[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14077559#comment-14077559 ]

Jason Dere commented on HDFS-6570:
----------------------------------

Trying out this patch and adding an extra test to testAccess(), it looks like 
access to nested path /p1/p2 is failing due to perms issues with /p1. Is this 
expected? It fails with the same error even if I give full rwx access to bruce 
on /p1.

{noformat}
Caused by: org.apache.hadoop.ipc.RemoteException: Permission denied: user=bruce, access=EXECUTE, inode="/p1":bruce:groupX:dr--r-----:user:bruce:r--,group::---
{noformat}


{code}
  @Test
  public void testAccess() throws IOException, InterruptedException {
    Path p1 = new Path("/p1");
    fs.mkdirs(p1);
    fs.setOwner(p1, BRUCE.getShortUserName(), "groupX");
    fsAsBruce.setAcl(p1, Lists.newArrayList(
        aclEntry(ACCESS, USER, READ),
        aclEntry(ACCESS, USER, "bruce", READ),
        aclEntry(ACCESS, GROUP, NONE),
        aclEntry(ACCESS, OTHER, NONE)));
    fsAsBruce.access(p1, FsAction.READ);
    try {
      fsAsBruce.access(p1, FsAction.WRITE);
      fail("The access call should have failed.");
    } catch (AccessControlException e) {
      // expected
    }

    // Give full access perms to bruce for /p1/p2
    Path p2 = new Path(p1, "p2");
    fs.mkdirs(p2);
    fs.setOwner(p2, BRUCE.getShortUserName(), "groupX");
    fs.setAcl(p2, Lists.newArrayList(
        aclEntry(ACCESS, USER, READ),
        aclEntry(ACCESS, USER, "bruce", ALL),
        aclEntry(ACCESS, GROUP, NONE),
        aclEntry(ACCESS, OTHER, NONE)));
    fsAsBruce.access(p2, FsAction.READ);  // Fails here
    fsAsBruce.access(p2, FsAction.WRITE);
    fsAsBruce.access(p2, FsAction.EXECUTE);

    Path badPath = new Path("/bad/bad");
    try {
      fsAsBruce.access(badPath, FsAction.READ);
      fail("The access call should have failed");
    } catch (FileNotFoundException e) {
      // expected
    }
  }
{code}

> add api that enables checking if a user has certain permissions on a file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-6570
>                 URL: https://issues.apache.org/jira/browse/HDFS-6570
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: hdfs-client, namenode, webhdfs
>            Reporter: Thejas M Nair
>            Assignee: Jitendra Nath Pandey
>         Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch, 
> HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch
>
>
> For some of the authorization modes in Hive, the servers in Hive check if a 
> given user has permissions on a certain file or directory. For example, the 
> storage based authorization mode allows hive table metadata to be modified 
> only when the user has access to the corresponding table directory on hdfs. 
> There are likely to be such use cases outside of Hive as well.
> HDFS does not provide an api for such checks. As a result, the logic to check 
> if a user has permissions on a directory gets replicated in Hive. This 
> results in duplicate logic and introduces possibilities for 
> inconsistencies in the interpretation of the permission model. This becomes a 
> bigger problem with the complexity of ACL logic.
> HDFS should provide an api that provides functionality that is similar to 
> access function in unistd.h - http://linux.die.net/man/2/access .



--
This message was sent by Atlassian JIRA
(v6.2#6252)
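
Added example (not part of the original message and not Hadoop code): a simplified Python model of POSIX-style ACL evaluation with path traversal, applied to the /p1 and /p1/p2 setup from the test in the comment above. The root directory, its owner "hdfs", the automatic mask calculation and the helper names are assumptions of this sketch; named group entries are omitted.

```python
# Simplified model of POSIX-style ACL evaluation as HDFS documents it
# (added example, not Hadoop code).
R, W, X = 4, 2, 1
ALL, NONE = R | W | X, 0
NAMES = {R: "READ", W: "WRITE", X: "EXECUTE"}

def inode(owner, group, owner_perm, named_users, group_perm, other_perm):
    # With no explicit mask entry, the mask is the union of the named-user
    # and group entries (assumption; it matches the dr--r----- shown for /p1).
    mask = group_perm
    for bits in named_users.values():
        mask |= bits
    return dict(owner=owner, group=group, owner_perm=owner_perm,
                named_users=named_users, group_perm=group_perm,
                other_perm=other_perm, mask=mask)

def effective(node, user, groups):
    """The first matching class decides; later entries are never consulted."""
    if user == node["owner"]:
        return node["owner_perm"]      # a named entry for the owner is ignored
    if user in node["named_users"]:
        return node["named_users"][user] & node["mask"]
    if node["group"] in groups:        # named group entries omitted for brevity
        return node["group_perm"] & node["mask"]
    return node["other_perm"]

def check_access(tree, path, user, groups, action):
    """Return None if allowed, else (denied_action, inode_path)."""
    current = "/"
    for name in [p for p in path.split("/") if p]:
        # Traversal: EXECUTE is required on every ancestor directory.
        if not effective(tree[current], user, groups) & X:
            return ("EXECUTE", current)
        current = current.rstrip("/") + "/" + name
    if effective(tree[current], user, groups) & action != action:
        return (NAMES[action], current)
    return None

def sample_tree(p1_owner_perm=R, p1_bruce_entry=R):
    # Constructed from the test in the comment; "/" and "hdfs" are assumptions.
    return {
        "/": inode("hdfs", "supergroup", ALL, {}, R | X, R | X),
        "/p1": inode("bruce", "groupX", p1_owner_perm,
                     {"bruce": p1_bruce_entry}, NONE, NONE),
        "/p1/p2": inode("bruce", "groupX", R, {"bruce": ALL}, NONE, NONE),
    }
```

In this model bruce owns /p1, so only the owner entry is evaluated there: raising the named user:bruce entry to rwx leaves the EXECUTE denial on /p1 unchanged, while adding EXECUTE to the owner entry lets the READ check on /p1/p2 pass.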
