Posted to dev@ranger.apache.org by "Dongying Jiao (JIRA)" <ji...@apache.org> on 2016/07/18 08:27:20 UTC

[jira] [Commented] (RANGER-1108) Ranger hdfs plugin authentication issue when user mkdir

    [ https://issues.apache.org/jira/browse/RANGER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15381886#comment-15381886 ] 

Dongying Jiao commented on RANGER-1108:
---------------------------------------

After roughly reading the code, it seems:
To mkdir, it needs authentication two times: one is checkTraverse(), the other is checkAncestorAccess().
checkTraverse() needs the execute right, checkAncestorAccess() needs the write right; these checks use RangerAccessControlEnforcer.
If native hdfs gives the "x" right and ranger gives the "w" right, then for checkTraverse() native hdfs allows and for checkAncestorAccess() ranger allows, so this operation is successful.
If native hdfs gives the "w" right and ranger gives the "x" right, then for checkTraverse() ranger allows, but for checkAncestorAccess() ranger denies, and native hdfs is then used to check again. But for native hdfs to checkAncestorAccess(), it will first call native hdfs checkTraverse(), which needs the "x" right, so the check also fails.

I am not sure if this is a problem, but it does not seem reasonable if the two behaviors are not the same.


> Ranger hdfs plugin authentication issue when user mkdir 
> --------------------------------------------------------
>
>                 Key: RANGER-1108
>                 URL: https://issues.apache.org/jira/browse/RANGER-1108
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.5.2
>            Reporter: Dongying Jiao
>
> 1. Create a user named "ranger_test", create hdfs dir /user/ranger_test.
> 2. Ranger gives this user only the write right to this dir, native hdfs gives this user only the execute right to this dir; the user is allowed to mkdir under /user/ranger_test.
> "hadoop fs -mkdir /user/ranger_test/temp1" succeeds.
> 3. On the contrary, when Ranger gives this user only the execute right to this dir and native hdfs gives this user only the write right to this dir, the user is not allowed to mkdir under /user/ranger_test.
> "hadoop fs -mkdir /user/ranger_test/temp1" fails.
> I think the behavior should be the same for the above two scenarios.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
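
Added example (not part of the original message, and not Ranger or HDFS source code): a simplified Python model of the check flow as the comment describes it, run on the two scenarios from the issue. The function names, the set-based permissions, and the union comparison are assumptions made for illustration.

```python
# Simplified model of the mkdir check flow described in the comment above.
# Not Ranger or HDFS source; names and structure are assumptions.
EXECUTE, WRITE = "x", "w"

def native_traverse(native):
    """Native HDFS traverse check: needs execute on the directory."""
    return EXECUTE in native

def native_ancestor_access(native, needed):
    # As described in the comment: native HDFS runs its own traverse
    # check first, then checks the requested right.
    return native_traverse(native) and needed in native

def enforce(check, needed, ranger, native, trace):
    """One check through the enforcer: Ranger policy first, native fallback."""
    if needed in ranger:
        trace.append((check, "ranger", True))
        return True
    if check == "checkTraverse":
        ok = native_traverse(native)
    else:
        ok = native_ancestor_access(native, needed)
    trace.append((check, "native-fallback", ok))
    return ok

def mkdir_allowed(ranger, native):
    """mkdir needs both checks to pass; returns (decision, per-check trace)."""
    trace = []
    ok = (enforce("checkTraverse", EXECUTE, ranger, native, trace)
          and enforce("checkAncestorAccess", WRITE, ranger, native, trace))
    return ok, trace

def union_allowed(ranger, native):
    """Comparison only: what a plain union of both sources would decide."""
    return {EXECUTE, WRITE} <= (set(ranger) | set(native))

if __name__ == "__main__":
    # Constructed inputs matching steps 2 and 3 of the issue description.
    for label, ranger, native in [
        ("step 2 of the issue", {"w"}, {"x"}),
        ("step 3 of the issue", {"x"}, {"w"}),
    ]:
        ok, trace = mkdir_allowed(ranger, native)
        print(label, "ranger =", sorted(ranger), "native =", sorted(native))
        for check, decided_by, result in trace:
            print(f"  {check:20} {decided_by:16} {'ALLOW' if result else 'DENY'}")
        print("  mkdir:", "allowed" if ok else "denied",
              "| union would allow:", union_allowed(ranger, native))
```

The trace shows where the asymmetry comes from: in both scenarios the combined grants are the same, but the native fallback for checkAncestorAccess() repeats the traverse check against native permissions only.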