Fix permission errors when using Read Only HDFS Repository #26714
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MiniHDFS will now start with an existing repository with a single snapshot contained within. Readonly Repository is created in tests and attempts to list the snapshots within this repo. Correcting typos...
…-hdfs (elastic#22793)" Only pulled the relevant changes - such as the Priveleged input stream implementation for HDFS.
Limiting the permissions during privileged executions to the same ones used by the rest of the privileged code.
Contributor
|
@jbaiera - Changes look good to me. Thanks for tracking this down! |
jbaiera
added a commit
that referenced
this pull request
Sep 21, 2017
Listing the available snapshots under a readonly HDFDS repository before any other repository actions are performed is met with a security exception. Certain methods within the RPC layer are yet to be set accessible for usage in HDFS's dynamic-proxy-based RPC client. These methods would be set accessible during a privileged call in the validation step, but some validation steps are skipped for readonly repositories. This backports the relevant parts of HDFSPrivilegedInputStream to allow for initializing steps that would otherwise not be allowed by the codesources found on the stack trace.
clintongormley
added
:Distributed Coordination/Snapshot/Restore
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is specific to the 5.x line, as #22793 in master and 6.x, while unrelated, fixes this problem.
When a user goes to list the available snapshots under a
readonlyHDFDS repository, before any other repository actions are performed, the requests will be met with a security exception. In this scenario, certain methods within the RPC layer have yet to be set accessible for usage in HDFS's dynamic-proxy-based RPC client. Normally, these methods would be set accessible during a privileged call in the validation step, but this process is skipped forreadonlyrepositories. Instead, the security check is made to see if the code allows forsupressAccessChecks. While the HDFS repository has these permissions, the core code base that is on the stack trace does not, and thus, a security exception is thrown for that permission.This PR adds a reproducing test case for the behavior and backports the relevant portions of #22793 - Namely the HDFSPrivilegedInputStream. Additional validations of permissions within privileged blocks are added to the privileged input stream. These validations will be forward-ported to master in a different PR (link).
Relates #26513