HADOOP-6634. Fix AccessControlList to use short names to verify access control. Contributed by Vinod Kumar Vavilapalli.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@939242 13f79535-47bb-0310-9956-ffa450edef68
Sharad Agarwal 2010-04-29 09:31:30 +00:00
parent 8991eb7959
commit 00cb892150
3 changed files with 69 additions and 14 deletions


@ -382,6 +382,9 @@ Trunk (unreleased changes)
HADOOP-6722. NetUtils.connect should check that it hasn't connected a socket HADOOP-6722. NetUtils.connect should check that it hasn't connected a socket
to itself. (Todd Lipcon via tomwhite) to itself. (Todd Lipcon via tomwhite)
HADOOP-6634. Fix AccessControlList to use short names to verify access
control. (Vinod Kumar Vavilapalli via sharad)
Release 0.21.0 - Unreleased Release 0.21.0 - Unreleased
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -93,7 +93,7 @@ Set<String> getGroups() {
} }
public boolean isUserAllowed(UserGroupInformation ugi) { public boolean isUserAllowed(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getUserName())) { if (allAllowed || users.contains(ugi.getShortUserName())) {
return true; return true;
} else { } else {
for(String group: ugi.getGroupNames()) { for(String group: ugi.getGroupNames()) {
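Review bot: The user check in `isUserAllowed` now compares ACL entries with `ugi.getShortUserName()`, so the realm (and any host component) of the caller's principal no longer takes part in the authorization decision, and nothing on the method says so. Principals from different realms that map to the same short name would match the same ACL entry, and an ACL entry written as a full principal would presumably stop matching; both depend on how principals are mapped to short names, which is not visible in this hunk. I would add a Javadoc to the method, for example `/** Checks the short user name and the group names of ugi against this ACL; user entries must be short names, the realm is not compared. */`. The method body continues past the end of the hunk.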


@ -20,6 +20,7 @@
import java.util.Iterator; import java.util.Iterator;
import java.util.Set; import java.util.Set;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.AccessControlList;
@ -77,19 +78,7 @@ public void testAccessControlList() throws Exception {
assertEquals(groups.size(), 1); assertEquals(groups.size(), 1);
assertEquals(groups.iterator().next(), "tardis"); assertEquals(groups.iterator().next(), "tardis");
Iterator<String> iter; Iterator<String> iter;
acl = new AccessControlList("drwho,joe tardis,users");
users = acl.getUsers();
assertEquals(users.size(), 2);
iter = users.iterator();
assertEquals(iter.next(), "drwho");
assertEquals(iter.next(), "joe");
groups = acl.getGroups();
assertEquals(groups.size(), 2);
iter = groups.iterator();
assertEquals(iter.next(), "tardis");
assertEquals(iter.next(), "users");
acl = new AccessControlList("drwho,joe tardis, users"); acl = new AccessControlList("drwho,joe tardis, users");
users = acl.getUsers(); users = acl.getUsers();
assertEquals(users.size(), 2); assertEquals(users.size(), 2);
@ -102,4 +91,67 @@ public void testAccessControlList() throws Exception {
assertEquals(iter.next(), "tardis"); assertEquals(iter.next(), "tardis");
assertEquals(iter.next(), "users"); assertEquals(iter.next(), "users");
} }
/**
* Verify the method isUserAllowed()
*/
public void testIsUserAllowed() {
AccessControlList acl;
UserGroupInformation drwho =
UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
new String[] { "aliens", "humanoids", "timelord" });
UserGroupInformation susan =
UserGroupInformation.createUserForTesting("susan@APACHE.ORG",
new String[] { "aliens", "humanoids", "timelord" });
UserGroupInformation barbara =
UserGroupInformation.createUserForTesting("barbara@APACHE.ORG",
new String[] { "humans", "teachers" });
UserGroupInformation ian =
UserGroupInformation.createUserForTesting("ian@APACHE.ORG",
new String[] { "humans", "teachers" });
acl = new AccessControlList("drwho humanoids");
assertUserAllowed(drwho, acl);
assertUserAllowed(susan, acl);
assertUserNotAllowed(barbara, acl);
assertUserNotAllowed(ian, acl);
acl = new AccessControlList("drwho");
assertUserAllowed(drwho, acl);
assertUserNotAllowed(susan, acl);
assertUserNotAllowed(barbara, acl);
assertUserNotAllowed(ian, acl);
acl = new AccessControlList("drwho ");
assertUserAllowed(drwho, acl);
assertUserNotAllowed(susan, acl);
assertUserNotAllowed(barbara, acl);
assertUserNotAllowed(ian, acl);
acl = new AccessControlList(" humanoids");
assertUserAllowed(drwho, acl);
assertUserAllowed(susan, acl);
assertUserNotAllowed(barbara, acl);
assertUserNotAllowed(ian, acl);
acl = new AccessControlList("drwho,ian aliens,teachers");
assertUserAllowed(drwho, acl);
assertUserAllowed(susan, acl);
assertUserAllowed(barbara, acl);
assertUserAllowed(ian, acl);
}
private void assertUserAllowed(UserGroupInformation ugi,
AccessControlList acl) {
assertTrue("User " + ugi + " is not granted the access-control!!",
acl.isUserAllowed(ugi));
}
private void assertUserNotAllowed(UserGroupInformation ugi,
AccessControlList acl) {
assertFalse("User " + ugi
+ " is incorrectly granted the access-control!!",
acl.isUserAllowed(ugi));
}
} }
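Review bot: Every principal in `testIsUserAllowed` is in the realm APACHE.ORG and every ACL is written with short names, so the test does not pin the cases the switch to short names makes sensitive. One is an ACL entry given as a full principal, the other a caller whose principal differs from a listed user only in its realm. A case such as `acl = new AccessControlList("drwho@APACHE.ORG");` followed by `assertUserNotAllowed(drwho, acl);` would record that a full name in an ACL fails closed, assuming that is the intended behaviour. A short comment above the test saying that the short names are expected to be the part before `@` would also help, since the mapping itself is not shown here.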