HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by Vinayakumar B.

This commit is contained in:
cnauroth 2014-11-11 13:29:55 -08:00
parent 456b973819
commit 163bb55067
3 changed files with 39 additions and 2 deletions

View File

@ -413,6 +413,9 @@ Release 2.7.0 - UNRELEASED
HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write
(brandonli) (brandonli)
HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity.
(Vinayakumar B via cnauroth)
Release 2.6.0 - 2014-11-15 Release 2.6.0 - 2014-11-15
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -327,6 +327,7 @@ private void checkAccessAcl(INode inode, int snapshotId, FsAction access,
return; return;
} }
foundMatch = true; foundMatch = true;
break;
} }
} else if (type == AclEntryType.GROUP) { } else if (type == AclEntryType.GROUP) {
// Use group entry (unnamed or named) with mask from permission bits // Use group entry (unnamed or named) with mask from permission bits

View File

@ -65,6 +65,9 @@ public abstract class FSAclBaseTest {
private static final UserGroupInformation SUPERGROUP_MEMBER = private static final UserGroupInformation SUPERGROUP_MEMBER =
UserGroupInformation.createUserForTesting("super", new String[] { UserGroupInformation.createUserForTesting("super", new String[] {
DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT }); DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT });
// group member
private static final UserGroupInformation BOB = UserGroupInformation
.createUserForTesting("bob", new String[] { "groupY", "groupZ" });
protected static MiniDFSCluster cluster; protected static MiniDFSCluster cluster;
protected static Configuration conf; protected static Configuration conf;
@ -74,7 +77,7 @@ public abstract class FSAclBaseTest {
@Rule @Rule
public ExpectedException exception = ExpectedException.none(); public ExpectedException exception = ExpectedException.none();
private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember; private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob;
@AfterClass @AfterClass
public static void shutdown() { public static void shutdown() {
@ -93,7 +96,7 @@ public void setUp() throws Exception {
@After @After
public void destroyFileSystems() { public void destroyFileSystems() {
IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember); IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);
fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = null; fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = fsAsBob = null;
} }
@Test @Test
@ -1283,6 +1286,35 @@ public void testAccess() throws IOException, InterruptedException {
} catch (FileNotFoundException e) { } catch (FileNotFoundException e) {
// expected // expected
} }
// Add a named group entry with only READ access
fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
aclEntry(ACCESS, GROUP, "groupY", READ)));
// Now bob should have read access, but not write
fsAsBob.access(p1, READ);
try {
fsAsBob.access(p1, WRITE);
fail("The access call should have failed.");
} catch (AccessControlException e) {
// expected;
}
// Add another named group entry with WRITE access
fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
aclEntry(ACCESS, GROUP, "groupZ", WRITE)));
// Now bob should have write access
fsAsBob.access(p1, WRITE);
// Add a named user entry to deny bob
fsAsBruce.modifyAclEntries(p1,
Lists.newArrayList(aclEntry(ACCESS, USER, "bob", NONE)));
try {
fsAsBob.access(p1, READ);
fail("The access call should have failed.");
} catch (AccessControlException e) {
// expected;
}
} }
/** /**
@ -1316,6 +1348,7 @@ private void initFileSystems() throws Exception {
fs = createFileSystem(); fs = createFileSystem();
fsAsBruce = createFileSystem(BRUCE); fsAsBruce = createFileSystem(BRUCE);
fsAsDiana = createFileSystem(DIANA); fsAsDiana = createFileSystem(DIANA);
fsAsBob = createFileSystem(BOB);
fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER); fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER);
} }