Details
- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: CDH 5.5.0
- Fix Version/s: None
- Component/s: Sentry
- Labels: None
- Environment: CentOS 6.7
Description
We were testing the Sentry -> extended ACL synchronization and did the following:
I created user1 and everything worked fine with the granted roles. I then wanted to test access with a new user (user2) without any Sentry permissions set, which led to the discovery below in red. Listing the directory fails due to permissions as expected, and so does putting a new file. But when you put an existing file again, the error message gives away that the file already exists; this is a potential security risk.
[hadoopadmin@localhost ~]$ kinit user2@LOCAL
Password for user2@LOCAL:
[hadoopadmin@localhost ~]$ hdfs dfs -ls /data/xxx/xxx/xxx/xxx/in
ls: Permission denied: user=user2, access=READ_EXECUTE, inode="/data/xxx/xxx/xxx/xxx/in":hive:hive:drwxrwx--x:user:hive:rwx,group::---,group:hive:rwx,group:hadoopadmin:rwx,group:user1:rwx
{color:red}[hadoopadmin@localhost ~]$ hdfs dfs -put /etc/passwd /data/xxx/xxx/xxx/xxx/in
put: `/data/xxx/xxx/xxx/xxx/in/passwd': File exists{color}
[hadoopadmin@localhost ~]$ hdfs dfs -put /etc/passwd /data/xxx/xxx/xxx/xxx/in/passwd2
put: Permission denied: user=user2, access=WRITE, inode="/data/xxx/xxx/xxx/xxx/in":hive:hive:drwxrwx--x:user:hive:rwx,group::---,group:hive:rwx,group:hadoopadmin:rwx,group:user1:rwx
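The session above shows an existence oracle: a caller with no WRITE access still learns whether a name exists in the directory. The following added example (not Hadoop, HDFS or Sentry code) models that check order against a constructed ACL for the `in` directory and places it beside the ordering that avoids the leak, where authorization is decided before any state-dependent error is produced; the `Dir`, `put_leaky` and `put_fixed` names are constructed for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Dir:
    """Constructed model of a directory carrying an extended ACL."""
    owner: str
    # ACL entries shaped like the "user:hive:rwx,group:user1:rwx" form in the report
    acl: dict
    children: set = field(default_factory=set)

def permitted(d: Dir, user: str, groups: set, want: str) -> bool:
    """True if the user entry or any of the user's group entries grants `want`."""
    perms = d.acl.get(f"user:{user}", "")
    for g in groups:
        perms += d.acl.get(f"group:{g}", "")
    return want in perms

def put_leaky(d: Dir, user: str, groups: set, name: str) -> str:
    """Order matching the reported behaviour: the name collision is reported
    before the caller's WRITE permission on the parent is checked."""
    if name in d.children:
        return "File exists"          # leaks existence to an unauthorized caller
    if not permitted(d, user, groups, "w"):
        return "Permission denied"
    d.children.add(name)
    return "ok"

def put_fixed(d: Dir, user: str, groups: set, name: str) -> str:
    """Authorize first: an unauthorized caller gets the same answer whether
    or not the name already exists, so nothing about directory state leaks."""
    if not permitted(d, user, groups, "w"):
        return "Permission denied"
    if name in d.children:
        return "File exists"
    d.children.add(name)
    return "ok"

def demo() -> dict:
    """Replay the report's two `put` attempts as user2 against both orderings."""
    inbox = Dir(owner="hive",
                acl={"user:hive": "rwx", "group:hive": "rwx",
                     "group:hadoopadmin": "rwx", "group:user1": "rwx"},
                children={"passwd"})
    user2 = ("user2", {"user2"})      # constructed: no Sentry grants at all
    return {
        "leaky_existing": put_leaky(inbox, *user2, "passwd"),
        "leaky_new": put_leaky(inbox, *user2, "passwd2"),
        "fixed_existing": put_fixed(inbox, *user2, "passwd"),
        "fixed_new": put_fixed(inbox, *user2, "passwd2"),
        "authorized": put_fixed(inbox, "user1", {"user1"}, "passwd2"),
    }
```

The two `fixed_*` results are identical for user2, which is the property to check when reviewing any create path: an unauthorized caller's error must not depend on whether the target already exists.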