You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2017/06/26 10:27:00 UTC

[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user when security is enabled in wasb

    [ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16062882#comment-16062882 ] 

Steve Loughran commented on HADOOP-14581:
-----------------------------------------

h3. {{NativeAzureFileSystem}}

2966: You should use {{getTrimmed}} to have leading, trailing whitespace cut; we do that for all new properties.

I think here you could actually use {{getStrings()}} to get the list, and treat an empty list as the same as an entry "*": all. Why use that method? Existing regression tests.

* needs policy for: * in the string: maybe fail fast for illegal setup?
* needs policy for "". Right now it probably fails. Should it be a skip.



h3. {{TestNativeAzureFileSystemAuthorization}}

* try a string like {{"user1,user2 , user3 ,,user4 "}} to see what happens. I'd expect the leading/trailing spaces stripped, empty element skipped.

* also try {{" user1, *"}} to verify that it gets rejected.



Here's the test policy I'm writing down; a formalisation of what's been mentioned before
 https://github.com/steveloughran/hadoop/blob/azure/HADOOP-14553-testing/hadoop-tools/hadoop-azure/src/site/markdown/testing_azure.md
 
 for now, can you state which Azure endpoint you did a {{mvn -T 1C test}} run on the hadoop-azure module. Thanks.

h3. Other

* Docs.

> Restrict setOwner to list of user when security is enabled in wasb
> ------------------------------------------------------------------
>
>                 Key: HADOOP-14581
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14581
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/azure
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Varada Hemeswari
>            Assignee: Varada Hemeswari
>              Labels: azure, fs, secure, wasb
>         Attachments: HADOOP-14581.1.patch
>
>
> Currently in azure FS, setOwner api is exposed to all the users accessing the file system.
> When Authorization is enabled, access to some files/folders is given to particular users based on whether the user is the owner of the file.
> So setOwner has to be restricted to limited set of users to prevent users from exploiting owner based authorization of files and folders.
> Introducing a new config called fs.azure.chown.allowed.userlist which is a comma seperated list of users who are allowed to perform chown operation when authorization is enabled.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org