You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Abhay Kulkarni (JIRA)" <ji...@apache.org> on 2017/08/16 15:03:00 UTC

[jira] [Reopened] (RANGER-1181) HDFS Plugin does not allow removal of a non-empty directory if the directory is allowed to be removed by HDFS, but the file inside the directory is allowed to be removed by Ranger

     [ https://issues.apache.org/jira/browse/RANGER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay Kulkarni reopened RANGER-1181:
------------------------------------
      Assignee: Abhay Kulkarni

This fix introduces a performance issue.
When Ranger cannot authorize the access request, and fallback to HDFS native authorizer is enabled, then native authorizer is invoked with incorrect parameter values for ancestorAccess, parentAccess, access or subAccess; instead of passing 'null' for these parameters when 'null' is provided in the original checkPermission() call, a value of FsAction:NONE is passed to native authorizer. This may cause the HDFS native authorizer to take a long time to authorize access, especially if the directory being authorized for access contains a large number of files/subdirectories.

> HDFS Plugin does not allow removal of a non-empty directory if the directory is allowed to be removed by HDFS, but the file inside the directory is allowed to be removed by Ranger
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-1181
>                 URL: https://issues.apache.org/jira/browse/RANGER-1181
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.1
>            Reporter: Yan
>            Assignee: Abhay Kulkarni
>             Fix For: 0.7.0
>
>         Attachments: Ranger-1181.patch
>
>
> Reproduction Steps:
> 1. Ranger is installed and HDFS plug-in is enabled.
> 2. As qaadmin user, create a folder on HDFS with permission 500:
> hadoop fs -mkdir /tmp/rangertest1
> hadoop fs -chmod 500 /tmp/rangertest1
> while the /tmp itself has the 777 as the HDFS bits:
> hadoop fs -ls /
> drwxrwxrwx   - user1 group1          0 2016-10-03 14:54 /tmp
> 3. Create a Ranger policy p1_1 by granting qaadmin with RWX permission to the folder of /tmp/rangertest1, recursive set to true 
> 4. Wait for around >30 seconds after Policy synced up.
> 5. Put a file to /tmp/rangertest1 folder:
> echo "This is a file2" > /tmp/temp
> hadoop fs -put /tmp/temp /tmp/rangertest1
> hadoop fs -ls /tmp/rangertest1
> Found 1 items
> -rw-r--r--   3 qaadmin hdfs         16 2016-09-21 19:13 /tmp/rangertest1/temp
> 6. Try to delete the non-empty folder with "-skipTrash" option, but it failed (delete the empty folder could success): 
> hadoop fs -rm -r -skipTrash /tmp/rangertest1
> rm: Permission denied: user=qaadmin, access=ALL, inode="/tmp/rangertest1":qaadmin:hdfs:dr-x------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)