diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockPoolTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockPoolTokenSecretManager.java
index 4d3915e3fa3..bbd3750cbb9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockPoolTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockPoolTokenSecretManager.java
@@ -106,6 +106,26 @@ public class BlockPoolTokenSecretManager extends
 storageTypes);
 }
 
+ /**
+ * See {@link BlockTokenSecretManager#checkAccess(BlockTokenIdentifier,
+ * String, ExtendedBlock, BlockTokenIdentifier.AccessMode)}.
+ */
+ public void checkAccess(BlockTokenIdentifier id, String userId,
+ ExtendedBlock block, AccessMode mode)
+ throws InvalidToken {
+ get(block.getBlockPoolId()).checkAccess(id, userId, block, mode);
+ }
+
+ /**
+ * See {@link BlockTokenSecretManager#checkAccess(Token, String,
+ * ExtendedBlock, BlockTokenIdentifier.AccessMode)}.
+ */
+ public void checkAccess(Token token,
+ String userId, ExtendedBlock block, AccessMode mode)
+ throws InvalidToken {
+ get(block.getBlockPoolId()).checkAccess(token, userId, block, mode);
+ }
+
 /**
 * See {@link BlockTokenSecretManager#checkAccess(Token, String,
 * ExtendedBlock, BlockTokenIdentifier.AccessMode,
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
index 85fef13bd37..3b2e8d2ddd0 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
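Review bot: The Javadoc on the two new `checkAccess` overloads in BlockPoolTokenSecretManager is only a `{@link}` to the delegate, so a caller cannot tell that these variants take no storage types or storage IDs and therefore presumably do not check them, unlike the longer overload whose Javadoc begins in the trailing context and continues outside the hunk. I would add a sentence to each comment such as `* Storage types and storage IDs are not checked by this overload.` together with `* @throws InvalidToken if the token does not grant the requested access`. How `get(block.getBlockPoolId())` behaves for an unregistered block pool is not visible here; it is worth confirming that the chained call fails with a clear error rather than a NullPointerException.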
@@ -390,6 +390,26 @@ public class BlockTokenSecretManager extends
 }
 }
 
+ /** Check if access should be allowed. userID is not checked if null */
+ public void checkAccess(Token token, String userId,
+ ExtendedBlock block, BlockTokenIdentifier.AccessMode mode)
+ throws InvalidToken {
+ BlockTokenIdentifier id = new BlockTokenIdentifier();
+ try {
+ id.readFields(new DataInputStream(new ByteArrayInputStream(token
+ .getIdentifier())));
+ } catch (IOException e) {
+ throw new InvalidToken(
+ "Unable to de-serialize block token identifier for user=" + userId
+ + ", block=" + block + ", access mode=" + mode);
+ }
+ checkAccess(id, userId, block, mode);
+ if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
+ throw new InvalidToken("Block token with " + id
+ + " doesn't have the correct token password");
+ }
+ }
+
 private static boolean isExpired(long expiryDate) {
 return Time.now() > expiryDate;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
index 4bdd34c2af5..9c537a432f5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
@@ -217,9 +217,14 @@ public class TestBlockToken { Token t, ExtendedBlock blk, BlockTokenIdentifier.AccessMode mode, StorageType[] storageTypes, String[] storageIds) throws IOException { - if(storageIds == null) { + if (storageIds == null) { // Test overloaded checkAccess method. m.checkAccess(t.decodeIdentifier(), null, blk, mode, storageTypes); + + if (storageTypes == null) { + // Test overloaded checkAccess method. + m.checkAccess(t, null, blk, mode); + } } m.checkAccess(t, null, blk, mode, storageTypes, storageIds); }
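Review bot: The password check in the new `checkAccess(Token, ...)` of BlockTokenSecretManager uses `Arrays.equals`, which returns at the first differing byte; because this value authenticates the token, a constant-time comparison is the safer choice: `if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {` (this needs `java.security.MessageDigest`, whose import is not visible in the hunk). The comparison also runs only after `checkAccess(id, userId, block, mode)` has evaluated the still-unauthenticated identifier, so verifying the password first would keep unverified fields out of that logic. The `catch (IOException e)` discards the cause, which could be kept with `throw (InvalidToken) new InvalidToken(...).initCause(e);`. The method lies entirely inside the hunk.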
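Review bot: The added branch in TestBlockToken repeats the comment `// Test overloaded checkAccess method.` word for word, so the two calls cannot be told apart when one of them fails; the inner one could read `// Test the Token overload that takes no storage types or IDs.`. The branch also exercises only the accepting path of the new overload, so a case that alters the token password and expects `InvalidToken` would pin the password check added in BlockTokenSecretManager. The helper's signature starts above the hunk.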
@@ -807,6 +812,7 @@ public class TestBlockToken { sm.checkAccess(id, null, block3, mode, storageTypes, null); sm.checkAccess(id, null, block3, mode, storageTypes); + sm.checkAccess(id, null, block3, mode); } @Test