Posted to dev@ranger.apache.org by "chuanjie.duan (JIRA)" <ji...@apache.org> on 2018/03/21 09:40:00 UTC
[jira] [Updated] (RANGER-1992) Ranger Read Wrong INode Information
[ https://issues.apache.org/jira/browse/RANGER-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
chuanjie.duan updated RANGER-1992:
----------------------------------
Description:
User 'cim_beta_db' created a directory inside user 'dataswap''s parent directory, as below:
hdfs dfs -ls /user/hive/warehouse/dataswap.db/
drwxrwx---   - cim_beta_db dataswap 0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test
drwxrwx---   - dataswap dataswap /user/hive/warehouse/dataswap.db
drwxrwx--x   - dataswap dataswap /user/hive/warehouse
I added an HDFS policy granting user 'cim_beta_db' 'execute' permission on path /user/hive/warehouse/dataswap.db.
hdfs dfs -ls /user/hive/warehouse/dataswap.db/test
ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":dataswap:dataswap:drwxrwx---
There are two issues:
1. The exception information should be inode="/user/hive/warehouse/dataswap.db":dataswap:dataswap:drwxrwx---
2. Policies cannot be combined: the policy match failed, so only the default permission is checked, even though the parent directory grants 'execute' permission.
    // checkINodeAccess: the ancestor/parent checks have already passed (authzStatus == ALLOW),
    // so now evaluate Ranger policies on the target inode itself
    if (authzStatus == AuthzStatus.ALLOW && access != null && inode != null) {
        LOG.info("checkINodeAccess");
        // the last entry of inodeAttrs holds the target inode's attributes
        INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
        authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
            // no Ranger policy matched the inode: fall back to the default HDFS enforcer,
            // checking only 'access' on the target (ancestor/parent/subAccess passed as NONE)
            authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
                    pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
                    FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
                    isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
        }
    }
was:
hdfs dfs -ls /user/hive/warehouse/dataswap.db/
drwxrwx---   - cim_beta_db dataswap 0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test
hdfs dfs -ls /user/hive/warehouse/dataswap.db/test
ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":dataswap:dataswap:drwxrwx---
The user should be cim_beta_db; maybe it's an HDFS bug.
> Ranger Read Wrong INode Information
> -----------------------------------
>
> Key: RANGER-1992
> URL: https://issues.apache.org/jira/browse/RANGER-1992
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: chuanjie.duan
> Priority: Major
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
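The snippet in the report shows the two-layer flow: Ranger policies are evaluated on the target inode first, and only when no policy matches (NOT_DETERMINED) does the plugin fall back to the default HDFS enforcer. The model below is an added example, written for this page and not taken from Ranger or HDFS, that walks the reporter's directory layout through that flow: every ancestor needs EXECUTE, the target needs the requested action, each check asks the policy layer first and falls back to POSIX bits, and the denial names the inode at which the check actually failed. The directory tree, the user's group membership and the policy representation (exact-path match, allow-only, single user) are all constructed assumptions; real Ranger policies also support recursion, groups and deny rules, which this model omits.

```python
"""Simplified two-layer HDFS authorizer: policy check first, POSIX fallback second.

Added example, not Ranger's or HDFS's code. The tree, groups and policies are
constructed to mirror the report; the policy model is a deliberate simplification.
"""
from dataclasses import dataclass
from enum import Enum

READ, WRITE, EXECUTE = 4, 2, 1
ACTION_NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute"}


class AuthzStatus(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NOT_DETERMINED = "not_determined"


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o770


# Constructed tree: modes above /user/hive/warehouse are assumed, the rest follows the report.
TREE = {
    "/user": Inode("hdfs", "hdfs", 0o755),
    "/user/hive": Inode("hive", "hive", 0o755),
    "/user/hive/warehouse": Inode("dataswap", "dataswap", 0o771),
    "/user/hive/warehouse/dataswap.db": Inode("dataswap", "dataswap", 0o770),
    "/user/hive/warehouse/dataswap.db/test": Inode("cim_beta_db", "dataswap", 0o770),
}

# Hypothetical policy shape: (path, user, set of granted action names).
POLICIES = [("/user/hive/warehouse/dataswap.db", "cim_beta_db", {"execute"})]


def ranger_check(policies, path, user, action):
    """Exact-path, allow-only policy evaluation; no match means NOT_DETERMINED."""
    wanted = {name for bit, name in ACTION_NAMES.items() if action & bit}
    for ppath, puser, granted in policies:
        if ppath == path and puser == user and wanted <= granted:
            return AuthzStatus.ALLOW
    return AuthzStatus.NOT_DETERMINED


def posix_check(inode, user, groups, action):
    """Default-enforcer stand-in: owner, group or other bits of this inode only."""
    if user == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & action == action


def mode_str(inode):
    """Render a directory mode the way `hdfs dfs -ls` prints it, e.g. drwxrwx---."""
    return "d" + "".join(
        ch if inode.mode & (1 << (8 - i)) else "-" for i, ch in enumerate("rwxrwxrwx")
    )


def action_name(action):
    return "_".join(name.upper() for bit, name in ACTION_NAMES.items() if action & bit)


def ancestors(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def authorize(policies, path, user, groups, action):
    """Return (failed_path, needed_action) for the first failing check, or None if allowed."""
    checks = [(anc, EXECUTE) for anc in ancestors(path)] + [(path, action)]
    for node_path, needed in checks:
        status = ranger_check(policies, node_path, user, needed)
        if status == AuthzStatus.NOT_DETERMINED:
            # No policy decided: fall back to the POSIX bits of this inode.
            allowed = posix_check(TREE[node_path], user, groups, needed)
            status = AuthzStatus.ALLOW if allowed else AuthzStatus.DENY
        if status != AuthzStatus.ALLOW:
            return node_path, needed
    return None


def describe_denial(policies, path, user, groups, action):
    """Build the denial text, naming the inode that actually failed."""
    result = authorize(policies, path, user, groups, action)
    if result is None:
        return None
    failed, needed = result
    inode = TREE[failed]
    return (f'Permission denied: user={user}, access={action_name(needed)}, '
            f'inode="{failed}":{inode.owner}:{inode.group}:{mode_str(inode)}')


if __name__ == "__main__":
    target = "/user/hive/warehouse/dataswap.db/test"
    print(describe_denial([], target, "cim_beta_db", {"cim_beta_db"}, READ | EXECUTE))
    print(authorize(POLICIES, target, "cim_beta_db", {"cim_beta_db"}, READ | EXECUTE))
```

Without the policy, traversal stops at dataswap.db (cim_beta_db is neither owner nor in the dataswap group, and "other" has no bits), so that is the inode a denial should name; with the execute policy on dataswap.db, traversal passes there via the policy layer and the target directory passes via the POSIX fallback, because cim_beta_db owns it.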