hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "BELUGA BEHR (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12640) Code Review AccessControlList
Date Mon, 14 Dec 2015 21:46:46 GMT
BELUGA BEHR created HADOOP-12640:

             Summary: Code Review AccessControlList
                 Key: HADOOP-12640
                 URL: https://issues.apache.org/jira/browse/HADOOP-12640
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.7.1
            Reporter: BELUGA BEHR
            Priority: Minor
         Attachments: AccessControlList.patch, TestAccessControlList.path

After some confusion of my own, in particular with "mapreduce.job.acl-view-job," I have looked
over the AccessControlList implementation and cleaned it up and clarified a few points.

1) I added tests to show that when including an asterisk in either the username or the group
field, it overrides everything and allows all access.

"user1,user2,user3 *" = all access
"* group1,group2" = all access
"* *" = all access
"* " = all access
" *" = all access

2) General clean-up and simplification

The code currently handled spaces in an asymmetric way. The code splits the ACL string on
a single space, but limits the resulting array to a size of two. So, as long as there are
no spaces in the user names section, it works fine, but any spaces subsequent to that did
not matter.

"user1,user2,user3 group1, group2,group3" - works as expected
["user1,user2,user3", "group1, group2,group3"]

"user1, user2,user3 group1,group2,group3" - Did not work as expected
["user1,","user2,user3, group1, group2,group3"]

The submitted patch will split on all spaces and log a warning if there are more than two
elements.  This enforces no spaces with the two comma-separated lists.

This message was sent by Atlassian JIRA

View raw message