Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/11 18:43:08 UTC
git commit: KNOX-124 - fixed OR semantics for wildcards
Updated Branches:
refs/heads/master 660a724fe -> 5e056a15d
KNOX-124 - fixed OR semantics for wildcards
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/5e056a15
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/5e056a15
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/5e056a15
Branch: refs/heads/master
Commit: 5e056a15d5b259ac39ef4fa7123969e7692b9b95
Parents: 660a724
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Sep 11 11:34:19 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Sep 11 11:34:19 2013 -0400
----------------------------------------------------------------------
.../gateway/filter/AclsAuthorizationFilter.java | 29 ++++++++++++++++----
1 file changed, 24 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/5e056a15/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
index f31cb0b..ab22db7 100644
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
@@ -45,6 +45,9 @@ public class AclsAuthorizationFilter implements Filter {
private ArrayList<String> users;
private ArrayList<String> groups;
private ArrayList<String> ipaddr;
+ private boolean anyUser = true;
+ private boolean anyGroup = true;
+ private boolean anyIP = true;
private String aclProcessingMode = null;
@Override
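Review bot: `anyUser`, `anyGroup` and `anyIP` are initialised to `true` here and only ever cleared in the init hunk (L42–L56) when the parsed list lacks `*`; if init takes the `else` branch at L58 (no ACL found for the resource) they stay `true`, so the `if (anyIP)` / `if (anyUser)` / `if (anyGroup)` checks in the last three hunks grant access where the old `ipaddr.contains("*")` would have failed on the never-assigned list — the new default is fail-open. Whether that path is reachable from the filter's request handling is not visible here, but an authorization flag should default closed: `private boolean anyUser = false;` together with `anyUser = users.contains("*");` in init (same for the other two) makes each flag exactly what was parsed. Note also that `parts[0].split(",")` is not trimmed, so an entry such as `"* "` would not be recognised as a wildcard; that is pre-existing, but the new flags inherit it.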
@@ -78,12 +81,20 @@ public class AclsAuthorizationFilter implements Filter {
}
users = new ArrayList<String>();
Collections.addAll(users, parts[0].split(","));
-
+ if (!users.contains("*")) {
+ anyUser = false;
+ }
groups = new ArrayList<String>();
Collections.addAll(groups, parts[1].split(","));
-
+ if (!groups.contains("*")) {
+ anyGroup = false;
+ }
+
ipaddr = new ArrayList<String>();
Collections.addAll(ipaddr, parts[2].split(","));
+ if (!ipaddr.contains("*")) {
+ anyIP = false;
+ }
}
else {
log.noAclsFoundForResource(resourceRole);
@@ -148,6 +159,14 @@ public class AclsAuthorizationFilter implements Filter {
log.remoteIPAddressHasAccess(ipAddrAccess);
if (aclProcessingMode.equals("OR")) {
+ // need to interpret '*' as excluded for OR semantics
+ // to make sense and not grant access to everyone by mistake.
+ // exclusion in OR is equivalent to denied
+ // so, let's set each one that contains '*' to false.
+ if (anyUser) userAccess = false;
+ if (anyGroup) groupAccess = false;
+ if (anyIP) ipAddrAccess = false;
+
return (userAccess || groupAccess || ipAddrAccess);
}
else if (aclProcessingMode.equals("AND")) {
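Review bot: The three wildcard overrides at L67–L69 run after `log.remoteIPAddressHasAccess(ipAddrAccess)` on L61 (and presumably the matching user/group log calls above the hunk) have already reported the raw check results, so in OR mode the audit log can show a component as granted while the decision on L71 treats it as denied. Move the overrides ahead of the logging, or log the final OR decision after they are applied. The enclosing method begins outside the hunk. Also, `if (anyUser) userAccess = false;` and its two siblings are unbraced one-liners while the rest of the file braces single statements (e.g. L42–L44); brace them for consistency, and the four-line comment at L63–L66 reads better as one line such as `// In OR mode a '*' list would grant everyone, so treat wildcard lists as not matching.`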
@@ -161,7 +180,7 @@ public class AclsAuthorizationFilter implements Filter {
if (remoteAddr == null) {
return false;
}
- if (ipaddr.contains("*")) {
+ if (anyIP) {
allowed = true;
}
else {
@@ -177,7 +196,7 @@ public class AclsAuthorizationFilter implements Filter {
if (user == null) {
return false;
}
- if (users.contains("*")) {
+ if (anyUser) {
allowed = true;
}
else {
@@ -193,7 +212,7 @@ public class AclsAuthorizationFilter implements Filter {
if (userGroups == null) {
return false;
}
- if (groups.contains("*")) {
+ if (anyGroup) {
allowed = true;
}
else {