HBase / HBASE-25543

When configuration "hadoop.security.authorization" is set to false, the system will still try to authorize an RPC and raise AccessDeniedException


Details

    • Reviewed

    Description

      In method processOneRpc(ByteBuffer buf) in RpcServer.java (branch-1), ServerRpcConnection.java (branch-2, master), if connectionHeaderRead is set to false, the method authorizeConnection() will be invoked whether the boolean authorize is true or false.

      if (!authorizeConnection()) {
        // Throw FatalConnectionException wrapping ACE so client does right thing and closes
        // down the connection instead of trying to read non-existent return.
        throw new AccessDeniedException("Connection from " + this + " for service " +
          connectionHeader.getServiceName() + " is unauthorized for user: " + ugi);
      }
      

      In method authorizeConnection()

      if (ugi != null && ugi.getRealUser() != null
          && (authMethod != AuthMethod.DIGEST)) {
        ProxyUsers.authorize(ugi, this.getHostAddress(), conf);
      }

      ProxyUsers.authorize() will raise AuthorizationException.
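
The reported behaviour next to a flag-gated check, as an added stand-alone model (not HBase source and not the project's patch). The `Connection` class, its fields, and both `processHeader*` methods are hypothetical, and the model assumes a failed proxy-user check surfaces as a `false` return from `authorizeConnection()`.

```java
// Added illustration: a self-contained model of the check described in the issue.
public class AuthorizeGateDemo {
    static class AccessDeniedException extends Exception {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Hypothetical stand-in for the per-connection state the issue refers to. */
    static class Connection {
        final boolean authorize;     // models hadoop.security.authorization
        final String realUser;       // non-null for a proxy user (ugi.getRealUser())
        final boolean proxyAllowed;  // models whether ProxyUsers.authorize() would pass
        boolean connectionHeaderRead = false;

        Connection(boolean authorize, String realUser, boolean proxyAllowed) {
            this.authorize = authorize;
            this.realUser = realUser;
            this.proxyAllowed = proxyAllowed;
        }

        // Assumption: a rejected proxy user makes this return false.
        boolean authorizeConnection() {
            return realUser == null || proxyAllowed;
        }

        // Behaviour as reported: the check runs whatever `authorize` is.
        void processHeaderAsReported() throws AccessDeniedException {
            if (!connectionHeaderRead && !authorizeConnection()) {
                throw new AccessDeniedException("unauthorized for user: " + realUser);
            }
            connectionHeaderRead = true;
        }

        // Assumed guard: consult the flag before authorizing.
        void processHeaderGated() throws AccessDeniedException {
            if (!connectionHeaderRead && authorize && !authorizeConnection()) {
                throw new AccessDeniedException("unauthorized for user: " + realUser);
            }
            connectionHeaderRead = true;
        }
    }

    static boolean accepted(Connection c, boolean gated) {
        try {
            if (gated) c.processHeaderGated(); else c.processHeaderAsReported();
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed cases: a proxy user ("svc") that the proxy-user check rejects.
        System.out.println("authorization off, as reported: " + accepted(new Connection(false, "svc", false), false));
        System.out.println("authorization off, gated:       " + accepted(new Connection(false, "svc", false), true));
        System.out.println("authorization on,  gated:       " + accepted(new Connection(true, "svc", false), true));
    }
}
```

The third case is the regression check: with authorization enabled, the gated path must still reject the connection.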

          People

            xytss123 Yutong Xiao