You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-dev@hadoop.apache.org by "BELUGA BEHR (JIRA)" <ji...@apache.org> on 2015/12/14 22:46:46 UTC

[jira] [Created] (HADOOP-12640) Code Review AccessControlList

BELUGA BEHR created HADOOP-12640:
------------------------------------

             Summary: Code Review AccessControlList
                 Key: HADOOP-12640
                 URL: https://issues.apache.org/jira/browse/HADOOP-12640
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.7.1
            Reporter: BELUGA BEHR
            Priority: Minor
         Attachments: AccessControlList.patch, TestAccessControlList.path

After some confusion of my own, in particular with "mapreduce.job.acl-view-job," I have looked over the AccessControlList implementation and cleaned it up and clarified a few points.

1) I added tests to show that when including an asterisk in either the username or the group field, it overrides everything and allows all access.

"user1,user2,user3 *" = all access
"* group1,group2" = all access
"* *" = all access
"* " = all access
" *" = all access

2) General clean-up and simplification

3) NOT-BACKWARDS COMPATIBLE
The code currently handled spaces in an asymmetric way. The code splits the ACL string on a single space, but limits the resulting array to a size of two. So, as long as there are no spaces in the user names section, it works fine, but any spaces subsequent to that did not matter.

"user1,user2,user3 group1, group2,group3" - works as expected
["user1,user2,user3", "group1, group2,group3"]

"user1, user2,user3 group1,group2,group3" - Did not work as expected
["user1,","user2,user3, group1, group2,group3"]

The submitted patch will split on all spaces and log a warning if there are more than two elements.  This enforces no spaces with the two comma-separated lists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)