HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity. Contributed by Vinayakumar B.

(cherry picked from commit 163bb55067)
2014-11-11 13:29:55 -08:00 · 2014-11-11 13:29:55 -08:00 · 7e1e0cbbb8
parent 6cbd3aa2e8
commit 7e1e0cbbb8
3 changed files with 39 additions and 2 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@ -161,6 +161,9 @@ Release 2.7.0 - UNRELEASED
    HDFS-7387. NFS may only do partial commit due to a race between COMMIT and write
    (brandonli)
    HDFS-7389. Named user ACL cannot stop the user from accessing the FS entity.
    (Vinayakumar B via cnauroth)
 Release 2.6.0 - 2014-11-15
  INCOMPATIBLE CHANGES
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@ -327,6 +327,7 @@ private void checkAccessAcl(INode inode, int snapshotId, FsAction access,
              return;
            }
            foundMatch = true;
            break;
          }
        } else if (type == AclEntryType.GROUP) {
          // Use group entry (unnamed or named) with mask from permission bits
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/FSAclBaseTest.java
@ -65,6 +65,9 @@ public abstract class FSAclBaseTest {
  private static final UserGroupInformation SUPERGROUP_MEMBER =
    UserGroupInformation.createUserForTesting("super", new String[] {
      DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT });
  // group member
  private static final UserGroupInformation BOB = UserGroupInformation
      .createUserForTesting("bob", new String[] { "groupY", "groupZ" });
  protected static MiniDFSCluster cluster;
  protected static Configuration conf;
@ -74,7 +77,7 @@ public abstract class FSAclBaseTest {
  @Rule
  public ExpectedException exception = ExpectedException.none();
-  private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember;
+  private FileSystem fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember, fsAsBob;
  @AfterClass
  public static void shutdown() {
@ -93,7 +96,7 @@ public void setUp() throws Exception {
  @After
  public void destroyFileSystems() {
    IOUtils.cleanup(null, fs, fsAsBruce, fsAsDiana, fsAsSupergroupMember);
-    fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = null;
+    fs = fsAsBruce = fsAsDiana = fsAsSupergroupMember = fsAsBob = null;
  }
  @Test
@ -1283,6 +1286,35 @@ public void testAccess() throws IOException, InterruptedException {
    } catch (FileNotFoundException e) {
      // expected
    }
    // Add a named group entry with only READ access
    fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
        aclEntry(ACCESS, GROUP, "groupY", READ)));
    // Now bob should have read access, but not write
    fsAsBob.access(p1, READ);
    try {
      fsAsBob.access(p1, WRITE);
      fail("The access call should have failed.");
    } catch (AccessControlException e) {
      // expected;
    }
    // Add another named group entry with WRITE access
    fsAsBruce.modifyAclEntries(p1, Lists.newArrayList(
        aclEntry(ACCESS, GROUP, "groupZ", WRITE)));
    // Now bob should have write access
    fsAsBob.access(p1, WRITE);
    // Add a named user entry to deny bob
    fsAsBruce.modifyAclEntries(p1,
        Lists.newArrayList(aclEntry(ACCESS, USER, "bob", NONE)));
    try {
      fsAsBob.access(p1, READ);
      fail("The access call should have failed.");
    } catch (AccessControlException e) {
      // expected;
    }
  }
  /**
@ -1316,6 +1348,7 @@ private void initFileSystems() throws Exception {
    fs = createFileSystem();
    fsAsBruce = createFileSystem(BRUCE);
    fsAsDiana = createFileSystem(DIANA);
    fsAsBob = createFileSystem(BOB);
    fsAsSupergroupMember = createFileSystem(SUPERGROUP_MEMBER);
  }