From 120f680318d766f44787fd0eec88270d61172523 Mon Sep 17 00:00:00 2001
From: Akira Ajisaka
Date: Tue, 7 Mar 2017 13:22:11 +0900
Subject: [PATCH] Treat encrypted files as private. Contributed by Daniel Templeton.

(cherry picked from commit f01a69f84f4cc7d925d078a7ce32e5800da4e429)
---
.../ClientDistributedCacheManager.java | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
index 73a0330396d..9f8edb5df0d 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
@@ -294,10 +294,21 @@ public class ClientDistributedCacheManager {
 FsAction action, Map statCache) throws IOException {
 FileStatus status = getFileStatus(fs, path.toUri(), statCache);
 FsPermission perms = status.getPermission();
- FsAction otherAction = perms.getOtherAction();
- if (otherAction.implies(action)) {
- return true;
+
+ // Encrypted files are always treated as private. This stance has two
+ // important side effects. The first is that the encrypted files will be
+ // downloaded as the job owner instead of the YARN user, which is required
+ // for the KMS ACLs to work as expected. Second, it prevent a file with
+ // world readable permissions that is stored in an encryption zone from
+ // being localized as a publicly shared file with world readable
+ // permissions.
+ if (!perms.getEncryptedBit()) {
+ FsAction otherAction = perms.getOtherAction();
+ if (otherAction.implies(action)) {
+ return true;
+ }
 }
+
 return false;
 }
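Review bot: The public/private decision in this hunk now rests entirely on `perms.getEncryptedBit()`, and nothing here says what happens when the file system behind `fs` does not populate that bit on the status it returns (directly or via `statCache`); in that case a world-readable encrypted file would presumably still reach the `getOtherAction()` check and be localized as public. I would state that assumption in the new comment, e.g. `// Relies on the FileSystem reporting the encrypted bit in FileStatus; otherwise only the "other" permission decides.`, and fix the typo "it prevent" to "it prevents" while there. The diffstat shows only this file changed, so a unit test asserting that a world-readable status with the encrypted bit set yields `false` would pin the security-relevant branch. The nested `if` could also collapse to `return !perms.getEncryptedBit() && perms.getOtherAction().implies(action);`. The method signature begins above the hunk, so the callers and the action values they pass are not visible here.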