fix: Set path to / when the operation contentSummary is called on /i

Author: sbernauer

CHANGELOG.md

@@ -8,7 +8,11 @@ All notable changes to this project will be documented in this file.
 
 - BREAKING: Only send a subset of the fields sufficient for most use-cases to OPA for performance reasons.
   The old behavior of sending all fields can be restored by setting `hadoop.security.authorization.opa.extended-requests` to `true` ([#XX]).
-- Bump `okio` to 1.17.6 and to 3.9.1 afterwards  to get rid of CVE-2023-3635 ([#46], [#XX]).
+- Bump `okio` to 1.17.6 and to 3.9.1 afterwards to get rid of CVE-2023-3635 ([#46], [#XX]).
+
+### Fixed
+
+- Set path to `/` when the operation `contentSummary` is called on `/`. Previously path was set to `null` ([#XX]).
 
 [#46]: https://github.com/stackabletech/hdfs-utils/pull/46
 

src/main/java/tech/stackable/hadoop/StackableAccessControlEnforcer.java

@@ -124,6 +124,12 @@ public void checkPermission(String fsOwner, String supergroup,
 
     @Override
     public void checkPermissionWithContext(INodeAttributeProvider.AuthorizationContext authzContext) throws AccessControlException {
+        // When executing "hdfs dfs -du /" the path is set to null. This does not worsen security, as "/" is the
+        // highest level of access that a user can have.
+        if (authzContext.getOperationName().equals("contentSummary") && authzContext.getPath() == null) {
+            authzContext.setPath("/");
+        }
+
         final Object query;
         if (this.extendedRequests) {
             query = new OpaAllowQuery(new OpaAllowQuery.OpaAllowQueryInput(authzContext));