You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Velmurugan Periasamy (JIRA)" <ji...@apache.org> on 2017/10/05 15:37:00 UTC
[jira] [Commented] (RANGER-1707) Traverse check in
RangerHdfsAuthorizer works incorrectly
[ https://issues.apache.org/jira/browse/RANGER-1707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16193060#comment-16193060 ]
Velmurugan Periasamy commented on RANGER-1707:
----------------------------------------------
[~zsombor] - It would be good to check RangerHdfsAuthorizer behavior with Hadoop 3.0, which is being planned for next month. https://cwiki.apache.org/confluence/display/HADOOP/Hadoop+3.0.0+release
[~kulkabhay]/[~madhan@apache.org]/[~rmani] - any other thoughts?
> Traverse check in RangerHdfsAuthorizer works incorrectly
> --------------------------------------------------------
>
> Key: RANGER-1707
> URL: https://issues.apache.org/jira/browse/RANGER-1707
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 1.0.0
> Reporter: Zsombor Gegesy
> Assignee: Zsombor Gegesy
> Labels: hdfs-2.8
> Fix For: 1.0.0
>
> Attachments: 0001-RANGER-1707-Fix-hdfs-traverse-check-which-problem-wa.patch
>
>
> Traversal check in RangerHdfsAuthorizer works incorrectly, when it is asked for access to /a/b/c.txt, it only checks that if there are a policy which grants EXEC to /a/b, but if it there aren't any, then it doesn't check, if there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly, which would mean, that the path is accessible to the user.
> This hasn't noticed by the current unit tests, because HDFS before 2.8.0 doesn't called the traversal check before reading or writing a file, however it will cause problem with 2.8.0, where FSDirectory.resolvePath will perform a mandatory traversal check.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)