HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne
(cherry picked from commit 5428d36b56)
parent
b8f3e54ff7
commit
6f45666d0b
@ -55,6 +55,7 @@ public class AccessControlList implements Writable {
|
|||||||
// Indicates an ACL string that represents access to all users
|
// Indicates an ACL string that represents access to all users
|
||||||
public static final String WILDCARD_ACL_VALUE = "*";
|
public static final String WILDCARD_ACL_VALUE = "*";
|
||||||
private static final int INITIAL_CAPACITY = 256;
|
private static final int INITIAL_CAPACITY = 256;
|
||||||
|
public static final String USE_REAL_ACLS = "~";
|
||||||
|
|
||||||
// Set of users who are granted access.
|
// Set of users who are granted access.
|
||||||
private Collection<String> users;
|
private Collection<String> users;
|
||||||
@ -223,9 +224,12 @@ public Collection<String> getGroups() {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Checks if a user represented by the provided {@link UserGroupInformation}
|
* Checks if a user represented by the provided {@link UserGroupInformation}
|
||||||
* is a member of the Access Control List
|
* is a member of the Access Control List. If user was proxied and
|
||||||
|
* USE_REAL_ACLS + the real user name is in the control list, then treat this
|
||||||
|
* case as if user were in the ACL list.
|
||||||
* @param ugi UserGroupInformation to check if contained in the ACL
|
* @param ugi UserGroupInformation to check if contained in the ACL
|
||||||
* @return true if ugi is member of the list
|
* @return true if ugi is member of the list or if USE_REAL_ACLS + real user
|
||||||
|
* is in the list
|
||||||
*/
|
*/
|
||||||
public final boolean isUserInList(UserGroupInformation ugi) {
|
public final boolean isUserInList(UserGroupInformation ugi) {
|
||||||
if (allAllowed || users.contains(ugi.getShortUserName())) {
|
if (allAllowed || users.contains(ugi.getShortUserName())) {
|
||||||
@ -237,7 +241,9 @@ public final boolean isUserInList(UserGroupInformation ugi) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return false;
|
UserGroupInformation realUgi = ugi.getRealUser();
|
||||||
|
return realUgi != null &&
|
||||||
|
users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean isUserAllowed(UserGroupInformation ugi) {
|
public boolean isUserAllowed(UserGroupInformation ugi) {
|
||||||
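Review bot: `USE_REAL_ACLS` in the first hunk is added without a comment, while the neighbouring `WILDCARD_ACL_VALUE` has one, and the prefix deserves explanation because it is looked up in the same `users` set as plain short names: an entry `~alice` matches both a user proxied by alice and a user whose short name is literally `~alice`, if such names can occur in a deployment (not visible from the hunk). Suggest `// Prefix for an ACL entry that grants access to users proxied by the named real user, e.g. "~alice"` above the constant. The isUserInList Javadoc could also state that the real-user lookup happens only when the proxied user's own short name is not in the list, and that only the immediate `ugi.getRealUser()` is consulted. The body of isUserInList spans the second and third hunks, with the lines between them not shown here.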
|
@ -471,4 +471,22 @@ private void assertUserNotAllowed(UserGroupInformation ugi,
|
|||||||
+ " is incorrectly granted the access-control!!",
|
+ " is incorrectly granted the access-control!!",
|
||||||
acl.isUserAllowed(ugi));
|
acl.isUserAllowed(ugi));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testUseRealUserAclsForProxiedUser() {
|
||||||
|
String realUser = "realUser";
|
||||||
|
AccessControlList acl = new AccessControlList(realUser);
|
||||||
|
UserGroupInformation realUserUgi =
|
||||||
|
UserGroupInformation.createRemoteUser(realUser);
|
||||||
|
UserGroupInformation user1 =
|
||||||
|
UserGroupInformation.createProxyUserForTesting("regularJane",
|
||||||
|
realUserUgi, new String [] {"group1"});
|
||||||
|
assertFalse("User " + user1 + " should not have been granted access.",
|
||||||
|
acl.isUserAllowed(user1));
|
||||||
|
|
||||||
|
acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
|
||||||
|
|
||||||
|
assertTrue("User " + user1 + " should have access but was denied.",
|
||||||
|
acl.isUserAllowed(user1));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
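Review bot: testUseRealUserAclsForProxiedUser checks only the positive case for the `~realUser` entry; it never asserts that `realUserUgi` itself, which is not proxied, is denied by that ACL, nor that a user proxied by a different real user is denied, so a regression that granted the entry to the real user directly or ignored which real user did the proxying would still pass. Suggest adding after the final assertTrue: `assertFalse("Real user " + realUserUgi + " should not be granted access directly.", acl.isUserAllowed(realUserUgi));`. A second proxy user created with a different real user and asserted false would cover the other direction.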