[ https://issues.apache.org/jira/browse/HDFS-16004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
lujie updated HDFS-16004: ------------------------- Summary: QJournal lack Permission check. (was: BackupNode and QJournal lack Permission check.) > QJournal lack Permission check. > -------------------------------- > > Key: HDFS-16004 > URL: https://issues.apache.org/jira/browse/HDFS-16004 > Project: Hadoop HDFS > Issue Type: Bug > Reporter: lujie > Assignee: lujie > Priority: Critical > Labels: pull-request-available > Time Spent: 1h > Remaining Estimate: 0h > > I have some doubt when i configurate secure HDFS. I know we have Service > Level Authorization for protocols like NamenodeProtocol,DatanodeProtocol and > so on. > But i do not find such Authorization for JournalProtocol after reading the > code in HDFSPolicyProvider. And if we have, how can i configurate such > Authorization? > > Besides even NamenodeProtocol has Service Level Authorization, its methods > still have Permission check. Take startCheckpoint in NameNodeRpcServer who > implemented NamenodeProtocol for example: > > _public NamenodeCommand startCheckpoint(NamenodeRegistration registration)_ > _throws IOException {_ > _String operationName = "startCheckpoint";_ > _checkNNStartup();_ > _{color:#ff6600}namesystem.checkSuperuserPrivilege(operationName);{color}_ > _......_ > > I found that the methods in BackupNodeRpcServer who implemented > JournalProtocol lack of such Permission check. See below: > > > _public void startLogSegment(JournalInfo journalInfo, long epoch,_ > _long txid) throws IOException {_ > _namesystem.checkOperation(OperationCategory.JOURNAL);_ > _verifyJournalRequest(journalInfo);_ > _getBNImage().namenodeStartedLogSegment(txid);_ > _}_ > > _@Override_ > _public void journal(JournalInfo journalInfo, long epoch, long firstTxId,_ > _int numTxns, byte[] records) throws IOException {_ > _namesystem.checkOperation(OperationCategory.JOURNAL);_ > _verifyJournalRequest(journalInfo);_ > _getBNImage().journal(firstTxId, numTxns, records);_ > _}_ > > Do we need add Permission check for them? > > Please point out my mistakes if i am wrong or miss something. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org