HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne

(cherry picked from commit 5428d36b56)
This commit is contained in:
Szilard Nemeth 2021-09-08 17:27:22 +02:00 committed by Eric Payne
parent b8f3e54ff7
commit 6f45666d0b
2 changed files with 27 additions and 3 deletions

View File

@ -55,6 +55,7 @@ public class AccessControlList implements Writable {
// Indicates an ACL string that represents access to all users // Indicates an ACL string that represents access to all users
public static final String WILDCARD_ACL_VALUE = "*"; public static final String WILDCARD_ACL_VALUE = "*";
private static final int INITIAL_CAPACITY = 256; private static final int INITIAL_CAPACITY = 256;
public static final String USE_REAL_ACLS = "~";
// Set of users who are granted access. // Set of users who are granted access.
private Collection<String> users; private Collection<String> users;
@ -223,9 +224,12 @@ public Collection<String> getGroups() {
/** /**
* Checks if a user represented by the provided {@link UserGroupInformation} * Checks if a user represented by the provided {@link UserGroupInformation}
* is a member of the Access Control List * is a member of the Access Control List. If user was proxied and
* USE_REAL_ACLS + the real user name is in the control list, then treat this
* case as if user were in the ACL list.
* @param ugi UserGroupInformation to check if contained in the ACL * @param ugi UserGroupInformation to check if contained in the ACL
* @return true if ugi is member of the list * @return true if ugi is member of the list or if USE_REAL_ACLS + real user
* is in the list
*/ */
public final boolean isUserInList(UserGroupInformation ugi) { public final boolean isUserInList(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getShortUserName())) { if (allAllowed || users.contains(ugi.getShortUserName())) {
@ -237,7 +241,9 @@ public final boolean isUserInList(UserGroupInformation ugi) {
} }
} }
} }
return false; UserGroupInformation realUgi = ugi.getRealUser();
return realUgi != null &&
users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
} }
public boolean isUserAllowed(UserGroupInformation ugi) { public boolean isUserAllowed(UserGroupInformation ugi) {

View File

@ -471,4 +471,22 @@ private void assertUserNotAllowed(UserGroupInformation ugi,
+ " is incorrectly granted the access-control!!", + " is incorrectly granted the access-control!!",
acl.isUserAllowed(ugi)); acl.isUserAllowed(ugi));
} }
@Test
public void testUseRealUserAclsForProxiedUser() {
String realUser = "realUser";
AccessControlList acl = new AccessControlList(realUser);
UserGroupInformation realUserUgi =
UserGroupInformation.createRemoteUser(realUser);
UserGroupInformation user1 =
UserGroupInformation.createProxyUserForTesting("regularJane",
realUserUgi, new String [] {"group1"});
assertFalse("User " + user1 + " should not have been granted access.",
acl.isUserAllowed(user1));
acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
assertTrue("User " + user1 + " should have access but was denied.",
acl.isUserAllowed(user1));
}
} }