[
https://issues.apache.org/jira/browse/HDFS-15973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17322588#comment-17322588
]
zhuobin zheng commented on HDFS-15973:
--------------------------------------
We should do the access check in a proxyUser privileged action. Otherwise, we are unable to pass
the authentication with the namenode.
{code:java}
// Run the access checks as the remote user, proxied through the router user.
if (UserGroupInformation.isSecurityEnabled()) {
  UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
      RouterRpcServer.getRemoteUser().getShortUserName(), routerUser);
  proxyUser.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      // check src path permission.
      Path srcPath = new Path("hdfs://" + srcLoc.getNameserviceId() + remoteSrc);
      srcPath.getFileSystem(conf).access(srcPath.getParent(), FsAction.WRITE);
      // check dst path permission.
      Path dstPath = new Path("hdfs://" + dstLoc.getNameserviceId() + remoteDst);
      dstPath.getFileSystem(conf).access(dstPath.getParent(), FsAction.WRITE);
      // run() is declared to return Object, so it must return a value.
      return null;
    }
  });
}
{code}
> RBF: Add permission check before doing router federation rename.
> ----------------------------------------------------------------
>
> Key: HDFS-15973
> URL: https://issues.apache.org/jira/browse/HDFS-15973
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Reporter: Jinglun
> Assignee: Jinglun
> Priority: Major
> Attachments: HDFS-15973.001.patch, HDFS-15973.002.patch,
> HDFS-15973.003.patch
>
>
> The router federation rename lacks a permission check. It is a security
> issue.