HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by Vinayakumar B.
parent
456b973819
commit
163bb55067
@ -413,6 +413,9 @@ Release 2.7.0 - UNRELEASED
|
|||||||
HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write
|
HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write
|
||||||
(brandonli)
|
(brandonli)
|
||||||
|
|
||||||
|
HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity.
|
||||||
|
(Vinayakumar B via cnauroth)
|
||||||
|
|
||||||
Release 2.6.0 - 2014-11-15
|
Release 2.6.0 - 2014-11-15
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
@ -327,6 +327,7 @@ private void checkAccessAcl(INode inode, int snapshotId, FsAction access,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
foundMatch = true;
|
foundMatch = true;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
} else if (type == AclEntryType.GROUP) {
|
} else if (type == AclEntryType.GROUP) {
|
||||||
// Use group entry (unnamed or named) with mask from permission bits
|
// Use group entry (unnamed or named) with mask from permission bits
|
||||||
|
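Review bot: The added `break;` after `foundMatch = true;` in the named-user branch is the access-control fix itself, but nothing in the code says why it is there. Once a named user entry matches the caller and its masked permission does not imply the requested access, evaluation has to stop so that the following `else if (type == AclEntryType.GROUP)` branch cannot grant what the user entry withheld. I would put a comment directly above it, for example `// Named user entry matched but denied: stop so later group entries cannot grant access.` The loop header and the code after the loop are outside this hunk, so it is worth confirming that no later fallback in checkAccessAcl grants access when `foundMatch` is already true.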
@ -65,6 +65,9 @@ public abstract class FSAclBaseTest {
|
|||||||
private static final UserGroupInformation SUPERGROUP_MEMBER =
|
private static final UserGroupInformation SUPERGROUP_MEMBER =
|
||||||
UserGroupInformation.createUserForTesting("super", new String[] {
|
UserGroupInformation.createUserForTesting("super", new String[] {
|
||||||
DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT });
|
DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT });
|
||||||
|
// group member
|
||||||
|
private static final UserGroupInformation BOB = UserGroupInformation
|
||||||
|
.createUserForTesting("bob", new String[] { "groupY", "groupZ" });
|
||||||
|
|
||||||
protected static MiniDFSCluster cluster;
|
protected static MiniDFSCluster cluster;
|
||||||
protected static Configuration conf;
|
protected static Configuration conf;
|
||||||
@ -74,7 +77,7 @@ public abstract class FSAclBaseTest {
|
|||||||
@Rule
|
@Rule
|
||||||
public ExpectedException exception = ExpectedException.none();
|
public ExpectedException exception = ExpectedException.none();
|
||||||
|
|
||||||
private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember;
|
private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob;
|
||||||
|
|
||||||
@AfterClass
|
@AfterClass
|
||||||
public static void shutdown() {
|
public static void shutdown() {
|
||||||
@ -93,7 +96,7 @@ public void setUp() throws Exception {
|
|||||||
@After
|
@After
|
||||||
public void destroyFileSystems() {
|
public void destroyFileSystems() {
|
||||||
IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);
|
IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);
|
||||||
fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = null;
|
fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = fsAsBob = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -1283,6 +1286,35 @@ public void testAccess() throws IOException, InterruptedException {
|
|||||||
} catch (FileNotFoundException e) {
|
} catch (FileNotFoundException e) {
|
||||||
// expected
|
// expected
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Add a named group entry with only READ access
|
||||||
|
fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
|
||||||
|
aclEntry(ACCESS, GROUP, "groupY", READ)));
|
||||||
|
// Now bob should have read access, but not write
|
||||||
|
fsAsBob.access(p1, READ);
|
||||||
|
try {
|
||||||
|
fsAsBob.access(p1, WRITE);
|
||||||
|
fail("The access call should have failed.");
|
||||||
|
} catch (AccessControlException e) {
|
||||||
|
// expected;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add another named group entry with WRITE access
|
||||||
|
fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
|
||||||
|
aclEntry(ACCESS, GROUP, "groupZ", WRITE)));
|
||||||
|
// Now bob should have write access
|
||||||
|
fsAsBob.access(p1, WRITE);
|
||||||
|
|
||||||
|
// Add a named user entry to deny bob
|
||||||
|
fsAsBruce.modifyAclEntries(p1,
|
||||||
|
Lists.newArrayList(aclEntry(ACCESS, USER, "bob", NONE)));
|
||||||
|
|
||||||
|
try {
|
||||||
|
fsAsBob.access(p1, READ);
|
||||||
|
fail("The access call should have failed.");
|
||||||
|
} catch (AccessControlException e) {
|
||||||
|
// expected;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1316,6 +1348,7 @@ private void initFileSystems() throws Exception {
|
|||||||
fs = createFileSystem();
|
fs = createFileSystem();
|
||||||
fsAsBruce = createFileSystem(BRUCE);
|
fsAsBruce = createFileSystem(BRUCE);
|
||||||
fsAsDiana = createFileSystem(DIANA);
|
fsAsDiana = createFileSystem(DIANA);
|
||||||
|
fsAsBob = createFileSystem(BOB);
|
||||||
fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER);
|
fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
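Review bot: `fsAsBob` is never closed. In `destroyFileSystems` the call `IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);` is unchanged, while the next line now also sets `fsAsBob = null`. The handle opened by `fsAsBob = createFileSystem(BOB);` in `initFileSystems` is therefore dropped without cleanup. Pass it to the cleanup call as well: `IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob);`.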