You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by in...@apache.org on 2019/04/16 17:34:41 UTC
[hadoop] branch trunk updated: HDFS-14418. Remove redundant super
user priveledge checks from namenode. Contributed by Ayush Saxena.
This is an automated email from the ASF dual-hosted git repository.
inigoiri pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new be6c801 HDFS-14418. Remove redundant super user priveledge checks from namenode. Contributed by Ayush Saxena.
be6c801 is described below
commit be6c8014e66be919388269b70cb2966c35b8c578
Author: Inigo Goiri <in...@apache.org>
AuthorDate: Tue Apr 16 10:34:31 2019 -0700
HDFS-14418. Remove redundant super user priveledge checks from namenode. Contributed by Ayush Saxena.
---
.../hadoop/hdfs/server/namenode/FSNamesystem.java | 3 --
.../hdfs/server/namenode/NameNodeRpcServer.java | 1 -
.../hadoop/hdfs/TestDistributedFileSystem.java | 55 ++++++++++++++++++++++
3 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 82015b2..9389719 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -7397,7 +7397,6 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
Metadata metadata = FSDirEncryptionZoneOp.ensureKeyIsInitialized(dir,
keyName, src);
final FSPermissionChecker pc = getPermissionChecker();
- checkSuperuserPrivilege(pc);
checkOperation(OperationCategory.WRITE);
final FileStatus resultingStat;
writeLock();
@@ -7459,7 +7458,6 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean success = false;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
- checkSuperuserPrivilege(pc);
readLock();
try {
checkOperation(OperationCategory.READ);
@@ -7497,7 +7495,6 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
boolean success = false;
checkOperation(OperationCategory.READ);
final FSPermissionChecker pc = getPermissionChecker();
- checkSuperuserPrivilege(pc);
readLock();
try {
checkOperation(OperationCategory.READ);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 525d9c8..7a2a81c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1331,7 +1331,6 @@ public class NameNodeRpcServer implements NamenodeProtocols {
@Override // NamenodeProtocol
public CheckpointSignature rollEditLog() throws IOException {
checkNNStartup();
- namesystem.checkSuperuserPrivilege();
return namesystem.rollEditLog();
}
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
index 60ff614..8ad7085 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
@@ -97,6 +97,7 @@ import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
import org.apache.hadoop.hdfs.server.namenode.ErasureCodingPolicyManager;
import org.apache.hadoop.hdfs.web.WebHdfsConstants;
import org.apache.hadoop.io.erasurecode.ECSchema;
+import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.net.DNSToSwitchMapping;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.net.ScriptBasedMapping;
@@ -104,6 +105,7 @@ import org.apache.hadoop.net.StaticMapping;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.test.Whitebox;
import org.apache.hadoop.util.DataChecksum;
import org.apache.hadoop.util.Time;
@@ -1805,6 +1807,59 @@ public class TestDistributedFileSystem {
}
@Test
+ public void testSuperUserPrivilege() throws Exception {
+ HdfsConfiguration conf = new HdfsConfiguration();
+ File tmpDir = GenericTestUtils.getTestDir(UUID.randomUUID().toString());
+ final Path jksPath = new Path(tmpDir.toString(), "test.jks");
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
+ JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri());
+
+ try (MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).build()) {
+ cluster.waitActive();
+ final DistributedFileSystem dfs = cluster.getFileSystem();
+ Path dir = new Path("/testPrivilege");
+ dfs.mkdirs(dir);
+
+ final KeyProvider provider =
+ cluster.getNameNode().getNamesystem().getProvider();
+ final KeyProvider.Options options = KeyProvider.options(conf);
+ provider.createKey("key", options);
+ provider.flush();
+
+ // Create a non-super user.
+ UserGroupInformation user = UserGroupInformation.createUserForTesting(
+ "Non_SuperUser", new String[] {"Non_SuperGroup"});
+
+ DistributedFileSystem userfs = (DistributedFileSystem) user.doAs(
+ (PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
+
+ LambdaTestUtils.intercept(AccessControlException.class,
+ "Superuser privilege is required",
+ () -> userfs.createEncryptionZone(dir, "key"));
+
+ RemoteException re = LambdaTestUtils.intercept(RemoteException.class,
+ "Superuser privilege is required",
+ () -> userfs.listEncryptionZones().hasNext());
+ assertTrue(re.unwrapRemoteException() instanceof AccessControlException);
+
+ re = LambdaTestUtils.intercept(RemoteException.class,
+ "Superuser privilege is required",
+ () -> userfs.listReencryptionStatus().hasNext());
+ assertTrue(re.unwrapRemoteException() instanceof AccessControlException);
+
+ LambdaTestUtils.intercept(AccessControlException.class,
+ "Superuser privilege is required",
+ () -> user.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ cluster.getNameNode().getRpcServer().rollEditLog();
+ return null;
+ }
+ }));
+ }
+ }
+
+ @Test
public void testRemoveErasureCodingPolicy() throws Exception {
Configuration conf = getTestConfiguration();
MiniDFSCluster cluster = null;
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org