You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "chuanjie.duan (JIRA)" <ji...@apache.org> on 2018/03/21 09:40:00 UTC

[jira] [Updated] (RANGER-1992) Ranger Read Wrong INode Information

     [ https://issues.apache.org/jira/browse/RANGER-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

chuanjie.duan updated RANGER-1992:
----------------------------------
    Description: 
user 'cim_beta_db' create directory in user 'dataswap' parent directory as below

hdfs dfs -ls /user/hive/warehouse/dataswap.db/

drwxrwx-   --   -    cim_beta_db dataswap          0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test

drwxrwx-   --   -    dataswap dataswap         /user/hive/warehouse/dataswap.db

drwxrwx-   -x-    dataswap dataswap         /user/hive/warehouse

 

I add hdfs policy,  user 'cim_beta_db'  ‘’execute‘’ permission to path /user/hive/warehouse/dataswap.db 

 

hdfs dfs -ls /user/hive/warehouse/dataswap.db/test

ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":{color:#ff0000}dataswap{color}:dataswap:drwxrwx---

 

there are two issue.
 # exception information should inode="/user/hive/warehouse/dataswap.db":{color:#ff0000}dataswap{color}:dataswap:drwxrwx---
 # policy cannot combine use, policy match failed, would check default permission only, even if parent directory give a 'execute' permission

 

// checkINodeAccess
 if(authzStatus == AuthzStatus.ALLOW && access != null && inode != null) {
 LOG.info("checkINodeAccess");
 INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;

authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
 if (authzStatus == AuthzStatus.NOT_DETERMINED) {
 authzStatus = {color:#FF0000}checkDefaultEnforcer{color}(fsOwner, superGroup, ugi, inodeAttrs, inodes,
 pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
 FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
 isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
 }
 }

  was:
hdfs dfs -ls /user/hive/warehouse/dataswap.db/

drwxrwx--   --    cim_beta_db dataswap          0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test

 

hdfs dfs -ls /user/hive/warehouse/dataswap.db/test

ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":{color:#ff0000}dataswap{color}:dataswap:drwxrwx---

 

user should be cim_beta_db, maybe it's a hdfs bug


> Ranger Read Wrong INode Information
> -----------------------------------
>
>                 Key: RANGER-1992
>                 URL: https://issues.apache.org/jira/browse/RANGER-1992
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: chuanjie.duan
>            Priority: Major
>
> user 'cim_beta_db' create directory in user 'dataswap' parent directory as below
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/
> drwxrwx-   --   -    cim_beta_db dataswap          0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test
> drwxrwx-   --   -    dataswap dataswap         /user/hive/warehouse/dataswap.db
> drwxrwx-   -x-    dataswap dataswap         /user/hive/warehouse
>  
> I add hdfs policy,  user 'cim_beta_db'  ‘’execute‘’ permission to path /user/hive/warehouse/dataswap.db 
>  
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/test
> ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":{color:#ff0000}dataswap{color}:dataswap:drwxrwx---
>  
> there are two issue.
>  # exception information should inode="/user/hive/warehouse/dataswap.db":{color:#ff0000}dataswap{color}:dataswap:drwxrwx---
>  # policy cannot combine use, policy match failed, would check default permission only, even if parent directory give a 'execute' permission
>  
> // checkINodeAccess
>  if(authzStatus == AuthzStatus.ALLOW && access != null && inode != null) {
>  LOG.info("checkINodeAccess");
>  INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
> authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
>  if (authzStatus == AuthzStatus.NOT_DETERMINED) {
>  authzStatus = {color:#FF0000}checkDefaultEnforcer{color}(fsOwner, superGroup, ugi, inodeAttrs, inodes,
>  pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
>  FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
>  isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
>  }
>  }



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)