Treat encrypted files as private. Contributed by Daniel Templeton.

2017-03-07 13:22:11 +09:00 · 2017-03-07 13:22:11 +09:00 · f01a69f84f
commit f01a69f84f
parent 14413989ca
1 changed files with 14 additions and 3 deletions
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
@ -294,10 +294,21 @@ private static boolean checkPermissionOfOther(FileSystem fs, Path path,
      FsAction action, Map<URI, FileStatus> statCache) throws IOException {
    FileStatus status = getFileStatus(fs, path.toUri(), statCache);
    FsPermission perms = status.getPermission();
-    FsAction otherAction = perms.getOtherAction();
-    if (otherAction.implies(action)) {
-      return true;
+
+    // Encrypted files are always treated as private. This stance has two
+    // important side effects.  The first is that the encrypted files will be
+    // downloaded as the job owner instead of the YARN user, which is required
+    // for the KMS ACLs to work as expected.  Second, it prevent a file with
+    // world readable permissions that is stored in an encryption zone from
+    // being localized as a publicly shared file with world readable
+    // permissions.
+    if (!perms.getEncryptedBit()) {
+      FsAction otherAction = perms.getOtherAction();
+      if (otherAction.implies(action)) {
+        return true;
+      }
    }
+
    return false;
  }