Posted to dev@ranger.apache.org by "Qiang Zhang (JIRA)" <ji...@apache.org> on 2018/03/27 03:03:00 UTC

[jira] [Assigned] (RANGER-1992) Ranger HDFS PermissionCheck logic issue

     [ https://issues.apache.org/jira/browse/RANGER-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Qiang Zhang reassigned RANGER-1992:
-----------------------------------

    Assignee: Qiang Zhang

> Ranger HDFS PermissionCheck logic issue
> ---------------------------------------
>
>                 Key: RANGER-1992
>                 URL: https://issues.apache.org/jira/browse/RANGER-1992
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: chuanjie.duan
>            Assignee: Qiang Zhang
>            Priority: Major
>
> user 'cim_beta_db' created a directory in the parent directory of user 'dataswap', as below:
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/
> drwxrwx---   - cim_beta_db dataswap          0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test
> drwxrwx---   - dataswap    dataswap         /user/hive/warehouse/dataswap.db
> drwxrwx--x   - dataswap    dataswap         /user/hive/warehouse
>  
> I added an HDFS policy giving user 'cim_beta_db' 'execute' permission on path /user/hive/warehouse/dataswap.db
>  
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/test
> ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":dataswap:dataswap:drwxrwx---
>  
> There are two issues:
> 1. The exception information should be inode="/user/hive/warehouse/dataswap.db":dataswap:dataswap:drwxrwx---
> 2. Policies cannot be combined: when the policy match fails, only the default permission is checked, even if the parent directory gives 'execute' permission.
>  
> // checkINodeAccess: the Ranger policy is consulted first; only when it yields
> // NOT_DETERMINED does the check fall back to the default HDFS enforcer
> if (authzStatus == AuthzStatus.ALLOW && access != null && inode != null) {
>     LOG.info("checkINodeAccess");
>     INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
>     authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
>     if (authzStatus == AuthzStatus.NOT_DETERMINED) {
>         authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
>                 pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
>                 FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
>                 isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
>     }
> }



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
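The quoted checkINodeAccess snippet shows the shape of the decision: a policy lookup per path component, with the native HDFS mode-bit check used only when the policy engine returns NOT_DETERMINED. The following Python model, added here as an illustration and not taken from Ranger or from the reporter, walks a path the way the HDFS permission checker does (EXECUTE on every ancestor, the requested access on the final inode), applies that policy-first / mode-bits-on-fallback rule to each component, and reports the component that actually failed in the same `inode="...":owner:group:mode` form as the error in the report. The directory tree, the modes above dataswap.db, the group memberships and the single execute policy are all constructed from the ls output above; Ranger's real policy semantics (recursive resources, deny policies, traverse-only checks against child policies) are deliberately simplified.

```python
"""Toy model of a per-component HDFS permission check in which a Ranger-style
policy lookup is tried first and the POSIX mode bits are consulted only when no
policy matches (the AuthzStatus.NOT_DETERMINED fallback in the quoted
checkINodeAccess snippet). Added illustration, not Ranger's own code; every
inode, user and policy below is constructed from the ls output in the report."""

from dataclasses import dataclass

ALLOW, DENY, NOT_DETERMINED = "ALLOW", "DENY", "NOT_DETERMINED"

# Access names mapped to POSIX permission bits (r=4, w=2, x=1).
ACCESS_BITS = {"READ": 4, "WRITE": 2, "EXECUTE": 1, "READ_EXECUTE": 5}


@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o770


@dataclass
class Policy:
    path: str                # resource path the policy is defined on
    users: set               # users the allow condition applies to
    mask: int                # granted accesses as permission bits
    recursive: bool = False  # whether the policy also covers descendants


def mode_string(mode):
    """Render permission bits the way ls does, e.g. 0o771 -> 'rwxrwx--x'."""
    bits = (0o400, 0o200, 0o100, 0o40, 0o20, 0o10, 0o4, 0o2, 0o1)
    return "".join(ch if mode & b else "-" for b, ch in zip(bits, "rwxrwxrwx"))


def ranger_status(policies, path, user, bits):
    """ALLOW if some policy covers this path for this user with every requested
    bit; otherwise NOT_DETERMINED, which hands the decision to the POSIX check."""
    for p in policies:
        covers = path == p.path or (p.recursive and path.startswith(p.path.rstrip("/") + "/"))
        if covers and user in p.users and bits & p.mask == bits:
            return ALLOW
    return NOT_DETERMINED


def posix_allowed(inode, user, groups, bits):
    """Classic owner/group/other evaluation of the inode's mode bits."""
    if user == inode.owner:
        perm = (inode.mode >> 6) & 7
    elif inode.group in groups:
        perm = (inode.mode >> 3) & 7
    else:
        perm = inode.mode & 7
    return bits & perm == bits


def check_permission(fs, policies, user_groups, user, path, access):
    """Walk the path: every ancestor needs EXECUTE, the final inode needs `access`.
    Each component is decided by the policy first and by the mode bits only on
    NOT_DETERMINED; a denial names the component that actually failed."""
    parts = path.strip("/").split("/")
    prefixes = ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]
    groups = user_groups.get(user, set())
    for i, p in enumerate(prefixes):
        needed = access if i == len(prefixes) - 1 else "EXECUTE"
        bits = ACCESS_BITS[needed]
        inode = fs[p]  # assumes every component exists
        status = ranger_status(policies, p, user, bits)
        if status == NOT_DETERMINED:
            status = ALLOW if posix_allowed(inode, user, groups, bits) else DENY
        if status == DENY:
            return DENY, (f"Permission denied: user={user}, access={needed}, "
                          f'inode="{p}":{inode.owner}:{inode.group}:d{mode_string(inode.mode)}')
    return ALLOW, None


# Constructed tree mirroring the report's ls output (modes above dataswap.db are assumed).
FS = {
    "/user": Inode("hdfs", "supergroup", 0o755),
    "/user/hive": Inode("hive", "hive", 0o755),
    "/user/hive/warehouse": Inode("dataswap", "dataswap", 0o771),
    "/user/hive/warehouse/dataswap.db": Inode("dataswap", "dataswap", 0o770),
    "/user/hive/warehouse/dataswap.db/test": Inode("cim_beta_db", "dataswap", 0o770),
}
USER_GROUPS = {"cim_beta_db": {"cim_beta_db"}, "dataswap": {"dataswap"}}  # assumed memberships
EXEC_ON_DB = [Policy("/user/hive/warehouse/dataswap.db", {"cim_beta_db"}, ACCESS_BITS["EXECUTE"])]
TARGET = "/user/hive/warehouse/dataswap.db/test"


def demo():
    """Listing `test` without any policy fails while traversing dataswap.db; with
    the execute policy that traversal is decided by the policy and the listing of
    `test` by its own mode bits (cim_beta_db owns it)."""
    without = check_permission(FS, [], USER_GROUPS, "cim_beta_db", TARGET, "READ_EXECUTE")
    with_policy = check_permission(FS, EXEC_ON_DB, USER_GROUPS, "cim_beta_db", TARGET, "READ_EXECUTE")
    return without, with_policy


if __name__ == "__main__":
    for status, msg in demo():
        print(status, msg or "")
```

Run as a script, the first line reports a denial whose inode is /user/hive/warehouse/dataswap.db (the ancestor that blocked traversal, which is what the reporter expected the message to name), and the second reports ALLOW once the execute policy covers that ancestor. The useful check for anyone debugging a denial like the one in the report is therefore which component the fallback ran on, not just the final inode.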