlException {
  FsPermission mode = pool.getMode();
  if (isSuperUser()) {
    return;
  }
  if (getUser().equals(pool.getOwnerName())
      && mode.getUserAction().implies(access)) {
    return;
  }
  if (isMemberOfGroup(pool.getGroupName())
      && mode.getGroupAction().implies(access)) {
    return;
  }
  // The following line seems incorrect:
  // we should ensure the current user is not the pool's owner and does not
  // belong to the pool's group.
  if (mode.getOtherAction().implies(access)) {
    return;
  }
  throw new AccessControlException("Permission denied while accessing pool "
      + pool.getPoolName() + ": user " + getUser() + " does not have "
      + access.toString() + " permissions.");
}
{code}
For example, one corner case: given a cache pool (owner: test, group: test-group,
permission mode: ------rwx (007)), a user named "test" or a user whose
group is "test-group" can both access this pool. But actually this should not be
allowed, since the permission for its owner or group is none.
The check for other users should be updated like this:
{code:java}
if (!getUser().equals(pool.getOwnerName())
    && !isMemberOfGroup(pool.getGroupName())
    && mode.getOtherAction().implies(access)) {
  return;
}
{code}
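The corner case from the issue, reproduced as an added stand-alone example (not Hadoop code and not part of the original report). `Pool`, `User`, `reportedCheck` and `proposedCheck` are hypothetical names, permission bits are modelled as plain integers, the superuser branch is omitted, and the callers are constructed sample data. It needs Java 16 or later for records.

```java
import java.util.Set;

public class CachePoolCheckDemo {
    // Minimal stand-in for a cache pool: owner, group, and rwx bits per class (r=4, w=2, x=1).
    record Pool(String owner, String group, int userBits, int groupBits, int otherBits) {}
    record User(String name, Set<String> groups) {}

    // True when every requested bit is present in the granted bits.
    static boolean implies(int granted, int wanted) {
        return (granted & wanted) == wanted;
    }

    // Logic as reported: the "other" bits are consulted for every caller.
    static boolean reportedCheck(Pool p, User u, int access) {
        if (u.name().equals(p.owner()) && implies(p.userBits(), access)) return true;
        if (u.groups().contains(p.group()) && implies(p.groupBits(), access)) return true;
        return implies(p.otherBits(), access);
    }

    // Logic as proposed in the issue: "other" bits apply only to callers who are
    // neither the owner nor a member of the pool's group.
    static boolean proposedCheck(Pool p, User u, int access) {
        if (u.name().equals(p.owner()) && implies(p.userBits(), access)) return true;
        if (u.groups().contains(p.group()) && implies(p.groupBits(), access)) return true;
        return !u.name().equals(p.owner())
            && !u.groups().contains(p.group())
            && implies(p.otherBits(), access);
    }

    public static void main(String[] args) {
        final int READ = 4;
        Pool pool = new Pool("test", "test-group", 0, 0, 7); // mode 007 from the issue
        User[] callers = {   // constructed sample callers
            new User("test", Set.of("staff")),        // pool owner
            new User("alice", Set.of("test-group")),  // member of the pool's group
            new User("bob", Set.of("staff")),         // unrelated user
        };
        for (User u : callers) {
            System.out.printf("%-6s reported=%-5b proposed=%b%n",
                u.name(), reportedCheck(pool, u, READ), proposedCheck(pool, u, READ));
        }
    }
}
```

The owner and the group member are granted access by the reported logic and denied by the proposed one; the unrelated user is granted access by both.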