[
https://issues.apache.org/jira/browse/HDFS-16259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17425324#comment-17425324
]
Ayush Saxena commented on HDFS-16259:
-------------------------------------
Isn't that Ranger problem? It should return an exception which can be decoded.
I see the component marked as Namenode, Do you plan to add such a logic in the
Namenode side, that it catches any sub-class ACE & convert to ACE. This doesn't
look like something we should do, Whatever the plugin returns we should
propagate that back, Behaviour for that plugin should be same for all services,
not something for the Namenode.
What special Ranger is trying to do with RangerAccessControlException, that
they can't change it to ACE?
Not very sure about the use case, but is there a problem due to unwrapping did
you try handling in the DFSClient? Something like:
{noformat}
diff --git
a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
index 58906846298..09c68a932af 100755
---
a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
+++
b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSClient.java
@@ -2960,9 +2960,7 @@ public void checkAccess(String src, FsAction mode) throws
IOException {
try (TraceScope ignored = newPathTraceScope("checkAccess", src)) {
namenode.checkAccess(src, mode);
} catch (RemoteException re) {
- throw re.unwrapRemoteException(AccessControlException.class,
- FileNotFoundException.class,
- UnresolvedPathException.class);
+ throw re.unwrapRemoteException();
}
}
{noformat}
> Catch and re-throw sub-classes of AccessControlException thrown by any
> permission provider plugins (eg Ranger)
> --------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-16259
> URL: https://issues.apache.org/jira/browse/HDFS-16259
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: namenode
> Reporter: Stephen O'Donnell
> Assignee: Stephen O'Donnell
> Priority: Major
>
> When a permission provider plugin is enabled (eg Ranger) there are some
> scenarios where it can throw a sub-class of an AccessControlException (eg
> RangerAccessControlException). If this exception is allowed to propagate up
> the stack, it can give problems in the HDFS Client, when it unwraps the
> remote exception containing the AccessControlException sub-class.
> Ideally, we should make AccessControlException final so it cannot be
> sub-classed, but that would be a breaking change at this point. Therefore I
> believe the safest thing to do, is to catch any AccessControlException that
> comes out of the permission enforcer plugin, and re-throw an
> AccessControlException instead.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
