[jira] [Comment Edited] (HDFS-13194) CachePool permissions incorrectly checked

2018-02-26 Thread Jianfei Jiang (JIRA)

[ 
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16378168#comment-16378168
 ] 

Jianfei Jiang edited comment on HDFS-13194 at 2/27/18 7:37 AM:
---

Thanks [~linyiqun] for your magnanimity and kind review. Updated the patch.

As unprivilegedUser has no group, I do not use the following, to avoid an exception.
{code:java}
.setGroupName(unprivilegedUser.getPrimaryGroupName())
{code}

was (Author: jiangjianfei):
Thanks [~linyiqun] for your magnanimity and kind review. Updated the patch.

As unprivilegedUser has no group, I do not use
{code:java}
.setGroupName(unprivilegedUser.getPrimaryGroupName())
{code}

> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Yiqun Lin
> Assignee: Jianfei Jiang
> Priority: Major
> Attachments: HDFS-13194.001.patch, HDFS-13194.002.patch
>
>
> The permissions of CachePool are incorrectly checked. The checking logic:
> {code:java}
>   public void checkPermission(CachePool pool, FsAction access)
>       throws AccessControlException {
>     FsPermission mode = pool.getMode();
>     if (isSuperUser()) {
>       return;
>     }
>     if (getUser().equals(pool.getOwnerName())
>         && mode.getUserAction().implies(access)) {
>       return;
>     }
>     if (isMemberOfGroup(pool.getGroupName())
>         && mode.getGroupAction().implies(access)) {
>       return;
>     }
>     // Following line seems incorrect,
>     // we should ensure current user is not belong the pool's owner or pool's
>     // group.
>     if (mode.getOtherAction().implies(access)) {
>       return;
>     }
>     throw new AccessControlException("Permission denied while accessing pool "
>         + pool.getPoolName() + ": user " + getUser() + " does not have "
>         + access.toString() + " permissions.");
>   }
> {code}
> For example, one corner case: a cachepool (owner: test, group: test-group,
> permission mode: --rwx(007)); then a user who is named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since the permission for its owner or group is none.
> The behavior of checking other users should be updated like this:
> {code:java}
>     if (!getUser().equals(pool.getOwnerName())
>         && !isMemberOfGroup(pool.getGroupName())
>         && mode.getOtherAction().implies(access)) {
>       return;
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
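
Added example (not part of the original thread and not Hadoop's code): a self-contained Java model of the three variants that appear on this page, namely the check as reported, the change proposed in the description, and the else-if chain from the 2/26/18 comment, run against the 007 corner case. Pool, Caller, the helper names and the users alice and bob are constructed for illustration; the superuser shortcut is left out because all three variants share it.

```java
import java.util.Set;
// Added illustration: a minimal model of the CachePool check, not Hadoop code.
public class CachePoolCheckDemo {
  // Constructed stand-ins for CachePool and the caller; mode is octal, e.g. 0007.
  record Pool(String owner, String group, int mode) {}
  record Caller(String name, Set<String> groups) {}
  static final int READ = 4;
  // True when a 3-bit permission class grants every requested bit.
  static boolean implies(int bits, int access) { return (bits & access) == access; }
  static int userBits(Pool p)  { return (p.mode() >> 6) & 7; }
  static int groupBits(Pool p) { return (p.mode() >> 3) & 7; }
  static int otherBits(Pool p) { return p.mode() & 7; }
  static boolean isOwner(Pool p, Caller c)  { return c.name().equals(p.owner()); }
  static boolean isMember(Pool p, Caller c) { return c.groups().contains(p.group()); }

  // Logic as reported: the "other" bits are consulted for every caller.
  static boolean original(Pool p, Caller c, int access) {
    if (isOwner(p, c) && implies(userBits(p), access)) return true;
    if (isMember(p, c) && implies(groupBits(p), access)) return true;
    return implies(otherBits(p), access);
  }

  // Change from the description: "other" applies only to non-owner non-members.
  static boolean proposed(Pool p, Caller c, int access) {
    if (isOwner(p, c) && implies(userBits(p), access)) return true;
    if (isMember(p, c) && implies(groupBits(p), access)) return true;
    return !isOwner(p, c) && !isMember(p, c) && implies(otherBits(p), access);
  }

  // else-if chain: exactly one permission class is consulted per caller.
  static boolean elseIfChain(Pool p, Caller c, int access) {
    if (isOwner(p, c)) return implies(userBits(p), access);
    if (isMember(p, c)) return implies(groupBits(p), access);
    return implies(otherBits(p), access);
  }

  static void show(String label, Pool p, Caller c) {
    System.out.printf("%-17s original=%b proposed=%b elseIf=%b%n", label,
        original(p, c, READ), proposed(p, c, READ), elseIfChain(p, c, READ));
  }
  public static void main(String[] args) {
    Pool p007 = new Pool("test", "test-group", 0007);
    Pool p070 = new Pool("test", "test-group", 0070);
    show("owner/007", p007, new Caller("test", Set.of()));
    show("member/007", p007, new Caller("alice", Set.of("test-group")));
    show("outsider/007", p007, new Caller("bob", Set.of("staff")));
    show("owner+member/070", p070, new Caller("test", Set.of("test-group")));
  }
}
```

The last row (an owner who is also in the pool's group, mode 070) is where the proposed change and the else-if chain differ: the first grants access through the group bits, the second consults only the owner bits.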



[jira] [Comment Edited] (HDFS-13194) CachePool permissions incorrectly checked

2018-02-26 Thread Jianfei Jiang (JIRA)

[ 
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16378168#comment-16378168
 ] 

Jianfei Jiang edited comment on HDFS-13194 at 2/27/18 7:36 AM:
---

Thanks [~linyiqun] for your magnanimity and kind review. Updated the patch.

As unprivilegedUser has no group, I do not use
{code:java}
.setGroupName(unprivilegedUser.getPrimaryGroupName())
{code}

was (Author: jiangjianfei):
Thanks [~linyiqun] for your magnanimity and kind review. Updated the patch.

As unprivilegedUser has no group, I do not use
{{.setGroupName(unprivilegedUser.getPrimaryGroupName())}}




[jira] [Comment Edited] (HDFS-13194) CachePool permissions incorrectly checked

2018-02-26 Thread Jianfei Jiang (JIRA)

[ 
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16378168#comment-16378168
 ] 

Jianfei Jiang edited comment on HDFS-13194 at 2/27/18 7:36 AM:
---

Thanks [~linyiqun] for your magnanimity and kind review. Updated the patch.

As unprivilegedUser has no group, I do not use
{{.setGroupName(unprivilegedUser.getPrimaryGroupName())}}

was (Author: jiangjianfei):
Thanks [~linyiqun] for magnanimity and kind review. Updated the patch.




[jira] [Comment Edited] (HDFS-13194) CachePool permissions incorrectly checked

2018-02-26 Thread Jianfei Jiang (JIRA)

[ 
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16377991#comment-16377991
 ] 

Jianfei Jiang edited comment on HDFS-13194 at 2/27/18 4:00 AM:
---

Sorry [~linyiqun], I missed your comment and added a patch. I have unassigned.

was (Author: jiangjianfei):
Sorry [~linyiqun], I missed your comment and added a patch, should I unassign
to you? Sorry a lot.

> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Yiqun Lin
> Priority: Major
> Attachments: HDFS-13194.001.patch
>
>



[jira] [Comment Edited] (HDFS-13194) CachePool permissions incorrectly checked

2018-02-26 Thread Jianfei Jiang (JIRA)

[ 
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16376935#comment-16376935
 ] 

Jianfei Jiang edited comment on HDFS-13194 at 2/26/18 2:29 PM:
---

Disagree with [~hexiaoqiao], the fix still returns without exception under the
condition given by [~linyiqun]. What you mention may be like the following.
Separate the determine statements into two {{if}}. However, I prefer the change
in description given by Lin.
{code:java}
public void checkPermission(CachePool pool, FsAction access)
    throws AccessControlException {
  FsPermission mode = pool.getMode();
  if (isSuperUser()) {
    return;
  } else if (getUser().equals(pool.getOwnerName())) {
    if (mode.getUserAction().implies(access)) {
      return;
    }
  } else if (isMemberOfGroup(pool.getGroupName())) {
    if (mode.getGroupAction().implies(access)) {
      return;
    }
  } else if (mode.getOtherAction().implies(access)) {
    return;
  }
  throw new AccessControlException("Permission denied while accessing pool "
      + pool.getPoolName() + ": user " + getUser() + " does not have "
      + access.toString() + " permissions.");
}
{code}

was (Author: jiangjianfei):
Disagree with [~hexiaoqiao], the fix still returns without exception under the
condition given by [~linyiqun]. What you mention may be like the following.
Separate the determine statements into two {{if}}.
{code:java}
public void checkPermission(CachePool pool, FsAction access)
    throws AccessControlException {
  FsPermission mode = pool.getMode();
  if (isSuperUser()) {
    return;
  } else if (getUser().equals(pool.getOwnerName())) {
    if (mode.getUserAction().implies(access)) {
      return;
    }
  } else if (isMemberOfGroup(pool.getGroupName())) {
    if (mode.getGroupAction().implies(access)) {
      return;
    }
  } else if (mode.getOtherAction().implies(access)) {
    return;
  }
  throw new AccessControlException("Permission denied while accessing pool "
      + pool.getPoolName() + ": user " + getUser() + " does not have "
      + access.toString() + " permissions.");
}
{code}

> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Yiqun Lin
> Priority: Major
>