Details
-
Improvement
-
Status: Resolved
-
Minor
-
Resolution: Fixed
-
3.3.0, 3.3.6
-
Reviewed
Description
In the environment where the Ranger-HDFS plugin is enabled, I look at the log information of AccessControlException caused by the du. I find that the printed log information is not accurate, because the original AccessControlException is ignored by checkPermission, which is not conducive to judging the real situation of the AccessControlException . At least part of the original log information should be printed.
Later, the inode information prompted by the original AccessControlException log information makes me realize that the Ranger-HDFS plug-in in the current environment is not incorporated into RANGER-2297.
Because the current log prints the inode information is not the ”inode information“ passed to the authorizers. At this time if certain external authorizers does not adjust its authentication logic according to HDFS-12130 , it is more difficult to locate the real situation of the problem.So I think it is necessary to prompt this part of the log information.
AccessControlException information currently printed:
org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=test,access=READ_EXECUTE, inode="/warehouse/tablespace/managed/hive/test.db/stu/dt=2024-01-17":hive:hadoop:drwxrwx---
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:226)
The original AccessControlException information printed:
org.apache.hadoop.security.AccessControlException: Permission denied: user=test,access=READ_EXECUTE, inode="dt=2024-01-17":hive:hadoop:drwxrwx---
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:400)
From the comparison results of the above log information, it can be seen that the inode information and the exception stack printed by the log are not accurate.
Attachments
Attachments
Issue Links
- links to