You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Thomas Marquardt (JIRA)" <ji...@apache.org> on 2018/12/04 00:09:00 UTC

[jira] [Updated] (HADOOP-15969) ABFS: getNamespaceEnabled can fail blocking user access thru ACLs

     [ https://issues.apache.org/jira/browse/HADOOP-15969?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Marquardt updated HADOOP-15969:
--------------------------------------
    Description: 
The Get Filesystem Properties operation requires Read permission to the Filesystem.  Read permission to the Filesystem can only be granted thru RBAC, Shared Key, or SAS.  This prevents giving low privilege users access to specific files or directories within the filesystem.  An administrator should be able to set an ACL on a file granting read permission to a user, without giving them read permission to the entire Filesystem.

Fortunately there is another way to determine if HNS is enabled.  The Get Path Access Control (getAclStatus) operation only requires traversal access, and for the root folder / all authenticated users have traversal access.

> ABFS: getNamespaceEnabled can fail blocking user access thru ACLs
> -----------------------------------------------------------------
>
>                 Key: HADOOP-15969
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15969
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 3.2.0
>            Reporter: Da Zhou
>            Assignee: Da Zhou
>            Priority: Major
>
> The Get Filesystem Properties operation requires Read permission to the Filesystem.  Read permission to the Filesystem can only be granted thru RBAC, Shared Key, or SAS.  This prevents giving low privilege users access to specific files or directories within the filesystem.  An administrator should be able to set an ACL on a file granting read permission to a user, without giving them read permission to the entire Filesystem.
> Fortunately there is another way to determine if HNS is enabled.  The Get Path Access Control (getAclStatus) operation only requires traversal access, and for the root folder / all authenticated users have traversal access.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org