[ https://issues.apache.org/jira/browse/HDFS-5923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13898142#comment-13898142 ]

Chris Nauroth commented on HDFS-5923:
-------------------------------------

Hi Fengdong,

We committed HDFS-5914 yesterday to the HDFS-4685 branch to take care of ACL 
serialization after the protobuf merge.

+1 for the proposal.  We have a choice between 2 possible code maintenance 
scenarios:

# Persist the ACL bit.  Guarantee that all code paths accepting an 
{{FsPermission}} from the client don't trust it and don't allow it to change 
the persisted version.  The benefit is that we don't need to do outbound 
translation to toggle on the ACL bit for APIs like {{getFileStatus}}.  The 
drawback is that we need to remember to do inbound translation to maintain the 
persisted value of the ACL bit for APIs like {{setPermission}}.
# Do not persist the ACL bit.  Guarantee that all code paths returning an 
{{FsPermission}} to the client toggle on the ACL bit if the inode has an 
{{AclFeature}}.  The benefit is that we don't need to do inbound translation.  
The drawback is that we need to remember to do outbound translation.

The HDFS-4685 branch currently implements #1, but I agree that #2 is superior, 
because it reduces risk.  Bugs in strategy #1 could result in toggling the ACL 
bit on or off incorrectly, which impacts permission enforcement.  Bugs in 
strategy #2 would only return incorrect results to a client, but would not 
compromise permission enforcement.

Thanks for proposing the change, Haohui.

> Do not persist the ACL bit in the FsPermission
> ----------------------------------------------
>
>                 Key: HDFS-5923
>                 URL: https://issues.apache.org/jira/browse/HDFS-5923
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: hdfs-client, namenode, security
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>
> The current implementation persists an ACL bit in FSImage and editlogs. 
> Moreover, the security decisions also depend on whether the bit is set.
> The problem here is that we have to maintain the implicit invariant, which is 
> the ACL bit is set if and only if the inode has AclFeature. The invariant 
> has to be maintained everywhere, otherwise it can lead to a security 
> vulnerability. In the worst case, an attacker can toggle the bit and bypass 
> the ACL checks.
> The JIRA proposes to treat the ACL bit as a transient bit. The bit should not 
> be persisted onto the disk, nor should it affect any security decisions.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)