From 5428d36b56fab319ab68258139d6133ded9bbafc Mon Sep 17 00:00:00 2001 From: Szilard Nemeth Date: Wed, 8 Sep 2021 17:27:22 +0200 Subject: [PATCH] HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne --- .../security/authorize/AccessControlList.java | 12 +++++++++--- .../authorize/TestAccessControlList.java | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java index e86d918b05..aa5b01fbed 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -56,6 +56,7 @@ public class AccessControlList implements Writable { // Indicates an ACL string that represents access to all users public static final String WILDCARD_ACL_VALUE = "*"; private static final int INITIAL_CAPACITY = 256; + public static final String USE_REAL_ACLS = "~"; // Set of users who are granted access. private Collection users; @@ -224,9 +225,12 @@ public Collection getGroups() { /** * Checks if a user represented by the provided {@link UserGroupInformation} - * is a member of the Access Control List + * is a member of the Access Control List. If user was proxied and + * USE_REAL_ACLS + the real user name is in the control list, then treat this + * case as if user were in the ACL list. * @param ugi UserGroupInformation to check if contained in the ACL - * @return true if ugi is member of the list + * @return true if ugi is member of the list or if USE_REAL_ACLS + real user + * is in the list */ public final boolean isUserInList(UserGroupInformation ugi) { if (allAllowed || users.contains(ugi.getShortUserName())) { @@ -239,7 +243,9 @@ public final boolean isUserInList(UserGroupInformation ugi) { } } } - return false; + UserGroupInformation realUgi = ugi.getRealUser(); + return realUgi != null && + users.contains(USE_REAL_ACLS + realUgi.getShortUserName()); } public boolean isUserAllowed(UserGroupInformation ugi) { diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java index 8e1b82bea9..53ab275b66 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java @@ -471,4 +471,22 @@ private void assertUserNotAllowed(UserGroupInformation ugi, + " is incorrectly granted the access-control!!", acl.isUserAllowed(ugi)); } + + @Test + public void testUseRealUserAclsForProxiedUser() { + String realUser = "realUser"; + AccessControlList acl = new AccessControlList(realUser); + UserGroupInformation realUserUgi = + UserGroupInformation.createRemoteUser(realUser); + UserGroupInformation user1 = + UserGroupInformation.createProxyUserForTesting("regularJane", + realUserUgi, new String [] {"group1"}); + assertFalse("User " + user1 + " should not have been granted access.", + acl.isUserAllowed(user1)); + + acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser); + + assertTrue("User " + user1 + " should have access but was denied.", + acl.isUserAllowed(user1)); + } }