HDFS-15053. RBF: Add permission check for safemode operation. Contributed by Xiaoqiao He.

Ayush Saxena 2019-12-14 17:57:23 +05:30
parent 7fe924b1c0
commit 72aee114f8
2 changed files with 48 additions and 9 deletions


@ -241,6 +241,13 @@ public class RouterAdminServer extends AbstractService
return this.adminAddress; return this.adminAddress;
} }
void checkSuperuserPrivilege() throws AccessControlException {
RouterPermissionChecker pc = RouterAdminServer.getPermissionChecker();
if (pc != null) {
pc.checkSuperuserPrivilege();
}
}
@Override @Override
protected void serviceInit(Configuration configuration) throws Exception { protected void serviceInit(Configuration configuration) throws Exception {
this.conf = configuration; this.conf = configuration;
@ -392,6 +399,7 @@ public class RouterAdminServer extends AbstractService
@Override @Override
public EnterSafeModeResponse enterSafeMode(EnterSafeModeRequest request) public EnterSafeModeResponse enterSafeMode(EnterSafeModeRequest request)
throws IOException { throws IOException {
checkSuperuserPrivilege();
boolean success = false; boolean success = false;
RouterSafemodeService safeModeService = this.router.getSafemodeService(); RouterSafemodeService safeModeService = this.router.getSafemodeService();
if (safeModeService != null) { if (safeModeService != null) {
@ -412,6 +420,7 @@ public class RouterAdminServer extends AbstractService
@Override @Override
public LeaveSafeModeResponse leaveSafeMode(LeaveSafeModeRequest request) public LeaveSafeModeResponse leaveSafeMode(LeaveSafeModeRequest request)
throws IOException { throws IOException {
checkSuperuserPrivilege();
boolean success = false; boolean success = false;
RouterSafemodeService safeModeService = this.router.getSafemodeService(); RouterSafemodeService safeModeService = this.router.getSafemodeService();
if (safeModeService != null) { if (safeModeService != null) {
@ -508,11 +517,7 @@ public class RouterAdminServer extends AbstractService
@Override @Override
public DisableNameserviceResponse disableNameservice( public DisableNameserviceResponse disableNameservice(
DisableNameserviceRequest request) throws IOException { DisableNameserviceRequest request) throws IOException {
checkSuperuserPrivilege();
RouterPermissionChecker pc = getPermissionChecker();
if (pc != null) {
pc.checkSuperuserPrivilege();
}
String nsId = request.getNameServiceId(); String nsId = request.getNameServiceId();
boolean success = false; boolean success = false;
@ -545,10 +550,7 @@ public class RouterAdminServer extends AbstractService
@Override @Override
public EnableNameserviceResponse enableNameservice( public EnableNameserviceResponse enableNameservice(
EnableNameserviceRequest request) throws IOException { EnableNameserviceRequest request) throws IOException {
RouterPermissionChecker pc = getPermissionChecker(); checkSuperuserPrivilege();
if (pc != null) {
pc.checkSuperuserPrivilege();
}
String nsId = request.getNameServiceId(); String nsId = request.getNameServiceId();
DisabledNameserviceStore store = getDisabledNameserviceStore(); DisabledNameserviceStore store = getDisabledNameserviceStore();
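Review bot: The new `checkSuperuserPrivilege()` helper fails open: when `RouterAdminServer.getPermissionChecker()` returns null it returns without checking anything, so `enterSafeMode`, `leaveSafeMode`, `disableNameservice` and `enableNameservice` all proceed for any caller in that case. If null only ever means that permission checking is switched off by configuration, state that in a Javadoc on the helper, e.g. `/** Verifies the caller is a superuser; does nothing when no permission checker is available (presumably permissions disabled; confirm). */`. If null can also arise for another reason, such as the checker not being initialised yet, the helper should throw `AccessControlException` rather than return. The bodies of the four RPC methods continue outside the hunks shown, so whether anything later in them re-checks the caller cannot be seen here.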


@ -862,6 +862,43 @@ public class TestRouterAdminCLI {
assertTrue(out.toString().contains("false")); assertTrue(out.toString().contains("false"));
} }
@Test
public void testSafeModePermission() throws Exception {
// ensure the Router become RUNNING state
waitState(RouterServiceState.RUNNING);
assertFalse(routerContext.getRouter().getSafemodeService().isInSafeMode());
UserGroupInformation superUser = UserGroupInformation.createRemoteUser(
UserGroupInformation.getCurrentUser().getShortUserName());
UserGroupInformation remoteUser = UserGroupInformation
.createRemoteUser(TEST_USER);
try {
// use normal user as current user to test
UserGroupInformation.setLoginUser(remoteUser);
assertEquals(-1,
ToolRunner.run(admin, new String[]{"-safemode", "enter"}));
// set back login user
UserGroupInformation.setLoginUser(superUser);
assertEquals(0,
ToolRunner.run(admin, new String[]{"-safemode", "enter"}));
// use normal user as current user to test
UserGroupInformation.setLoginUser(remoteUser);
assertEquals(-1,
ToolRunner.run(admin, new String[]{"-safemode", "leave"}));
// set back login user
UserGroupInformation.setLoginUser(superUser);
assertEquals(0,
ToolRunner.run(admin, new String[]{"-safemode", "leave"}));
} finally {
// set back login user to make sure it doesn't pollute other unit tests
// even this one fails.
UserGroupInformation.setLoginUser(superUser);
}
}
@Test @Test
public void testCreateInvalidEntry() throws Exception { public void testCreateInvalidEntry() throws Exception {
String[] argv = new String[] { String[] argv = new String[] {
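Review bot: The denied cases in `testSafeModePermission` assert only the CLI exit code `-1`, which any failure of the command would also produce, so the test does not prove that the router state was left untouched by the unprivileged call. After the `TEST_USER` attempt at `-safemode enter`, add `assertFalse(routerContext.getRouter().getSafemodeService().isInSafeMode());`, and after the denied `leave` add the matching `assertTrue(...)` on the same call. Separately, the `finally` block restores `superUser`, which is a fresh `createRemoteUser` object rather than the login user that was in place before the test. Capturing `UserGroupInformation.getLoginUser()` at the start and restoring that value would keep a substituted identity from leaking into later tests.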