big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne

Browse Source
This commit is contained in:
Szilard Nemeth 2021-09-08 17:27:22 +02:00
parent 5e166898aa
commit 5428d36b56
2 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
View File

@ -56,6 +56,7 @@ public class AccessControlList implements Writable {
// Indicates an ACL string that represents access to all users // Indicates an ACL string that represents access to all users
public static final String WILDCARD_ACL_VALUE = "*"; public static final String WILDCARD_ACL_VALUE = "*";
private static final int INITIAL_CAPACITY = 256; private static final int INITIAL_CAPACITY = 256;
public static final String USE_REAL_ACLS = "~";
// Set of users who are granted access. // Set of users who are granted access.
private Collection<String> users; private Collection<String> users;
@ -224,9 +225,12 @@ public Collection<String> getGroups() {
/** /**
* Checks if a user represented by the provided {@link UserGroupInformation} * Checks if a user represented by the provided {@link UserGroupInformation}
* is a member of the Access Control List * is a member of the Access Control List. If user was proxied and
* USE_REAL_ACLS + the real user name is in the control list, then treat this
* case as if user were in the ACL list.
* @param ugi UserGroupInformation to check if contained in the ACL * @param ugi UserGroupInformation to check if contained in the ACL
* @return true if ugi is member of the list * @return true if ugi is member of the list or if USE_REAL_ACLS + real user
* is in the list
*/ */
public final boolean isUserInList(UserGroupInformation ugi) { public final boolean isUserInList(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getShortUserName())) { if (allAllowed || users.contains(ugi.getShortUserName())) {
@ -239,7 +243,9 @@ public final boolean isUserInList(UserGroupInformation ugi) {
} }
} }
} }
return false; UserGroupInformation realUgi = ugi.getRealUser();
return realUgi != null &&
users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
} }
public boolean isUserAllowed(UserGroupInformation ugi) { public boolean isUserAllowed(UserGroupInformation ugi) {

18
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
View File

@ -471,4 +471,22 @@ private void assertUserNotAllowed(UserGroupInformation ugi,
+ " is incorrectly granted the access-control!!", + " is incorrectly granted the access-control!!",
acl.isUserAllowed(ugi)); acl.isUserAllowed(ugi));
} }
@Test
public void testUseRealUserAclsForProxiedUser() {
String realUser = "realUser";
AccessControlList acl = new AccessControlList(realUser);
UserGroupInformation realUserUgi =
UserGroupInformation.createRemoteUser(realUser);
UserGroupInformation user1 =
UserGroupInformation.createProxyUserForTesting("regularJane",
realUserUgi, new String [] {"group1"});
assertFalse("User " + user1 + " should not have been granted access.",
acl.isUserAllowed(user1));
acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
assertTrue("User " + user1 + " should have access but was denied.",
acl.isUserAllowed(user1));
}
} }