Class SecureIOUtils

java.lang.Object
org.apache.hadoop.io.SecureIOUtils

public class SecureIOUtils extends Object
This class provides secure APIs for opening and creating files on the local disk. The main issue this class tries to handle is that of symlink traversal.
An example of such an attack is:
  1. Malicious user removes his task's syslog file, and puts a link to the jobToken file of a target user.
  2. Malicious user tries to open the syslog file via the servlet on the tasktracker.
  3. The tasktracker is unaware of the symlink, and simply streams the contents of the jobToken file. The malicious user can now access potentially sensitive map outputs, etc. of the target user's job.
A similar attack is possible involving task log truncation, but in that case due to an insecure write to a file.
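An added usage example, not part of the Hadoop documentation or code base: a log-serving helper that shows the unchecked open from the attack above beside `openForRead`, plus `createForWrite` for the write side. The class `TaskLogAccess`, its method and argument names, and the `0600` permission value are assumptions for illustration; it needs hadoop-common on the classpath.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import org.apache.hadoop.io.SecureIOUtils;

/** Hypothetical log-serving helper; class, method and argument names are illustrative. */
public class TaskLogAccess {

  /** Vulnerable: streams whatever the path resolves to, including a symlink target. */
  static void streamLogUnsafe(File syslog, OutputStream out) throws IOException {
    try (InputStream in = new FileInputStream(syslog)) {
      copy(in, out);
    }
  }

  /**
   * Hardened: the open fails with IOException unless the user/group of the file
   * matches the expected values, so a syslog path swapped for a link to another
   * user's jobToken fails the owner check. No additional check runs when Hadoop
   * security is disabled.
   */
  static void streamLogChecked(File syslog, String taskOwner, String taskGroup,
                               OutputStream out) throws IOException {
    try (InputStream in = SecureIOUtils.openForRead(syslog, taskOwner, taskGroup)) {
      copy(in, out);
    }
  }

  /** Write side: create the file only if it does not already exist. */
  static boolean writeNewLog(File target, byte[] data) throws IOException {
    try (FileOutputStream fos = SecureIOUtils.createForWrite(target, 0600)) {
      fos.write(data);
      return true;
    } catch (SecureIOUtils.AlreadyExistsException e) {
      return false; // path already occupied: do not truncate or overwrite it
    }
  }

  private static void copy(InputStream in, OutputStream out) throws IOException {
    byte[] buf = new byte[8192];
    for (int n; (n = in.read(buf)) != -1; ) {
      out.write(buf, 0, n);
    }
  }
}
```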
  • Constructor Details

    • SecureIOUtils

      public SecureIOUtils()
  • Method Details

    • openForRandomRead

      public static RandomAccessFile openForRandomRead(File f, String mode, String expectedOwner, String expectedGroup) throws IOException
      Open the given File for random read access, verifying the expected user/group constraints if security is enabled. Note that this function provides no additional security checks if Hadoop security is disabled, since doing the checks would be too expensive when native libraries are not available.
      Parameters:
      f - file that we are trying to open
      mode - mode in which we want to open the random access file
      expectedOwner - the expected user owner for the file
      expectedGroup - the expected group owner for the file
      Returns:
      the opened RandomAccessFile
      Throws:
      IOException - if an IO error occurred or if the user/group does not match when security is enabled.
    • forceSecureOpenForRandomRead

      @VisibleForTesting protected static RandomAccessFile forceSecureOpenForRandomRead(File f, String mode, String expectedOwner, String expectedGroup) throws IOException
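      Same as openForRandomRead except that it will run even if security is off. This is used by unit tests.
      Parameters:
      f - file that we are trying to open
      mode - mode in which we want to open the random access file
      expectedOwner - the expected user owner for the file
      expectedGroup - the expected group owner for the file
      Returns:
      the opened RandomAccessFile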
      Throws:
      IOException - raised on errors performing I/O.
    • openFSDataInputStream

      public static FSDataInputStream openFSDataInputStream(File file, String expectedOwner, String expectedGroup) throws IOException
      Opens the FSDataInputStream on the requested file on local file system, verifying the expected user/group constraints if security is enabled.
      Parameters:
      file - absolute path of the file
      expectedOwner - the expected user owner for the file
      expectedGroup - the expected group owner for the file
      Returns:
      FSDataInputStream.
      Throws:
      IOException - if an I/O error occurred, or if security is enabled and the user/group does not match
    • forceSecureOpenFSDataInputStream

      @VisibleForTesting protected static FSDataInputStream forceSecureOpenFSDataInputStream(File file, String expectedOwner, String expectedGroup) throws IOException
      Same as openFSDataInputStream except that it will run even if security is off. This is used by unit tests.
      Parameters:
      file - absolute path of the file
      expectedOwner - the expected user owner for the file
      expectedGroup - the expected group owner for the file
      Returns:
      FSDataInputStream.
      Throws:
      IOException - raised on errors performing I/O.
    • openForRead

      public static FileInputStream openForRead(File f, String expectedOwner, String expectedGroup) throws IOException
      Open the given File for read access, verifying the expected user/group constraints if security is enabled. Note that this function provides no additional checks if Hadoop security is disabled, since doing the checks would be too expensive when native libraries are not available.
      Parameters:
      f - the file that we are trying to open
      expectedOwner - the expected user owner for the file
      expectedGroup - the expected group owner for the file
      Returns:
      the opened FileInputStream
      Throws:
      IOException - if an I/O error occurred, or if security is enabled and the user/group does not match
    • forceSecureOpenForRead

      @VisibleForTesting protected static FileInputStream forceSecureOpenForRead(File f, String expectedOwner, String expectedGroup) throws IOException
      Same as openForRead() except that it will run even if security is off. This is used by unit tests.
      Parameters:
      f - the file that we are trying to open
      expectedOwner - the expected user owner for the file
      expectedGroup - the expected group owner for the file
      Returns:
      the opened FileInputStream
      Throws:
      IOException - raised on errors performing I/O.
    • createForWrite

      public static FileOutputStream createForWrite(File f, int permissions) throws IOException
      Open the specified File for write access, ensuring that it does not exist.
      Parameters:
      f - the file that we want to create
      permissions - the permissions we want the file to have (if security is enabled)
      Returns:
      a FileOutputStream opened on the newly created file
      Throws:
      SecureIOUtils.AlreadyExistsException - if the file already exists
      IOException - if any other error occurred