From 44606aa8508a6e98219b8330e625c8d397bfb067 Mon Sep 17 00:00:00 2001 From: Xiao Chen Date: Thu, 26 Jan 2017 10:44:29 -0800 Subject: [PATCH] HDFS-11364. Add a test to verify Audit log entries for setfacl/getfacl commands over FS shell. Contributed by Manoj Govindassamy. --- .../hdfs/server/namenode/TestAuditLogger.java | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java index d637abc3e3..0e3cc8dc5a 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java @@ -26,6 +26,7 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.permission.AclEntry; import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hdfs.DFSTestUtil; import org.apache.hadoop.hdfs.HdfsConfiguration; import org.apache.hadoop.hdfs.MiniDFSCluster; import org.apache.hadoop.hdfs.server.namenode.top.TopAuditLogger; @@ -58,6 +59,14 @@ import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_ENABLED_KEY; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY; +import static org.apache.hadoop.fs.permission.AclEntryScope.ACCESS; +import static org.apache.hadoop.fs.permission.AclEntryScope.DEFAULT; +import static org.apache.hadoop.fs.permission.AclEntryType.GROUP; +import static org.apache.hadoop.fs.permission.AclEntryType.OTHER; +import static org.apache.hadoop.fs.permission.AclEntryType.USER; +import static org.apache.hadoop.fs.permission.FsAction.ALL; +import static org.apache.hadoop.fs.permission.FsAction.EXECUTE; +import static org.apache.hadoop.fs.permission.FsAction.READ_EXECUTE; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_AUDIT_LOGGERS_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.NNTOP_ENABLED_KEY; @@ -443,6 +452,70 @@ public void testAuditLogWithAclFailure() throws Exception { } } + /** + * Verify Audit log entries for the successful ACL API calls and ACL commands + * over FS Shell. + */ + @Test (timeout = 60000) + public void testAuditLogForAcls() throws Exception { + final Configuration conf = new HdfsConfiguration(); + conf.setBoolean(DFS_NAMENODE_ACLS_ENABLED_KEY, true); + conf.set(DFS_NAMENODE_AUDIT_LOGGERS_KEY, + DummyAuditLogger.class.getName()); + final MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).build(); + try { + cluster.waitClusterUp(); + assertTrue(DummyAuditLogger.initialized); + + final FileSystem fs = cluster.getFileSystem(); + final Path p = new Path("/debug.log"); + DFSTestUtil.createFile(fs, p, 1024, (short)1, 0L); + + DummyAuditLogger.resetLogCount(); + fs.getAclStatus(p); + assertEquals(1, DummyAuditLogger.logCount); + + // FS shell command '-getfacl' additionally calls getFileInfo() and then + // followed by getAclStatus() only if the ACL bit is set. Since the + // initial permission didn't have the ACL bit set, getAclStatus() is + // skipped. + DFSTestUtil.FsShellRun("-getfacl " + p.toUri().getPath(), 0, null, conf); + assertEquals(2, DummyAuditLogger.logCount); + + final List acls = Lists.newArrayList(); + acls.add(AclTestHelpers.aclEntry(ACCESS, USER, ALL)); + acls.add(AclTestHelpers.aclEntry(ACCESS, USER, "user1", ALL)); + acls.add(AclTestHelpers.aclEntry(ACCESS, GROUP, READ_EXECUTE)); + acls.add(AclTestHelpers.aclEntry(ACCESS, OTHER, EXECUTE)); + + fs.setAcl(p, acls); + assertEquals(3, DummyAuditLogger.logCount); + + // Since the file has ACL bit set, FS shell command '-getfacl' should now + // call getAclStatus() additionally after getFileInfo(). + DFSTestUtil.FsShellRun("-getfacl " + p.toUri().getPath(), 0, null, conf); + assertEquals(5, DummyAuditLogger.logCount); + + fs.removeAcl(p); + assertEquals(6, DummyAuditLogger.logCount); + + List aclsToRemove = Lists.newArrayList(); + aclsToRemove.add(AclTestHelpers.aclEntry(DEFAULT, USER, "user1", ALL)); + fs.removeAclEntries(p, aclsToRemove); + fs.removeDefaultAcl(p); + assertEquals(8, DummyAuditLogger.logCount); + + // User ACL has been removed, FS shell command '-getfacl' should now + // skip call to getAclStatus() after getFileInfo(). + DFSTestUtil.FsShellRun("-getfacl " + p.toUri().getPath(), 0, null, conf); + assertEquals(9, DummyAuditLogger.logCount); + assertEquals(0, DummyAuditLogger.unsuccessfulCount); + } finally { + cluster.shutdown(); + } + } + + /** * Tests that a broken audit logger causes requests to fail. */