Posted to dev@ranger.apache.org by "Qiang Zhang (JIRA)" <ji...@apache.org> on 2018/03/27 03:03:00 UTC
[jira] [Assigned] (RANGER-1992) Ranger HDFS PermissionCheck logic issue
[ https://issues.apache.org/jira/browse/RANGER-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Qiang Zhang reassigned RANGER-1992:
-----------------------------------
Assignee: Qiang Zhang
> Ranger HDFS PermissionCheck logic issue
> ---------------------------------------
>
> Key: RANGER-1992
> URL: https://issues.apache.org/jira/browse/RANGER-1992
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: chuanjie.duan
> Assignee: Qiang Zhang
> Priority: Major
>
> User 'cim_beta_db' created a directory inside user 'dataswap''s parent directory, as below:
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/
> drwxrwx--- - cim_beta_db dataswap 0 2018-02-26 09:49 /user/hive/warehouse/dataswap.db/test
> drwxrwx--- - dataswap dataswap /user/hive/warehouse/dataswap.db
> drwxrwx--x - dataswap dataswap /user/hive/warehouse
>
> I added an HDFS policy giving user 'cim_beta_db' the 'execute' permission on path /user/hive/warehouse/dataswap.db
>
> hdfs dfs -ls /user/hive/warehouse/dataswap.db/test
> ls: Permission denied: user=cim_beta_db, access=EXECUTE, inode="/user/hive/warehouse/dataswap.db/test":dataswap:dataswap:drwxrwx---
>
> There are two issues.
> # The exception information should be inode="/user/hive/warehouse/dataswap.db":dataswap:dataswap:drwxrwx---
> # Policies cannot be combined: when the policy match fails, only the default permission is checked, even if the parent directory gives an 'execute' permission.
>
> // checkINodeAccess
> if(authzStatus == AuthzStatus.ALLOW && access != null && inode != null) {
>     LOG.info("checkINodeAccess");
>     INodeAttributes inodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
>     authzStatus = isAccessAllowed(inode, inodeAttribs, access, user, groups, plugin, auditHandler);
>     if (authzStatus == AuthzStatus.NOT_DETERMINED) {
>         authzStatus = checkDefaultEnforcer(fsOwner, superGroup, ugi, inodeAttrs, inodes,
>                                            pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
>                                            FsAction.NONE, FsAction.NONE, access, FsAction.NONE, ignoreEmptyDir,
>                                            isTraverseOnlyCheck, ancestor, parent, inode, auditHandler);
>     }
> }
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
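The two behaviours contrasted in the report, as an added Python model (not Ranger's or HDFS's own code): every path component must grant EXECUTE for the listing to succeed; a policy lookup yields ALLOW or NOT_DETERMINED for one component, and NOT_DETERMINED falls back to that component's POSIX mode bits. The tree, groups and policy are reconstructed from the report's `ls` output and policy description; `check_ls`, `posix_allows` and `policy_status` are names chosen here.

```python
# Simplified model of the traversal check discussed in RANGER-1992 (added
# illustration, not Ranger's or HDFS's code). Inode tree reconstructed from
# the report's `hdfs dfs -ls` output; group membership is assumed.
from dataclasses import dataclass

@dataclass
class Inode:
    path: str
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o770

TREE = [  # ordered from root-most to leaf
    Inode("/user/hive/warehouse", "dataswap", "dataswap", 0o771),
    Inode("/user/hive/warehouse/dataswap.db", "dataswap", "dataswap", 0o770),
    Inode("/user/hive/warehouse/dataswap.db/test", "cim_beta_db", "dataswap", 0o770),
]
GROUPS = {"cim_beta_db": {"cim_beta_db"}, "dataswap": {"dataswap"}}  # assumed
# The policy added in the report: cim_beta_db may EXECUTE (traverse) dataswap.db.
POLICY = {("/user/hive/warehouse/dataswap.db", "cim_beta_db"): {"EXECUTE"}}
X_BIT = 0o1

def posix_allows(inode, user, bit=X_BIT):
    """Owner / group / other mode-bit check for a single inode."""
    if user == inode.owner:
        shift = 6
    elif inode.group in GROUPS.get(user, set()):
        shift = 3
    else:
        shift = 0
    return ((inode.mode >> shift) & bit) == bit

def policy_status(policies, inode, user, action="EXECUTE"):
    """ALLOW if a policy grants the action on exactly this inode, else NOT_DETERMINED."""
    return "ALLOW" if action in policies.get((inode.path, user), set()) else "NOT_DETERMINED"

def check_ls(path, user, policies, combine_per_component):
    """Return (allowed, denied_inode_path).
    combine_per_component=False models the reported behaviour: the policy is
    consulted for the requested inode only, NOT_DETERMINED hands the whole walk
    to the mode bits, and the denial names the requested inode (issue 1).
    combine_per_component=True combines each component's own policy result with
    its own mode bits, so a parent-level EXECUTE grant counts (issue 2)."""
    chain = [i for i in TREE if path == i.path or path.startswith(i.path + "/")]
    if not combine_per_component:
        if policy_status(policies, chain[-1], user) == "ALLOW":
            return True, None
        return (True, None) if all(posix_allows(i, user) for i in chain) else (False, path)
    for inode in chain:
        if policy_status(policies, inode, user) != "ALLOW" and not posix_allows(inode, user):
            return False, inode.path  # blame the component that actually failed
    return True, None
```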