[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yiqun Lin updated HDFS-13194:
-
Resolution: Fixed
Hadoop Flags: Reviewed
Fix Version/s: 3.2.0
2.10.0
3.1.0
Status: Resolved (was: Patch Available)
Failed unit test is not related. Committed this to trunk, branch-3,1 and
branch-2. Thanks [~jiangjianfei] for the contribution.
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Fix For: 3.1.0, 2.10.0, 3.2.0
>
> Attachments: HDFS-13194.001.patch, HDFS-13194.002.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Status: Patch Available (was: In Progress)
Thanks [~linyiqun] for magnanimity and kindly review. Update the patch.
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Attachments: HDFS-13194.001.patch, HDFS-13194.002.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Attachment: HDFS-13194.002.patch
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Attachments: HDFS-13194.001.patch, HDFS-13194.002.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Status: In Progress (was: Patch Available)
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Attachments: HDFS-13194.001.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Status: Patch Available (was: Open)
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Attachments: HDFS-13194.001.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Status: Open (was: Patch Available)
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Attachments: HDFS-13194.001.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Status: Patch Available (was: Open)
Fix as [~linyiqun] mentioned and add testcase.
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Jianfei Jiang
>Priority: Major
> Attachments: HDFS-13194.001.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-13194) CachePool permissions incorrectly checked
[
https://issues.apache.org/jira/browse/HDFS-13194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianfei Jiang updated HDFS-13194:
-
Attachment: HDFS-13194.001.patch
> CachePool permissions incorrectly checked
> -
>
> Key: HDFS-13194
> URL: https://issues.apache.org/jira/browse/HDFS-13194
> Project: Hadoop HDFS
> Issue Type: Bug
>Affects Versions: 3.0.0
>Reporter: Yiqun Lin
>Assignee: Yiqun Lin
>Priority: Major
> Attachments: HDFS-13194.001.patch
>
>
> The permissions of CachePool incorrectly checked. The checking logic:
> {code:java}
> public void checkPermission(CachePool pool, FsAction access)
> throws AccessControlException {
> FsPermission mode = pool.getMode();
> if (isSuperUser()) {
> return;
> }
> if (getUser().equals(pool.getOwnerName())
> && mode.getUserAction().implies(access)) {
> return;
> }
> if (isMemberOfGroup(pool.getGroupName())
> && mode.getGroupAction().implies(access)) {
> return;
> }
> // Following line seems incorrect,
> // we should ensure current user is not belong the pool's owner or pool's
> group.
> if (mode.getOtherAction().implies(access)) {
> return;
> }
> throw new AccessControlException("Permission denied while accessing pool "
> + pool.getPoolName() + ": user " + getUser() + " does not have "
> + access.toString() + " permissions.");
> }
> {code}
> For example one corner case, a cachepool (owner: test, group,test-group,
> permission mode:--rwx(007)), then one user which named "test" or whose
> group is "test-group" can both access this pool. But actually this is not
> allowed since permission for its owner or group is none.
> The behavior of checking other user should be updated like this:
> {code:java}
> if (!getUser().equals(pool.getOwnerName())
> && !isMemberOfGroup(pool.getGroupName())
> && mode.getOtherAction().implies(access)) {
> return;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
