[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14080720#comment-14080720 ] Hudson commented on HDFS-6570: -- FAILURE: Integrated in Hadoop-Yarn-trunk #629 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/629/]) HDFS-6570. add api that enables checking if a user has certain permissions on a file. Contributed by Jitendra Pandey. (cnauroth: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1614723) * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Improvement Components: hdfs-client, namenode, webhdfs
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14080959#comment-14080959 ] Hudson commented on HDFS-6570: -- SUCCESS: Integrated in Hadoop-Mapreduce-trunk #1848 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1848/]) HDFS-6570. add api that enables checking if a user has certain permissions on a file. Contributed by Jitendra Pandey. (cnauroth: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1614723) * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Improvement Components: hdfs-client, namenode, webhdfs
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14079639#comment-14079639 ] Hudson commented on HDFS-6570: -- FAILURE: Integrated in Hadoop-trunk-Commit #5986 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/5986/]) HDFS-6570. add api that enables checking if a user has certain permissions on a file. Contributed by Jitendra Pandey. (cnauroth: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1614723) * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Improvement Components: hdfs-client, namenode, webhdfs
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14080356#comment-14080356 ] Hudson commented on HDFS-6570: -- FAILURE: Integrated in Hadoop-Hdfs-trunk #1822 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1822/]) HDFS-6570. add api that enables checking if a user has certain permissions on a file. Contributed by Jitendra Pandey. (cnauroth: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1614723) * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AbstractFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileContext.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FilterFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ChRootedFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFileSystem.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/viewfs/ViewFs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestHarFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/fs/Hdfs.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSClient.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DistributedFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolServerSideTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/ClientNamenodeProtocolTranslatorPB.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocolPB/PBHelper.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/web/resources/NamenodeWebHdfsMethods.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/GetOpParam.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/proto/ClientNamenodeProtocol.proto * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/WebHDFS.apt.vm * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSPermission.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSafeMode.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeFile.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/snapshot/TestAclWithSnapshot.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsFileSystemContract.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java * /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/security/TestPermissionSymlinks.java add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Improvement Components: hdfs-client, namenode, webhdfs
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14077559#comment-14077559
]
Jason Dere commented on HDFS-6570:
--
Trying out this patch and adding an extra test to testAccess(), it looks like
access to nested path /p1/p2 is failing due to perms issues with /p1, is this
expected? It fails with the same error even if I give full rwx access to bruce
on /p1.
{noformat}
Caused by: org.apache.hadoop.ipc.RemoteException: Permission denied:
user=bruce, access=EXECUTE,
inode=/p1:bruce:groupX:dr--r-:user:bruce:r--,group::---
{noformat}
{code}
@Test
public void testAccess() throws IOException, InterruptedException {
Path p1 = new Path(/p1);
fs.mkdirs(p1);
fs.setOwner(p1, BRUCE.getShortUserName(), groupX);
fsAsBruce.setAcl(p1, Lists.newArrayList(
aclEntry(ACCESS, USER, READ),
aclEntry(ACCESS, USER, bruce, READ),
aclEntry(ACCESS, GROUP, NONE),
aclEntry(ACCESS, OTHER, NONE)));
fsAsBruce.access(p1, FsAction.READ);
try {
fsAsBruce.access(p1, FsAction.WRITE);
fail(The access call should have failed.);
} catch (AccessControlException e) {
// expected
}
// Give full access perms to bruce for /p1/p2
Path p2 = new Path(p1, p2);
fs.mkdirs(p2);
fs.setOwner(p2, BRUCE.getShortUserName(), groupX);
fs.setAcl(p2, Lists.newArrayList(
aclEntry(ACCESS, USER, READ),
aclEntry(ACCESS, USER, bruce, ALL),
aclEntry(ACCESS, GROUP, NONE),
aclEntry(ACCESS, OTHER, NONE)));
fsAsBruce.access(p2, FsAction.READ); // Fails here
fsAsBruce.access(p2, FsAction.WRITE);
fsAsBruce.access(p2, FsAction.EXECUTE);
Path badPath = new Path(/bad/bad);
try {
fsAsBruce.access(badPath, FsAction.READ);
fail(The access call should have failed);
} catch (FileNotFoundException e) {
// expected
}
}
{code}
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Components: hdfs-client, namenode, webhdfs
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14077954#comment-14077954
]
Chris Nauroth commented on HDFS-6570:
-
Hi, [~jdere]. The expected behavior is to get an {{AccessControlException}}
thrown from the Fails here line. The test creates directory /p1 and gives
bruce read access. Then, it creates sub-directory /p1/p2 and gives bruce full
read-write-execute access. Traversing an HDFS directory to access its children
requires execute permission, not read permission. (This is consistent with
POSIX.) Bruce doesn't have execute access on /p1, so HDFS halts traversal
there and throws an {{AccessControlException}}. The presence of a
read-write-execute ACL entry on a child inode does not override the requirement
for execute permission on the parent.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Components: hdfs-client, namenode, webhdfs
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14077025#comment-14077025 ] Chris Nauroth commented on HDFS-6570: - +1 for patch v5. Thanks again, Jitendra. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Components: hdfs-client, namenode, webhdfs Reporter: Thejas M Nair Assignee: Jitendra Nath Pandey Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch, HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14077259#comment-14077259
]
Hadoop QA commented on HDFS-6570:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12658274/HDFS-6570.5.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 9 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
hadoop-common-project/hadoop-common hadoop-hdfs-project/hadoop-hdfs:
org.apache.hadoop.TestRefreshCallQueue
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-HDFS-Build/7479//testReport/
Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/7479//console
This message is automatically generated.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Components: hdfs-client, namenode, webhdfs
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14077346#comment-14077346 ] Chris Nauroth commented on HDFS-6570: - The test failure looks unrelated. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Components: hdfs-client, namenode, webhdfs Reporter: Thejas M Nair Assignee: Jitendra Nath Pandey Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch, HDFS-6570.3.patch, HDFS-6570.4.patch, HDFS-6570.5.patch For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14075397#comment-14075397
]
Chris Nauroth commented on HDFS-6570:
-
Sorry, Jitendra. I just realized there is one more small problem in
{{FSNamesystem#checkAccess}}. Take a look at HDFS-6749. We just fixed a bug
where a few {{FSNamesystem}} methods were not calling {{resolvePath}}, and I
can see that our new {{checkAccess}} method in this patch has the same problem.
The fix will look similar to the change applied to {{getAclStatus}} in
HDFS-6749. It's just adding 2 lines to call
{{FSDirectory#getPathComponentsForReservedPath}} and
{{FSDirectory#resolvePath}}:
{code}
@@ -8183,9 +8185,11 @@ AclStatus getAclStatus(String src) throws IOException {
nnConf.checkAclsConfigFlag();
FSPermissionChecker pc = getPermissionChecker();
checkOperation(OperationCategory.READ);
+byte[][] pathComponents =
FSDirectory.getPathComponentsForReservedPath(src);
readLock();
try {
checkOperation(OperationCategory.READ);
+ src = FSDirectory.resolvePath(src, pathComponents, dir);
if (isPermissionEnabled) {
checkPermission(pc, src, false, null, null, null, null);
}
{code}
Then, for testing, we can just add a line here to {{TestINodeFile}} to call
{{fs.access(testFileInodePath);}}:
{code}
+
+ /*
+ * HDFS-6749 added missing calls to FSDirectory.resolvePath in the
+ * following four methods. The calls below ensure that
+ * /.reserved/.inodes paths work properly. No need to check return
+ * values as these methods are tested elsewhere.
+ */
+ {
+fs.isFileClosed(testFileInodePath);
+fs.getAclStatus(testFileInodePath);
+fs.getXAttrs(testFileInodePath);
+fs.listXAttrs(testFileInodePath);
+ }
{code}
I suspect the test would fail before making the change in {{FSNamesystem}} and
then pass after you make the change.
+1 after that very minor change. Thanks very much!
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Components: hdfs-client, namenode, webhdfs
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch, HDFS-6570.4.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14075184#comment-14075184
]
Hadoop QA commented on HDFS-6570:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12657911/HDFS-6570.4.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 8 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
hadoop-common-project/hadoop-common hadoop-hdfs-project/hadoop-hdfs:
org.apache.hadoop.ipc.TestIPC
org.apache.hadoop.hdfs.server.namenode.ha.TestPipelinesFailover
org.apache.hadoop.hdfs.server.namenode.TestNamenodeCapacityReport
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-HDFS-Build/7468//testReport/
Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/7468//console
This message is automatically generated.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch, HDFS-6570.4.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14072126#comment-14072126
]
Chris Nauroth commented on HDFS-6570:
-
Jitendra, thanks for incorporating the feedback. I think this is almost ready.
I see just one more thing to fix, and I have recommendations on a few more
test cases to add. I expect the patch is already correct for all of these
suggested test cases, so adding them would just be helpful for preventing
regressions in the future.
# {{GetOpParam}}: It looks like the convention on WebHDFS operation names is to
put all the words together, not separated by underscore. Let's change
{{CHECK_ACCESS}} to {{CHECKACCESS}}. This is actually how you named the
operation in the docs already.
# {{TestPermissionSymlinks}}: Let's add a test asserting that a call to check
access for a symlink checks the permissions of its target. (Symlinks always
have 777, so it wouldn't be correct to check the symlink inode directly.)
# {{TestSafeMode#testOperationsWhileInSafeMode}}: Let's make a small change
here to add a call to check access while in safe mode. This is a read-only
operation, so we expect it to work during safe mode.
# {{TestAclWithSnapshot}}: If there is a snapshot, and the original inode's
permissions change, then checking access on the snapshot inode must still
enforce the old permissions, and checking access on the current version of the
inode must reflect the changes. I think the current patch does this correctly,
but let's test to make sure. Snapshot tests like this need a lot of setup, so
I recommend we just add a few quick access check calls to the 4 existing
{{testOriginalAclEnforced*}} tests in this suite. That way, we can get a free
ride on the setup code that's already done here. :-)
# BTW, I agree with what you did for audit logging in this version of the
patch. HDFS-5730 has more discussion on making audit logging consistent across
all APIs.
bq. -1 core tests. The patch failed these unit tests in
hadoop-common-project/hadoop-common hadoop-hdfs-project/hadoop-hdfs:
These look like spurious test failures. They passed for me locally.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14071215#comment-14071215
]
Hadoop QA commented on HDFS-6570:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12657190/HDFS-6570.3.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 5 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
hadoop-common-project/hadoop-common hadoop-hdfs-project/hadoop-hdfs:
org.apache.hadoop.ha.TestZKFailoverControllerStress
org.apache.hadoop.ipc.TestIPC
org.apache.hadoop.hdfs.server.namenode.ha.TestPipelinesFailover
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-HDFS-Build/7428//testReport/
Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/7428//console
This message is automatically generated.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch,
HDFS-6570.3.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14068894#comment-14068894 ] Colin Patrick McCabe commented on HDFS-6570: bq. acl.proto: I'm not sure it's backwards-compatible to take the existing FsActionProto nested inside AclEntryProto and move it to top level. If protobuf encodes the message name now as AclEntryProto.FsActionProto, then it might break interop. It would be interesting to test hdfs dfs -getfacl on files with ACLs using a mix of old client + new server or new client + old server. If there is a problem, then we might need to find a way to refer to the nested definition, or if all else fails maintain duplicate definitions (nested and top-level) just for comaptibility. Protobuf doesn't encode field names. It just assumes that the data you're giving it fits the schema you're giving it. As far as I know, moving the enum from nested to top-level will not change its representation.Enums are just represented as varints in protobuf... i.e. the same as uint32s is represented. Unless you're changing the value of the enum constants, it shouldn't change anything. So I believe this part is OK. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Reporter: Thejas M Nair Assignee: Jitendra Nath Pandey Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14068931#comment-14068931 ] Chris Nauroth commented on HDFS-6570: - Thanks, Colin. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Reporter: Thejas M Nair Assignee: Jitendra Nath Pandey Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14067685#comment-14067685
]
Chris Nauroth commented on HDFS-6570:
-
Hi, [~jnp]. The patch is looking good so far. Here are a few comments:
# acl.proto: I'm not sure it's backwards-compatible to take the existing
{{FsActionProto}} nested inside {{AclEntryProto}} and move it to top level. If
protobuf encodes the message name now as AclEntryProto.FsActionProto, then it
might break interop. It would be interesting to test hdfs dfs -getfacl on
files with ACLs using a mix of old client + new server or new client + old
server. If there is a problem, then we might need to find a way to refer to
the nested definition, or if all else fails maintain duplicate definitions
(nested and top-level) just for comaptibility.
# {{FSNamesystem}}: There are a few things missing here. We need to hold the
read lock so that we don't get unexpected behavior while another thread mutates
the part of the tree that we're traversing. We also need to check that the
current HA context allows a read operation. {{getAclStatus}} is probably the
simplest method to look at for an example that does everything. Do you think
we need to write to the audit log for this method? I'm thinking that we
shouldn't, because the purpose of this method is to query whether or not the
user has access. A no answer isn't really denying the call from happening, so
I don't think it's an interesting event to audit. If you agree, then maybe we
should put a comment in here stating that we intentionally do not write to the
audit log.
# {{NamenodeWebHdfsMethods}}: There are some merge conflicts in the patch that
made it challenging to review, but it looks like the changes are on the right
track.
# {{WebHdfsFileSystem}}: Would this throw the expected
{{FileNotFoundException}} when trying to call {{access}} on a non-existent
path? Methods like {{getHdfsFileStatus}} and {{getAclStatus}} have coded an
explicit check on a null JSON response.
# {{FsActionParam}}: We could potentially improve input validation by
specifying a simple regex for the {{Domain}}, like \[rwx-\]\{3\}. See
{{AclPermissionParam}}, which embeds the same permission string format inside
ACL entries.
# {{GetOpParam}}: I don't think passing {{true}} for the {{requireAuth}}
argument is correct. That's just for the operations related to
getting/renewing/canceling delegation tokens, not the typical file system
operations.
# We'll need to add the new method to the WebHDFS REST API documentation.
# Just an optional thought: much of this patch file's size is due to reordering
import statements. You might consider dropping that part for now and filing a
separate pure refactoring patch later as cleanup to make the patches more
manageable. This way is fine too though if you prefer.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Jitendra Nath Pandey
Attachments: HDFS-6570-prototype.1.patch, HDFS-6570.2.patch
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14054208#comment-14054208 ] Chris Nauroth commented on HDFS-6570: - Thejas has reviewed the prototype API definition here, and he says it will work well for Hive. We can proceed with implementation. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Reporter: Thejas M Nair Assignee: Chris Nauroth Attachments: HDFS-6570-prototype.1.patch For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14041492#comment-14041492
]
Colin Patrick McCabe commented on HDFS-6570:
bq. Note that the man page for access clearly spells out the risk of
time-of-check/time-of-use race conditions. This API is only going to be useful
for systems implementing their own authorization enforcement on top of HDFS
files, and only if those systems consider the risk acceptable.
Let's make sure that we spell out the risks in the API. In fact, I wonder if
we should we make this {{\@LimitedPrivate}} between Hive and HDFS. The man
page for the {{access}} system call is pretty blunt on my machine: the use of
this system call should be avoided.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Chris Nauroth
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14038077#comment-14038077 ] Arpit Agarwal commented on HDFS-6570: - Is it possible to impersonate the user and try to open the file with the permissions you are interested in? If it succeeds the user has the permissions. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Reporter: Thejas M Nair Assignee: Chris Nauroth For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14038145#comment-14038145
]
Chris Nauroth commented on HDFS-6570:
-
Before submitting this issue, Thejas and I discussed trying to do this by
running existing {{FileSystem}} APIs inside a {{UserGroupInformation#doAs}}
block. Unfortunately, the permissions enforced by existing APIs do not match
exactly with the requirements of Hive. Also, this could have some unwanted
side effects, particularly for checking write access. This could unnecessarily
hold the write lock and write to the journal. Running an API like {{access}}
inside a {{UserGroupInformation#doAs}} would suit Hive's requirements better.
add api that enables checking if a user has certain permissions on a file
-
Key: HDFS-6570
URL: https://issues.apache.org/jira/browse/HDFS-6570
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Chris Nauroth
For some of the authorization modes in Hive, the servers in Hive check if a
given user has permissions on a certain file or directory. For example, the
storage based authorization mode allows hive table metadata to be modified
only when the user has access to the corresponding table directory on hdfs.
There are likely to be such use cases outside of Hive as well.
HDFS does not provide an api for such checks. As a result, the logic to check
if a user has permissions on a directory gets replicated in Hive. This
results in duplicate logic and there introduces possibilities for
inconsistencies in the interpretation of the permission model. This becomes a
bigger problem with the complexity of ACL logic.
HDFS should provide an api that provides functionality that is similar to
access function in unistd.h - http://linux.die.net/man/2/access .
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HDFS-6570) add api that enables checking if a user has certain permissions on a file
[ https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14038188#comment-14038188 ] Arpit Agarwal commented on HDFS-6570: - Thanks for the clarification Chris. add api that enables checking if a user has certain permissions on a file - Key: HDFS-6570 URL: https://issues.apache.org/jira/browse/HDFS-6570 Project: Hadoop HDFS Issue Type: Bug Reporter: Thejas M Nair Assignee: Chris Nauroth For some of the authorization modes in Hive, the servers in Hive check if a given user has permissions on a certain file or directory. For example, the storage based authorization mode allows hive table metadata to be modified only when the user has access to the corresponding table directory on hdfs. There are likely to be such use cases outside of Hive as well. HDFS does not provide an api for such checks. As a result, the logic to check if a user has permissions on a directory gets replicated in Hive. This results in duplicate logic and there introduces possibilities for inconsistencies in the interpretation of the permission model. This becomes a bigger problem with the complexity of ACL logic. HDFS should provide an api that provides functionality that is similar to access function in unistd.h - http://linux.die.net/man/2/access . -- This message was sent by Atlassian JIRA (v6.2#6252)
