HDFS-12062. removeErasureCodingPolicy needs super user permission. Contributed by Wei-Chiu Chuang.
This commit is contained in:
parent
9902be72cb
commit
369f731264
@ -2774,25 +2774,43 @@ public HashMap<String, String> getErasureCodingCodecs() throws IOException {
|
|||||||
public AddECPolicyResponse[] addErasureCodingPolicies(
|
public AddECPolicyResponse[] addErasureCodingPolicies(
|
||||||
ErasureCodingPolicy[] policies) throws IOException {
|
ErasureCodingPolicy[] policies) throws IOException {
|
||||||
checkOpen();
|
checkOpen();
|
||||||
return namenode.addErasureCodingPolicies(policies);
|
try (TraceScope ignored = tracer.newScope("addErasureCodingPolicies")) {
|
||||||
|
return namenode.addErasureCodingPolicies(policies);
|
||||||
|
} catch (RemoteException re) {
|
||||||
|
throw re.unwrapRemoteException(AccessControlException.class);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void removeErasureCodingPolicy(String ecPolicyName)
|
public void removeErasureCodingPolicy(String ecPolicyName)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
checkOpen();
|
checkOpen();
|
||||||
namenode.removeErasureCodingPolicy(ecPolicyName);
|
try (TraceScope ignored = tracer.newScope("removeErasureCodingPolicy")) {
|
||||||
|
namenode.removeErasureCodingPolicy(ecPolicyName);
|
||||||
|
} catch (RemoteException re) {
|
||||||
|
throw re.unwrapRemoteException(AccessControlException.class);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void enableErasureCodingPolicy(String ecPolicyName)
|
public void enableErasureCodingPolicy(String ecPolicyName)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
checkOpen();
|
checkOpen();
|
||||||
namenode.enableErasureCodingPolicy(ecPolicyName);
|
try (TraceScope ignored = tracer.newScope("enableErasureCodingPolicy")) {
|
||||||
|
namenode.enableErasureCodingPolicy(ecPolicyName);
|
||||||
|
} catch (RemoteException re) {
|
||||||
|
throw re.unwrapRemoteException(AccessControlException.class,
|
||||||
|
SafeModeException.class);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void disableErasureCodingPolicy(String ecPolicyName)
|
public void disableErasureCodingPolicy(String ecPolicyName)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
checkOpen();
|
checkOpen();
|
||||||
namenode.disableErasureCodingPolicy(ecPolicyName);
|
try (TraceScope ignored = tracer.newScope("disableErasureCodingPolicy")) {
|
||||||
|
namenode.disableErasureCodingPolicy(ecPolicyName);
|
||||||
|
} catch (RemoteException re) {
|
||||||
|
throw re.unwrapRemoteException(AccessControlException.class,
|
||||||
|
SafeModeException.class);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public DFSInotifyEventInputStream getInotifyEventStream() throws IOException {
|
public DFSInotifyEventInputStream getInotifyEventStream() throws IOException {
|
||||||
|
@ -2304,6 +2304,7 @@ public AddECPolicyResponse[] addErasureCodingPolicies(
|
|||||||
public void removeErasureCodingPolicy(String ecPolicyName)
|
public void removeErasureCodingPolicy(String ecPolicyName)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
checkNNStartup();
|
checkNNStartup();
|
||||||
|
namesystem.checkSuperuserPrivilege();
|
||||||
namesystem.removeErasureCodingPolicy(ecPolicyName);
|
namesystem.removeErasureCodingPolicy(ecPolicyName);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -93,6 +93,7 @@
|
|||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.net.ScriptBasedMapping;
|
import org.apache.hadoop.net.ScriptBasedMapping;
|
||||||
import org.apache.hadoop.net.StaticMapping;
|
import org.apache.hadoop.net.StaticMapping;
|
||||||
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.test.GenericTestUtils;
|
import org.apache.hadoop.test.GenericTestUtils;
|
||||||
import org.apache.hadoop.util.DataChecksum;
|
import org.apache.hadoop.util.DataChecksum;
|
||||||
@ -1561,6 +1562,27 @@ public void testRemoveErasureCodingPolicy() throws Exception {
|
|||||||
fs.removeErasureCodingPolicy(policyName);
|
fs.removeErasureCodingPolicy(policyName);
|
||||||
assertEquals(policyName, ErasureCodingPolicyManager.getInstance().
|
assertEquals(policyName, ErasureCodingPolicyManager.getInstance().
|
||||||
getRemovedPolicies().get(0).getName());
|
getRemovedPolicies().get(0).getName());
|
||||||
|
|
||||||
|
// remove erasure coding policy as a user without privilege
|
||||||
|
UserGroupInformation fakeUGI = UserGroupInformation.createUserForTesting(
|
||||||
|
"ProbablyNotARealUserName", new String[] {"ShangriLa"});
|
||||||
|
final MiniDFSCluster finalCluster = cluster;
|
||||||
|
fakeUGI.doAs(new PrivilegedExceptionAction<Object>() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
DistributedFileSystem fs = finalCluster.getFileSystem();
|
||||||
|
try {
|
||||||
|
fs.removeErasureCodingPolicy(policyName);
|
||||||
|
fail();
|
||||||
|
} catch (AccessControlException ace) {
|
||||||
|
GenericTestUtils.assertExceptionContains("Access denied for user " +
|
||||||
|
"ProbablyNotARealUserName. Superuser privilege is required",
|
||||||
|
ace);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
} finally {
|
} finally {
|
||||||
if (cluster != null) {
|
if (cluster != null) {
|
||||||
cluster.shutdown();
|
cluster.shutdown();
|
||||||
@ -1609,6 +1631,34 @@ public void testEnableAndDisableErasureCodingPolicy() throws Exception {
|
|||||||
GenericTestUtils.assertExceptionContains("does not exists", e);
|
GenericTestUtils.assertExceptionContains("does not exists", e);
|
||||||
// pass
|
// pass
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// disable and enable erasure coding policy as a user without privilege
|
||||||
|
UserGroupInformation fakeUGI = UserGroupInformation.createUserForTesting(
|
||||||
|
"ProbablyNotARealUserName", new String[] {"ShangriLa"});
|
||||||
|
final MiniDFSCluster finalCluster = cluster;
|
||||||
|
fakeUGI.doAs(new PrivilegedExceptionAction<Object>() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
DistributedFileSystem fs = finalCluster.getFileSystem();
|
||||||
|
try {
|
||||||
|
fs.disableErasureCodingPolicy(policyName);
|
||||||
|
fail();
|
||||||
|
} catch (AccessControlException ace) {
|
||||||
|
GenericTestUtils.assertExceptionContains("Access denied for user " +
|
||||||
|
"ProbablyNotARealUserName. Superuser privilege is required",
|
||||||
|
ace);
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
fs.enableErasureCodingPolicy(policyName);
|
||||||
|
fail();
|
||||||
|
} catch (AccessControlException ace) {
|
||||||
|
GenericTestUtils.assertExceptionContains("Access denied for user " +
|
||||||
|
"ProbablyNotARealUserName. Superuser privilege is required",
|
||||||
|
ace);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
} finally {
|
} finally {
|
||||||
if (cluster != null) {
|
if (cluster != null) {
|
||||||
cluster.shutdown();
|
cluster.shutdown();
|
||||||
|
@ -693,5 +693,25 @@ public void testAddErasureCodingPolicies() throws Exception {
|
|||||||
assertTrue(responses[0].isSucceed());
|
assertTrue(responses[0].isSucceed());
|
||||||
assertEquals(SystemErasureCodingPolicies.getPolicies().size() + 1,
|
assertEquals(SystemErasureCodingPolicies.getPolicies().size() + 1,
|
||||||
ErasureCodingPolicyManager.getInstance().getPolicies().length);
|
ErasureCodingPolicyManager.getInstance().getPolicies().length);
|
||||||
|
|
||||||
|
// add erasure coding policy as a user without privilege
|
||||||
|
UserGroupInformation fakeUGI = UserGroupInformation.createUserForTesting(
|
||||||
|
"ProbablyNotARealUserName", new String[] {"ShangriLa"});
|
||||||
|
final ErasureCodingPolicy ecPolicy = newPolicy;
|
||||||
|
fakeUGI.doAs(new PrivilegedExceptionAction<Object>() {
|
||||||
|
@Override
|
||||||
|
public Object run() throws Exception {
|
||||||
|
DistributedFileSystem fs = cluster.getFileSystem();
|
||||||
|
try {
|
||||||
|
fs.addErasureCodingPolicies(new ErasureCodingPolicy[]{ecPolicy});
|
||||||
|
fail();
|
||||||
|
} catch (AccessControlException ace) {
|
||||||
|
GenericTestUtils.assertExceptionContains("Access denied for user " +
|
||||||
|
"ProbablyNotARealUserName. Superuser privilege is required",
|
||||||
|
ace);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user