Posted to common-commits@hadoop.apache.org by cn...@apache.org on 2014/11/11 22:32:05 UTC
hadoop git commit: HDFS-7389. Named user ACL cannot stop the user
from accessing the FS entity. Contributed by Vinayakumar B.
Repository: hadoop
Updated Branches:
refs/heads/trunk 456b97381 -> 163bb5506
HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by Vinayakumar B.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/163bb550
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/163bb550
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/163bb550
Branch: refs/heads/trunk
Commit: 163bb55067bde71246b4030a08256ba9a8182dc8
Parents: 456b973
Author: cnauroth <cn...@apache.org>
Authored: Tue Nov 11 13:29:55 2014 -0800
Committer: cnauroth <cn...@apache.org>
Committed: Tue Nov 11 13:29:55 2014 -0800
----------------------------------------------------------------------
hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 ++
.../server/namenode/FSPermissionChecker.java | 1 +
.../hdfs/server/namenode/FSAclBaseTest.java | 37 ++++++++++++++++++--
3 files changed, 39 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/163bb550/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index b183731..07762bf 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -413,6 +413,9 @@ Release 2.7.0 - UNRELEASED
HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write
(brandonli)
+ HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity.
+ (Vinayakumar B via cnauroth)
+
Release 2.6.0 - 2014-11-15
INCOMPATIBLE CHANGES
http://git-wip-us.apache.org/repos/asf/hadoop/blob/163bb550/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
index 2c48051..f994f6b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@@ -327,6 +327,7 @@ class FSPermissionChecker {
return;
}
foundMatch = true;
+ break;
}
} else if (type == AclEntryType.GROUP) {
// Use group entry (unnamed or named) with mask from permission bits
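Review bot: The added `break` in the named-user branch carries the whole access-control fix, but nothing at that line says why evaluation must stop there. Going by the commit title, a named user entry that matched but did not grant the requested access previously let the loop continue into the group entries, which could then grant it. A comment directly above the `break` would guard against a later refactor removing it, for example `// A matching named user entry is decisive; do not fall through to group entries.` The enclosing method starts and ends outside this hunk, so the handling of `foundMatch` after the loop is not visible here; presumably the denial is raised there, which is worth confirming.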
http://git-wip-us.apache.org/repos/asf/hadoop/blob/163bb550/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
index adca0aa..5066feb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
@@ -65,6 +65,9 @@ public abstract class FSAclBaseTest {
private static final UserGroupInformation SUPERGROUP_MEMBER =
UserGroupInformation.createUserForTesting("super", new String[] {
DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT });
+ // group member
+ private static final UserGroupInformation BOB = UserGroupInformation
+ .createUserForTesting("bob", new String[] { "groupY", "groupZ" });
protected static MiniDFSCluster cluster;
protected static Configuration conf;
@@ -74,7 +77,7 @@ public abstract class FSAclBaseTest {
@Rule
public ExpectedException exception = ExpectedException.none();
- private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember;
+ private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob;
@AfterClass
public static void shutdown() {
@@ -93,7 +96,7 @@ public abstract class FSAclBaseTest {
@After
public void destroyFileSystems() {
IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);
- fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = null;
+ fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = fsAsBob = null;
}
@Test
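Review bot: In destroyFileSystems() the new handle `fsAsBob` is set to null but is not passed to `IOUtils.cleanup(...)` on the line above, so the FileSystem created for BOB in the setup hunk is dropped without being closed. The call should include it: `IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob);`. Whether this leaks a client connection per test depends on how createFileSystem() builds the instance, which is outside this diff.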
@@ -1283,6 +1286,35 @@ public abstract class FSAclBaseTest {
} catch (FileNotFoundException e) {
// expected
}
+
+ // Add a named group entry with only READ access
+ fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
+ aclEntry(ACCESS, GROUP, "groupY", READ)));
+ // Now bob should have read access, but not write
+ fsAsBob.access(p1, READ);
+ try {
+ fsAsBob.access(p1, WRITE);
+ fail("The access call should have failed.");
+ } catch (AccessControlException e) {
+ // expected;
+ }
+
+ // Add another named group entry with WRITE access
+ fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
+ aclEntry(ACCESS, GROUP, "groupZ", WRITE)));
+ // Now bob should have write access
+ fsAsBob.access(p1, WRITE);
+
+ // Add a named user entry to deny bob
+ fsAsBruce.modifyAclEntries(p1,
+ Lists.newArrayList(aclEntry(ACCESS, USER, "bob", NONE)));
+
+ try {
+ fsAsBob.access(p1, READ);
+ fail("The access call should have failed.");
+ } catch (AccessControlException e) {
+ // expected;
+ }
}
/**
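Review bot: The final deny check only exercises READ, which bob obtained through `groupY`; the WRITE access granted through `groupZ` is never re-checked after the `USER bob NONE` entry is added. A regression that stops at the first group entry but still honours a later one would pass this test. Repeating the same try/fail/catch block with `fsAsBob.access(p1, WRITE);` would pin the intended behaviour that a named user entry overrides every named group entry. The test method itself begins outside this hunk.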
@@ -1316,6 +1348,7 @@ public abstract class FSAclBaseTest {
fs = createFileSystem();
fsAsBruce = createFileSystem(BRUCE);
fsAsDiana = createFileSystem(DIANA);
+ fsAsBob = createFileSystem(BOB);
fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER);
}