[jira] [Updated] (HDFS-16004) QJournal lack Permission check.

Sun, 16 May 2021 23:26:06 -0700 


     [ 
https://issues.apache.org/jira/browse/HDFS-16004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated HDFS-16004:
-------------------------
    Summary:  QJournal lack Permission check.  (was: BackupNode and QJournal 
lack Permission check.)

>  QJournal lack Permission check.
> --------------------------------
>
>                 Key: HDFS-16004
>                 URL: https://issues.apache.org/jira/browse/HDFS-16004
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: lujie
>            Assignee: lujie
>            Priority: Critical
>              Labels: pull-request-available
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> I have some doubt when i configurate secure HDFS.  I know we have Service 
> Level Authorization  for protocols like NamenodeProtocol,DatanodeProtocol and 
> so on.
> But i do not find such Authorization   for JournalProtocol after reading the 
> code in HDFSPolicyProvider.  And if we have, how can i configurate such 
> Authorization?
>  
> Besides  even NamenodeProtocol has Service Level Authorization, its methods 
> still have Permission check. Take startCheckpoint in NameNodeRpcServer who 
> implemented NamenodeProtocol  for example:
>  
> _public NamenodeCommand startCheckpoint(NamenodeRegistration registration)_
>       _throws IOException {_
>     _String operationName = "startCheckpoint";_
>     _checkNNStartup();_
>     _{color:#ff6600}namesystem.checkSuperuserPrivilege(operationName);{color}_
> _......_
>  
> I found that the methods in  BackupNodeRpcServer who implemented 
> JournalProtocol  lack of such  Permission check. See below:
>  
>  
>     _public void startLogSegment(JournalInfo journalInfo, long epoch,_
>         _long txid) throws IOException {_
>       _namesystem.checkOperation(OperationCategory.JOURNAL);_
>       _verifyJournalRequest(journalInfo);_
>       _getBNImage().namenodeStartedLogSegment(txid);_
>     _}_
>  
>     _@Override_
>     _public void journal(JournalInfo journalInfo, long epoch, long firstTxId,_
>         _int numTxns, byte[] records) throws IOException {_
>       _namesystem.checkOperation(OperationCategory.JOURNAL);_
>       _verifyJournalRequest(journalInfo);_
>       _getBNImage().journal(firstTxId, numTxns, records);_
>     _}_
>  
> Do we need add Permission check for them?
>  
> Please point out my mistakes if i am wrong or miss something. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to