Posted to common-commits@hadoop.apache.org by am...@apache.org on 2010/08/10 10:10:41 UTC
svn commit: r983877 - in /hadoop/common/trunk: CHANGES.txt
src/java/org/apache/hadoop/security/authorize/AccessControlList.java
src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java
Author: amareshwari
Date: Tue Aug 10 08:10:40 2010
New Revision: 983877
URL: http://svn.apache.org/viewvc?rev=983877&view=rev
Log:
HADOOP-6862. Adds api to add/remove user and group to AccessControlList. Contributed by Amareshwari Sriramadasu
Modified:
hadoop/common/trunk/CHANGES.txt
hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/AccessControlList.java
hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java
Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=983877&r1=983876&r2=983877&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Tue Aug 10 08:10:40 2010
@@ -108,6 +108,8 @@ Trunk (unreleased changes)
HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)
+ HADOOP-6862. Adds api to add/remove user and group to AccessControlList
+ (amareshwari)
OPTIMIZATIONS
BUG FIXES
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/AccessControlList.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/AccessControlList.java?rev=983877&r1=983876&r2=983877&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/AccessControlList.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/AccessControlList.java Tue Aug 10 08:10:40 2010
@@ -17,7 +17,6 @@
*/
package org.apache.hadoop.security.authorize;
-import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
@@ -54,8 +53,7 @@ public class AccessControlList {
public AccessControlList(String aclString) {
users = new TreeSet<String>();
groups = new TreeSet<String>();
- if (aclString.contains(WILDCARD_ACL_VALUE) &&
- aclString.trim().equals(WILDCARD_ACL_VALUE)) {
+ if (isWildCardACLValue(aclString)) {
allAllowed = true;
} else {
String[] userGroupStrings = aclString.split(" ", 2);
@@ -76,11 +74,80 @@ public class AccessControlList {
}
}
+ private boolean isWildCardACLValue(String aclString) {
+ if (aclString.contains(WILDCARD_ACL_VALUE) &&
+ aclString.trim().equals(WILDCARD_ACL_VALUE)) {
+ return true;
+ }
+ return false;
+ }
+
public boolean isAllAllowed() {
return allAllowed;
}
/**
+ * Add user to the names of users allowed for this service.
+ *
+ * @param user
+ * The user name
+ */
+ public void addUser(String user) {
+ if (isWildCardACLValue(user)) {
+ throw new IllegalArgumentException("User " + user + " can not be added");
+ }
+ if (!isAllAllowed()) {
+ users.add(user);
+ }
+ }
+
+ /**
+ * Add group to the names of groups allowed for this service.
+ *
+ * @param group
+ * The group name
+ */
+ public void addGroup(String group) {
+ if (isWildCardACLValue(group)) {
+ throw new IllegalArgumentException("Group " + group + " can not be added");
+ }
+ if (!isAllAllowed()) {
+ groups.add(group);
+ }
+ }
+
+ /**
+ * Remove user from the names of users allowed for this service.
+ *
+ * @param user
+ * The user name
+ */
+ public void removeUser(String user) {
+ if (isWildCardACLValue(user)) {
+ throw new IllegalArgumentException("User " + user + " can not be removed");
+ }
+ if (!isAllAllowed()) {
+ users.remove(user);
+ }
+ }
+
+ /**
+ * Remove group from the names of groups allowed for this service.
+ *
+ * @param group
+ * The group name
+ */
+ public void removeGroup(String group) {
+ if (isWildCardACLValue(group)) {
+ throw new IllegalArgumentException("Group " + group
+ + " can not be removed");
+ }
+ if (!isAllAllowed()) {
+ groups.remove(group);
+ }
+ }
+
+ /**
* Get the names of users allowed for this service.
* @return the set of user names. the set must not be modified.
*/
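Review bot: addUser and addGroup store the name exactly as passed and reject only the wildcard, so a name containing a space or a comma is accepted even though the serialized form appears to use both as separators (the constructor splits on `" "`, and the test in this commit expects toString() to give `drwho,joe tardis,users`; the rest of the parsing and toString() are outside this hunk). If a name ever comes from a request or a config value, the ACL would presumably not round-trip: a single user entry containing a space would be re-parsed as a user plus a group. A guard in both add methods, such as `if (user == null || user.trim().isEmpty() || user.indexOf(' ') >= 0 || user.indexOf(',') >= 0) throw new IllegalArgumentException("Invalid user name: " + user);`, closes that gap and replaces the NullPointerException that `aclString.contains(...)` raises on a null argument. Separately, removeUser and removeGroup return silently when isAllAllowed() is true, so a caller that believes it revoked access has not; the Javadoc should state that the principal stays authorized on a wildcard ACL, e.g. `Has no effect when this ACL allows all users.`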
Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java?rev=983877&r1=983876&r2=983877&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java Tue Aug 10 08:10:40 2010
@@ -93,6 +93,138 @@ public class TestAccessControlList exten
}
/**
+ * Test addUser/Group and removeUser/Group api.
+ */
+ public void testAddRemoveAPI() {
+ AccessControlList acl;
+ Set<String> users;
+ Set<String> groups;
+ acl = new AccessControlList("");
+ assertEquals(0, acl.getUsers().size());
+ assertEquals(0, acl.getGroups().size());
+ assertEquals("", acl.toString());
+
+ acl.addUser("drwho");
+ users = acl.getUsers();
+ assertEquals(users.size(), 1);
+ assertEquals(users.iterator().next(), "drwho");
+ assertEquals("drwho", acl.toString());
+
+ acl.addGroup("tardis");
+ groups = acl.getGroups();
+ assertEquals(groups.size(), 1);
+ assertEquals(groups.iterator().next(), "tardis");
+ assertEquals("drwho tardis", acl.toString());
+
+ acl.addUser("joe");
+ acl.addGroup("users");
+ users = acl.getUsers();
+ assertEquals(users.size(), 2);
+ Iterator<String> iter = users.iterator();
+ assertEquals(iter.next(), "drwho");
+ assertEquals(iter.next(), "joe");
+ groups = acl.getGroups();
+ assertEquals(groups.size(), 2);
+ iter = groups.iterator();
+ assertEquals(iter.next(), "tardis");
+ assertEquals(iter.next(), "users");
+ assertEquals("drwho,joe tardis,users", acl.toString());
+
+ acl.removeUser("joe");
+ acl.removeGroup("users");
+ users = acl.getUsers();
+ assertEquals(users.size(), 1);
+ assertFalse(users.contains("joe"));
+ groups = acl.getGroups();
+ assertEquals(groups.size(), 1);
+ assertFalse(groups.contains("users"));
+ assertEquals("drwho tardis", acl.toString());
+
+ acl.removeGroup("tardis");
+ groups = acl.getGroups();
+ assertEquals(0, groups.size());
+ assertFalse(groups.contains("tardis"));
+ assertEquals("drwho", acl.toString());
+
+ acl.removeUser("drwho");
+ assertEquals(0, users.size());
+ assertFalse(users.contains("drwho"));
+ assertEquals(0, acl.getGroups().size());
+ assertEquals(0, acl.getUsers().size());
+ assertEquals("", acl.toString());
+ }
+
+ /**
+ * Tests adding/removing wild card as the user/group.
+ */
+ public void testAddRemoveWildCard() {
+ AccessControlList acl = new AccessControlList("drwho tardis");
+
+ Throwable th = null;
+ try {
+ acl.addUser(" * ");
+ } catch (Throwable t) {
+ th = t;
+ }
+ assertNotNull(th);
+ assertTrue(th instanceof IllegalArgumentException);
+
+ th = null;
+ try {
+ acl.addGroup(" * ");
+ } catch (Throwable t) {
+ th = t;
+ }
+ assertNotNull(th);
+ assertTrue(th instanceof IllegalArgumentException);
+ th = null;
+ try {
+ acl.removeUser(" * ");
+ } catch (Throwable t) {
+ th = t;
+ }
+ assertNotNull(th);
+ assertTrue(th instanceof IllegalArgumentException);
+ th = null;
+ try {
+ acl.removeGroup(" * ");
+ } catch (Throwable t) {
+ th = t;
+ }
+ assertNotNull(th);
+ assertTrue(th instanceof IllegalArgumentException);
+ }
+
+ /**
+ * Tests adding user/group to an wild card acl.
+ */
+ public void testAddRemoveToWildCardACL() {
+ AccessControlList acl = new AccessControlList(" * ");
+ assertTrue(acl.isAllAllowed());
+
+ UserGroupInformation drwho =
+ UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
+ new String[] { "aliens" });
+ UserGroupInformation drwho2 =
+ UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
+ new String[] { "tardis" });
+
+ acl.addUser("drwho");
+ assertTrue(acl.isAllAllowed());
+ assertFalse(acl.toString().contains("drwho"));
+ acl.addGroup("tardis");
+ assertTrue(acl.isAllAllowed());
+ assertFalse(acl.toString().contains("tardis"));
+
+ acl.removeUser("drwho");
+ assertTrue(acl.isAllAllowed());
+ assertUserAllowed(drwho, acl);
+ acl.removeGroup("tardis");
+ assertTrue(acl.isAllAllowed());
+ assertUserAllowed(drwho2, acl);
+ }
+
+ /**
* Verify the method isUserAllowed()
*/
public void testIsUserAllowed() {
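Review bot: The new tests never pass a null, an empty name, or a name containing a space or comma to the add/remove methods, and never feed `acl.toString()` back into the constructor, so nothing pins that a mutated ACL re-parses to the same users and groups. In testAddRemoveAPI the assertions after `acl.removeUser("drwho")` read the `users` reference fetched earlier, which passes only if getUsers() hands out the live internal set; re-fetching with `users = acl.getUsers();` removes that dependence on aliasing. Several calls also put the actual value first, e.g. `assertEquals(users.size(), 1)`, which makes a failure message read backwards; `assertEquals(1, users.size())` matches the order used at the top of the same method. In testAddRemoveWildCard, `catch (Throwable t)` followed by an instanceof check could be `catch (IllegalArgumentException expected)` with a `fail()` after the call, so an unrelated error is reported as itself. The enclosing test class continues outside this hunk.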