HDFS-8037. CheckAccess in WebHDFS silently accepts malformed FsActions parameters. Contributed by Walter Su.

hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/resources/FsActionParam.java

@@ -30,7 +30,7 @@ public class FsActionParam extends StringParam {
   /** Default parameter value. */
   public static final String DEFAULT = NULL;
 
-  private static String FS_ACTION_PATTERN = "[rwx-]{3}";
+  private static String FS_ACTION_PATTERN = "[r-][w-][x-]";
 
   private static final Domain DOMAIN = new Domain(NAME,
       Pattern.compile(FS_ACTION_PATTERN));

hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt

@@ -648,6 +648,9 @@ Release 2.8.0 - UNRELEASED
     HDFS-8321. CacheDirectives and CachePool operations should throw
     RetriableException in safemode. (wheat9)
 
+    HDFS-8037. CheckAccess in WebHDFS silently accepts malformed FsActions
+    parameters. (wheat9)
+
 Release 2.7.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES

hadoop-hdfs-project/hadoop-hdfs/src/site/markdown/WebHDFS.md

@@ -1690,8 +1690,8 @@ See also: [Proxy Users](#Proxy_Users)
 | Description | File system operation read/write/execute |
 | Type | String |
 | Default Value | null (an invalid value) |
-| Valid Values | Strings matching regex pattern  "[rwx-]{3} " |
-| Syntax |  "[rwx-]{3} " |
+| Valid Values | Strings matching regex pattern  "[r-][w-][x-] " |
+| Syntax |  "[r-][w-][x-] " |
 
 See also: [`CHECKACCESS`](#Check_access),
 

hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/resources/TestParam.java

@@ -399,4 +399,58 @@ public class TestParam {
     Assert.assertEquals("s1", s1.getValue());
     Assert.assertEquals("s2", s2.getValue());
   }
+
+  @Test
+  public void testFsActionParam() {
+    new FsActionParam("rwx");
+    new FsActionParam("rw-");
+    new FsActionParam("r-x");
+    new FsActionParam("-wx");
+    new FsActionParam("r--");
+    new FsActionParam("-w-");
+    new FsActionParam("--x");
+    new FsActionParam("---");
+
+    try {
+      new FsActionParam("rw");
+      Assert.fail();
+    } catch(IllegalArgumentException e) {
+      LOG.info("EXPECTED: " + e);
+    }
+
+    try {
+      new FsActionParam("qwx");
+      Assert.fail();
+    } catch(IllegalArgumentException e) {
+      LOG.info("EXPECTED: " + e);
+    }
+
+    try {
+      new FsActionParam("qrwx");
+      Assert.fail();
+    } catch(IllegalArgumentException e) {
+      LOG.info("EXPECTED: " + e);
+    }
+
+    try {
+      new FsActionParam("rwxx");
+      Assert.fail();
+    } catch(IllegalArgumentException e) {
+      LOG.info("EXPECTED: " + e);
+    }
+
+    try {
+      new FsActionParam("xwr");
+      Assert.fail();
+    } catch(IllegalArgumentException e) {
+      LOG.info("EXPECTED: " + e);
+    }
+
+    try {
+      new FsActionParam("r-w");
+      Assert.fail();
+    } catch(IllegalArgumentException e) {
+      LOG.info("EXPECTED: " + e);
+    }
+  }
 }