Posted to common-issues@hadoop.apache.org by "Alejandro Abdelnur (JIRA)" <ji...@apache.org> on 2014/09/02 19:19:21 UTC

[jira] [Commented] (HADOOP-10758) KMS: add ACLs on per key basis.

    [ https://issues.apache.org/jira/browse/HADOOP-10758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14118382#comment-14118382 ] 

Alejandro Abdelnur commented on HADOOP-10758:
---------------------------------------------

Looks good, just a few minor things:


*KeyAuthorizationKeyProvider.java*:

* shouldn’t {{getExtension()}} and {{getKeyProvider()}} return {{this}}? or is the intention to return the unguarded entity? if the latter, we should log a warning on the GET call.

* {{doAccessCheck()}}, if the {{KEY_ACL_NAME}} attribute is NULL, shouldn’t we pass the name of the key? by doing this you can key-acl existing keys via its name (in the case you enable key-acl after the keys were created).

* {{authorizeCreateKey()}}, the {{success =...}} predicate assignment could be done once by doing a refactoring on how the name/attribute is assigned.

*KMSACLs.java*:

* {{setKeyACLs()}}, if name of the key has dots (can it?) then the logic here will fail as you are expecting 4 elements after split. I think you should look for postfix without assuming dots, you already filtered the prefix.

* it is not clear to me what is the behavior if no default ACLs are set. are we assuming '*' or we are requiring explicit ACLs for every key? it seems the latter makes more sense, no? we should log a warning and put that in the docs.

*KMSConstants.java*:

* {{KEY_ACL_PREFIX}} does not seem used.




> KMS: add ACLs on per key basis.
> -------------------------------
>
>                 Key: HADOOP-10758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10758
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>         Attachments: HADOOP-10758.1.patch, HADOOP-10758.2.patch, HADOOP-10758.3.patch, HADOOP-10758.4.patch, HADOOP-10758.5.patch, HADOOP-10758.6.patch
>
>
> The KMS server should enforce ACLs on per key basis.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
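
The dotted-key-name concern raised for {{setKeyACLs()}} in the comment above, as an added example that is not part of the original message or of the HADOOP-10758 patch: a split that expects exactly 4 elements beside a parse that strips the prefix and reads only the postfix. The property layout `key.acl.<key-name>.<OPERATION>`, the operation names, the class and method names, and the sample property names are all assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class KeyAclNameParser {
    // Assumed property layout "key.acl.<key-name>.<OPERATION>" (not taken from the patch).
    static final String PREFIX = "key.acl.";
    // Hypothetical operation names used only by this example.
    static final Set<String> OPS = new HashSet<>(Arrays.asList("MANAGEMENT", "READ", "ALL"));

    /** Fragile: expects exactly 4 dot-separated elements, so dotted key names are dropped. */
    static String[] parseBySplit(String prop) {
        String[] parts = prop.split("\\.");
        if (parts.length != 4) {
            return null;
        }
        return new String[] { parts[2], parts[3] }; // note: accepts an empty key name
    }

    /** Postfix-based: strip the known prefix, then only the text after the last dot is the operation. */
    static String[] parseBySuffix(String prop) {
        if (!prop.startsWith(PREFIX)) {
            return null;
        }
        String rest = prop.substring(PREFIX.length());
        int lastDot = rest.lastIndexOf('.');
        if (lastDot <= 0 || lastDot == rest.length() - 1) {
            return null; // missing key name or missing operation
        }
        String op = rest.substring(lastDot + 1);
        if (!OPS.contains(op)) {
            return null; // unknown operation: reject instead of guessing
        }
        return new String[] { rest.substring(0, lastDot), op };
    }

    public static void main(String[] args) {
        // Constructed sample property names, including a key name that contains dots.
        String[] samples = { "key.acl.payroll.READ", "key.acl.finance.eu.payroll.READ",
                             "key.acl.payroll.", "key.acl..READ", "key.acl.payroll.BOGUS" };
        for (String s : samples) {
            System.out.println(s + "  split=" + Arrays.toString(parseBySplit(s))
                + "  suffix=" + Arrays.toString(parseBySuffix(s)));
        }
    }
}
```

For `key.acl.finance.eu.payroll.READ` the split-based parse returns nothing, so that key would silently get no ACL, while the postfix-based parse yields key `finance.eu.payroll` with operation `READ`.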