HADOOP-6634. Fix AccessControlList to use short names to verify access control. Contributed by Vinod Kumar Vavilapalli.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@939242 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -382,6 +382,9 @@ Trunk (unreleased changes)
     HADOOP-6722. NetUtils.connect should check that it hasn't connected a socket
     to itself. (Todd Lipcon via tomwhite)
 
+    HADOOP-6634. Fix AccessControlList to use short names to verify access 
+    control. (Vinod Kumar Vavilapalli via sharad)
+ 
 Release 0.21.0 - Unreleased
 
   INCOMPATIBLE CHANGES

src/java/org/apache/hadoop/security/authorize/AccessControlList.java

@@ -93,7 +93,7 @@ Set<String> getGroups() {
   }
 
   public boolean isUserAllowed(UserGroupInformation ugi) {
-    if (allAllowed || users.contains(ugi.getUserName())) {
+    if (allAllowed || users.contains(ugi.getShortUserName())) {
       return true;
     } else {
       for(String group: ugi.getGroupNames()) {

src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java

@@ -20,6 +20,7 @@
 import java.util.Iterator;
 import java.util.Set;
 
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 
 
@@ -89,17 +90,68 @@ public void testAccessControlList() throws Exception {
     iter = groups.iterator();
     assertEquals(iter.next(), "tardis");
     assertEquals(iter.next(), "users");
+  }
 
-    acl = new AccessControlList("drwho,joe tardis, users");
+  /**
-    users = acl.getUsers();
+   * Verify the method isUserAllowed()
-    assertEquals(users.size(), 2);
+   */
-    iter = users.iterator();
+  public void testIsUserAllowed() {
-    assertEquals(iter.next(), "drwho");
+    AccessControlList acl;
-    assertEquals(iter.next(), "joe");
+
-    groups = acl.getGroups();
+    UserGroupInformation drwho =
-    assertEquals(groups.size(), 2);
+        UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
-    iter = groups.iterator();
+            new String[] { "aliens", "humanoids", "timelord" });
-    assertEquals(iter.next(), "tardis");
+    UserGroupInformation susan =
-    assertEquals(iter.next(), "users");
+        UserGroupInformation.createUserForTesting("susan@APACHE.ORG",
+            new String[] { "aliens", "humanoids", "timelord" });
+    UserGroupInformation barbara =
+        UserGroupInformation.createUserForTesting("barbara@APACHE.ORG",
+            new String[] { "humans", "teachers" });
+    UserGroupInformation ian =
+        UserGroupInformation.createUserForTesting("ian@APACHE.ORG",
+            new String[] { "humans", "teachers" });
+
+    acl = new AccessControlList("drwho humanoids");
+    assertUserAllowed(drwho, acl);
+    assertUserAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList("drwho");
+    assertUserAllowed(drwho, acl);
+    assertUserNotAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList("drwho ");
+    assertUserAllowed(drwho, acl);
+    assertUserNotAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList(" humanoids");
+    assertUserAllowed(drwho, acl);
+    assertUserAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList("drwho,ian aliens,teachers");
+    assertUserAllowed(drwho, acl);
+    assertUserAllowed(susan, acl);
+    assertUserAllowed(barbara, acl);
+    assertUserAllowed(ian, acl);
+  }
+
+  private void assertUserAllowed(UserGroupInformation ugi,
+      AccessControlList acl) {
+    assertTrue("User " + ugi + " is not granted the access-control!!",
+        acl.isUserAllowed(ugi));
+  }
+
+  private void assertUserNotAllowed(UserGroupInformation ugi,
+      AccessControlList acl) {
+    assertFalse("User " + ugi
+        + " is incorrectly granted the access-control!!",
+        acl.isUserAllowed(ugi));
   }
 }