diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirAttrOp.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirAttrOp.java index 7575f5ec339..ef618e9e176 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirAttrOp.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirAttrOp.java @@ -90,7 +90,7 @@ public class FSDirAttrOp { if (username != null && !pc.getUser().equals(username)) { throw new AccessControlException("Non-super user cannot change owner"); } - if (group != null && !pc.containsGroup(group)) { + if (group != null && !pc.isMemberOfGroup(group)) { throw new AccessControlException("User does not belong to " + group); } } diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java index 726319fa705..c9b1c76b360 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java @@ -17,10 +17,7 @@ */ package org.apache.hadoop.hdfs.server.namenode; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashSet; -import java.util.Set; +import java.util.Collection; import java.util.Stack; import org.apache.commons.logging.Log; @@ -81,7 +78,7 @@ class FSPermissionChecker implements AccessControlEnforcer { private final UserGroupInformation callerUgi; private final String user; - private final Set groups; + private final Collection groups; private final boolean isSuper; private final INodeAttributeProvider attributeProvider; @@ -92,15 +89,13 @@ class FSPermissionChecker implements AccessControlEnforcer { this.fsOwner = fsOwner; this.supergroup = supergroup; this.callerUgi = callerUgi; - HashSet s = - new HashSet(Arrays.asList(callerUgi.getGroupNames())); - groups = Collections.unmodifiableSet(s); + this.groups = callerUgi.getGroups(); user = callerUgi.getShortUserName(); isSuper = user.equals(fsOwner) || groups.contains(supergroup); this.attributeProvider = attributeProvider; } - public boolean containsGroup(String group) { + public boolean isMemberOfGroup(String group) { return groups.contains(group); } @@ -108,10 +103,6 @@ class FSPermissionChecker implements AccessControlEnforcer { return user; } - public Set getGroups() { - return groups; - } - public boolean isSuperUser() { return isSuper; } @@ -337,7 +328,7 @@ class FSPermissionChecker implements AccessControlEnforcer { final FsAction checkAction; if (getUser().equals(inode.getUserName())) { //user class checkAction = mode.getUserAction(); - } else if (getGroups().contains(inode.getGroupName())) { //group class + } else if (isMemberOfGroup(inode.getGroupName())) { //group class checkAction = mode.getGroupAction(); } else { //other class checkAction = mode.getOtherAction(); @@ -407,7 +398,7 @@ class FSPermissionChecker implements AccessControlEnforcer { // member of multiple groups that have entries that grant access, then // it doesn't matter which is chosen, so exit early after first match. String group = name == null ? inode.getGroupName() : name; - if (getGroups().contains(group)) { + if (isMemberOfGroup(group)) { FsAction masked = AclEntryStatusFormat.getPermission(entry).and( mode.getGroupAction()); if (masked.implies(access)) { @@ -470,7 +461,7 @@ class FSPermissionChecker implements AccessControlEnforcer { && mode.getUserAction().implies(access)) { return; } - if (getGroups().contains(pool.getGroupName()) + if (isMemberOfGroup(pool.getGroupName()) && mode.getGroupAction().implies(access)) { return; }