HADOOP-10701. NFS should not validate the access premission only based on the user's primary group. Contributed by Harsh J.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1606042 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Aaron Myers 2014-06-27 12:00:55 +00:00
parent fdf901451f
commit 5f880f79d2
9 changed files with 144 additions and 5 deletions

View File

@ -0,0 +1,28 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<FindBugsFilter>
<!--
FindBugs is complaining about CredentialsSys#getAuxGIDs(...) returning
a mutable array, but it is alright in our case, and copies would be
more expensive instead.
-->
<Match>
<Class name="org.apache.hadoop.oncrpc.security.CredentialsSys"/>
<Method name="getAuxGIDs" params="" returns="int[]"/>
<Bug code="EI"/>
</Match>
</FindBugsFilter>

View File

@ -93,6 +93,18 @@
</dependency> </dependency>
</dependencies> </dependencies>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<configuration>
<excludeFilterFile>${basedir}/dev-support/findbugsExcludeFile.xml
</excludeFilterFile>
</configuration>
</plugin>
</plugins>
</build>
<profiles> <profiles>
<profile> <profile>

View File

@ -58,6 +58,10 @@ public int getUID() {
return mUID; return mUID;
} }
public int[] getAuxGIDs() {
return mAuxGIDs;
}
public void setGID(int gid) { public void setGID(int gid) {
this.mGID = gid; this.mGID = gid;
} }

View File

@ -60,4 +60,9 @@ public int getUid() {
public int getGid() { public int getGid() {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
/** Used by AUTH_SYS */
public int[] getAuxGids() {
throw new UnsupportedOperationException();
}
} }

View File

@ -56,4 +56,9 @@ public int getUid() {
public int getGid() { public int getGid() {
return mCredentialsSys.getGID(); return mCredentialsSys.getGID();
} }
@Override
public int[] getAuxGids() {
return mCredentialsSys.getAuxGIDs();
}
} }

View File

@ -160,7 +160,7 @@ public static int getAccessRights(int mode, int type) {
} }
public static int getAccessRightsForUserGroup(int uid, int gid, public static int getAccessRightsForUserGroup(int uid, int gid,
Nfs3FileAttributes attr) { int[] auxGids, Nfs3FileAttributes attr) {
int mode = attr.getMode(); int mode = attr.getMode();
if (uid == attr.getUid()) { if (uid == attr.getUid()) {
return getAccessRights(mode >> 6, attr.getType()); return getAccessRights(mode >> 6, attr.getType());
@ -168,6 +168,14 @@ public static int getAccessRightsForUserGroup(int uid, int gid,
if (gid == attr.getGid()) { if (gid == attr.getGid()) {
return getAccessRights(mode >> 3, attr.getType()); return getAccessRights(mode >> 3, attr.getType());
} }
// Check for membership in auxiliary groups
if (auxGids != null) {
for (int auxGid : auxGids) {
if (attr.getGid() == auxGid) {
return getAccessRights(mode >> 3, attr.getType());
}
}
}
return getAccessRights(mode, attr.getType()); return getAccessRights(mode, attr.getType());
} }

View File

@ -504,7 +504,8 @@ public ACCESS3Response access(XDR xdr, RpcInfo info) {
return new ACCESS3Response(Nfs3Status.NFS3ERR_STALE); return new ACCESS3Response(Nfs3Status.NFS3ERR_STALE);
} }
int access = Nfs3Utils.getAccessRightsForUserGroup( int access = Nfs3Utils.getAccessRightsForUserGroup(
securityHandler.getUid(), securityHandler.getGid(), attrs); securityHandler.getUid(), securityHandler.getGid(),
securityHandler.getAuxGids(), attrs);
return new ACCESS3Response(Nfs3Status.NFS3_OK, attrs, access); return new ACCESS3Response(Nfs3Status.NFS3_OK, attrs, access);
} catch (RemoteException r) { } catch (RemoteException r) {
@ -659,7 +660,8 @@ READ3Response read(XDR xdr, SecurityHandler securityHandler,
return new READ3Response(Nfs3Status.NFS3ERR_NOENT); return new READ3Response(Nfs3Status.NFS3ERR_NOENT);
} }
int access = Nfs3Utils.getAccessRightsForUserGroup( int access = Nfs3Utils.getAccessRightsForUserGroup(
securityHandler.getUid(), securityHandler.getGid(), attrs); securityHandler.getUid(), securityHandler.getGid(),
securityHandler.getAuxGids(), attrs);
if ((access & Nfs3Constant.ACCESS3_READ) != 0) { if ((access & Nfs3Constant.ACCESS3_READ) != 0) {
eof = offset < attrs.getSize() ? false : true; eof = offset < attrs.getSize() ? false : true;
return new READ3Response(Nfs3Status.NFS3_OK, attrs, 0, eof, return new READ3Response(Nfs3Status.NFS3_OK, attrs, 0, eof,

View File

@ -0,0 +1,72 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hdfs.nfs.nfs3;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Test;
import java.io.IOException;
import org.apache.hadoop.nfs.NfsFileType;
import org.apache.hadoop.nfs.nfs3.Nfs3FileAttributes;
import org.mockito.Mockito;
public class TestNfs3Utils {
@Test
public void testGetAccessRightsForUserGroup() throws IOException {
Nfs3FileAttributes attr = Mockito.mock(Nfs3FileAttributes.class);
Mockito.when(attr.getUid()).thenReturn(2);
Mockito.when(attr.getGid()).thenReturn(3);
Mockito.when(attr.getMode()).thenReturn(448); // 700
Mockito.when(attr.getType()).thenReturn(NfsFileType.NFSREG.toValue());
assertEquals("No access should be allowed as UID does not match attribute over mode 700",
0, Nfs3Utils.getAccessRightsForUserGroup(3, 3, null, attr));
Mockito.when(attr.getUid()).thenReturn(2);
Mockito.when(attr.getGid()).thenReturn(3);
Mockito.when(attr.getMode()).thenReturn(56); // 070
Mockito.when(attr.getType()).thenReturn(NfsFileType.NFSREG.toValue());
assertEquals("No access should be allowed as GID does not match attribute over mode 070",
0, Nfs3Utils.getAccessRightsForUserGroup(2, 4, null, attr));
Mockito.when(attr.getUid()).thenReturn(2);
Mockito.when(attr.getGid()).thenReturn(3);
Mockito.when(attr.getMode()).thenReturn(7); // 007
Mockito.when(attr.getType()).thenReturn(NfsFileType.NFSREG.toValue());
assertEquals("Access should be allowed as mode is 007 and UID/GID do not match",
61 /* RWX */, Nfs3Utils.getAccessRightsForUserGroup(1, 4, new int[] {5, 6}, attr));
Mockito.when(attr.getUid()).thenReturn(2);
Mockito.when(attr.getGid()).thenReturn(10);
Mockito.when(attr.getMode()).thenReturn(288); // 440
Mockito.when(attr.getType()).thenReturn(NfsFileType.NFSREG.toValue());
assertEquals("Access should be allowed as mode is 440 and Aux GID does match",
1 /* R */, Nfs3Utils.getAccessRightsForUserGroup(3, 4, new int[] {5, 16, 10}, attr));
Mockito.when(attr.getUid()).thenReturn(2);
Mockito.when(attr.getGid()).thenReturn(10);
Mockito.when(attr.getMode()).thenReturn(448); // 700
Mockito.when(attr.getType()).thenReturn(NfsFileType.NFSDIR.toValue());
assertEquals("Access should be allowed for dir as mode is 700 and UID does match",
31 /* Lookup */, Nfs3Utils.getAccessRightsForUserGroup(2, 4, new int[] {5, 16, 10}, attr));
assertEquals("No access should be allowed for dir as mode is 700 even though GID does match",
0, Nfs3Utils.getAccessRightsForUserGroup(3, 10, new int[] {5, 16, 4}, attr));
assertEquals("No access should be allowed for dir as mode is 700 even though AuxGID does match",
0, Nfs3Utils.getAccessRightsForUserGroup(3, 20, new int[] {5, 10}, attr));
}
}

View File

@ -725,6 +725,9 @@ Release 2.5.0 - UNRELEASED
HDFS-6475. WebHdfs clients fail without retry because incorrect handling HDFS-6475. WebHdfs clients fail without retry because incorrect handling
of StandbyException. (Yongjun Zhang via atm) of StandbyException. (Yongjun Zhang via atm)
HADOOP-10701. NFS should not validate the access premission only based on
the user's primary group (Harsh J via atm)
BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh) HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)