Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:16:17 UTC
svn commit: r1077450 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
core/org/apache/hadoop/http/ core/org/apache/hadoop/security/authorize/
mapred/org/apache/hadoop/mapred/ test/org/apache/hadoop/mapred/
test/org/apache/hadoop/security/...
Author: omalley
Date: Fri Mar 4 04:16:16 2011
New Revision: 1077450
URL: http://svn.apache.org/viewvc?rev=1077450&view=rev
Log:
commit 67b921c185ec43c8a74e4703dd9703abb3f2abcc
Author: Vinod Kumar <vi...@yahoo-inc.com>
Date: Fri May 7 23:13:24 2010 +0530
HADOOP-6715. From https://issues.apache.org/jira/secure/attachment/12443982/6715.20S.6.patch
+++ b/YAHOO-CHANGES.txt
+ HADOOP-6715. AccessControlList.toString() returns empty string when
+ we set acl to "*". (gravi via vinodkv)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/http/HttpServer.java
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobStatus.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobACLs.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobHistory.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/http/HttpServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/http/HttpServer.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/http/HttpServer.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/http/HttpServer.java Fri Mar 4 04:16:16 2011
@@ -650,8 +650,8 @@ public class HttpServer implements Filte
if (!adminsAcl.isUserAllowed(remoteUserUGI)) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
+ remoteUser + " is unauthorized to access this page. "
- + "Only \"" + adminsAcl.toString()
- + "\" can access this page.");
+ + "AccessControlList for accessing this page : "
+ + adminsAcl.toString());
return false;
}
}
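Review bot: The error body still sends `adminsAcl.toString()` to a caller who has just failed the admin check, and with the rewritten toString() that is the full list of admin users and groups by name. A rejected request needs no more than the refusal itself; the ACL contents belong in the server log, where an operator can read them. I would reduce the response to `response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User " + remoteUser + " is unauthorized to access this page.");` and log the ACL separately. The enclosing method starts and ends outside this hunk, so I cannot see whether a logger is already in scope there.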
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java Fri Mar 4 04:16:16 2011
@@ -17,18 +17,24 @@
*/
package org.apache.hadoop.security.authorize;
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
import java.util.Set;
import java.util.TreeSet;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.io.Writable;
import org.apache.hadoop.security.UserGroupInformation;
/**
* Class representing a configured access control list.
*/
-public class AccessControlList {
+public class AccessControlList implements Writable {
// Indicates an ACL string that represents access to all users
public static final String WILDCARD_ACL_VALUE = "*";
+ private static final int INITIAL_CAPACITY = 256;
// Set of users who are granted access.
private Set<String> users;
@@ -47,12 +53,18 @@ public class AccessControlList {
* @param aclString String representation of the ACL
*/
public AccessControlList(String aclString) {
+ buildACL(aclString);
+ }
+
+ // build ACL from the given string
+ private void buildACL(String aclString) {
users = new TreeSet<String>();
groups = new TreeSet<String>();
if (aclString.contains(WILDCARD_ACL_VALUE) &&
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
allAllowed = true;
} else {
+ allAllowed = false;
String[] userGroupStrings = aclString.split(" ", 2);
if (userGroupStrings.length >= 1) {
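Review bot: The comment on buildACL() does not say that the method discards the previous state, which is the property readFields() now depends on when an instance is reused. The added `allAllowed = false;` is what makes that safe, and the comment should keep a later edit from removing it. Something like `// Replaces users, groups and allAllowed with the contents of aclString; called from the constructor and from readFields().` would do. The body of buildACL() continues past the end of this hunk.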
@@ -70,7 +82,7 @@ public class AccessControlList {
}
}
}
-
+
public boolean isAllAllowed() {
return allAllowed;
}
@@ -119,28 +131,83 @@ public class AccessControlList {
@Override
public String toString() {
- StringBuilder sb = new StringBuilder();
- boolean first = true;
- for(String user: users) {
- if (!first) {
- sb.append(",");
- } else {
- first = false;
+ String str = null;
+
+ if (allAllowed) {
+ str = "All users are allowed";
+ }
+ else if (users.isEmpty() && groups.isEmpty()) {
+ str = "No users are allowed";
+ }
+ else {
+ String usersStr = null;
+ String groupsStr = null;
+ if (!users.isEmpty()) {
+ usersStr = users.toString();
+ }
+ if (!groups.isEmpty()) {
+ groupsStr = groups.toString();
+ }
+
+ if (!users.isEmpty() && !groups.isEmpty()) {
+ str = "Users " + usersStr + " and members of the groups "
+ + groupsStr + " are allowed";
}
- sb.append(user);
+ else if (!users.isEmpty()) {
+ str = "Users " + usersStr + " are allowed";
+ }
+ else {// users is empty array and groups is nonempty
+ str = "Members of the groups "
+ + groupsStr + " are allowed";
+ }
+ }
+
+ return str;
+ }
+
+ // Serializes the AccessControlList object
+ public void write(DataOutput out) throws IOException {
+ StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
+ if (allAllowed) {
+ sb.append('*');
}
- if (!groups.isEmpty()) {
+ else {
+ sb.append(getUsersString());
sb.append(" ");
+ sb.append(getGroupsString());
}
- first = true;
- for(String group: groups) {
+ Text.writeString(out, sb.toString());
+ }
+
+ // Deserialize
+ public void readFields(DataInput in) throws IOException {
+ String aclString = Text.readString(in);
+ buildACL(aclString);
+ }
+
+ // Returns comma-separated concatenated single String of the set 'users'
+ private String getUsersString() {
+ return getString(users);
+ }
+
+ // Returns comma-separated concatenated single String of the set 'groups'
+ private String getGroupsString() {
+ return getString(groups);
+ }
+
+ // Returns comma-separated concatenated single String of all strings of
+ // the given set
+ private String getString(Set<String> strings) {
+ StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
+ boolean first = true;
+ for(String str: strings) {
if (!first) {
sb.append(",");
} else {
first = false;
}
- sb.append(group);
+ sb.append(str);
}
- return sb.toString();
+ return sb.toString();
}
}
\ No newline at end of file
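Review bot: toString() no longer returns a string the constructor can parse, and the parseable form is now reachable only through write(). The removed lines show that the old output was the same `users groups` text the constructor accepts. A sentence such as `All users are allowed` does not match the wildcard check in buildACL() and would be split into user and group names instead. Any caller outside this diff that still stores toString() and rebuilds the ACL from it would therefore end up with a different access list, so those call sites need auditing. I would expose the parseable form through its own accessor (the name `getAclString()` below is only a suggestion), have write() use it, and document toString() as display-only.

```java
  /**
   * Returns the ACL in the form the constructor parses: "*" for the
   * wildcard, otherwise "users groups". toString() is for display only.
   */
  public String getAclString() {
    StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
    if (allAllowed) {
      sb.append('*');
    } else {
      sb.append(getUsersString());
      sb.append(" ");
      sb.append(getGroupsString());
    }
    return sb.toString();
  }

  // Serializes the AccessControlList object
  public void write(DataOutput out) throws IOException {
    Text.writeString(out, getAclString());
  }
  // … unchanged: readFields, getUsersString, getGroupsString, getString …
```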
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobStatus.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobStatus.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobStatus.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobStatus.java Fri Mar 4 04:16:16 2011
@@ -341,7 +341,7 @@ public class JobStatus implements Writab
out.writeInt(jobACLs.size());
for (Entry<JobACL, AccessControlList> entry : jobACLs.entrySet()) {
WritableUtils.writeEnum(out, entry.getKey());
- Text.writeString(out, entry.getValue().toString());
+ entry.getValue().write(out);
}
}
@@ -361,8 +361,9 @@ public class JobStatus implements Writab
int numACLs = in.readInt();
for (int i = 0; i < numACLs; i++) {
JobACL aclType = WritableUtils.readEnum(in, JobACL.class);
- String acl = Text.readString(in);
- this.jobACLs.put(aclType, new AccessControlList(acl));
+ AccessControlList acl = new AccessControlList(" ");
+ acl.readFields(in);
+ this.jobACLs.put(aclType, acl);
}
}
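Review bot: `new AccessControlList(" ")` parses a throwaway ACL string only to get an object to call readFields() on. That suggests the class has no no-argument constructor, and none is added in this diff. Writable implementations are usually given one, so that they can be created reflectively and so that callers do not need to know which placeholder string yields an empty list. I would add `public AccessControlList() { buildACL(" "); }` to AccessControlList and write `AccessControlList acl = new AccessControlList();` here. The readFields() method this loop belongs to starts outside the hunk.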
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java Fri Mar 4 04:16:16 2011
@@ -91,7 +91,6 @@ import org.apache.hadoop.security.Refres
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
-import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobACLs.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobACLs.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobACLs.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobACLs.java Fri Mar 4 04:16:16 2011
@@ -374,7 +374,7 @@ public class TestJobACLs {
// Set the job up.
final JobConf myConf = mr.createJobConf();
- myConf.set(JobContext.JOB_ACL_VIEW_JOB, "user2");
+ myConf.set(JobContext.JOB_ACL_VIEW_JOB, "user2 group2");
// Submit the job as user1
RunningJob job = submitJobAsUser(myConf, jobSubmitter);
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobHistory.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobHistory.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobHistory.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestJobHistory.java Fri Mar 4 04:16:16 2011
@@ -34,7 +34,6 @@ import junit.framework.TestCase;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.mapred.JobHistory.*;
@@ -44,6 +43,8 @@ import org.apache.hadoop.mapreduce.TaskT
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AccessControlList;
+
/**
* Tests the JobHistory files - to catch any changes to JobHistory that can
* cause issues for the execution of JobTracker.RecoveryManager, HistoryViewer.
@@ -803,10 +804,14 @@ public class TestJobHistory extends Test
// Also JobACLs should be correct
if (mr.getJobTrackerRunner().getJobTracker().areACLsEnabled()) {
- assertEquals(conf.get(JobACL.VIEW_JOB.getAclName()),
- jobInfo.getJobACLs().get(JobACL.VIEW_JOB).toString());
- assertEquals(conf.get(JobACL.MODIFY_JOB.getAclName()),
- jobInfo.getJobACLs().get(JobACL.MODIFY_JOB).toString());
+ AccessControlList acl = new AccessControlList(
+ conf.get(JobACL.VIEW_JOB.getAclName(), " "));
+ assertTrue(acl.toString().equals(
+ jobInfo.getJobACLs().get(JobACL.VIEW_JOB).toString()));
+ acl = new AccessControlList(
+ conf.get(JobACL.MODIFY_JOB.getAclName(), " "));
+ assertTrue(acl.toString().equals(
+ jobInfo.getJobACLs().get(JobACL.MODIFY_JOB).toString()));
}
}
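Review bot: The new checks use `assertTrue(a.equals(b))`, so a failure reports only that the assertion was false and hides both ACL strings. `assertEquals(acl.toString(), jobInfo.getJobACLs().get(JobACL.VIEW_JOB).toString());` gives the same check and prints expected and actual on failure; the MODIFY_JOB assertion needs the same change. The same pattern appears throughout the new testToString() in TestAccessControlList.java. The enclosing test method starts outside this hunk.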
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java?rev=1077450&r1=1077449&r2=1077450&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java Fri Mar 4 04:16:16 2011
@@ -43,6 +43,32 @@ public class TestAccessControlList exten
acl = new AccessControlList("* ");
assertTrue(acl.isAllAllowed());
}
+
+ // check if AccessControlList.toString() works as expected
+ public void testToString() {
+ AccessControlList acl;
+
+ acl = new AccessControlList("*");
+ assertTrue(acl.toString().equals("All users are allowed"));
+
+ acl = new AccessControlList(" ");
+ assertTrue(acl.toString().equals("No users are allowed"));
+
+ acl = new AccessControlList("user1,user2");
+ assertTrue(acl.toString().equals("Users [user1, user2] are allowed"));
+
+ acl = new AccessControlList("user1,user2 ");// with space
+ assertTrue(acl.toString().equals("Users [user1, user2] are allowed"));
+
+ acl = new AccessControlList(" group1,group2");
+ assertTrue(acl.toString().equals(
+ "Members of the groups [group1, group2] are allowed"));
+
+ acl = new AccessControlList("user1,user2 group1,group2");
+ assertTrue(acl.toString().equals(
+ "Users [user1, user2] and " +
+ "members of the groups [group1, group2] are allowed"));
+ }
public void testAccessControlList() throws Exception {
AccessControlList acl;
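Review bot: The new tests cover toString() only, so nothing here exercises write() and readFields(), which are the path JobStatus now relies on to carry ACLs. A round-trip test should cover the wildcard, the empty list, and the user-only and group-only forms. It should also read into an instance that starts in the opposite state, so that a stale `allAllowed` flag would be caught. A sketch follows; it uses plain java.io streams and would need the matching imports.

```java
  // check that write()/readFields() preserve the ACL, including the wildcard
  public void testWriteReadFields() throws Exception {
    String[] acls = { "*", " ", "user1,user2", " group1,group2",
        "user1,user2 group1,group2" };
    for (String aclString : acls) {
      AccessControlList expected = new AccessControlList(aclString);
      ByteArrayOutputStream bytes = new ByteArrayOutputStream();
      expected.write(new DataOutputStream(bytes));

      // start from the opposite state so a stale allAllowed flag shows up
      AccessControlList actual =
          new AccessControlList(expected.isAllAllowed() ? " " : "*");
      actual.readFields(new DataInputStream(
          new ByteArrayInputStream(bytes.toByteArray())));

      assertEquals(expected.isAllAllowed(), actual.isAllAllowed());
      assertEquals(expected.toString(), actual.toString());
    }
  }
```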