HIVE-29167: Use access() api to check permission for different filesystems (#6047)

Author: wecharyu

standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java

@@ -69,7 +69,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.security.auth.login.LoginException;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
@@ -750,8 +749,6 @@ private void open() throws MetaException {
             try {
               UserGroupInformation ugi = SecurityUtils.getUGI();
               client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames()));
-            } catch (LoginException e) {
-              LOG.warn("Failed to do login. set_ugi() is not successful, Continuing without it.", e);
             } catch (IOException e) {
               LOG.warn("Failed to find ugi of client set_ugi() is not successful, Continuing without it.", e);
             } catch (TException e) {

standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/Warehouse.java

@@ -503,20 +503,17 @@ public boolean isEmptyDir(Path path, PathFilter pathFilter)
     }
   }
 
-  public boolean isWritable(Path path) throws IOException {
+  public boolean isWritable(Path path) {
     if (!storageAuthCheck) {
       // no checks for non-secure hadoop installations
       return true;
     }
     if (path == null) { //what??!!
       return false;
     }
-    final FileStatus stat;
-    final FileSystem fs;
     try {
-      fs = getFs(path);
-      stat = fs.getFileStatus(path);
-      HdfsUtils.checkFileAccess(fs, stat, FsAction.WRITE);
+      FileSystem fs = getFs(path);
+      HdfsUtils.checkFileAccess(fs, path, FsAction.WRITE);
       return true;
     } catch (FileNotFoundException fnfe){
       // File named by path doesn't exist; nothing to validate.

standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/utils/HdfsUtils.java

@@ -44,7 +44,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.security.auth.login.LoginException;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
@@ -65,57 +64,35 @@ public class HdfsUtils {
   /**
    * Check the permissions on a file.
    * @param fs Filesystem the file is contained in
-   * @param stat Stat info for the file
+   * @param path the file path
    * @param action action to be performed
    * @throws IOException If thrown by Hadoop
-   * @throws AccessControlException if the file cannot be accessed
    */
-  public static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action)
-      throws IOException, LoginException {
-    checkFileAccess(fs, stat, action, SecurityUtils.getUGI());
+  public static void checkFileAccess(FileSystem fs, Path path, FsAction action)
+      throws IOException {
+    checkFileAccess(fs, path, action, SecurityUtils.getUGI());
   }
 
   /**
    * Check the permissions on a file
    * @param fs Filesystem the file is contained in
-   * @param stat Stat info for the file
+   * @param path the file path
    * @param action action to be performed
    * @param ugi user group info for the current user.  This is passed in so that tests can pass
    *            in mock ones.
    * @throws IOException If thrown by Hadoop
-   * @throws AccessControlException if the file cannot be accessed
    */
   @VisibleForTesting
-  static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action,
+  static void checkFileAccess(FileSystem fs, Path path, FsAction action,
                               UserGroupInformation ugi) throws IOException {
-
-    String user = ugi.getShortUserName();
-    String[] groups = ugi.getGroupNames();
-
-    if (groups != null) {
-      String superGroupName = fs.getConf().get("dfs.permissions.supergroup", "");
-      if (arrayContains(groups, superGroupName)) {
-        LOG.debug("User \"" + user + "\" belongs to super-group \"" + superGroupName + "\". " +
-            "Permission granted for action: " + action + ".");
-        return;
-      }
-    }
-
-    FsPermission dirPerms = stat.getPermission();
-
-    if (user.equals(stat.getOwner())) {
-      if (dirPerms.getUserAction().implies(action)) {
-        return;
-      }
-    } else if (arrayContains(groups, stat.getGroup())) {
-      if (dirPerms.getGroupAction().implies(action)) {
-        return;
-      }
-    } else if (dirPerms.getOtherAction().implies(action)) {
-      return;
+    try {
+      ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
+        fs.access(path, action);
+        return null;
+      });
+    } catch (InterruptedException e) {
+      throw new IOException(e);
     }
-    throw new AccessControlException("action " + action + " not permitted on path "
-        + stat.getPath() + " for user " + user);
   }
 
   public static boolean isPathEncrypted(Configuration conf, URI fsUri, Path path)

standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/utils/SecurityUtils.java

@@ -60,7 +60,6 @@
 import javax.net.ssl.TrustManagerFactory;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
-import javax.security.auth.login.LoginException;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
@@ -90,7 +89,7 @@ public class SecurityUtils {
     }
   }
 
-  public static UserGroupInformation getUGI() throws LoginException, IOException {
+  public static UserGroupInformation getUGI() throws IOException {
     String doAs = System.getenv("HADOOP_USER_NAME");
     if (doAs != null && doAs.length() > 0) {
      /*
@@ -264,12 +263,8 @@ private static Token<DelegationTokenIdentifier> createToken(String tokenStr, Str
    * @throws IOException if underlying Hadoop call throws LoginException
    */
   public static String getUser() throws IOException {
-    try {
-      UserGroupInformation ugi = getUGI();
-      return ugi.getUserName();
-    } catch (LoginException le) {
-      throw new IOException(le);
-    }
+    UserGroupInformation ugi = getUGI();
+    return ugi.getUserName();
   }
 
   public static TServerSocket getServerSocket(String hiveHost, int portNum) throws TTransportException {

standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/utils/TestHdfsUtils.java

@@ -23,6 +23,7 @@
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.FsShell;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.RawLocalFileSystem;
 import org.apache.hadoop.fs.permission.AclStatus;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.fs.permission.FsPermission;
@@ -31,9 +32,8 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
-import org.mockito.Mockito;
 
-import javax.security.auth.login.LoginException;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@@ -65,143 +65,143 @@ private Path createFile(FileSystem fs, FsPermission perms) throws IOException {
     return p;
   }
 
-  private Configuration makeConf() {
-    // Make sure that the user doesn't happen to be in the super group
-    Configuration conf = new Configuration();
-    conf.set("dfs.permissions.supergroup", "ubermensch");
-    return conf;
-  }
-
-  private UserGroupInformation ugiInvalidUserValidGroups() throws LoginException, IOException {
-    UserGroupInformation ugi = Mockito.mock(UserGroupInformation.class);
-    Mockito.when(ugi.getShortUserName()).thenReturn("nosuchuser");
-    Mockito.when(ugi.getGroupNames()).thenReturn(SecurityUtils.getUGI().getGroupNames());
-    return ugi;
+  private UserGroupInformation ugiInvalidUserValidGroups() throws IOException {
+    return UserGroupInformation.createUserForTesting("nosuchuser", SecurityUtils.getUGI().getGroupNames());
   }
 
   private UserGroupInformation ugiInvalidUserInvalidGroups() {
-    UserGroupInformation ugi = Mockito.mock(UserGroupInformation.class);
-    Mockito.when(ugi.getShortUserName()).thenReturn("nosuchuser");
-    Mockito.when(ugi.getGroupNames()).thenReturn(new String[]{"nosuchgroup"});
-    return ugi;
+    return UserGroupInformation.createUserForTesting("nosuchuser", new String[]{"nosuchgroup"});
   }
 
   @Test
-  public void userReadWriteExecute() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void userReadWriteExecute() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.NONE, FsAction.NONE));
     UserGroupInformation ugi = SecurityUtils.getUGI();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.WRITE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void userNoRead() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void userNoRead() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.ALL));
     UserGroupInformation ugi = SecurityUtils.getUGI();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void userNoWrite() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void userNoWrite() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.ALL));
     UserGroupInformation ugi = SecurityUtils.getUGI();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.WRITE, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void userNoExecute() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void userNoExecute() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.ALL));
     UserGroupInformation ugi = SecurityUtils.getUGI();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
   @Test
-  public void groupReadWriteExecute() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void groupReadWriteExecute() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.NONE));
     UserGroupInformation ugi = ugiInvalidUserValidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.WRITE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void groupNoRead() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void groupNoRead() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.NONE, FsAction.ALL));
     UserGroupInformation ugi = ugiInvalidUserValidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void groupNoWrite() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void groupNoWrite() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.NONE, FsAction.ALL));
     UserGroupInformation ugi = ugiInvalidUserValidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.WRITE, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void groupNoExecute() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void groupNoExecute() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.NONE, FsAction.ALL));
     UserGroupInformation ugi = ugiInvalidUserValidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
   @Test
-  public void otherReadWriteExecute() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void otherReadWriteExecute() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.NONE, FsAction.NONE, FsAction.ALL));
     UserGroupInformation ugi = ugiInvalidUserInvalidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.WRITE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void otherNoRead() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void otherNoRead() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.NONE));
     UserGroupInformation ugi = ugiInvalidUserInvalidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void otherNoWrite() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void otherNoWrite() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.NONE));
     UserGroupInformation ugi = ugiInvalidUserInvalidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.WRITE, ugi);
   }
 
   @Test(expected = AccessControlException.class)
-  public void otherNoExecute() throws IOException, LoginException {
-    FileSystem fs = FileSystem.get(makeConf());
+  public void otherNoExecute() throws IOException {
+    FileSystem fs = FileSystem.get(new Configuration());
     Path p = createFile(fs, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.NONE));
     UserGroupInformation ugi = ugiInvalidUserInvalidGroups();
-    HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
-  @Test
-  public void rootReadWriteExecute() throws IOException, LoginException {
-    UserGroupInformation ugi = SecurityUtils.getUGI();
+  @Test (expected = FileNotFoundException.class)
+  public void nonExistentFile() throws IOException {
     FileSystem fs = FileSystem.get(new Configuration());
-    String old = fs.getConf().get("dfs.permissions.supergroup");
-    try {
-      fs.getConf().set("dfs.permissions.supergroup", ugi.getPrimaryGroupName());
-      Path p = createFile(fs, new FsPermission(FsAction.NONE, FsAction.NONE, FsAction.NONE));
-      HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.READ, ugi);
-      HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.WRITE, ugi);
-      HdfsUtils.checkFileAccess(fs, fs.getFileStatus(p), FsAction.EXECUTE, ugi);
-    } finally {
-      fs.getConf().set("dfs.permissions.supergroup", old);
-    }
+    Path p = new Path("/tmp/nosuchfile");
+    UserGroupInformation ugi = SecurityUtils.getUGI();
+    HdfsUtils.checkFileAccess(fs, p, FsAction.READ, ugi);
+  }
+
+  @Test(expected = AccessControlException.class)
+  public void accessPerssionFromCustomFilesystem() throws IOException {
+    FileSystem fs = new RawLocalFileSystem() {
+      @Override
+      public void access(Path path, FsAction mode) throws AccessControlException, IOException {
+        if (path.toString().contains("noaccess")) {
+          throw new AccessControlException("no access");
+        }
+      }
+
+      @Override
+      public Configuration getConf() {
+        return new Configuration();
+      }
+    };
+
+    UserGroupInformation ugi = SecurityUtils.getUGI();
+    Path p = new Path("/tmp/noaccess");
+    HdfsUtils.checkFileAccess(fs, p, FsAction.EXECUTE, ugi);
   }
 
   /**