HDFS-11364. Add a test to verify Audit log entries for setfacl/getfacl commands over FS shell. Contributed by Manoj Govindassamy.

This commit is contained in:
Xiao Chen 2017-01-26 10:44:29 -08:00
parent f85b74ccf9
commit 44606aa850

View File

@ -26,6 +26,7 @@
import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.AclEntry; import org.apache.hadoop.fs.permission.AclEntry;
import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.DFSTestUtil;
import org.apache.hadoop.hdfs.HdfsConfiguration; import org.apache.hadoop.hdfs.HdfsConfiguration;
import org.apache.hadoop.hdfs.MiniDFSCluster; import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hdfs.server.namenode.top.TopAuditLogger; import org.apache.hadoop.hdfs.server.namenode.top.TopAuditLogger;
@ -58,6 +59,14 @@
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_ENABLED_KEY; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_ENABLED_KEY;
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY;
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY;
import static org.apache.hadoop.fs.permission.AclEntryScope.ACCESS;
import static org.apache.hadoop.fs.permission.AclEntryScope.DEFAULT;
import static org.apache.hadoop.fs.permission.AclEntryType.GROUP;
import static org.apache.hadoop.fs.permission.AclEntryType.OTHER;
import static org.apache.hadoop.fs.permission.AclEntryType.USER;
import static org.apache.hadoop.fs.permission.FsAction.ALL;
import static org.apache.hadoop.fs.permission.FsAction.EXECUTE;
import static org.apache.hadoop.fs.permission.FsAction.READ_EXECUTE;
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY;
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_AUDIT_LOGGERS_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_AUDIT_LOGGERS_KEY;
import static org.apache.hadoop.hdfs.DFSConfigKeys.NNTOP_ENABLED_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.NNTOP_ENABLED_KEY;
@ -443,6 +452,70 @@ public void testAuditLogWithAclFailure() throws Exception {
} }
} }
/**
* Verify Audit log entries for the successful ACL API calls and ACL commands
* over FS Shell.
*/
@Test (timeout = 60000)
public void testAuditLogForAcls() throws Exception {
final Configuration conf = new HdfsConfiguration();
conf.setBoolean(DFS_NAMENODE_ACLS_ENABLED_KEY, true);
conf.set(DFS_NAMENODE_AUDIT_LOGGERS_KEY,
DummyAuditLogger.class.getName());
final MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).build();
try {
cluster.waitClusterUp();
assertTrue(DummyAuditLogger.initialized);
final FileSystem fs = cluster.getFileSystem();
final Path p = new Path("/debug.log");
DFSTestUtil.createFile(fs, p, 1024, (short)1, 0L);
DummyAuditLogger.resetLogCount();
fs.getAclStatus(p);
assertEquals(1, DummyAuditLogger.logCount);
// FS shell command '-getfacl' additionally calls getFileInfo() and then
// followed by getAclStatus() only if the ACL bit is set. Since the
// initial permission didn't have the ACL bit set, getAclStatus() is
// skipped.
DFSTestUtil.FsShellRun("-getfacl " + p.toUri().getPath(), 0, null, conf);
assertEquals(2, DummyAuditLogger.logCount);
final List<AclEntry> acls = Lists.newArrayList();
acls.add(AclTestHelpers.aclEntry(ACCESS, USER, ALL));
acls.add(AclTestHelpers.aclEntry(ACCESS, USER, "user1", ALL));
acls.add(AclTestHelpers.aclEntry(ACCESS, GROUP, READ_EXECUTE));
acls.add(AclTestHelpers.aclEntry(ACCESS, OTHER, EXECUTE));
fs.setAcl(p, acls);
assertEquals(3, DummyAuditLogger.logCount);
// Since the file has ACL bit set, FS shell command '-getfacl' should now
// call getAclStatus() additionally after getFileInfo().
DFSTestUtil.FsShellRun("-getfacl " + p.toUri().getPath(), 0, null, conf);
assertEquals(5, DummyAuditLogger.logCount);
fs.removeAcl(p);
assertEquals(6, DummyAuditLogger.logCount);
List<AclEntry> aclsToRemove = Lists.newArrayList();
aclsToRemove.add(AclTestHelpers.aclEntry(DEFAULT, USER, "user1", ALL));
fs.removeAclEntries(p, aclsToRemove);
fs.removeDefaultAcl(p);
assertEquals(8, DummyAuditLogger.logCount);
// User ACL has been removed, FS shell command '-getfacl' should now
// skip call to getAclStatus() after getFileInfo().
DFSTestUtil.FsShellRun("-getfacl " + p.toUri().getPath(), 0, null, conf);
assertEquals(9, DummyAuditLogger.logCount);
assertEquals(0, DummyAuditLogger.unsuccessfulCount);
} finally {
cluster.shutdown();
}
}
/** /**
* Tests that a broken audit logger causes requests to fail. * Tests that a broken audit logger causes requests to fail.
*/ */