From b2017d9b032af20044fdf60ddbd1575a554ccb79 Mon Sep 17 00:00:00 2001 From: cnauroth Date: Tue, 15 Sep 2015 10:41:50 -0700 Subject: [PATCH] HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu. --- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../hadoop/security/authorize/AccessControlList.java | 2 +- .../hadoop/security/authorize/TestAccessControlList.java | 9 +++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index a7ea0aa171b..fe09120106b 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -776,6 +776,9 @@ Release 2.8.0 - UNRELEASED HADOOP-12324. Better exception reporting in SaslPlainServer. (Mike Yoder via stevel) + HADOOP-12413. AccessControlList should avoid calling getGroupNames in + isUserInList with empty groups. (Zhihai Xu via cnauroth) + OPTIMIZATIONS HADOOP-11785. Reduce the number of listStatus operation in distcp diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java index f19776fc139..b1b474b5a8d 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -230,7 +230,7 @@ public class AccessControlList implements Writable { public final boolean isUserInList(UserGroupInformation ugi) { if (allAllowed || users.contains(ugi.getShortUserName())) { return true; - } else { + } else if (!groups.isEmpty()) { for(String group: ugi.getGroupNames()) { if (groups.contains(group)) { return true; diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java index 75b944d2cf8..ddf74d1b1e0 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java @@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.NativeCodeLoader; import org.junit.Test; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.verify; + @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceStability.Evolving public class TestAccessControlList { @@ -449,6 +453,11 @@ public class TestAccessControlList { assertUserAllowed(susan, acl); assertUserAllowed(barbara, acl); assertUserAllowed(ian, acl); + + acl = new AccessControlList(""); + UserGroupInformation spyUser = spy(drwho); + acl.isUserAllowed(spyUser); + verify(spyUser, never()).getGroupNames(); } private void assertUserAllowed(UserGroupInformation ugi,