Posted to common-commits@hadoop.apache.org by ep...@apache.org on 2021/10/21 17:37:11 UTC
[hadoop] branch branch-3.2 updated: HADOOP-17857. Check real user
ACLs in addition to proxied user ACLs. Contributed by Eric Payne
This is an automated email from the ASF dual-hosted git repository.
epayne pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.2 by this push:
new 7ebc18e HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne
7ebc18e is described below
commit 7ebc18e8fe224ce8ebae2a3c7e4e273252b4d052
Author: Szilard Nemeth <sn...@apache.org>
AuthorDate: Wed Sep 8 17:27:22 2021 +0200
HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne
(cherry picked from commit 5428d36b56fab319ab68258139d6133ded9bbafc)
---
.../hadoop/security/authorize/AccessControlList.java | 12 +++++++++---
.../security/authorize/TestAccessControlList.java | 18 ++++++++++++++++++
2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
index 4f27a77..02fa616 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
@@ -55,6 +55,7 @@ public class AccessControlList implements Writable {
// Indicates an ACL string that represents access to all users
public static final String WILDCARD_ACL_VALUE = "*";
private static final int INITIAL_CAPACITY = 256;
+ public static final String USE_REAL_ACLS = "~";
// Set of users who are granted access.
private Collection<String> users;
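Review bot: The new public `USE_REAL_ACLS` constant introduces a piece of ACL-string syntax, yet unlike the neighbouring `WILDCARD_ACL_VALUE` it carries no comment, so a reader of the ACL format will not find out here what a leading `~` means. Add above the declaration `// Prefix for an entry naming a real (proxying) user: "~alice" admits any user that alice is proxying for`. Whether `~` can ever appear in a valid short user name is not visible in this hunk; if it can, the possible collision with a literal user name is worth stating in the same comment.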
@@ -223,9 +224,12 @@ public class AccessControlList implements Writable {
/**
* Checks if a user represented by the provided {@link UserGroupInformation}
- * is a member of the Access Control List
+ * is a member of the Access Control List. If user was proxied and
+ * USE_REAL_ACLS + the real user name is in the control list, then treat this
+ * case as if user were in the ACL list.
* @param ugi UserGroupInformation to check if contained in the ACL
- * @return true if ugi is member of the list
+ * @return true if ugi is member of the list or if USE_REAL_ACLS + real user
+ * is in the list
*/
public final boolean isUserInList(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getShortUserName())) {
@@ -237,7 +241,9 @@ public class AccessControlList implements Writable {
}
}
}
- return false;
+ UserGroupInformation realUgi = ugi.getRealUser();
+ return realUgi != null &&
+ users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
}
public boolean isUserAllowed(UserGroupInformation ugi) {
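Review bot: The real-user fallback added before the closing brace consults only `users`, so a `~`-prefixed entry naming one of the real user's groups is silently ignored while the Javadoc above does not mention the asymmetry; a comment on the `realUgi` lookup should make it explicit, e.g. `// Only a "~<realuser>" entry in the user set is honoured here; the real user's groups are not consulted.` The match is a plain string compare against the user set, so an entry `~alice` is indistinguishable from a user whose short name is literally `~alice`, which the first check at the top of the method already admits — if `~` is excluded from short user names that should be stated, otherwise the prefix deserves rejection in the ACL parser. Operators should also understand that listing `~alice` widens the ACL to every principal alice is permitted to impersonate under the proxyuser configuration, which this class never sees. isUserInList's body begins outside this hunk.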
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
index 7039001..2492c62 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
@@ -472,4 +472,22 @@ public class TestAccessControlList {
+ " is incorrectly granted the access-control!!",
acl.isUserAllowed(ugi));
}
+
+ @Test
+ public void testUseRealUserAclsForProxiedUser() {
+ String realUser = "realUser";
+ AccessControlList acl = new AccessControlList(realUser);
+ UserGroupInformation realUserUgi =
+ UserGroupInformation.createRemoteUser(realUser);
+ UserGroupInformation user1 =
+ UserGroupInformation.createProxyUserForTesting("regularJane",
+ realUserUgi, new String [] {"group1"});
+ assertFalse("User " + user1 + " should not have been granted access.",
+ acl.isUserAllowed(user1));
+
+ acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
+
+ assertTrue("User " + user1 + " should have access but was denied.",
+ acl.isUserAllowed(user1));
+ }
}
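Review bot: The new test never pins what a `~realUser` entry means for the real user acting on its own behalf: `realUserUgi` has no real user of its own and its short name `realUser` is not in the user set, so under the production change `acl.isUserAllowed(realUserUgi)` should be false, but nothing asserts it. Add `assertFalse("Real user acting directly should not match a ~ entry", acl.isUserAllowed(realUserUgi));` after the second ACL is built, so a later change that makes `~alice` also admit alice directly cannot pass unnoticed. A companion ACL listing a different real user under the prefix (e.g. `~someoneElse`) would additionally confirm that the match is exact rather than prefix-based.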