[jira] [Created] (HADOOP-14899) Restrict Access to set stickybit operation when authorization is enabled in WASB
Kannapiran Srinivasan created HADOOP-14899: -- Summary: Restrict Access to set stickybit operation when authorization is enabled in WASB Key: HADOOP-14899 URL: https://issues.apache.org/jira/browse/HADOOP-14899 Project: Hadoop Common Issue Type: New Feature Components: fs/azure Reporter: Kannapiran Srinivasan In case of authorization enabled Wasb clusters, we need to restrict setting permissions on files or folders to owner or list of privileged users. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Description: In case of authorization enabled Wasb clusters, we need to restrict setting permissions on files or folders to owner or list of privileged users. Currently in the WASB implementation even when authorization is enabled there is no check happens while doing setPermission call. In this JIRA we would like to add the check on the setPermission call in NativeAzureFileSystem implementation so that only owner or the privileged list of users can change the permissions of files/folders was:In case of authorization enabled Wasb clusters, we need to restrict setting permissions on files or folders to owner or list of privileged users. > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: New Feature > Components: fs/azure >Reporter: Kannapiran Srinivasan > Labels: fs, secure, wasb > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users can change > the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Summary: Restrict Access to setPermission operation when authorization is enabled in WASB (was: Restrict Access to set stickybit operation when authorization is enabled in WASB) > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: New Feature > Components: fs/azure >Reporter: Kannapiran Srinivasan > Labels: fs, secure, wasb > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16194481#comment-16194481 ] Kannapiran Srinivasan commented on HADOOP-14899: [~ste...@apache.org] : I have updated the patch with following fixes * L698: I think it is better to have a separate list defined for chmod allowed users instead of using a common one for both chown and chmod. Because this gives a flexibility to configure different set of allowed users for both chmod & chown. I have reverted the code back to use fs.azure.chown.allowed.userlist for chown. * L2916: Fixed * L2980: Fixed * L7971. chmod & chown should check against the current user not the actualUser. actualUser is set in the context of impersonation. Earlier logic on setPermission was wrongly checking the actualUser instead of currentUser. Yes getCurrentUser should not be null during chmod / chown calls irrespective of impersonation enabled or not * L3055. Cached the user lists (chown, chmod & daemon) during the init & enabled set of helper methods for tests to update them during test runs * Refactoring is done on the testcases as mentioned in the comment Apart from this I have fixed testcases related to setOwner (testSetOwnerThrowsForUnauthorisedUsers, testSetOwnerFailsForIllegalSetup, testSetOwnerThrowsForUnauthorisedUsers & testSetOwnerSucceedsForAnyUserWhenWildCardIsSpecified) All the tests have passed in hadoop-azure in both secure and unsecure mode. Tested against storage account in South India > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, > HADOOP-14899-003.patch, HADOOP-14899-004.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Attachment: HADOOP-14899-004.patch > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, > HADOOP-14899-003.patch, HADOOP-14899-004.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Attachment: HADOOP-14899-004.patch > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, > HADOOP-14899-003.patch, HADOOP-14899-004.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Attachment: (was: HADOOP-14899-004.patch) > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, > HADOOP-14899-003.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Description: In case of authorization enabled Wasb clusters, we need to restrict setting permissions on files or folders to owner or list of privileged users. Currently in the WASB implementation even when authorization is enabled there is no check happens while doing setPermission call. In this JIRA we would like to add the check on the setPermission call in NativeAzureFileSystem implementation so that only owner or the privileged list of users or daemon users can change the permissions of files/folders was: In case of authorization enabled Wasb clusters, we need to restrict setting permissions on files or folders to owner or list of privileged users. Currently in the WASB implementation even when authorization is enabled there is no check happens while doing setPermission call. In this JIRA we would like to add the check on the setPermission call in NativeAzureFileSystem implementation so that only owner or the privileged list of users can change the permissions of files/folders > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16180687#comment-16180687 ] Kannapiran Srinivasan edited comment on HADOOP-14899 at 9/26/17 12:42 PM: -- Following fixes are done in the patch [^HADOOP-14899-002.patch] * Updated setPermission & setOwner implementation to check only the current user * Updated the tests for setOwner with appropriate asserts * Fixed typo in the documentation was (Author: kansrini): Following fixes are done in this patch * Updated setPermission & setOwner implementation to check only the current user * Updated the tests for setOwner with appropriate asserts * Fixed typo in the documentation > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Attachment: HADOOP-14899-002.patch Following fixes are done in this patch * Updated setPermission & setOwner implementation to check only the current user * Updated the tests for setOwner with appropriate asserts * Fixed typo in the documentation > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16180747#comment-16180747 ] Kannapiran Srinivasan commented on HADOOP-14899: [~ste...@apache.org] : Can you please review this patch > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Status: Patch Available (was: Open) > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users can change > the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Attachment: HADOOP-14899-001.patch > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users can change > the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kannapiran Srinivasan updated HADOOP-14899: --- Attachment: HADOOP-14899-003.patch > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, > HADOOP-14899-003.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14899) Restrict Access to setPermission operation when authorization is enabled in WASB
[ https://issues.apache.org/jira/browse/HADOOP-14899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16182547#comment-16182547 ] Kannapiran Srinivasan commented on HADOOP-14899: [~ste...@apache.org] : I have updated the patch with following fixes * L698: I think it is better to have a separate list defined for chmod allowed users instead of using a common one for both chown and chmod. Because this gives a flexibility to configure different set of allowed users for both chmod & chown. I have reverted the code back to use fs.azure.chown.allowed.userlist for chown. * L2916: Fixed * L2980: Fixed * L7971. chmod & chown should check against the current user not the actualUser. actualUser is set in the context of impersonation. Earlier logic on setPermission was wrongly checking the actualUser instead of currentUser. Yes getCurrentUser should not be null during chmod / chown calls irrespective of impersonation enabled or not * L3055. Cached the user lists (chown, chmod & daemon) during the init & enabled set of helper methods for tests to update them during test runs * Refactoring is done on the testcases as mentioned in the comment All the tests have passed in hadoop-azure in both secure and unsecure mode. Tested against storage account in South India > Restrict Access to setPermission operation when authorization is enabled in > WASB > > > Key: HADOOP-14899 > URL: https://issues.apache.org/jira/browse/HADOOP-14899 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/azure >Reporter: Kannapiran Srinivasan >Assignee: Kannapiran Srinivasan > Labels: fs, secure, wasb > Attachments: HADOOP-14899-001.patch, HADOOP-14899-002.patch, > HADOOP-14899-003.patch > > > In case of authorization enabled Wasb clusters, we need to restrict setting > permissions on files or folders to owner or list of privileged users. > Currently in the WASB implementation even when authorization is enabled there > is no check happens while doing setPermission call. In this JIRA we would > like to add the check on the setPermission call in NativeAzureFileSystem > implementation so that only owner or the privileged list of users or daemon > users can change the permissions of files/folders -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org