HADOOP-17857. Check real user ACLs in addition to proxied user ACLs. Contributed by Eric Payne

2021-09-08 17:27:22 +02:00 · 2021-09-08 17:27:22 +02:00 · 5428d36b56
parent 5e166898aa
commit 5428d36b56
2 changed files with 27 additions and 3 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
@ -56,6 +56,7 @@ public class AccessControlList implements Writable {
  // Indicates an ACL string that represents access to all users
  public static final String WILDCARD_ACL_VALUE = "*";
  private static final int INITIAL_CAPACITY = 256;
+  public static final String USE_REAL_ACLS = "~";

  // Set of users who are granted access.
  private Collection<String> users;
@ -224,9 +225,12 @@ public class AccessControlList implements Writable {

  /**
   * Checks if a user represented by the provided {@link UserGroupInformation}
-   * is a member of the Access Control List
+   * is a member of the Access Control List. If user was proxied and
+   * USE_REAL_ACLS + the real user name is in the control list, then treat this
+   * case as if user were in the ACL list.
   * @param ugi UserGroupInformation to check if contained in the ACL
-   * @return true if ugi is member of the list
+   * @return true if ugi is member of the list or if USE_REAL_ACLS + real user
+   * is in the list
   */
  public final boolean isUserInList(UserGroupInformation ugi) {
    if (allAllowed || users.contains(ugi.getShortUserName())) {
@ -239,7 +243,9 @@ public class AccessControlList implements Writable {
        }
      }
    }
-    return false;
+    UserGroupInformation realUgi = ugi.getRealUser();
+    return realUgi != null &&
+           users.contains(USE_REAL_ACLS + realUgi.getShortUserName());
  }

  public boolean isUserAllowed(UserGroupInformation ugi) {
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
@ -471,4 +471,22 @@ public class TestAccessControlList {
        + " is incorrectly granted the access-control!!",
        acl.isUserAllowed(ugi));
  }
+
+  @Test
+  public void testUseRealUserAclsForProxiedUser() {
+    String realUser = "realUser";
+    AccessControlList acl = new AccessControlList(realUser);
+    UserGroupInformation realUserUgi =
+        UserGroupInformation.createRemoteUser(realUser);
+    UserGroupInformation user1 =
+        UserGroupInformation.createProxyUserForTesting("regularJane",
+            realUserUgi, new String [] {"group1"});
+    assertFalse("User " + user1 + " should not have been granted access.",
+        acl.isUserAllowed(user1));
+
+    acl = new AccessControlList(AccessControlList.USE_REAL_ACLS + realUser);
+
+    assertTrue("User " + user1 + " should have access but was denied.",
+        acl.isUserAllowed(user1));
+  }
 }