You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Rushabh S Shah (JIRA)" <ji...@apache.org> on 2018/05/14 15:43:00 UTC
[jira] [Comment Edited] (HADOOP-15459) KMSACLs will fail for other
optype if acls is defined for one optype.
[ https://issues.apache.org/jira/browse/HADOOP-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16473728#comment-16473728 ]
Rushabh S Shah edited comment on HADOOP-15459 at 5/14/18 3:42 PM:
------------------------------------------------------------------
Below is the relevant piece of code which IMO is buggy.
{code:title=Bar.java|borderStyle=solid}
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,
KeyOpType opType) {
Map<KeyOpType, AccessControlList> keyAcl = keyAcls.get(keyName);
if (keyAcl == null) { // This should be if(keyAcl == null || keyAcl.get(opType) == null)
// If No key acl defined for this key, check to see if
// there are key defaults configured for this operation
LOG.debug("Key: {} has no ACLs defined, using defaults.", keyName);
keyAcl = defaultKeyAcls;
}
boolean access = checkKeyAccess(keyAcl, ugi, opType);
...
{code}
Instead of key'ing just on keyname, it should consider opType also.
was (Author: shahrs87):
Below is the relevant piece of code which IMO is buggy.
{code:title=Bar.java|borderStyle=solid}
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,
KeyOpType opType) {
Map<KeyOpType, AccessControlList> keyAcl = keyAcls.get(keyName);
if (keyAcl == null) { // This should be if(keyAcl == null || keyAcl.get(opType) == null)
// If No key acl defined for this key, check to see if
// there are key defaults configured for this operation
LOG.debug("Key: {} has no ACLs defined, using defaults.", keyName);
keyAcl = defaultKeyAcls;
}
boolean access = checkKeyAccess(keyAcl, ugi, opType);
...
{code}
Instead of key'ing just on keyname, it should also consider opType also.
> KMSACLs will fail for other optype if acls is defined for one optype.
> ---------------------------------------------------------------------
>
> Key: HADOOP-15459
> URL: https://issues.apache.org/jira/browse/HADOOP-15459
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.3
> Reporter: Rushabh S Shah
> Assignee: Ranith Sardar
> Priority: Critical
>
> Assume subset of kms-acls xml file.
> {noformat}
> <property>
> <name>default.key.acl.DECRYPT_EEK</name>
> <value></value>
> <description>
> default ACL for DECRYPT_EEK operations for all key acls that are not
> explicitly defined.
> </description>
> </property>
> <configuration>
> <property>
> <name>key.acl.key1.DECRYPT_EEK</name>
> <value>user1</value>
> </property>
> <property>
> <name>default.key.acl.READ</name>
> <value>*</value>
> <description>
> default ACL for READ operations for all key acls that are not
> explicitly defined.
> </description>
> </property>
> <property>
> <name>whitelist.key.acl.READ</name>
> <value>hdfs</value>
> <description>
> Whitelist ACL for READ operations for all keys.
> </description>
> </property>
> {noformat}
> For key {{key1}}, we restricted {{DECRYPT_EEK}} operation to only {{user1}}.
> For other {{READ}} operation(like getMetadata), by default I still want everyone to access all keys via {{default.key.acl.READ}}
> But it doesn't allow anyone to access {{key1}} for any other READ operations.
> As a result of this, if the admin restricted access for one opType then (s)he has to define access for all other opTypes also, which is not desirable.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org