[ https://issues.apache.org/jira/browse/HDFS-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13687620#comment-13687620 ]
Fengdong Yu commented on HDFS-4918:
-----------------------------------
I see this problem on trunk.
HDFS operations work well, but when I submit MR, I always get the following:
{code}
ERROR security.UserGroupInformation: PriviledgedActionException as:root
(auth:SIMPLE) cause:java.io.IOException: The ownership/permissions on the
staging directory
hdfs://webdm-cluster/data/hadoop/data/mapred/staging/root/.staging is not as
expected. It is owned by root and permissions are rwxr-xr-x. The directory must
be owned by the submitter root or by root and permissions must be rwx------
{code}
chown and chmod cannot solve the problem,
so I read the code again and got the following:
FSPermissionChecker.java:
{code}
void checkPermission(String path, INodeDirectory root, boolean doCheckOwner,
    FsAction ancestorAccess, FsAction parentAccess, FsAction access,
    FsAction subAccess, boolean resolveLink)
  // ... (excerpt; intervening lines not shown)
  final Snapshot snapshot = inodesInPath.getPathSnapshot();
{code}
then:
{code}
/** Guarded by {@link FSNamesystem#readLock()} */
private void check(INode inode, Snapshot snapshot, FsAction access
    ) throws AccessControlException {
  if (inode == null) {
    return;
  }
  FsPermission mode = inode.getFsPermission(snapshot);
  if (user.equals(inode.getUserName(snapshot))) { // user class
    if (mode.getUserAction().implies(access)) { return; }
  }
  else if (groups.contains(inode.getGroupName(snapshot))) { // group class
    if (mode.getGroupAction().implies(access)) { return; }
  }
  else { // other class
    if (mode.getOtherAction().implies(access)) { return; }
  }
  throw new AccessControlException("Permission denied: user=" + user
      + ", access=" + access + ", inode=" + toAccessControlString(inode));
}
{code}
So, if snapshot is null, all permission checks are done by the "other class".
> HDFS permission check is incorrect
> ----------------------------------
>
> Key: HDFS-4918
> URL: https://issues.apache.org/jira/browse/HDFS-4918
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: hdfs-client, namenode
> Affects Versions: 2.0.0-alpha
> Reporter: Fengdong Yu
>
> HDFS permission check is incorrect, even if dfs.permissions is set to false. It
> does look like this was caused by snapshot.
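
The class selection performed by `check()` in the comment above, as a standalone model for reproducing which permission class decides a request (an added example, not Hadoop code and not part of the original comment). `Node`, `classFor` and `allowed` are hypothetical names, the inode values and group names are constructed, and the snapshot argument is left out; it needs Java 16 or later.

```java
import java.util.Set;

/** Simplified stand-in for the class selection in FSPermissionChecker.check(). */
public class PermissionClassDemo {
    enum PermClass { USER, GROUP, OTHER }

    /** Constructed stand-in for an inode's resolved owner, group and 9-bit mode. */
    record Node(String owner, String group, int mode) {}

    /** Picks the single class that is consulted; the branches never fall through. */
    static PermClass classFor(String user, Set<String> groups, Node n) {
        if (user.equals(n.owner())) return PermClass.USER;
        if (groups.contains(n.group())) return PermClass.GROUP;
        return PermClass.OTHER;
    }

    /** True when the selected class's rwx bits include every requested bit. */
    static boolean allowed(String user, Set<String> groups, Node n, int access) {
        int shift = switch (classFor(user, groups, n)) {
            case USER -> 6;
            case GROUP -> 3;
            case OTHER -> 0;
        };
        int granted = (n.mode() >> shift) & 7;
        return (granted & access) == access; // same idea as FsAction.implies()
    }

    public static void main(String[] args) {
        final int R = 4, W = 2, X = 1;
        Set<String> rootGroups = Set.of("root");   // constructed group membership
        Set<String> aliceGroups = Set.of("users"); // constructed second user

        // Constructed sample matching the error message: owner root, rwxr-xr-x.
        Node staging = new Node("root", "supergroup", 0755);
        System.out.println("root  -> " + classFor("root", rootGroups, staging)
                + ", rwx allowed: " + allowed("root", rootGroups, staging, R | W | X));

        // A user who is neither owner nor group member is judged on "other" bits.
        System.out.println("alice -> " + classFor("alice", aliceGroups, staging)
                + ", w allowed: " + allowed("alice", aliceGroups, staging, W));

        // Edge case: owner bits are empty while "other" bits grant rwx (mode 0077).
        Node odd = new Node("root", "supergroup", 0077);
        System.out.println("root on 0077 -> " + classFor("root", rootGroups, odd)
                + ", r allowed: " + allowed("root", rootGroups, odd, R));
    }
}
```

Printing the selected class next to the decision makes it easy to compare against the class a real request is expected to fall into.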