hadoop-common-commits mailing list archives

From omal...@apache.org
Subject svn commit: r1077339 - in /hadoop/common/branches/branch-0.20-security-patches/src: core/org/apache/hadoop/security/authorize/AccessControlList.java test/org/apache/hadoop/security/authorize/TestAccessControlList.java
Date Fri, 04 Mar 2011 04:05:06 GMT
Author: omalley
Date: Fri Mar  4 04:05:06 2011
New Revision: 1077339

URL: http://svn.apache.org/viewvc?rev=1077339&view=rev
Log:
commit ee60349cefe4c531e472aad14f07135c4d54fb8f
Author: Vinod Kumar <vinodkv@yahoo-inc.com>
Date:   Fri Mar 19 10:03:46 2010 +0530

    HADOOP-6634 from https://issues.apache.org/jira/secure/attachment/12439238/HADOOP-6634-20100317-ydist.1.txt
    
    +++ b/YAHOO-CHANGES.txt
    +
    +    HADOOP-6634. AccessControlList uses full-principal names to verify acls
    +    causing queue-acls to fail (vinodkv)

Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java
    hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java

Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java?rev=1077339&r1=1077338&r2=1077339&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/AccessControlList.java
Fri Mar  4 04:05:06 2011
@@ -93,7 +93,7 @@ public class AccessControlList {
   }
 
   public boolean isUserAllowed(UserGroupInformation ugi) {
-    if (allAllowed || users.contains(ugi.getUserName())) {
+    if (allAllowed || users.contains(ugi.getShortUserName())) {
       return true;
     } else {
       for(String group: ugi.getGroupNames()) {
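Review bot: Comparing `users` against `ugi.getShortUserName()` discards the realm (and any host component) of the principal, so the user half of the ACL decision now rests entirely on how principals are mapped to short names. If principals from two realms can map to the same short name, both will match the same ACL entry. This is presumably intended for the queue-ACL case in the log message, but it should be stated on the method, for example `// ACL entries are short user names; the realm is not checked here and is trusted to the principal-to-short-name mapping`. ACL entries that were written as full principal names will stop matching after this change without any warning, which is worth a release note. The body of `isUserAllowed` continues past the end of this hunk.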

Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java?rev=1077339&r1=1077338&r2=1077339&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/authorize/TestAccessControlList.java
Fri Mar  4 04:05:06 2011
@@ -20,6 +20,7 @@ package org.apache.hadoop.security.autho
 import java.util.Iterator;
 import java.util.Set;
 
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 
 
@@ -77,19 +78,7 @@ public class TestAccessControlList exten
     assertEquals(groups.size(), 1);
     assertEquals(groups.iterator().next(), "tardis");
 
-    Iterator<String> iter;
-    acl = new AccessControlList("drwho,joe tardis,users");
-    users = acl.getUsers();
-    assertEquals(users.size(), 2);
-    iter = users.iterator();
-    assertEquals(iter.next(), "drwho");
-    assertEquals(iter.next(), "joe");
-    groups = acl.getGroups();
-    assertEquals(groups.size(), 2);
-    iter = groups.iterator();
-    assertEquals(iter.next(), "tardis");
-    assertEquals(iter.next(), "users");
-    
+    Iterator<String> iter;    
     acl = new AccessControlList("drwho,joe tardis, users");
     users = acl.getUsers();
     assertEquals(users.size(), 2);
@@ -102,4 +91,67 @@ public class TestAccessControlList exten
     assertEquals(iter.next(), "tardis");
     assertEquals(iter.next(), "users");
   }
+
+  /**
+   * Verify the method isUserAllowed()
+   */
+  public void testIsUserAllowed() {
+    AccessControlList acl;
+
+    UserGroupInformation drwho =
+        UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
+            new String[] { "aliens", "humanoids", "timelord" });
+    UserGroupInformation susan =
+        UserGroupInformation.createUserForTesting("susan@APACHE.ORG",
+            new String[] { "aliens", "humanoids", "timelord" });
+    UserGroupInformation barbara =
+        UserGroupInformation.createUserForTesting("barbara@APACHE.ORG",
+            new String[] { "humans", "teachers" });
+    UserGroupInformation ian =
+        UserGroupInformation.createUserForTesting("ian@APACHE.ORG",
+            new String[] { "humans", "teachers" });
+
+    acl = new AccessControlList("drwho humanoids");
+    assertUserAllowed(drwho, acl);
+    assertUserAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList("drwho");
+    assertUserAllowed(drwho, acl);
+    assertUserNotAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList("drwho ");
+    assertUserAllowed(drwho, acl);
+    assertUserNotAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList(" humanoids");
+    assertUserAllowed(drwho, acl);
+    assertUserAllowed(susan, acl);
+    assertUserNotAllowed(barbara, acl);
+    assertUserNotAllowed(ian, acl);
+
+    acl = new AccessControlList("drwho,ian aliens,teachers");
+    assertUserAllowed(drwho, acl);
+    assertUserAllowed(susan, acl);
+    assertUserAllowed(barbara, acl);
+    assertUserAllowed(ian, acl);
+  }
+
+  private void assertUserAllowed(UserGroupInformation ugi,
+      AccessControlList acl) {
+    assertTrue("User " + ugi + " is not granted the access-control!!",
+        acl.isUserAllowed(ugi));
+  }
+
+  private void assertUserNotAllowed(UserGroupInformation ugi,
+      AccessControlList acl) {
+    assertFalse("User " + ugi
+        + " is incorrectly granted the access-control!!",
+        acl.isUserAllowed(ugi));
+  }
 }
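Review bot: `testIsUserAllowed` never pins what happens to an ACL entry written as a full principal, which is exactly the behaviour the production change alters. Going by the changed line in `AccessControlList`, a case such as `acl = new AccessControlList("drwho@APACHE.ORG"); assertUserNotAllowed(drwho, acl);` would record that such entries no longer grant access. All four test users share the realm `APACHE.ORG` and have no host component, so the realm-stripping itself is only tested for one shape of principal. A user in a second realm with the same name part would show whether the collision is accepted by design. The `allAllowed` branch of `isUserAllowed` is also not exercised by any of the five ACL strings here.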


