|
@@ -55,6 +55,7 @@ public class AccessControlList implements Writable {
|
|
|
// Indicates an ACL string that represents access to all users
|
|
|
public static final String WILDCARD_ACL_VALUE = "*";
|
|
|
private static final int INITIAL_CAPACITY = 256;
|
|
|
+ public static final String USE_REAL_ACLS = "~";
|
|
|
|
|
|
// Set of users who are granted access.
|
|
|
private Collection<String> users;
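Review bot: `USE_REAL_ACLS` is added without a comment, unlike `WILDCARD_ACL_VALUE` a few lines above it, and the name does not convey that it is a prefix on a user entry rather than a switch. Since the constant is public and changes whom an ACL entry authorizes, document it at the declaration, for example `// Prefix marking an ACL user entry that is matched against the real (proxying) user of a proxied caller`. The accepted entry syntax should also be described wherever the ACL string format is documented, which is not visible in this hunk.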
|
|
@@ -223,9 +224,12 @@ public class AccessControlList implements Writable {
|
|
|
|
|
|
/**
|
|
|
* Checks if a user represented by the provided {@link UserGroupInformation}
|
|
|
- * is a member of the Access Control List
|
|
|
+ * is a member of the Access Control List. If user was proxied and
|
|
|
+ * USE_REAL_ACLS + the real user name is in the control list, then treat this
|
|
|
+ * case as if user were in the ACL list.
|
|
|
* @param ugi UserGroupInformation to check if contained in the ACL
|
|
|
- * @return true if ugi is member of the list
|
|
|
+ * @return true if ugi is member of the list or if USE_REAL_ACLS + real user
|
|
|
+ * is in the list
|
|
|
*/
|
|
|
public final boolean isUserInList(UserGroupInformation ugi) {
|
|
|
if (allAllowed || users.contains(ugi.getShortUserName())) {
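Review bot: The new Javadoc names `USE_REAL_ACLS` in plain text, so a reader of the rendered documentation cannot tell that it is the `~` prefix; use `{@link #USE_REAL_ACLS}` or `{@code "~"}` there. It should also state that the real user is compared against user entries only and that a match authorizes whichever effective user is being impersonated, which is what the return statement added in the later hunk does. The body of `isUserInList` continues outside this hunk.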
|
|
@@ -237,7 +241,9 @@ public class AccessControlList implements Writable {
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
- return false;
|
|
|
+ UserGroupInformation realUgi = ugi.getRealUser();
|
|
|
+ return realUgi != null &&
|
|
|
+ users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
|
|
|
}
|
|
|
|
|
|
public boolean isUserAllowed(UserGroupInformation ugi) {
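Review bot: The `~` marker shares one namespace with ordinary user names, so an entry such as `~alice`, meant to match only callers proxied by alice, is also satisfied by the direct `users.contains(ugi.getShortUserName())` check at the top of `isUserInList` for a principal whose short name is literally `~alice`. Whether such a short name can arise depends on the name-mapping rules, which are not visible here. If it can, reject user names beginning with `USE_REAL_ACLS` when the ACL is parsed, or hold real-user entries in a separate set so the two checks cannot cross-match. Only the user name from `getRealUser()` is consulted, not the real user's groups, and that limitation deserves a sentence in the ACL documentation. The part of `isUserInList` between the first check and this return lies outside the hunk.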
|