Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix permission errors when using Read Only HDFS Repository #26714

Merged
merged 3 commits into from Sep 21, 2017

Conversation

Projects
None yet
5 participants
@jbaiera
Copy link
Contributor

commented Sep 19, 2017

This PR is specific to the 5.x line, as #22793 in master and 6.x, while unrelated, fixes this problem.

When a user goes to list the available snapshots under a readonly HDFDS repository, before any other repository actions are performed, the requests will be met with a security exception. In this scenario, certain methods within the RPC layer have yet to be set accessible for usage in HDFS's dynamic-proxy-based RPC client. Normally, these methods would be set accessible during a privileged call in the validation step, but this process is skipped for readonly repositories. Instead, the security check is made to see if the code allows for supressAccessChecks. While the HDFS repository has these permissions, the core code base that is on the stack trace does not, and thus, a security exception is thrown for that permission.

This PR adds a reproducing test case for the behavior and backports the relevant portions of #22793 - Namely the HDFSPrivilegedInputStream. Additional validations of permissions within privileged blocks are added to the privileged input stream. These validations will be forward-ported to master in a different PR (link).

Relates #26513

jbaiera and others added some commits Sep 18, 2017

Add test to reproduce readonly repository bug.
MiniHDFS will now start with an existing repository with a single snapshot contained within.
Readonly Repository is created in tests and attempts to list the snapshots within this repo.
Correcting typos...
Backport "Add doPrivilege blocks for socket connect ops in repository…
…-hdfs (#22793)"

Only pulled the relevant changes - such as the Priveleged input stream implementation for HDFS.
Adding special permission checks to the HDFS privileged stream.
Limiting the permissions during privileged executions to the same ones used by the rest of the privileged code.
@risdenk

This comment has been minimized.

Copy link
Contributor

commented Sep 19, 2017

@jbaiera - Changes look good to me. Thanks for tracking this down!

@rjernst
Copy link
Member

left a comment

LGTM

@tbrooks8
Copy link
Contributor

left a comment

LGTM

@jbaiera jbaiera merged commit 985320f into elastic:5.6 Sep 21, 2017

2 checks passed

CLA Commit author is a member of Elasticsearch
Details
elasticsearch-ci Build finished.
Details

@jbaiera jbaiera deleted the jbaiera:jbaiera-fix-readonlyhdfs branch Sep 21, 2017

jbaiera added a commit that referenced this pull request Sep 21, 2017

Fix permission errors when using Read Only HDFS Repository (#26714)
Listing the available snapshots under a readonly HDFDS repository before any other repository 
actions are performed is met with a security exception. Certain methods within the RPC layer are 
yet to be set accessible for usage in HDFS's dynamic-proxy-based RPC client. These methods 
would be set accessible during a privileged call in the validation step, but some validation steps 
are skipped for readonly repositories.

This backports the relevant parts of HDFSPrivilegedInputStream to allow for initializing steps that 
would otherwise not be allowed by the codesources found on the stack trace.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.