org.apache.hadoop.io
Class SecureIOUtils

java.lang.Object
  extended by org.apache.hadoop.io.SecureIOUtils

public class SecureIOUtils
extends Object

This class provides secure APIs for opening and creating files on the local disk. The main issue this class tries to handle is that of symlink traversal.
An example of such an attack is:

  1. Malicious user removes his task's syslog file, and puts a link to the jobToken file of a target user.
  2. Malicious user tries to open the syslog file via the servlet on the tasktracker.
  3. The tasktracker is unaware of the symlink, and simply streams the contents of the jobToken file. The malicious user can now access potentially sensitive map outputs, etc. of the target user's job.
A similar attack is possible involving task log truncation, but in that case it is due to an insecure write to a file.
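
The symlink read described above, and the exclusive-create behaviour that createForWrite documents, reproduced with JDK calls only. This is an added example, not Hadoop's code: it refuses a symlink at open time with NOFOLLOW_LINKS instead of verifying owner and group as SecureIOUtils does. The class name, file names and file contents are constructed; a POSIX file system and Java 9+ are assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

public class SymlinkSafeOpenDemo {
    // Naive read: silently follows a symlink at the final path component.
    static String naiveRead(Path p) throws IOException {
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }

    // Hardened read: the open itself fails on a symlink, so there is no
    // window between a "is this a link?" check and the open.
    static String noFollowRead(Path p) throws IOException {
        try (InputStream in = Files.newInputStream(p, LinkOption.NOFOLLOW_LINKS)) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    // Exclusive create: fails if anything, including a symlink, is at the path.
    static void exclusiveCreate(Path p) throws IOException {
        Files.newOutputStream(p, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE).close();
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: "syslog" is a link to another user's "jobToken".
        Path dir = Files.createTempDirectory("secureio-demo");
        Path token = Files.write(dir.resolve("jobToken"),
                "constructed-secret".getBytes(StandardCharsets.UTF_8));
        Path syslog = Files.createSymbolicLink(dir.resolve("syslog"), token);

        System.out.println("naive read       : " + naiveRead(syslog));
        try {
            noFollowRead(syslog);
            System.out.println("no-follow read   : unexpectedly succeeded");
        } catch (IOException e) {
            System.out.println("no-follow read   : refused (" + e.getClass().getSimpleName() + ")");
        }
        try {
            exclusiveCreate(syslog);
            System.out.println("exclusive create : unexpectedly succeeded");
        } catch (FileAlreadyExistsException e) {
            System.out.println("exclusive create : refused, path already exists");
        }
    }
}
```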


Nested Class Summary
static class SecureIOUtils.AlreadyExistsException
          Signals that an attempt to create a file at a given pathname has failed because another file already existed at that path.
 
Constructor Summary
SecureIOUtils()
           
 
Method Summary
static FileOutputStream createForWrite(File f, int permissions)
          Open the specified File for write access, ensuring that it does not exist.
protected static RandomAccessFile forceSecureOpenForRandomRead(File f, String mode, String expectedOwner, String expectedGroup)
          Same as openForRandomRead except that it will run even if security is off.
protected static FileInputStream forceSecureOpenForRead(File f, String expectedOwner, String expectedGroup)
          Same as openForRead() except that it will run even if security is off.
protected static FSDataInputStream forceSecureOpenFSDataInputStream(File file, String expectedOwner, String expectedGroup)
          Same as openFSDataInputStream except that it will run even if security is off.
static RandomAccessFile openForRandomRead(File f, String mode, String expectedOwner, String expectedGroup)
          Open the given File for random read access, verifying the expected user/group constraints if security is enabled.
static FileInputStream openForRead(File f, String expectedOwner, String expectedGroup)
          Open the given File for read access, verifying the expected user/group constraints if security is enabled.
static FSDataInputStream openFSDataInputStream(File file, String expectedOwner, String expectedGroup)
          Opens the FSDataInputStream on the requested file on local file system, verifying the expected user/group constraints if security is enabled.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SecureIOUtils

public SecureIOUtils()

Method Detail

openForRandomRead

public static RandomAccessFile openForRandomRead(File f,
                                                 String mode,
                                                 String expectedOwner,
                                                 String expectedGroup)
                                          throws IOException
Open the given File for random read access, verifying the expected user/group constraints if security is enabled. Note that this function provides no additional security checks if Hadoop security is disabled, since doing the checks would be too expensive when native libraries are not available.

Parameters:
f - file that we are trying to open
mode - mode in which we want to open the random access file
expectedOwner - the expected user owner for the file
expectedGroup - the expected group owner for the file
Throws:
IOException - if an IO error occurred or if the user/group does not match when security is enabled.

forceSecureOpenForRandomRead

protected static RandomAccessFile forceSecureOpenForRandomRead(File f,
                                                               String mode,
                                                               String expectedOwner,
                                                               String expectedGroup)
                                                        throws IOException
Same as openForRandomRead except that it will run even if security is off. This is used by unit tests.

Throws:
IOException

openFSDataInputStream

public static FSDataInputStream openFSDataInputStream(File file,
                                                      String expectedOwner,
                                                      String expectedGroup)
                                               throws IOException
Opens the FSDataInputStream on the requested file on local file system, verifying the expected user/group constraints if security is enabled.

Parameters:
file - absolute path of the file
expectedOwner - the expected user owner for the file
expectedGroup - the expected group owner for the file
Throws:
IOException - if an IO error occurred, or security is enabled and the user/group does not match

forceSecureOpenFSDataInputStream

protected static FSDataInputStream forceSecureOpenFSDataInputStream(File file,
                                                                    String expectedOwner,
                                                                    String expectedGroup)
                                                             throws IOException
Same as openFSDataInputStream except that it will run even if security is off. This is used by unit tests.

Throws:
IOException

openForRead

public static FileInputStream openForRead(File f,
                                          String expectedOwner,
                                          String expectedGroup)
                                   throws IOException
Open the given File for read access, verifying the expected user/group constraints if security is enabled. Note that this function provides no additional checks if Hadoop security is disabled, since doing the checks would be too expensive when native libraries are not available.

Parameters:
f - the file that we are trying to open
expectedOwner - the expected user owner for the file
expectedGroup - the expected group owner for the file
Throws:
IOException - if an IO Error occurred, or security is enabled and the user/group does not match

forceSecureOpenForRead

protected static FileInputStream forceSecureOpenForRead(File f,
                                                        String expectedOwner,
                                                        String expectedGroup)
                                                 throws IOException
Same as openForRead() except that it will run even if security is off. This is used by unit tests.

Throws:
IOException

createForWrite

public static FileOutputStream createForWrite(File f,
                                              int permissions)
                                       throws IOException
Open the specified File for write access, ensuring that it does not exist.

Parameters:
f - the file that we want to create
permissions - the permissions we want to have on the file (if security is enabled)
Throws:
SecureIOUtils.AlreadyExistsException - if the file already exists
IOException - if any other error occurred


Copyright © 2014 Apache Software Foundation. All Rights Reserved.