From 0ec6fc9e3c59c474f45e0fa68bb511778070a13c Mon Sep 17 00:00:00 2001 From: Brandon Li Date: Tue, 27 May 2014 22:58:55 +0000 Subject: [PATCH] HDFS-6411. nfs-hdfs-gateway mount raises I/O error and hangs when a unauthorized user attempts to access it. Contributed by Brandon Li git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1597895 13f79535-47bb-0310-9956-ffa450edef68 --- .../nfs/nfs3/response/ACCESS3Response.java | 6 ++-- .../hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java | 34 +++++++++++++++++++ hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 ++ 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/ACCESS3Response.java b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/ACCESS3Response.java index 8ba07aa5b3..5720fc6479 100644 --- a/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/ACCESS3Response.java +++ b/hadoop-common-project/hadoop-nfs/src/main/java/org/apache/hadoop/nfs/nfs3/response/ACCESS3Response.java @@ -46,10 +46,12 @@ public ACCESS3Response(int status, Nfs3FileAttributes postOpAttr, int access) { @Override public XDR writeHeaderAndResponse(XDR out, int xid, Verifier verifier) { super.writeHeaderAndResponse(out, xid, verifier); - out.writeBoolean(true); - postOpAttr.serialize(out); if (this.getStatus() == Nfs3Status.NFS3_OK) { + out.writeBoolean(true); + postOpAttr.serialize(out); out.writeInt(access); + } else { + out.writeBoolean(false); } return out; } diff --git a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java index f78598f13a..62aa8cbedc 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java 
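Review bot: On the NFS3_OK branch of writeHeaderAndResponse, `postOpAttr.serialize(out)` is still called without a null check, so a response built with status OK and null attributes would throw while the reply is being encoded. The constructors are outside this hunk, so whether that can actually happen is not visible here. Writing `out.writeBoolean(postOpAttr != null);` followed by `if (postOpAttr != null) { postOpAttr.serialize(out); }` keeps the reply well-formed in both cases. The new else branch would also benefit from a comment such as `// ACCESS3resfail: post_op_attr with attributes_follow = FALSE (RFC 1813)`, so a reader knows why no attributes are sent on failure.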
+++ b/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java @@ -124,6 +124,7 @@ import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.authorize.AuthorizationException; import org.jboss.netty.buffer.ChannelBuffer; import org.jboss.netty.buffer.ChannelBuffers; import org.jboss.netty.channel.Channel; @@ -270,6 +271,17 @@ public GETATTR3Response getattr(XDR xdr, SecurityHandler securityHandler, Nfs3FileAttributes attrs = null; try { attrs = writeManager.getFileAttr(dfsClient, handle, iug); + } catch (RemoteException r) { + LOG.warn("Exception ", r); + IOException io = r.unwrapRemoteException(); + /** + * AuthorizationException can be thrown if the user can't be proxy'ed. + */ + if (io instanceof AuthorizationException) { + return new GETATTR3Response(Nfs3Status.NFS3ERR_ACCES); + } else { + return new GETATTR3Response(Nfs3Status.NFS3ERR_IO); + } } catch (IOException e) { LOG.info("Can't get file attribute, fileId=" + handle.getFileId(), e); response.setStatus(Nfs3Status.NFS3ERR_IO); @@ -499,6 +511,17 @@ public ACCESS3Response access(XDR xdr, SecurityHandler securityHandler, securityHandler.getUid(), securityHandler.getGid(), attrs); return new ACCESS3Response(Nfs3Status.NFS3_OK, attrs, access); + } catch (RemoteException r) { + LOG.warn("Exception ", r); + IOException io = r.unwrapRemoteException(); + /** + * AuthorizationException can be thrown if the user can't be proxy'ed. + */ + if (io instanceof AuthorizationException) { + return new ACCESS3Response(Nfs3Status.NFS3ERR_ACCES); + } else { + return new ACCESS3Response(Nfs3Status.NFS3ERR_IO); + } } catch (IOException e) { LOG.warn("Exception ", e); return new ACCESS3Response(Nfs3Status.NFS3ERR_IO); 
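Review bot: The new `catch (RemoteException r)` block in getattr logs every denial as `LOG.warn("Exception ", r)`, a full stack trace with no uid or operation, and the same eleven lines are pasted into access and fsstat. A client that cannot be proxied can trigger this on every request, so the log fills with traces that do not say who was refused. I would move the mapping into one private helper that logs the denied uid on a single line and keeps the stack trace for the non-authorization case. The in-method `/** ... */` block is not Javadoc and becomes a `//` comment there. The bodies of all three methods start and end outside the hunks, so `securityHandler` is taken from the visible signatures.

```java
// Maps a RemoteException from the NameNode to an NFS3 status; shared by getattr, access and fsstat.
private int statusFor(RemoteException r, SecurityHandler securityHandler) {
  IOException io = r.unwrapRemoteException();
  if (io instanceof AuthorizationException) {
    // The gateway is not allowed to proxy this user: record who was denied, without the stack trace.
    LOG.warn("Proxy authorization denied for uid=" + securityHandler.getUid()
        + ": " + io.getMessage());
    return Nfs3Status.NFS3ERR_ACCES;
  }
  LOG.warn("Exception ", r);
  return Nfs3Status.NFS3ERR_IO;
}

// in getattr; access and fsstat make the same call with their own response type
} catch (RemoteException r) {
  return new GETATTR3Response(statusFor(r, securityHandler));
} catch (IOException e) {
// … unchanged: existing IOException handling …
```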
@@ -1680,6 +1703,17 @@ public FSSTAT3Response fsstat(XDR xdr, SecurityHandler securityHandler, return new FSSTAT3Response(Nfs3Status.NFS3_OK, attrs, totalBytes, freeBytes, freeBytes, maxFsObjects, maxFsObjects, maxFsObjects, 0); + } catch (RemoteException r) { + LOG.warn("Exception ", r); + IOException io = r.unwrapRemoteException(); + /** + * AuthorizationException can be thrown if the user can't be proxy'ed. + */ + if (io instanceof AuthorizationException) { + return new FSSTAT3Response(Nfs3Status.NFS3ERR_ACCES); + } else { + return new FSSTAT3Response(Nfs3Status.NFS3ERR_IO); + } } catch (IOException e) { LOG.warn("Exception ", e); return new FSSTAT3Response(Nfs3Status.NFS3ERR_IO); diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt index d1b9f391d9..5814821b0e 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt @@ -681,6 +681,9 @@ Release 2.4.1 - UNRELEASED HDFS-6397. NN shows inconsistent value in deadnode count. (Mohammad Kamrul Islam via kihwal) + HDFS-6411. nfs-hdfs-gateway mount raises I/O error and hangs when a + unauthorized user attempts to access it (brandonli) + Release 2.4.0 - 2014-04-07 INCOMPATIBLE CHANGES
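Review bot: Only getattr, access and fsstat gain the AuthorizationException mapping, and the diffstat lists no test file, so the behaviour for a user who cannot be proxied is not pinned by a regression test. The other NFS3 handlers in RpcProgramNfs3 are outside these hunks; they presumably still fall through to a generic IOException branch and answer NFS3ERR_IO for the same denial, which is worth confirming before the issue is closed. A unit test that makes the DFS client throw a RemoteException wrapping AuthorizationException and asserts NFS3ERR_ACCES from each patched handler would cover the fix. fsstat's body starts before and continues after this hunk.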