[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376935#comment-16376935
]
Jianfei Jiang edited comment on HDFS-13194 at 2/26/18 2:29 PM:
---------------------------------------------------------------
Disgree with [~hexiaoqiao], the fix still return without exception under the
condition given by [~linyiqun]. What you mentions may be like following.
Separate the determine statements to two {{if}}. However, I prefer the change
in description given by Lin.
{code:java}
public void checkPermission(CachePool pool, FsAction access)
throws AccessControlException {
FsPermission mode = pool.getMode();
if (isSuperUser()) {
return;
} else if (getUser().equals(pool.getOwnerName())) {
if (mode.getUserAction().implies(access)) {
return;
}
} else if (isMemberOfGroup(pool.getGroupName())) {
if (mode.getGroupAction().implies(access)) {
return;
}
} else if (mode.getOtherAction().implies(access)) {
return;
}
throw new AccessControlException("Permission denied while accessing pool "
+ pool.getPoolName() + ": user " + getUser() + " does not have "
+ access.toString() + " permissions.");
}
{code}
was (Author: jiangjianfei):
Disgree with [~hexiaoqiao], the fix still return without exception under the
condition given by [~linyiqun]. What you mentions may be like following.
Separate the determine statements to two \{{if}}.
{code:java}
public void checkPermission(CachePool pool, FsAction access)
throws AccessControlException {
FsPermission mode = pool.getMode();
if (isSuperUser()) {
return;
} else if (getUser().equals(pool.getOwnerName())) {
if (mode.getUserAction().implies(access)) {
return;
}
} else if (isMemberOfGroup(pool.getGroupName())) {
if (mode.getGroupAction().implies(access)) {
return;
}
} else if (mode.getOtherAction().implies(access)) {
return;
}
throw new AccessControlException("Permission denied while accessing pool "
+ pool.getPoolName() + ": user " + getUser() + " does not have "
+ access.toString() + " permissions.");
}
{code}
> CachePool permissions incorrectly checked
> -----------------------------------------
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Yiqun Lin
> Priority: Major
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:------rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
