HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne
This commit is contained in:
parent
5e166898aa
commit
5428d36b56
@ -56,6 +56,7 @@ public class AccessControlList implements Writable {
|
||||
// Indicates an ACL string that represents access to all users
|
||||
public static final String WILDCARD_ACL_VALUE = "*";
|
||||
private static final int INITIAL_CAPACITY = 256;
|
||||
public static final String USE_REAL_ACLS = "~";
|
||||
|
||||
// Set of users who are granted access.
|
||||
private Collection<String> users;
|
||||
@ -224,9 +225,12 @@ public Collection<String> getGroups() {
|
||||
|
||||
/**
|
||||
* Checks if a user represented by the provided {@link UserGroupInformation}
|
||||
* is a member of the Access Control List
|
||||
* is a member of the Access Control List. If user was proxied and
|
||||
* USE_REAL_ACLS + the real user name is in the control list, then treat this
|
||||
* case as if user were in the ACL list.
|
||||
* @param ugi UserGroupInformation to check if contained in the ACL
|
||||
* @return true if ugi is member of the list
|
||||
* @return true if ugi is member of the list or if USE_REAL_ACLS + real user
|
||||
* is in the list
|
||||
*/
|
||||
public final boolean isUserInList(UserGroupInformation ugi) {
|
||||
if (allAllowed || users.contains(ugi.getShortUserName())) {
|
||||
@ -239,7 +243,9 @@ public final boolean isUserInList(UserGroupInformation ugi) {
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
UserGroupInformation realUgi = ugi.getRealUser();
|
||||
return realUgi != null &&
|
||||
users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
|
||||
}
|
||||
|
||||
public boolean isUserAllowed(UserGroupInformation ugi) {
|
||||
|
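Review bot: The new `USE_REAL_ACLS = "~"` constant in the first hunk carries no comment, while the adjacent `WILDCARD_ACL_VALUE` does, and its effect is a widening worth stating at the declaration: an entry `~alice` admits every principal that alice is permitted to proxy, as evaluated by the new tail of `isUserInList` (`realUgi != null && users.contains(USE_REAL_ACLS + realUgi.getShortUserName())`). Because the marker is a plain prefix stored in the same `users` collection, that same entry is also matched by a non-proxied caller whose short name is literally `~alice` through the existing `users.contains(ugi.getShortUserName())` branch; whether the constructor rejects such names is outside these hunks, so that boundary should at least be documented. Suggested Javadoc for the constant: `/** Prefix marking an ACL entry that grants access to any user proxied by the named real user (e.g. "~alice"); only {@code users} entries are consulted for the real user, not its groups, and user names must not begin with this character. */`. The body of `isUserInList` begins before the third hunk.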
@ -471,4 +471,22 @@ private void assertUserNotAllowed(UserGroupInformation ugi,
|
||||
+ " is incorrectly granted the access-control!!",
|
||||
acl.isUserAllowed(ugi));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUseRealUserAclsForProxiedUser() {
|
||||
String realUser = "realUser";
|
||||
AccessControlList acl = new AccessControlList(realUser);
|
||||
UserGroupInformation realUserUgi =
|
||||
UserGroupInformation.createRemoteUser(realUser);
|
||||
UserGroupInformation user1 =
|
||||
UserGroupInformation.createProxyUserForTesting("regularJane",
|
||||
realUserUgi, new String [] {"group1"});
|
||||
assertFalse("User " + user1 + " should not have been granted access.",
|
||||
acl.isUserAllowed(user1));
|
||||
|
||||
acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
|
||||
|
||||
assertTrue("User " + user1 + " should have access but was denied.",
|
||||
acl.isUserAllowed(user1));
|
||||
}
|
||||
}
|
||||
|
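Review bot: `testUseRealUserAclsForProxiedUser` pins only the proxied-user outcome for each ACL form; it does not assert that the `~realUser` entry stays scoped to proxied callers, which is the property the new branch in `isUserInList` depends on. After the `acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);` line I would add `assertFalse("Real user itself should not be granted by a ~ entry.", acl.isUserAllowed(realUserUgi));`, since `realUserUgi` has no real user and its short name is `realUser`, not `~realUser`. A second proxied user with a different real user, created the same way as `user1`, would likewise confirm the check keys on the real user's name rather than on being proxied at all.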