[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-12 Thread Steve Loughran (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083750#comment-16083750
 ] 

Steve Loughran commented on HADOOP-14581:
-

(Had to add a second patch to get branch-2 to compile; Java 7 doesn't like us 
using non-final variables in inner classes/closures. My fault for not testing 
the branch-2 build before committing it.)

> Restrict setOwner to list of user when security is enabled in wasb
> ------------------------------------------------------------------
>
> Key: HADOOP-14581
> URL: https://issues.apache.org/jira/browse/HADOOP-14581
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.0.0-alpha3
> Reporter: Varada Hemeswari
> Assignee: Varada Hemeswari
> Labels: azure, fs, secure, wasb
> Fix For: 2.9.0, 3.0.0-beta1
>
> Attachments: HADOOP-14581-003.patch, HADOOP-14581.1.patch, 
> HADOOP-14581.2.patch, HADOOP-14581.4.patch
>
>
> Currently in Azure FS, the setOwner API is exposed to all the users accessing 
> the file system.
> When authorization is enabled, access to some files/folders is given to 
> particular users based on whether the user is the owner of the file.
> So setOwner has to be restricted to a limited set of users to prevent users 
> from exploiting owner-based authorization of files and folders.
> Introducing a new config called fs.azure.chown.allowed.userlist which is a 
> comma-separated list of users who are allowed to perform the chown operation 
> when authorization is enabled.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org



[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-12 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083737#comment-16083737
 ] 

Hudson commented on HADOOP-14581:
-

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11992 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/11992/])
HADOOP-14581. Restrict setOwner to list of user when security is enabled 
(stevel: rev 7d272ea124615c493c60ad454fbd6f144dd3cc24)
* (edit) hadoop-tools/hadoop-azure/src/site/markdown/index.md
* (edit) hadoop-tools/hadoop-azure/src/test/java/org/apache/hadoop/fs/azure/TestNativeAzureFileSystemAuthorization.java
* (edit) hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java





[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-12 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083532#comment-16083532
 ] 

Hadoop QA commented on HADOOP-14581:


| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 13s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| +1 | mvninstall | 13m 23s | trunk passed |
| +1 | compile | 0m 18s | trunk passed |
| +1 | checkstyle | 0m 14s | trunk passed |
| +1 | mvnsite | 0m 21s | trunk passed |
| +1 | findbugs | 0m 29s | trunk passed |
| +1 | javadoc | 0m 15s | trunk passed |
|| || || || Patch Compile Tests ||
| +1 | mvninstall | 0m 17s | the patch passed |
| +1 | compile | 0m 16s | the patch passed |
| +1 | javac | 0m 16s | the patch passed |
| +1 | checkstyle | 0m 12s | the patch passed |
| +1 | mvnsite | 0m 18s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | findbugs | 0m 32s | the patch passed |
| +1 | javadoc | 0m 11s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 1m 22s | hadoop-azure in the patch passed. |
| +1 | asflicense | 0m 16s | The patch does not generate ASF License warnings. |
| | | 19m 49s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:14b5c93 |
| JIRA Issue | HADOOP-14581 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12876767/HADOOP-14581.4.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname | Linux b5ab0dca13c8 3.13.0-117-generic #164-Ubuntu SMP Fri Apr 7 11:05:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / ac0a04a |
| Default Java | 1.8.0_131 |
| findbugs | v3.1.0-RC1 |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/12767/testReport/ |
| modules | C: hadoop-tools/hadoop-azure U: hadoop-tools/hadoop-azure |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/12767/console |
| Powered by | Apache Yetus 0.6.0-SNAPSHOT http://yetus.apache.org |


This message was automatically generated.




[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-12 Thread Varada Hemeswari (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16083508#comment-16083508
 ] 

Varada Hemeswari commented on HADOOP-14581:
---

[~steve_l], I have addressed your documentation and checkstyle comments in 
patch 4.
Here is the snippet of tests run against the Azure South India endpoint.

{code}

[INFO] --- maven-surefire-plugin:2.17:test (default-test) @ hadoop-azure ---
[INFO] Surefire report directory: 
E:\2\hadoop\hadoop-tools\hadoop-azure\target\surefire-reports

---
 T E S T S
---

---
 T E S T S
---
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractAppend
Tests run: 5, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 11.617 sec - in 
org.apache.hadoop.fs.azure.contract.TestAzureNativeContractAppend
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractCreate
Tests run: 11, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 21.339 sec - 
in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractCreate
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDelete
Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 21.531 sec - in 
org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDelete
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDistCp
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 88.856 sec - in 
org.apache.hadoop.fs.azure.contract.TestAzureNativeContractDistCp
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractGetFileStatus
Tests run: 18, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 66.887 sec - 
in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractGetFileStatus
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractMkdir
Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 42.743 sec - in 
org.apache.hadoop.fs.azure.contract.TestAzureNativeContractMkdir
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractOpen
Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 11.879 sec - in 
org.apache.hadoop.fs.azure.contract.TestAzureNativeContractOpen
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractRename
Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 22.626 sec - in 
org.apache.hadoop.fs.azure.contract.TestAzureNativeContractRename
Running org.apache.hadoop.fs.azure.contract.TestAzureNativeContractSeek
Tests run: 18, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 47.695 sec - 
in org.apache.hadoop.fs.azure.contract.TestAzureNativeContractSeek
Running org.apache.hadoop.fs.azure.metrics.TestAzureFileSystemInstrumentation
Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 65.745 sec - in 
org.apache.hadoop.fs.azure.metrics.TestAzureFileSystemInstrumentation
Running org.apache.hadoop.fs.azure.metrics.TestBandwidthGaugeUpdater
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.671 sec - in 
org.apache.hadoop.fs.azure.metrics.TestBandwidthGaugeUpdater
Running 
org.apache.hadoop.fs.azure.metrics.TestNativeAzureFileSystemMetricsSystem
Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.579 sec - in 
org.apache.hadoop.fs.azure.metrics.TestNativeAzureFileSystemMetricsSystem
Running org.apache.hadoop.fs.azure.metrics.TestRollingWindowAverage
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.266 sec - in 
org.apache.hadoop.fs.azure.metrics.TestRollingWindowAverage
Running org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIo
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 14.682 sec - in 
org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIo
Running org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIoWithSecureMode
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 11.501 sec - in 
org.apache.hadoop.fs.azure.TestAzureConcurrentOutOfBandIoWithSecureMode
Running org.apache.hadoop.fs.azure.TestAzureFileSystemErrorConditions
Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 12.525 sec - in 
org.apache.hadoop.fs.azure.TestAzureFileSystemErrorConditions
Running org.apache.hadoop.fs.azure.TestBlobDataValidation
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.12 sec - in 
org.apache.hadoop.fs.azure.TestBlobDataValidation
Running org.apache.hadoop.fs.azure.TestBlobMetadata
Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.099 sec - in 
org.apache.hadoop.fs.azure.TestBlobMetadata
Running org.apache.hadoop.fs.azure.TestBlobTypeSpeedDifference
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 12.546 sec - in 
org.apache.hadoop.fs.azure.TestBlobTypeSpeedDifference
Running org.apache.hadoop.fs.azure.TestContainerChecks
Tests run: 4, 

[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-11 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16082194#comment-16082194
 ] 

Hadoop QA commented on HADOOP-14581:


| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 12s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| +1 | mvninstall | 13m 8s | trunk passed |
| +1 | compile | 0m 18s | trunk passed |
| +1 | checkstyle | 0m 14s | trunk passed |
| +1 | mvnsite | 0m 20s | trunk passed |
| +1 | findbugs | 0m 28s | trunk passed |
| +1 | javadoc | 0m 14s | trunk passed |
|| || || || Patch Compile Tests ||
| +1 | mvninstall | 0m 17s | the patch passed |
| +1 | compile | 0m 16s | the patch passed |
| -1 | javac | 0m 16s | hadoop-tools_hadoop-azure generated 4 new + 5 unchanged - 0 fixed = 9 total (was 5) |
| -0 | checkstyle | 0m 11s | hadoop-tools/hadoop-azure: The patch generated 2 new + 27 unchanged - 0 fixed = 29 total (was 27) |
| +1 | mvnsite | 0m 18s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | findbugs | 0m 32s | the patch passed |
| +1 | javadoc | 0m 11s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 1m 20s | hadoop-azure in the patch passed. |
| +1 | asflicense | 0m 17s | The patch does not generate ASF License warnings. |
| | | 19m 29s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:14b5c93 |
| JIRA Issue | HADOOP-14581 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12876604/HADOOP-14581-003.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname | Linux 13c70e183a42 3.13.0-117-generic #164-Ubuntu SMP Fri Apr 7 11:05:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 3a7f02b |
| Default Java | 1.8.0_131 |
| findbugs | v3.1.0-RC1 |
| javac | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/artifact/patchprocess/diff-compile-javac-hadoop-tools_hadoop-azure.txt |
| checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/artifact/patchprocess/diff-checkstyle-hadoop-tools_hadoop-azure.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/testReport/ |
| modules | C: hadoop-tools/hadoop-azure U: hadoop-tools/hadoop-azure |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/12762/console |
| Powered by | Apache Yetus 0.6.0-SNAPSHOT http://yetus.apache.org |


This message was automatically generated.




[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-11 Thread Steve Loughran (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16082108#comment-16082108
 ] 

Steve Loughran commented on HADOOP-14581:
-

Patch 003

This is just patch 002 with the conflict in 
{{TestNativeAzureFileSystemAuthorization}} with HADOOP-14443 fixed, and the new 
imports re-ordered to go with our preferred layout.

[~vahemesw] this is ready apart from checkstyle & docs.

Remember to hit the "submit patch" button to run it by Yetus. It doesn't run 
the azure test (hence the need to explicitly declare it), but it does run it 
through our style checks, and once HADOOP-14553 splits up unit and integration 
tests, the mock tests will be run by yetus.

# Here a lot of the code is going to be rejected by the line width. Apart from 
the special cases where *some* wider lines help readability, the project 
requires lines to be <= 80 chars wide. Why? It's so that the [git patch viewer|https://chrome.google.com/webstore/detail/git-patch-viewer/hkoggakcdopbgnaeeidcmopfekipkleg] 
can do side-by-side checking better.
# Needs documentation in hadoop-tools/hadoop-azure/src/site/markdown/index.md. 
No good having new features if they are kept secret.

Thanks




[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-08 Thread Varada Hemeswari (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16079214#comment-16079214
 ] 

Varada Hemeswari commented on HADOOP-14581:
---

Hi Steve/Ming Liang,

Can you please review the latest patch at your earliest convenience?
Pinging again since we are running tight on deadlines.

Thanks and regards,
Hema










[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-07-05 Thread Varada Hemeswari (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075937#comment-16075937
 ] 

Varada Hemeswari commented on HADOOP-14581:
---

[~steve_l], [~liuml07] Can you please take a look at the recent patch?




[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-06-29 Thread Varada Hemeswari (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068528#comment-16068528
 ] 

Varada Hemeswari commented on HADOOP-14581:
---

I think here you could actually use getStrings() to get the list, and treat an 
empty list as the same as an entry "*": all. Why use that method? Existing 
regression tests.

*--> I am using * to allow all users and "" to not allow anyone. So they could 
not be treated as the same. There are no existing tests that regressed due to this.*

needs policy for: * in the string: maybe fail fast for illegal setup?
*--> taken care of, in patch 2*

needs policy for "". Right now it probably fails. Should it be a skip.
*--> The failure is intentional. We expect the property to be set up with '*' 
as the default value or with a list of users. In case it is set up as "", it 
translates to no one being allowed to chown.*

TestNativeAzureFileSystemAuthorization
try a string like "user1,user2 , user3 ,,user4 " to see what happens. I'd 
expect the leading/trailing spaces stripped, empty element skipped.
*--> Patch 2 tests include this list*
also try " user1, *" to verify that it gets rejected.
*--> added a test for this in patch 2*

I tested the hadoop-azure module changes on the 
'vahemeswregion.blob.core.windows.net' storage account.

Thanks.

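
The allow-list policy described in the comment above and in the review it answers, as an added example (not code from the patch or from Hadoop): `*` alone allows everyone, an empty value allows no one, whitespace and empty elements are dropped, and `*` mixed with user names fails fast. The class `ChownAllowList` and its methods are hypothetical, and treating an unset property as `*` is an assumption based on the stated default.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added illustration (not Hadoop source). Models the allow-list policy for
 * fs.azure.chown.allowed.userlist as described in this thread.
 * The class and method names are hypothetical.
 */
public class ChownAllowList {
  private static final String WILDCARD = "*";

  private final boolean allowAll;
  private final Set<String> users;

  private ChownAllowList(boolean allowAll, Set<String> users) {
    this.allowAll = allowAll;
    this.users = Collections.unmodifiableSet(users);
  }

  /**
   * Parse the raw property value.
   * "*" alone allows everyone, "" allows no one, and "*" mixed with
   * user names is rejected so a typo cannot silently open chown to all.
   */
  public static ChownAllowList parse(String raw) {
    // Assumption: an unset property falls back to the default "*".
    String value = (raw == null) ? WILDCARD : raw;
    Set<String> names = new LinkedHashSet<>();
    for (String part : value.split(",")) {
      String name = part.trim();      // strip leading/trailing whitespace
      if (!name.isEmpty()) {          // skip empty elements such as ",,"
        names.add(name);
      }
    }
    if (names.contains(WILDCARD)) {
      if (names.size() > 1) {
        throw new IllegalArgumentException(
            "'*' cannot be combined with user names: \"" + raw + "\"");
      }
      return new ChownAllowList(true, Collections.<String>emptySet());
    }
    return new ChownAllowList(false, names);
  }

  /** Decide whether currentUser may call setOwner. */
  public boolean mayChown(String currentUser, boolean authorizationEnabled) {
    if (!authorizationEnabled) {
      // Assumption: the restriction applies only when authorization is on.
      return true;
    }
    return allowAll || users.contains(currentUser);
  }

  public static void main(String[] args) {
    // Constructed sample values, including the two strings from the review.
    String[] samples = {"*", "", "user1,user2 , user3 ,,user4 ", " user1, *"};
    for (String sample : samples) {
      try {
        ChownAllowList list = parse(sample);
        System.out.printf("\"%s\" -> user4 allowed: %b, user9 allowed: %b%n",
            sample, list.mayChown("user4", true),
            list.mayChown("user9", true));
      } catch (IllegalArgumentException e) {
        System.out.printf("\"%s\" -> rejected: %s%n", sample, e.getMessage());
      }
    }
  }
}
```

Keeping `""` distinct from `*` means a blanked-out property denies chown rather than granting it to every user.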



[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

2017-06-26 Thread Steve Loughran (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16062882#comment-16062882
 ] 

Steve Loughran commented on HADOOP-14581:
-

h3. {{NativeAzureFileSystem}}

2966: You should use {{getTrimmed}} to have leading, trailing whitespace cut; 
we do that for all new properties.

I think here you could actually use {{getStrings()}} to get the list, and treat 
an empty list as the same as an entry "*": all. Why use that method? Existing 
regression tests.

* needs policy for: * in the string: maybe fail fast for illegal setup?
* needs policy for "". Right now it probably fails. Should it be a skip?



h3. {{TestNativeAzureFileSystemAuthorization}}

* try a string like {{"user1,user2 , user3 ,,user4 "}} to see what happens. I'd 
expect the leading/trailing spaces stripped, empty element skipped.

* also try {{" user1, *"}} to verify that it gets rejected.



Here's the test policy I'm writing down; a formalisation of what's been 
mentioned before:
https://github.com/steveloughran/hadoop/blob/azure/HADOOP-14553-testing/hadoop-tools/hadoop-azure/src/site/markdown/testing_azure.md

For now, can you state which Azure endpoint you did a {{mvn -T 1C test}} run 
on the hadoop-azure module? Thanks.

h3. Other

* Docs.
