[ https://issues.apache.org/jira/browse/HDFS-15850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17326442#comment-17326442 ]
Stephen O'Donnell commented on HDFS-15850:
------------------------------------------

We should backport this to branch-3.3. I tried to cherry-pick it, but there is one conflict due to HDFS-15217 not being on branch-3.3 in FSNameSystem.truncate(...). There are some questions around the performance of HDFS-15217, so I'd rather not backport it to branch-3.3 at this stage, and it would be better to fix the conflict.

Then I got a compile error as below as HADOOP-17079 is not backported to branch-3.3:

{code}
[ERROR] /Users/sodonnell/source/upstream_hadoop/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/INodeAttributeProvider.java:[425,20] cannot find symbol
[ERROR]   symbol:   method getGroupsSet()
[ERROR]   location: variable callerUgi of type org.apache.hadoop.security.UserGroupInformation
{code}

It would be good to backport HADOOP-17079 too, but there are some issues caused by it, which are still in progress, so we cannot backport it either.

I fixed the conflicts and uploaded a branch-3.3 patch for this change. Can you all please review, especially around these areas:

INodeAttributeProvider:

{code}
default void checkSuperUserPermissionWithContext(
    AuthorizationContext authzContext)
    throws AccessControlException {
  UserGroupInformation callerUgi = authzContext.getCallerUgi();
  boolean isSuperUser =
      callerUgi.getShortUserName().equals(authzContext.getFsOwner()) ||
      callerUgi.getGroups().contains(authzContext.getSupergroup()); // This line changed from getGroupsSet() to getGroups()
  if (!isSuperUser) {
    throw new AccessControlException("Access denied for user " +
        callerUgi.getShortUserName() + ". Superuser privilege is " +
        "required for operation " + authzContext.getOperationName());
  }
}
{code}

FSNameSystem around the truncate method at line 2233.

> Superuser actions should be reported to external enforcers
> ----------------------------------------------------------
>
>                 Key: HDFS-15850
>                 URL: https://issues.apache.org/jira/browse/HDFS-15850
>             Project: Hadoop HDFS
>          Issue Type: Task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Vivek Ratnavel Subramanian
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0
>
>         Attachments: HDFS-15850.v1.patch, HDFS-15850.v2.patch
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Currently, HDFS superuser checks or actions are not reported to external
> enforcers like Ranger, and the audit reports provided by such external enforcers
> are not complete and are missing the superuser actions. To fix this, add a
> new method to "AccessControlEnforcer" for all superuser checks.