[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16479201#comment-16479201 ] Rushabh S Shah commented on HADOOP-15459: - Not fixing the checkstyle warning to maintain readability. [~jojochuang], [~xiaochen], [~RANith]: can someone help with reviewing this patch ? > KMSACLs will fail for other optype if acls is defined for one optype. > - > > Key: HADOOP-15459 > URL: https://issues.apache.org/jira/browse/HADOOP-15459 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.3 >Reporter: Rushabh S Shah >Assignee: Rushabh S Shah >Priority: Critical > Attachments: HADOOP-15459.001.patch, HADOOP-15459.002.patch > > > Assume subset of kms-acls xml file. > {noformat} > > default.key.acl.DECRYPT_EEK > > > default ACL for DECRYPT_EEK operations for all key acls that are not > explicitly defined. > > > > > key.acl.key1.DECRYPT_EEK > user1 > > > default.key.acl.READ > * > > default ACL for READ operations for all key acls that are not > explicitly defined. > > > > whitelist.key.acl.READ > hdfs > > Whitelist ACL for READ operations for all keys. > > > {noformat} > For key {{key1}}, we restricted {{DECRYPT_EEK}} operation to only {{user1}}. > For other {{READ}} operation(like getMetadata), by default I still want > everyone to access all keys via {{default.key.acl.READ}} > But it doesn't allow anyone to access {{key1}} for any other READ operations. > As a result of this, if the admin restricted access for one opType then > (s)he has to define access for all other opTypes also, which is not desirable. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16478260#comment-16478260 ] genericqa commented on HADOOP-15459: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 19s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 27m 38s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 35s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 26s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 33s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 7s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 39s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 25s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 34s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 27m 34s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 25s{color} | {color:orange} hadoop-common-project/hadoop-kms: The patch generated 1 new + 105 unchanged - 0 fixed = 106 total (was 105) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 33s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 33s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 49s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 24s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 4m 0s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 38s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}116m 39s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:abb62dd | | JIRA Issue | HADOOP-15459 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12923794/HADOOP-15459.002.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux 00dcb65da333 3.13.0-139-generic #188-Ubuntu SMP Tue Jan 9 14:43:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / be53969 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_162 | | findbugs | v3.1.0-RC1 | | checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/14644/artifact/out/diff-checkstyle-hadoop-common-project_hadoop-kms.txt | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/14644/testReport/ | | Max. process+thread count | 342 (vs. ulimit of 1) | | modules | C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/14644/console | | Powered by | Apache Yetus 0.8.0-SNAPSHOT
[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477807#comment-16477807 ] genericqa commented on HADOOP-15459: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 21s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 29m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 42s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 33s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 15s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 36s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 25s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 56s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 27m 56s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 33s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 24s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 44s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 23s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:red}-1{color} | {color:red} unit {color} | {color:red} 3m 57s{color} | {color:red} hadoop-kms in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 39s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}118m 50s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.crypto.key.kms.server.TestKMS | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:abb62dd | | JIRA Issue | HADOOP-15459 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12923707/HADOOP-15459.001.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux f27bc033cf35 3.13.0-139-generic #188-Ubuntu SMP Tue Jan 9 14:43:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / d47c09d | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_162 | | findbugs | v3.1.0-RC1 | | unit | https://builds.apache.org/job/PreCommit-HADOOP-Build/14639/artifact/out/patch-unit-hadoop-common-project_hadoop-kms.txt | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/14639/testReport/ | | Max. process+thread count | 341 (vs. ulimit of 1) | | modules | C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/14639/console | | Powered by | Apache Yetus 0.8.0-SNAPSHOT http://yetus.apache.org |
[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477483#comment-16477483 ] Rushabh S Shah commented on HADOOP-15459: - bq. Rushabh S Shah No problem. Thank you! > KMSACLs will fail for other optype if acls is defined for one optype. > - > > Key: HADOOP-15459 > URL: https://issues.apache.org/jira/browse/HADOOP-15459 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.3 >Reporter: Rushabh S Shah >Priority: Critical > > Assume subset of kms-acls xml file. > {noformat} > > default.key.acl.DECRYPT_EEK > > > default ACL for DECRYPT_EEK operations for all key acls that are not > explicitly defined. > > > > > key.acl.key1.DECRYPT_EEK > user1 > > > default.key.acl.READ > * > > default ACL for READ operations for all key acls that are not > explicitly defined. > > > > whitelist.key.acl.READ > hdfs > > Whitelist ACL for READ operations for all keys. > > > {noformat} > For key {{key1}}, we restricted {{DECRYPT_EEK}} operation to only {{user1}}. > For other {{READ}} operation(like getMetadata), by default I still want > everyone to access all keys via {{default.key.acl.READ}} > But it doesn't allow anyone to access {{key1}} for any other READ operations. > As a result of this, if the admin restricted access for one opType then > (s)he has to define access for all other opTypes also, which is not desirable. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477477#comment-16477477 ] Ranith Sardar commented on HADOOP-15459: [~shahrs87] No problem. > KMSACLs will fail for other optype if acls is defined for one optype. > - > > Key: HADOOP-15459 > URL: https://issues.apache.org/jira/browse/HADOOP-15459 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.3 >Reporter: Rushabh S Shah >Assignee: Ranith Sardar >Priority: Critical > > Assume subset of kms-acls xml file. > {noformat} > > default.key.acl.DECRYPT_EEK > > > default ACL for DECRYPT_EEK operations for all key acls that are not > explicitly defined. > > > > > key.acl.key1.DECRYPT_EEK > user1 > > > default.key.acl.READ > * > > default ACL for READ operations for all key acls that are not > explicitly defined. > > > > whitelist.key.acl.READ > hdfs > > Whitelist ACL for READ operations for all keys. > > > {noformat} > For key {{key1}}, we restricted {{DECRYPT_EEK}} operation to only {{user1}}. > For other {{READ}} operation(like getMetadata), by default I still want > everyone to access all keys via {{default.key.acl.READ}} > But it doesn't allow anyone to access {{key1}} for any other READ operations. > As a result of this, if the admin restricted access for one opType then > (s)he has to define access for all other opTypes also, which is not desirable. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477469#comment-16477469 ] Rushabh S Shah commented on HADOOP-15459: - Hi [~RANith], We have an internal release which is blocked on this jira. Do you mind if I provide a patch to this jira ? > KMSACLs will fail for other optype if acls is defined for one optype. > - > > Key: HADOOP-15459 > URL: https://issues.apache.org/jira/browse/HADOOP-15459 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.3 >Reporter: Rushabh S Shah >Assignee: Ranith Sardar >Priority: Critical > > Assume subset of kms-acls xml file. > {noformat} > > default.key.acl.DECRYPT_EEK > > > default ACL for DECRYPT_EEK operations for all key acls that are not > explicitly defined. > > > > > key.acl.key1.DECRYPT_EEK > user1 > > > default.key.acl.READ > * > > default ACL for READ operations for all key acls that are not > explicitly defined. > > > > whitelist.key.acl.READ > hdfs > > Whitelist ACL for READ operations for all keys. > > > {noformat} > For key {{key1}}, we restricted {{DECRYPT_EEK}} operation to only {{user1}}. > For other {{READ}} operation(like getMetadata), by default I still want > everyone to access all keys via {{default.key.acl.READ}} > But it doesn't allow anyone to access {{key1}} for any other READ operations. > As a result of this, if the admin restricted access for one opType then > (s)he has to define access for all other opTypes also, which is not desirable. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15459) KMSACLs will fail for other optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16473728#comment-16473728 ] Rushabh S Shah commented on HADOOP-15459: - Below is the relevant piece of code which IMO is buggy. {code:title=Bar.java|borderStyle=solid} private boolean checkKeyAccess(String keyName, UserGroupInformation ugi, KeyOpType opType) { MapkeyAcl = keyAcls.get(keyName); if (keyAcl == null) {// This should be if(keyAcl == null || keyAcl.get(opType) == null) // If No key acl defined for this key, check to see if // there are key defaults configured for this operation LOG.debug("Key: {} has no ACLs defined, using defaults.", keyName); keyAcl = defaultKeyAcls; } boolean access = checkKeyAccess(keyAcl, ugi, opType); ... {code} Instead of key'ing just on keyname, it should also consider opType also. > KMSACLs will fail for other optype if acls is defined for one optype. > - > > Key: HADOOP-15459 > URL: https://issues.apache.org/jira/browse/HADOOP-15459 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.3 >Reporter: Rushabh S Shah >Priority: Critical > > Assume subset of kms-acls xml file. > {noformat} > > default.key.acl.DECRYPT_EEK > > > default ACL for DECRYPT_EEK operations for all key acls that are not > explicitly defined. > > > > > key.acl.key1.DECRYPT_EEK > user1 > > > default.key.acl.READ > * > > default ACL for READ operations for all key acls that are not > explicitly defined. > > > > whitelist.key.acl.READ > hdfs > > Whitelist ACL for READ operations for all keys. > > > {noformat} > For key {{key1}}, we restricted {{DECRYPT_EEK}} operation to only {{user1}}. > For other {{READ}} operation(like getMetadata), by default I still want > everyone to access all keys via {{default.key.acl.READ}} > But it doesn't allow anyone to access {{key1}} for any other READ operations. > As a result of this, if the admin restricted access for one opType then > (s)he has to define access for all other opTypes also, which is not desirable. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org