Posted to common-commits@hadoop.apache.org by cn...@apache.org on 2015/09/15 19:44:05 UTC
[1/2] hadoop git commit: HADOOP-12413. AccessControlList should avoid
calling getGroupNames in isUserInList with empty groups. Contributed by
Zhihai Xu.
Repository: hadoop
Updated Branches:
refs/heads/branch-2 3531823fc -> be9354d01
refs/heads/trunk 083b44c13 -> b2017d9b0
HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/b2017d9b
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/b2017d9b
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/b2017d9b
Branch: refs/heads/trunk
Commit: b2017d9b032af20044fdf60ddbd1575a554ccb79
Parents: 083b44c
Author: cnauroth <cn...@apache.org>
Authored: Tue Sep 15 10:41:50 2015 -0700
Committer: cnauroth <cn...@apache.org>
Committed: Tue Sep 15 10:41:50 2015 -0700
----------------------------------------------------------------------
hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++
.../apache/hadoop/security/authorize/AccessControlList.java | 2 +-
.../hadoop/security/authorize/TestAccessControlList.java | 9 +++++++++
3 files changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2017d9b/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index a7ea0aa..fe09120 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -776,6 +776,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-12324. Better exception reporting in SaslPlainServer.
(Mike Yoder via stevel)
+ HADOOP-12413. AccessControlList should avoid calling getGroupNames in
+ isUserInList with empty groups. (Zhihai Xu via cnauroth)
+
OPTIMIZATIONS
HADOOP-11785. Reduce the number of listStatus operation in distcp
http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2017d9b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
index f19776f..b1b474b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
@@ -230,7 +230,7 @@ public class AccessControlList implements Writable {
public final boolean isUserInList(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getShortUserName())) {
return true;
- } else {
+ } else if (!groups.isEmpty()) {
for(String group: ugi.getGroupNames()) {
if (groups.contains(group)) {
return true;
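Review bot: The new `else if (!groups.isEmpty())` guard in `isUserInList` has no comment explaining why it is there, and in an authorization check a bare emptiness test is easy to mistake for redundant and remove later. I would add above the branch something like `// ACL names no groups: skip ugi.getGroupNames(), which may trigger a group-mapping lookup.` The guard also dereferences `groups` on every call that misses the user list, so it relies on the field never being null; the hunk does not show how the field is initialised, so that is worth confirming. The method body continues past the end of the hunk, so the fall-through deny path is not visible here. The cherry-pick to branch-2 further down carries the identical hunk.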
http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2017d9b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
index 75b944d..ddf74d1 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
@@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.NativeCodeLoader;
import org.junit.Test;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public class TestAccessControlList {
@@ -449,6 +453,11 @@ public class TestAccessControlList {
assertUserAllowed(susan, acl);
assertUserAllowed(barbara, acl);
assertUserAllowed(ian, acl);
+
+ acl = new AccessControlList("");
+ UserGroupInformation spyUser = spy(drwho);
+ acl.isUserAllowed(spyUser);
+ verify(spyUser, never()).getGroupNames();
}
private void assertUserAllowed(UserGroupInformation ugi,
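Review bot: The added test discards the result of `acl.isUserAllowed(spyUser)`, so it pins only that `getGroupNames()` is never called and not that an ACL built from `""` still denies the user. Because the change sits on the authorization path, the decision should be asserted too, e.g. `assertFalse(acl.isUserAllowed(spyUser));` (assuming `assertFalse` is already statically imported in this test class, which the hunk does not show). A companion case with a non-empty group list, verifying that `getGroupNames()` is still consulted, would guard against the short-circuit being applied too broadly, though earlier assertions in this method may already cover it. The test method starts outside the hunk, and the same hunk is repeated in the branch-2 cherry-pick below.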
[2/2] hadoop git commit: HADOOP-12413. AccessControlList should avoid
calling getGroupNames in isUserInList with empty groups. Contributed by
Zhihai Xu.
Posted by cn...@apache.org.
HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu.
(cherry picked from commit b2017d9b032af20044fdf60ddbd1575a554ccb79)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/be9354d0
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/be9354d0
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/be9354d0
Branch: refs/heads/branch-2
Commit: be9354d010f403642290a94f31b831734b7364f6
Parents: 3531823
Author: cnauroth <cn...@apache.org>
Authored: Tue Sep 15 10:41:50 2015 -0700
Committer: cnauroth <cn...@apache.org>
Committed: Tue Sep 15 10:42:02 2015 -0700
----------------------------------------------------------------------
hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++
.../apache/hadoop/security/authorize/AccessControlList.java | 2 +-
.../hadoop/security/authorize/TestAccessControlList.java | 9 +++++++++
3 files changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/be9354d0/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9993c31..c562639 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -264,6 +264,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-12324. Better exception reporting in SaslPlainServer.
(Mike Yoder via stevel)
+ HADOOP-12413. AccessControlList should avoid calling getGroupNames in
+ isUserInList with empty groups. (Zhihai Xu via cnauroth)
+
OPTIMIZATIONS
HADOOP-11785. Reduce the number of listStatus operation in distcp
http://git-wip-us.apache.org/repos/asf/hadoop/blob/be9354d0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
index f19776f..b1b474b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
@@ -230,7 +230,7 @@ public class AccessControlList implements Writable {
public final boolean isUserInList(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getShortUserName())) {
return true;
- } else {
+ } else if (!groups.isEmpty()) {
for(String group: ugi.getGroupNames()) {
if (groups.contains(group)) {
return true;
http://git-wip-us.apache.org/repos/asf/hadoop/blob/be9354d0/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
index a1509a5..933b165 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
@@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.NativeCodeLoader;
import org.junit.Test;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public class TestAccessControlList {
@@ -449,6 +453,11 @@ public class TestAccessControlList {
assertUserAllowed(susan, acl);
assertUserAllowed(barbara, acl);
assertUserAllowed(ian, acl);
+
+ acl = new AccessControlList("");
+ UserGroupInformation spyUser = spy(drwho);
+ acl.isUserAllowed(spyUser);
+ verify(spyUser, never()).getGroupNames();
}
private void assertUserAllowed(UserGroupInformation ugi,