HADOOP-6634. Fix AccessControlList to use short names to verify access control. Contributed by Vinod Kumar Vavilapalli.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@939242 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
8991eb7959
commit
00cb892150
@ -382,6 +382,9 @@ Trunk (unreleased changes)
|
|||||||
HADOOP-6722. NetUtils.connect should check that it hasn't connected a socket
|
HADOOP-6722. NetUtils.connect should check that it hasn't connected a socket
|
||||||
to itself. (Todd Lipcon via tomwhite)
|
to itself. (Todd Lipcon via tomwhite)
|
||||||
|
|
||||||
|
HADOOP-6634. Fix AccessControlList to use short names to verify access
|
||||||
|
control. (Vinod Kumar Vavilapalli via sharad)
|
||||||
|
|
||||||
Release 0.21.0 - Unreleased
|
Release 0.21.0 - Unreleased
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
@ -93,7 +93,7 @@ Set<String> getGroups() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public boolean isUserAllowed(UserGroupInformation ugi) {
|
public boolean isUserAllowed(UserGroupInformation ugi) {
|
||||||
if (allAllowed || users.contains(ugi.getUserName())) {
|
if (allAllowed || users.contains(ugi.getShortUserName())) {
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
for(String group: ugi.getGroupNames()) {
|
for(String group: ugi.getGroupNames()) {
|
||||||
|
@ -20,6 +20,7 @@
|
|||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
|
|
||||||
|
|
||||||
@ -78,18 +79,6 @@ public void testAccessControlList() throws Exception {
|
|||||||
assertEquals(groups.iterator().next(), "tardis");
|
assertEquals(groups.iterator().next(), "tardis");
|
||||||
|
|
||||||
Iterator<String> iter;
|
Iterator<String> iter;
|
||||||
acl = new AccessControlList("drwho,joe tardis,users");
|
|
||||||
users = acl.getUsers();
|
|
||||||
assertEquals(users.size(), 2);
|
|
||||||
iter = users.iterator();
|
|
||||||
assertEquals(iter.next(), "drwho");
|
|
||||||
assertEquals(iter.next(), "joe");
|
|
||||||
groups = acl.getGroups();
|
|
||||||
assertEquals(groups.size(), 2);
|
|
||||||
iter = groups.iterator();
|
|
||||||
assertEquals(iter.next(), "tardis");
|
|
||||||
assertEquals(iter.next(), "users");
|
|
||||||
|
|
||||||
acl = new AccessControlList("drwho,joe tardis, users");
|
acl = new AccessControlList("drwho,joe tardis, users");
|
||||||
users = acl.getUsers();
|
users = acl.getUsers();
|
||||||
assertEquals(users.size(), 2);
|
assertEquals(users.size(), 2);
|
||||||
@ -102,4 +91,67 @@ public void testAccessControlList() throws Exception {
|
|||||||
assertEquals(iter.next(), "tardis");
|
assertEquals(iter.next(), "tardis");
|
||||||
assertEquals(iter.next(), "users");
|
assertEquals(iter.next(), "users");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify the method isUserAllowed()
|
||||||
|
*/
|
||||||
|
public void testIsUserAllowed() {
|
||||||
|
AccessControlList acl;
|
||||||
|
|
||||||
|
UserGroupInformation drwho =
|
||||||
|
UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
|
||||||
|
new String[] { "aliens", "humanoids", "timelord" });
|
||||||
|
UserGroupInformation susan =
|
||||||
|
UserGroupInformation.createUserForTesting("susan@APACHE.ORG",
|
||||||
|
new String[] { "aliens", "humanoids", "timelord" });
|
||||||
|
UserGroupInformation barbara =
|
||||||
|
UserGroupInformation.createUserForTesting("barbara@APACHE.ORG",
|
||||||
|
new String[] { "humans", "teachers" });
|
||||||
|
UserGroupInformation ian =
|
||||||
|
UserGroupInformation.createUserForTesting("ian@APACHE.ORG",
|
||||||
|
new String[] { "humans", "teachers" });
|
||||||
|
|
||||||
|
acl = new AccessControlList("drwho humanoids");
|
||||||
|
assertUserAllowed(drwho, acl);
|
||||||
|
assertUserAllowed(susan, acl);
|
||||||
|
assertUserNotAllowed(barbara, acl);
|
||||||
|
assertUserNotAllowed(ian, acl);
|
||||||
|
|
||||||
|
acl = new AccessControlList("drwho");
|
||||||
|
assertUserAllowed(drwho, acl);
|
||||||
|
assertUserNotAllowed(susan, acl);
|
||||||
|
assertUserNotAllowed(barbara, acl);
|
||||||
|
assertUserNotAllowed(ian, acl);
|
||||||
|
|
||||||
|
acl = new AccessControlList("drwho ");
|
||||||
|
assertUserAllowed(drwho, acl);
|
||||||
|
assertUserNotAllowed(susan, acl);
|
||||||
|
assertUserNotAllowed(barbara, acl);
|
||||||
|
assertUserNotAllowed(ian, acl);
|
||||||
|
|
||||||
|
acl = new AccessControlList(" humanoids");
|
||||||
|
assertUserAllowed(drwho, acl);
|
||||||
|
assertUserAllowed(susan, acl);
|
||||||
|
assertUserNotAllowed(barbara, acl);
|
||||||
|
assertUserNotAllowed(ian, acl);
|
||||||
|
|
||||||
|
acl = new AccessControlList("drwho,ian aliens,teachers");
|
||||||
|
assertUserAllowed(drwho, acl);
|
||||||
|
assertUserAllowed(susan, acl);
|
||||||
|
assertUserAllowed(barbara, acl);
|
||||||
|
assertUserAllowed(ian, acl);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void assertUserAllowed(UserGroupInformation ugi,
|
||||||
|
AccessControlList acl) {
|
||||||
|
assertTrue("User " + ugi + " is not granted the access-control!!",
|
||||||
|
acl.isUserAllowed(ugi));
|
||||||
|
}
|
||||||
|
|
||||||
|
private void assertUserNotAllowed(UserGroupInformation ugi,
|
||||||
|
AccessControlList acl) {
|
||||||
|
assertFalse("User " + ugi
|
||||||
|
+ " is incorrectly granted the access-control!!",
|
||||||
|
acl.isUserAllowed(ugi));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user