hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cnaur...@apache.org
Subject hadoop git commit: HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by Vinayakumar B.
Date Tue, 11 Nov 2014 21:33:55 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-2 6cbd3aa2e -> 7e1e0cbbb


HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by
Vinayakumar B.

(cherry picked from commit 163bb55067bde71246b4030a08256ba9a8182dc8)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/7e1e0cbb
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/7e1e0cbb
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/7e1e0cbb

Branch: refs/heads/branch-2
Commit: 7e1e0cbbb81f8ad9bea2c1cbec53001f23d94ed8
Parents: 6cbd3aa
Author: cnauroth <cnauroth@apache.org>
Authored: Tue Nov 11 13:29:55 2014 -0800
Committer: cnauroth <cnauroth@apache.org>
Committed: Tue Nov 11 13:32:26 2014 -0800

----------------------------------------------------------------------
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt     |  3 ++
 .../server/namenode/FSPermissionChecker.java    |  1 +
 .../hdfs/server/namenode/FSAclBaseTest.java     | 37 ++++++++++++++++++--
 3 files changed, 39 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/7e1e0cbb/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index a5e919b..2162c9a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -161,6 +161,9 @@ Release 2.7.0 - UNRELEASED
     HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write
     (brandonli)
 
+    HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity.
+    (Vinayakumar B via cnauroth)
+
 Release 2.6.0 - 2014-11-15
 
   INCOMPATIBLE CHANGES

http://git-wip-us.apache.org/repos/asf/hadoop/blob/7e1e0cbb/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
index 2c48051..f994f6b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@@ -327,6 +327,7 @@ class FSPermissionChecker {
               return;
             }
             foundMatch = true;
+            break;
           }
         } else if (type == AclEntryType.GROUP) {
           // Use group entry (unnamed or named) with mask from permission bits

http://git-wip-us.apache.org/repos/asf/hadoop/blob/7e1e0cbb/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
index adca0aa..5066feb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
@@ -65,6 +65,9 @@ public abstract class FSAclBaseTest {
   private static final UserGroupInformation SUPERGROUP_MEMBER =
     UserGroupInformation.createUserForTesting("super", new String[] {
       DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT });
+  // group member
+  private static final UserGroupInformation BOB = UserGroupInformation
+      .createUserForTesting("bob", new String[] { "groupY", "groupZ" });
 
   protected static MiniDFSCluster cluster;
   protected static Configuration conf;
@@ -74,7 +77,7 @@ public abstract class FSAclBaseTest {
   @Rule
   public ExpectedException exception = ExpectedException.none();
 
-  private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember;
+  private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob;
 
   @AfterClass
   public static void shutdown() {
@@ -93,7 +96,7 @@ public abstract class FSAclBaseTest {
   @After
   public void destroyFileSystems() {
     IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);
-    fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = null;
+    fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = fsAsBob = null;
   }
 
   @Test
@@ -1283,6 +1286,35 @@ public abstract class FSAclBaseTest {
     } catch (FileNotFoundException e) {
       // expected
     }
+
+    // Add a named group entry with only READ access
+    fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
+        aclEntry(ACCESS, GROUP, "groupY", READ)));
+    // Now bob should have read access, but not write
+    fsAsBob.access(p1, READ);
+    try {
+      fsAsBob.access(p1, WRITE);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected;
+    }
+
+    // Add another named group entry with WRITE access
+    fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
+        aclEntry(ACCESS, GROUP, "groupZ", WRITE)));
+    // Now bob should have write access
+    fsAsBob.access(p1, WRITE);
+
+    // Add a named user entry to deny bob
+    fsAsBruce.modifyAclEntries(p1,
+        Lists.newArrayList(aclEntry(ACCESS, USER, "bob", NONE)));
+
+    try {
+      fsAsBob.access(p1, READ);
+      fail("The access call should have failed.");
+    } catch (AccessControlException e) {
+      // expected;
+    }
   }
 
   /**
@@ -1316,6 +1348,7 @@ public abstract class FSAclBaseTest {
     fs = createFileSystem();
     fsAsBruce = createFileSystem(BRUCE);
     fsAsDiana = createFileSystem(DIANA);
+    fsAsBob = createFileSystem(BOB);
     fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER);
   }
 


Mime
View raw message