Home Explore Help
Register Sign In
liuzhangxing
/
hadoop
forked from apache/hadoop
1
0
Fork 0
Files
Browse Source

commit ee60349cefe4c531e472aad14f07135c4d54fb8f
Author: Vinod Kumar <vinodkv@yahoo-inc.com>
Date: Fri Mar 19 10:03:46 2010 +0530

HADOOP-6634 from https://issues.apache.org/jira/secure/attachment/12439238/HADOOP-6634-20100317-ydist.1.txt

+++ b/YAHOO-CHANGES.txt
+
+ HADOOP-6634. AccessControlList uses full-principal names to verify acls
+ causing queue-acls to fail (vinodkv)


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security-patches@1077339 13f79535-47bb-0310-9956-ffa450edef68

Owen O'Malley 14 years ago
parent
8523694477
commit
e5185a2605
2 changed files with 66 additions and 14 deletions
Unified View Show Diff Stats
  1. 1 1
      src/core/org/apache/hadoop/security/authorize/AccessControlList.java
  2. 65 13
      src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java

+ 1 - 1
src/core/org/apache/hadoop/security/authorize/AccessControlList.java
View File 

@@ -93,7 +93,7 @@ public class AccessControlList {
 
   }
 
   }
 
 
 
   public boolean isUserAllowed(UserGroupInformation ugi) {
 
   public boolean isUserAllowed(UserGroupInformation ugi) {
 
-    if (allAllowed || users.contains(ugi.getUserName())) {
 
+    if (allAllowed || users.contains(ugi.getShortUserName())) {
 
       return true;
 
       return true;
 
     } else {
 
     } else {
 
       for(String group: ugi.getGroupNames()) {
 
       for(String group: ugi.getGroupNames()) {

+ 65 - 13
src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java
View File 

@@ -20,6 +20,7 @@ package org.apache.hadoop.security.authorize;
 
 import java.util.Iterator;
 
 import java.util.Iterator;
 
 import java.util.Set;
 
 import java.util.Set;
 
 
 
+import org.apache.hadoop.security.UserGroupInformation;
 
 import org.apache.hadoop.security.authorize.AccessControlList;
 
 import org.apache.hadoop.security.authorize.AccessControlList;
 
 
 
 
 
@@ -77,19 +78,7 @@ public class TestAccessControlList extends TestCase {
 
     assertEquals(groups.size(), 1);
 
     assertEquals(groups.size(), 1);
 
     assertEquals(groups.iterator().next(), "tardis");
 
     assertEquals(groups.iterator().next(), "tardis");
 
 
 
-    Iterator<String> iter;
 
-    acl = new AccessControlList("drwho,joe tardis,users");
 
-    users = acl.getUsers();
 
-    assertEquals(users.size(), 2);
 
-    iter = users.iterator();
 
-    assertEquals(iter.next(), "drwho");
 
-    assertEquals(iter.next(), "joe");
 
-    groups = acl.getGroups();
 
-    assertEquals(groups.size(), 2);
 
-    iter = groups.iterator();
 
-    assertEquals(iter.next(), "tardis");
 
-    assertEquals(iter.next(), "users");
 
-    
+    Iterator<String> iter;    
     acl = new AccessControlList("drwho,joe tardis, users");
 
     acl = new AccessControlList("drwho,joe tardis, users");
 
     users = acl.getUsers();
 
     users = acl.getUsers();
 
     assertEquals(users.size(), 2);
 
     assertEquals(users.size(), 2);
 
@@ -102,4 +91,67 @@ public class TestAccessControlList extends TestCase {
 
     assertEquals(iter.next(), "tardis");
 
     assertEquals(iter.next(), "tardis");
 
     assertEquals(iter.next(), "users");
 
     assertEquals(iter.next(), "users");
 
   }
 
   }
 
+
 
+  /**
 
+   * Verify the method isUserAllowed()
 
+   */
 
+  public void testIsUserAllowed() {
 
+    AccessControlList acl;
 
+
 
+    UserGroupInformation drwho =
 
+        UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
 
+            new String[] { "aliens", "humanoids", "timelord" });
 
+    UserGroupInformation susan =
 
+        UserGroupInformation.createUserForTesting("susan@APACHE.ORG",
 
+            new String[] { "aliens", "humanoids", "timelord" });
 
+    UserGroupInformation barbara =
 
+        UserGroupInformation.createUserForTesting("barbara@APACHE.ORG",
 
+            new String[] { "humans", "teachers" });
 
+    UserGroupInformation ian =
 
+        UserGroupInformation.createUserForTesting("ian@APACHE.ORG",
 
+            new String[] { "humans", "teachers" });
 
+
 
+    acl = new AccessControlList("drwho humanoids");
 
+    assertUserAllowed(drwho, acl);
 
+    assertUserAllowed(susan, acl);
 
+    assertUserNotAllowed(barbara, acl);
 
+    assertUserNotAllowed(ian, acl);
 
+
 
+    acl = new AccessControlList("drwho");
 
+    assertUserAllowed(drwho, acl);
 
+    assertUserNotAllowed(susan, acl);
 
+    assertUserNotAllowed(barbara, acl);
 
+    assertUserNotAllowed(ian, acl);
 
+
 
+    acl = new AccessControlList("drwho ");
 
+    assertUserAllowed(drwho, acl);
 
+    assertUserNotAllowed(susan, acl);
 
+    assertUserNotAllowed(barbara, acl);
 
+    assertUserNotAllowed(ian, acl);
 
+
 
+    acl = new AccessControlList(" humanoids");
 
+    assertUserAllowed(drwho, acl);
 
+    assertUserAllowed(susan, acl);
 
+    assertUserNotAllowed(barbara, acl);
 
+    assertUserNotAllowed(ian, acl);
 
+
 
+    acl = new AccessControlList("drwho,ian aliens,teachers");
 
+    assertUserAllowed(drwho, acl);
 
+    assertUserAllowed(susan, acl);
 
+    assertUserAllowed(barbara, acl);
 
+    assertUserAllowed(ian, acl);
 
+  }
 
+
 
+  private void assertUserAllowed(UserGroupInformation ugi,
 
+      AccessControlList acl) {
 
+    assertTrue("User " + ugi + " is not granted the access-control!!",
 
+        acl.isUserAllowed(ugi));
 
+  }
 
+
 
+  private void assertUserNotAllowed(UserGroupInformation ugi,
 
+      AccessControlList acl) {
 
+    assertFalse("User " + ugi
 
+        + " is incorrectly granted the access-control!!",
 
+        acl.isUserAllowed(ugi));
 
+  }
 
 }
 
 }