HADOOP-15395. DefaultImpersonationProvider fails to parse proxy user config if username has . in it. Contributed by Ajay Kumar.

2018-07-25 21:09:11 +05:30 · 2018-07-25 21:09:11 +05:30 · 5f0b924360
parent 3c4fbc635e
commit 5f0b924360
2 changed files with 102 additions and 2 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
@ -75,9 +75,9 @@ public class DefaultImpersonationProvider implements ImpersonationProvider {
    //   $configPrefix.[ANY].hosts
    //
    String prefixRegEx = configPrefix.replace(".", "\\.");
-    String usersGroupsRegEx = prefixRegEx + "[^.]*(" +
+    String usersGroupsRegEx = prefixRegEx + "[\\S]*(" +
        Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";
-    String hostsRegEx = prefixRegEx + "[^.]*" + Pattern.quote(CONF_HOSTS);
+    String hostsRegEx = prefixRegEx + "[\\S]*" + Pattern.quote(CONF_HOSTS);

  // get list of users and groups per proxyuser
    Map<String,String> allMatchKeys = 
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestDefaultImpersonationProvider.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestDefaultImpersonationProvider.java
@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authorize;
+
+import static org.mockito.Mockito.when;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.test.LambdaTestUtils;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.Timeout;
+import org.mockito.Mockito;
+
+/**
+ * Test class for @DefaultImpersonationProvider
+ */
+public class TestDefaultImpersonationProvider {
+
+  private String proxyUser;
+  private String user;
+  private DefaultImpersonationProvider provider;
+  private UserGroupInformation userGroupInformation = Mockito
+      .mock(UserGroupInformation.class);
+  private UserGroupInformation realUserUGI = Mockito
+      .mock(UserGroupInformation.class);
+  private Configuration conf;
+  @Rule
+  public Timeout globalTimeout = new Timeout(10000);
+
+  @Before
+  public void setup() {
+    conf = new Configuration();
+    provider = new DefaultImpersonationProvider();
+
+    // Setup 3 proxy users
+    conf.set("hadoop.proxyuser.fakeuser.groups", "*");
+    conf.set("hadoop.proxyuser.fakeuser.hosts", "*");
+    conf.set("hadoop.proxyuser.test.user.groups", "*");
+    conf.set("hadoop.proxyuser.test.user.hosts", "*");
+    conf.set("hadoop.proxyuser.test user2.groups", "*");
+    conf.set("hadoop.proxyuser.test user2.hosts", "*");
+    provider.setConf(conf);
+    provider.init(ProxyUsers.CONF_HADOOP_PROXYUSER);
+  }
+
+  @Test
+  public void testAuthorizationSuccess() throws AuthorizationException {
+    proxyUser = "fakeuser";
+    user = "dummyUser";
+    when(realUserUGI.getShortUserName()).thenReturn(proxyUser);
+    when(userGroupInformation.getRealUser()).thenReturn(realUserUGI);
+    provider.authorize(userGroupInformation, "2.2.2.2");
+
+    user = "somerandomuser";
+    proxyUser = "test.user";
+    when(realUserUGI.getShortUserName()).thenReturn(proxyUser);
+    when(userGroupInformation.getRealUser()).thenReturn(realUserUGI);
+    provider.authorize(userGroupInformation, "2.2.2.2");
+  }
+
+  @Test
+  public void testAuthorizationFailure() throws Exception {
+    user = "dummyUser";
+    proxyUser = "test user2";
+    when(realUserUGI.getShortUserName()).thenReturn(proxyUser);
+    when(realUserUGI.getUserName()).thenReturn(proxyUser);
+    when(userGroupInformation.getUserName()).thenReturn(user);
+    when(userGroupInformation.getRealUser()).thenReturn(realUserUGI);
+    LambdaTestUtils.intercept(AuthorizationException.class, "User: "
+        + proxyUser + " is not allowed to impersonate " + user, () ->
+        provider.authorize(userGroupInformation, "2.2.2.2"));
+  }
+
+  @After
+  public void clear() {
+    provider = null;
+    conf = null;
+    userGroupInformation = null;
+    realUserUGI = null;
+  }
+
+}