You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2017/06/26 10:27:00 UTC
[jira] [Commented] (HADOOP-14581) Restrict setOwner to list of user
when security is enabled in wasb
[ https://issues.apache.org/jira/browse/HADOOP-14581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16062882#comment-16062882 ]
Steve Loughran commented on HADOOP-14581:
-----------------------------------------
h3. {{NativeAzureFileSystem}}
2966: You should use {{getTrimmed}} to have leading, trailing whitespace cut; we do that for all new properties.
I think here you could actually use {{getStrings()}} to get the list, and treat an empty list as the same as an entry "*": all. Why use that method? Existing regression tests.
* needs policy for: * in the string: maybe fail fast for illegal setup?
* needs policy for "". Right now it probably fails. Should it be a skip.
h3. {{TestNativeAzureFileSystemAuthorization}}
* try a string like {{"user1,user2 , user3 ,,user4 "}} to see what happens. I'd expect the leading/trailing spaces stripped, empty element skipped.
* also try {{" user1, *"}} to verify that it gets rejected.
Here's the test policy I'm writing down; a formalisation of what's been mentioned before
https://github.com/steveloughran/hadoop/blob/azure/HADOOP-14553-testing/hadoop-tools/hadoop-azure/src/site/markdown/testing_azure.md
for now, can you state which Azure endpoint you did a {{mvn -T 1C test}} run on the hadoop-azure module. Thanks.
h3. Other
* Docs.
> Restrict setOwner to list of user when security is enabled in wasb
> ------------------------------------------------------------------
>
> Key: HADOOP-14581
> URL: https://issues.apache.org/jira/browse/HADOOP-14581
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.0.0-alpha3
> Reporter: Varada Hemeswari
> Assignee: Varada Hemeswari
> Labels: azure, fs, secure, wasb
> Attachments: HADOOP-14581.1.patch
>
>
> Currently in azure FS, setOwner api is exposed to all the users accessing the file system.
> When Authorization is enabled, access to some files/folders is given to particular users based on whether the user is the owner of the file.
> So setOwner has to be restricted to limited set of users to prevent users from exploiting owner based authorization of files and folders.
> Introducing a new config called fs.azure.chown.allowed.userlist which is a comma seperated list of users who are allowed to perform chown operation when authorization is enabled.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org