You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-dev@hadoop.apache.org by "BELUGA BEHR (JIRA)" <ji...@apache.org> on 2015/12/14 22:46:46 UTC
[jira] [Created] (HADOOP-12640) Code Review AccessControlList
BELUGA BEHR created HADOOP-12640:
------------------------------------
Summary: Code Review AccessControlList
Key: HADOOP-12640
URL: https://issues.apache.org/jira/browse/HADOOP-12640
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.7.1
Reporter: BELUGA BEHR
Priority: Minor
Attachments: AccessControlList.patch, TestAccessControlList.path
After some confusion of my own, in particular with "mapreduce.job.acl-view-job," I have looked over the AccessControlList implementation and cleaned it up and clarified a few points.
1) I added tests to show that when including an asterisk in either the username or the group field, it overrides everything and allows all access.
"user1,user2,user3 *" = all access
"* group1,group2" = all access
"* *" = all access
"* " = all access
" *" = all access
2) General clean-up and simplification
3) NOT-BACKWARDS COMPATIBLE
The code currently handled spaces in an asymmetric way. The code splits the ACL string on a single space, but limits the resulting array to a size of two. So, as long as there are no spaces in the user names section, it works fine, but any spaces subsequent to that did not matter.
"user1,user2,user3 group1, group2,group3" - works as expected
["user1,user2,user3", "group1, group2,group3"]
"user1, user2,user3 group1,group2,group3" - Did not work as expected
["user1,","user2,user3, group1, group2,group3"]
The submitted patch will split on all spaces and log a warning if there are more than two elements. This enforces no spaces with the two comma-separated lists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)