Posted to common-commits@hadoop.apache.org by ep...@apache.org on 2021/10/19 21:10:40 UTC

[hadoop] branch branch-3.3 updated: HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne

This is an automated email from the ASF dual-hosted git repository.

epayne pushed a commit to branch branch-3.3
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-3.3 by this push:
     new 6f45666  HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne
6f45666 is described below

commit 6f45666d0b7c252a8630590ceeb2b6c8d0ff2d89
Author: Szilard Nemeth <sn...@apache.org>
AuthorDate: Wed Sep 8 17:27:22 2021 +0200

    HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne
    
    (cherry picked from commit 5428d36b56fab319ab68258139d6133ded9bbafc)
---
 .../hadoop/security/authorize/AccessControlList.java   | 12 +++++++++---
 .../security/authorize/TestAccessControlList.java      | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
index 8af47d6..fab766f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
@@ -55,6 +55,7 @@ public class AccessControlList implements Writable {
   // Indicates an ACL string that represents access to all users
   public static final String WILDCARD_ACL_VALUE = "*";
   private static final int INITIAL_CAPACITY = 256;
+  public static final String USE_REAL_ACLS = "~";
 
   // Set of users who are granted access.
   private Collection<String> users;
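Review bot: `USE_REAL_ACLS` is added as a public constant with no comment, while the neighbouring `WILDCARD_ACL_VALUE` carries one; a reader of the ACL string format has to find `isUserInList` to learn what a leading `~` means. Suggest `// Prefix for an ACL entry naming a real (proxying) user: "~alice" grants access to any user proxied by alice.` above the declaration. Since the value is now part of the ACL entry syntax, the comment is also the place to say that it applies to user entries only, which is what the matching code in `isUserInList` does.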
@@ -223,9 +224,12 @@ public class AccessControlList implements Writable {
 
   /**
    * Checks if a user represented by the provided {@link UserGroupInformation}
-   * is a member of the Access Control List
+   * is a member of the Access Control List. If user was proxied and
+   * USE_REAL_ACLS + the real user name is in the control list, then treat this
+   * case as if user were in the ACL list.
    * @param ugi UserGroupInformation to check if contained in the ACL
-   * @return true if ugi is member of the list
+   * @return true if ugi is member of the list or if USE_REAL_ACLS + real user
+   * is in the list
    */
   public final boolean isUserInList(UserGroupInformation ugi) {
     if (allAllowed || users.contains(ugi.getShortUserName())) {
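Review bot: The new Javadoc refers to `USE_REAL_ACLS` as plain text; `{@link #USE_REAL_ACLS}` would link it, and "If user was proxied" reads better as "If the user was proxied". "ACL list" on the third added line is redundant, "the ACL" suffices. The `@return` sentence could also state what is actually matched, `@return true if ugi is a member of the list, or if ugi has a real user and USE_REAL_ACLS + that real user's short name is an entry in the list`. `isUserInList` continues past this hunk.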
@@ -237,7 +241,9 @@ public class AccessControlList implements Writable {
         }
       }
     }
-    return false;
+    UserGroupInformation realUgi = ugi.getRealUser();
+    return realUgi != null &&
+           users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
   }
 
   public boolean isUserAllowed(UserGroupInformation ugi) {
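Review bot: The new return only consults the `users` collection for `USE_REAL_ACLS + realUgi.getShortUserName()`; the real user's group memberships are not checked, although the commit title says "real user ACLs" and the plain-user path just above this hunk does walk groups. If that asymmetry is intended, it should be stated in the Javadoc and in a comment here, e.g. `// Proxied user: honour a "~<realUser>" entry; only the real user's name is matched, not its groups.` Note also that the prefixed entry lives in the same `users` set as ordinary names, so the `users.contains(ugi.getShortUserName())` check at the top of the method would match a principal whose short name is literally `~realUser`; whether that matters depends on what characters the authentication source allows in user names, which is not visible here. `isUserInList` starts outside this hunk.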
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
index 8e1b82b..53ab275 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
@@ -471,4 +471,22 @@ public class TestAccessControlList {
         + " is incorrectly granted the access-control!!",
         acl.isUserAllowed(ugi));
   }
+
+  @Test
+  public void testUseRealUserAclsForProxiedUser() {
+    String realUser = "realUser";
+    AccessControlList acl = new AccessControlList(realUser);
+    UserGroupInformation realUserUgi =
+        UserGroupInformation.createRemoteUser(realUser);
+    UserGroupInformation user1 =
+        UserGroupInformation.createProxyUserForTesting("regularJane",
+            realUserUgi, new String [] {"group1"});
+    assertFalse("User " + user1 + " should not have been granted access.",
+        acl.isUserAllowed(user1));
+
+    acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
+
+    assertTrue("User " + user1 + " should have access but was denied.",
+        acl.isUserAllowed(user1));
+  }
 }
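Review bot: The new test covers only the positive proxied case; it does not show that a `~realUser` entry does not grant access to `realUser` itself when it is not acting as a proxy (its `getRealUser()` is null). Adding `assertFalse("Real user should not match its own ~ entry.", acl.isUserAllowed(realUserUgi));` after the second `acl` is constructed would pin that the prefix is honoured only through the real-user path. A case where the proxied user's groups are in the ACL but the real user's are not would likewise document the intended scope of the new check.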
