[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083750#comment-16083750 ] Steve Loughran commented on HADOOP-14581: - (Had to add a second patch to get branch-2 to compile; java 7 doesn't like us using non-final variables in inner classes/closures. My fault for not testing the branch-2 build before committing it) > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Fix For: 2.9.0, 3.0.0-beta1 > > Attachments: HADOOP-14581-003.patch, HADOOP-14581.1.patch, > HADOOP-14581.2.patch, HADOOP-14581.4.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083737#comment-16083737 ] Hudson commented on HADOOP-14581: - SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11992 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/11992/]) HADOOP-14581. Restrict setOwner to list of user when security is enabled (stevel: rev 7d272ea124615c493c60ad454fbd6f144dd3cc24) * (edit) hadoop-tools/hadoop-azure/src/site/markdown/index.md * (edit) hadoop-tools/hadoop-azure/src/test/java/org/apache/hadoop/fs/azure/TestNativeAzureFileSystemAuthorization.java * (edit) hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Fix For: 2.9.0, 3.0.0-beta1 > > Attachments: HADOOP-14581-003.patch, HADOOP-14581.1.patch, > HADOOP-14581.2.patch, HADOOP-14581.4.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083532#comment-16083532 ] Hadoop QA commented on HADOOP-14581: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 13s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 13m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 18s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 14s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 21s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 15s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 17s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 16s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 16s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 12s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 32s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 11s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 22s{color} | {color:green} hadoop-azure in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 16s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 19m 49s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:14b5c93 | | JIRA Issue | HADOOP-14581 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12876767/HADOOP-14581.4.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux b5ab0dca13c8 3.13.0-117-generic #164-Ubuntu SMP Fri Apr 7 11:05:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / ac0a04a | | Default Java | 1.8.0_131 | | findbugs | v3.1.0-RC1 | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/12767/testReport/ | | modules | C: hadoop-tools/hadoop-azure U: hadoop-tools/hadoop-azure | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/12767/console | | Powered by | Apache Yetus 0.6.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Attachments: HADOOP-14581-003.patch, HADOOP-14581.1.patch, > HADOOP-14581.2.patch, HADOOP-14581.4.patch > > > Currently in azure FS, setOwner api is exposed to all the users
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083508#comment-16083508 ] Varada Hemeswari commented on HADOOP-14581: --- [~steve_l],I have addressed your documentation and check style comments in patch - 4. Here is the snippet of tests run against Azure South India endpoint. {code} [INFO] --- maven-surefire-plugin:2.17:test (default-test) @ hadoop-azure --- [INFO] Surefire report directory: E:\2\hadoop\hadoop-tools\hadoop-azure\target\surefire-reports --- T E S T S --- --- T E S T S --- Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractAppend Tests run: 5, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 11.617 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractAppend Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractCreate Tests run: 11, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 21.339 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractCreate Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDelete Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 21.531 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDelete Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDistCp Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 88.856 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDistCp Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractGetFileStatus Tests run: 18, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 66.887 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractGetFileStatus Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractMkdir Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 42.743 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractMkdir Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractOpen Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 11.879 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractOpen Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractRename Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 22.626 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractRename Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractSeek Tests run: 18, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 47.695 sec - in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractSeek Running org.apache.hadoop.fs.azure.metrics.TestAzureFileSystemInstrumentation Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 65.745 sec - in org.apache.hadoop.fs.azure.metrics.TestAzureFileSystemInstrumentation Running org.apache.hadoop.fs.azure.metrics.TestBandwidthGaugeUpdater Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.671 sec - in org.apache.hadoop.fs.azure.metrics.TestBandwidthGaugeUpdater Running org.apache.hadoop.fs.azure.metrics.TestNativeAzureFileSystemMetricsSystem Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.579 sec - in org.apache.hadoop.fs.azure.metrics.TestNativeAzureFileSystemMetricsSystem Running org.apache.hadoop.fs.azure.metrics.TestRollingWindowAverage Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.266 sec - in org.apache.hadoop.fs.azure.metrics.TestRollingWindowAverage Running org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIo Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 14.682 sec - in org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIo Running org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIoWithSecureMode Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 11.501 sec - in org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIoWithSecureMode Running org.apache.hadoop.fs.azure.TestAzureFileSystemErrorConditions Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 12.525 sec - in org.apache.hadoop.fs.azure.TestAzureFileSystemErrorConditions Running org.apache.hadoop.fs.azure.TestBlobDataValidation Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.12 sec - in org.apache.hadoop.fs.azure.TestBlobDataValidation Running org.apache.hadoop.fs.azure.TestBlobMetadata Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.099 sec - in org.apache.hadoop.fs.azure.TestBlobMetadata Running org.apache.hadoop.fs.azure.TestBlobTypeSpeedDifference Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 12.546 sec - in org.apache.hadoop.fs.azure.TestBlobTypeSpeedDifference Running org.apache.hadoop.fs.azure.TestContainerChecks Tests run: 4,
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16082194#comment-16082194 ] Hadoop QA commented on HADOOP-14581: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 12s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 13m 8s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 18s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 14s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 20s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 28s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 14s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 17s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 16s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} javac {color} | {color:red} 0m 16s{color} | {color:red} hadoop-tools_hadoop-azure generated 4 new + 5 unchanged - 0 fixed = 9 total (was 5) {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 11s{color} | {color:orange} hadoop-tools/hadoop-azure: The patch generated 2 new + 27 unchanged - 0 fixed = 29 total (was 27) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 32s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 11s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 20s{color} | {color:green} hadoop-azure in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 17s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 19m 29s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:14b5c93 | | JIRA Issue | HADOOP-14581 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12876604/HADOOP-14581-003.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux 13c70e183a42 3.13.0-117-generic #164-Ubuntu SMP Fri Apr 7 11:05:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 3a7f02b | | Default Java | 1.8.0_131 | | findbugs | v3.1.0-RC1 | | javac | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/artifact/patchprocess/diff-compile-javac-hadoop-tools_hadoop-azure.txt | | checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/artifact/patchprocess/diff-checkstyle-hadoop-tools_hadoop-azure.txt | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/testReport/ | | modules | C: hadoop-tools/hadoop-azure U: hadoop-tools/hadoop-azure | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/console | | Powered by | Apache Yetus 0.6.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 >
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16082108#comment-16082108 ] Steve Loughran commented on HADOOP-14581: - Patch 003 This is just patch 002 with the conflict in {{TestNativeAzureFileSystemAuthorization}} with HADOOP-14443 fixed, and the new imports re-orded to go with our preferred layout. [~vahemesw] this is ready apart from checkstyle. & docs Remember to hit the "submit patch" button to run it by Yetus. It doesn't run the azure test (hence the need to explicitly declare it), but it does run it through our style checks, and once HADOOP-14553 splits up unit and integration tests, the mock tests will be run by yetus. # Here a lot of the code is going to be rejected by the line with. Apart from the special cases where *some* wider lines helps readability, the project requires lines to be <= 80 chars wide. Why? it's so that the [git patch viewer|https://chrome.google.com/webstore/detail/git-patch-viewer/hkoggakcdopbgnaeeidcmopfekipkleg] can do side-by-side checking better. # Needs documentation in hadoop-tools/hadoop-azure/src/site/markdown/index.md . No good having new features if they are kept secret. Thanks > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Attachments: HADOOP-14581-003.patch, HADOOP-14581.1.patch, > HADOOP-14581.2.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16079214#comment-16079214 ] Varada Hemeswari commented on HADOOP-14581: --- Hi Steve/Ming Liang, Can you please review the latest patch at your earliest possible? Pinging again since we are running tight on deadlines Thanks and regards, Hema > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Attachments: HADOOP-14581.1.patch, HADOOP-14581.2.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075937#comment-16075937 ] Varada Hemeswari commented on HADOOP-14581: --- [~steve_l], [~liuml07] Can you please take a look at the recent patch? > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Attachments: HADOOP-14581.1.patch, HADOOP-14581.2.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068528#comment-16068528 ] Varada Hemeswari commented on HADOOP-14581: --- I think here you could actually use getStrings() to get the list, and treat an empty list as the same as an entry "*": all. Why use that method? Existing regression tests. *--> I am using * to allow all users and "" to not allow anyone. So they could not be treated as same. There are no existing tests that regressed due to this.* needs policy for: * in the string: maybe fail fast for illegal setup? *--> taken care of, in patch2* needs policy for "". Right now it probably fails. Should it be a skip. *--> The failure is intentional. We expect the property to be setup as '*' default value or with list of users. In case it is setup as "", it translates to no one is allowed to chown.* TestNativeAzureFileSystemAuthorization try a string like "user1,user2 , user3 ,,user4 " to see what happens. I'd expect the leading/trailing spaces stripped, empty element skipped. *--> Patch2 tests includes this list* also try " user1, *" to verify that it gets rejected. *-->added a test for this in patch 2* I tested the hadoop-azure module changes on 'vahemeswregion.blob.core.windows.net' storage account Thanks. > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Attachments: HADOOP-14581.1.patch, HADOOP-14581.2.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16062882#comment-16062882 ] Steve Loughran commented on HADOOP-14581: - h3. {{NativeAzureFileSystem}} 2966: You should use {{getTrimmed}} to have leading, trailing whitespace cut; we do that for all new properties. I think here you could actually use {{getStrings()}} to get the list, and treat an empty list as the same as an entry "*": all. Why use that method? Existing regression tests. * needs policy for: * in the string: maybe fail fast for illegal setup? * needs policy for "". Right now it probably fails. Should it be a skip. h3. {{TestNativeAzureFileSystemAuthorization}} * try a string like {{"user1,user2 , user3 ,,user4 "}} to see what happens. I'd expect the leading/trailing spaces stripped, empty element skipped. * also try {{" user1, *"}} to verify that it gets rejected. Here's the test policy I'm writing down; a formalisation of what's been mentioned before https://github.com/steveloughran/hadoop/blob/azure/HADOOP-14553-testing/hadoop-tools/hadoop-azure/src/site/markdown/testing_azure.md for now, can you state which Azure endpoint you did a {{mvn -T 1C test}} run on the hadoop-azure module. Thanks. h3. Other * Docs. > Restrict setOwner to list of user when security is enabled in wasb > -- > > Key: HADOOP-14581 > URL: https://issues.apache.org/jira/browse/HADOOP-14581 > Project: Hadoop Common > Issue Type: Bug > Components: fs/azure >Affects Versions: 3.0.0-alpha3 >Reporter: Varada Hemeswari >Assignee: Varada Hemeswari > Labels: azure, fs, secure, wasb > Attachments: HADOOP-14581.1.patch > > > Currently in azure FS, setOwner api is exposed to all the users accessing the > file system. > When Authorization is enabled, access to some files/folders is given to > particular users based on whether the user is the owner of the file. > So setOwner has to be restricted to limited set of users to prevent users > from exploiting owner based authorization of files and folders. > Introducing a new config called fs.azure.chown.allowed.userlist which is a > comma seperated list of users who are allowed to perform chown operation when > authorization is enabled. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org