HDFS-14418. Remove redundant super user priveledge checks from namenode. Contributed by Ayush Saxena.
This commit is contained in:
parent
2364c7d0bf
commit
be6c8014e6
@ -7397,7 +7397,6 @@ void createEncryptionZone(final String src, final String keyName,
|
||||
Metadata metadata = FSDirEncryptionZoneOp.ensureKeyIsInitialized(dir,
|
||||
keyName, src);
|
||||
final FSPermissionChecker pc = getPermissionChecker();
|
||||
checkSuperuserPrivilege(pc);
|
||||
checkOperation(OperationCategory.WRITE);
|
||||
final FileStatus resultingStat;
|
||||
writeLock();
|
||||
@ -7459,7 +7458,6 @@ BatchedListEntries<EncryptionZone> listEncryptionZones(long prevId)
|
||||
boolean success = false;
|
||||
checkOperation(OperationCategory.READ);
|
||||
final FSPermissionChecker pc = getPermissionChecker();
|
||||
checkSuperuserPrivilege(pc);
|
||||
readLock();
|
||||
try {
|
||||
checkOperation(OperationCategory.READ);
|
||||
@ -7497,7 +7495,6 @@ BatchedListEntries<ZoneReencryptionStatus> listReencryptionStatus(
|
||||
boolean success = false;
|
||||
checkOperation(OperationCategory.READ);
|
||||
final FSPermissionChecker pc = getPermissionChecker();
|
||||
checkSuperuserPrivilege(pc);
|
||||
readLock();
|
||||
try {
|
||||
checkOperation(OperationCategory.READ);
|
||||
|
@ -1331,7 +1331,6 @@ public long getMostRecentCheckpointTxId() throws IOException {
|
||||
@Override // NamenodeProtocol
|
||||
public CheckpointSignature rollEditLog() throws IOException {
|
||||
checkNNStartup();
|
||||
namesystem.checkSuperuserPrivilege();
|
||||
return namesystem.rollEditLog();
|
||||
}
|
||||
|
||||
|
@ -97,6 +97,7 @@
|
||||
import org.apache.hadoop.hdfs.server.namenode.ErasureCodingPolicyManager;
|
||||
import org.apache.hadoop.hdfs.web.WebHdfsConstants;
|
||||
import org.apache.hadoop.io.erasurecode.ECSchema;
|
||||
import org.apache.hadoop.ipc.RemoteException;
|
||||
import org.apache.hadoop.net.DNSToSwitchMapping;
|
||||
import org.apache.hadoop.net.NetUtils;
|
||||
import org.apache.hadoop.net.ScriptBasedMapping;
|
||||
@ -104,6 +105,7 @@
|
||||
import org.apache.hadoop.security.AccessControlException;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.test.GenericTestUtils;
|
||||
import org.apache.hadoop.test.LambdaTestUtils;
|
||||
import org.apache.hadoop.test.Whitebox;
|
||||
import org.apache.hadoop.util.DataChecksum;
|
||||
import org.apache.hadoop.util.Time;
|
||||
@ -1804,6 +1806,59 @@ public void testDFSDataOutputStreamBuilderForAppend() throws IOException {
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuperUserPrivilege() throws Exception {
|
||||
HdfsConfiguration conf = new HdfsConfiguration();
|
||||
File tmpDir = GenericTestUtils.getTestDir(UUID.randomUUID().toString());
|
||||
final Path jksPath = new Path(tmpDir.toString(), "test.jks");
|
||||
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
|
||||
JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri());
|
||||
|
||||
try (MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).build()) {
|
||||
cluster.waitActive();
|
||||
final DistributedFileSystem dfs = cluster.getFileSystem();
|
||||
Path dir = new Path("/testPrivilege");
|
||||
dfs.mkdirs(dir);
|
||||
|
||||
final KeyProvider provider =
|
||||
cluster.getNameNode().getNamesystem().getProvider();
|
||||
final KeyProvider.Options options = KeyProvider.options(conf);
|
||||
provider.createKey("key", options);
|
||||
provider.flush();
|
||||
|
||||
// Create a non-super user.
|
||||
UserGroupInformation user = UserGroupInformation.createUserForTesting(
|
||||
"Non_SuperUser", new String[] {"Non_SuperGroup"});
|
||||
|
||||
DistributedFileSystem userfs = (DistributedFileSystem) user.doAs(
|
||||
(PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
|
||||
|
||||
LambdaTestUtils.intercept(AccessControlException.class,
|
||||
"Superuser privilege is required",
|
||||
() -> userfs.createEncryptionZone(dir, "key"));
|
||||
|
||||
RemoteException re = LambdaTestUtils.intercept(RemoteException.class,
|
||||
"Superuser privilege is required",
|
||||
() -> userfs.listEncryptionZones().hasNext());
|
||||
assertTrue(re.unwrapRemoteException() instanceof AccessControlException);
|
||||
|
||||
re = LambdaTestUtils.intercept(RemoteException.class,
|
||||
"Superuser privilege is required",
|
||||
() -> userfs.listReencryptionStatus().hasNext());
|
||||
assertTrue(re.unwrapRemoteException() instanceof AccessControlException);
|
||||
|
||||
LambdaTestUtils.intercept(AccessControlException.class,
|
||||
"Superuser privilege is required",
|
||||
() -> user.doAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
cluster.getNameNode().getRpcServer().rollEditLog();
|
||||
return null;
|
||||
}
|
||||
}));
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRemoveErasureCodingPolicy() throws Exception {
|
||||
Configuration conf = getTestConfiguration();
|
||||
|
Loading…
Reference in New Issue
Block a user