diff --git a/CHANGES.txt b/CHANGES.txt index 4930d870f08..30775bd0b7d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -108,6 +108,8 @@ Trunk (unreleased changes) HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong) + HADOOP-6862. Adds api to add/remove user and group to AccessControlList + (amareshwari) OPTIMIZATIONS BUG FIXES diff --git a/src/java/org/apache/hadoop/security/authorize/AccessControlList.java b/src/java/org/apache/hadoop/security/authorize/AccessControlList.java index 78290d72110..6a60d2b6159 100644 --- a/src/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/src/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -17,7 +17,6 @@ */ package org.apache.hadoop.security.authorize; -import java.util.Iterator; import java.util.Set; import java.util.TreeSet; @@ -54,8 +53,7 @@ public class AccessControlList { public AccessControlList(String aclString) { users = new TreeSet(); groups = new TreeSet(); - if (aclString.contains(WILDCARD_ACL_VALUE) && - aclString.trim().equals(WILDCARD_ACL_VALUE)) { + if (isWildCardACLValue(aclString)) { allAllowed = true; } else { String[] userGroupStrings = aclString.split(" ", 2); @@ -76,10 +74,79 @@ public class AccessControlList { } } + private boolean isWildCardACLValue(String aclString) { + if (aclString.contains(WILDCARD_ACL_VALUE) && + aclString.trim().equals(WILDCARD_ACL_VALUE)) { + return true; + } + return false; + } + public boolean isAllAllowed() { return allAllowed; } + /** + * Add user to the names of users allowed for this service. + * + * @param user + * The user name + */ + public void addUser(String user) { + if (isWildCardACLValue(user)) { + throw new IllegalArgumentException("User " + user + " can not be added"); + } + if (!isAllAllowed()) { + users.add(user); + } + } + + /** + * Add group to the names of groups allowed for this service. + * + * @param group + * The group name + */ + public void addGroup(String group) { + if (isWildCardACLValue(group)) { + throw new IllegalArgumentException("Group " + group + " can not be added"); + } + if (!isAllAllowed()) { + groups.add(group); + } + } + + /** + * Remove user from the names of users allowed for this service. + * + * @param user + * The user name + */ + public void removeUser(String user) { + if (isWildCardACLValue(user)) { + throw new IllegalArgumentException("User " + user + " can not be removed"); + } + if (!isAllAllowed()) { + users.remove(user); + } + } + + /** + * Remove group from the names of groups allowed for this service. + * + * @param group + * The group name + */ + public void removeGroup(String group) { + if (isWildCardACLValue(group)) { + throw new IllegalArgumentException("Group " + group + + " can not be removed"); + } + if (!isAllAllowed()) { + groups.remove(group); + } + } + /** * Get the names of users allowed for this service. * @return the set of user names. the set must not be modified. diff --git a/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java b/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java index 581e434da86..fa51b0e2e2f 100644 --- a/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java +++ b/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java @@ -92,6 +92,138 @@ public class TestAccessControlList extends TestCase { assertEquals(iter.next(), "users"); } + /** + * Test addUser/Group and removeUser/Group api. + */ + public void testAddRemoveAPI() { + AccessControlList acl; + Set users; + Set groups; + acl = new AccessControlList(""); + assertEquals(0, acl.getUsers().size()); + assertEquals(0, acl.getGroups().size()); + assertEquals("", acl.toString()); + + acl.addUser("drwho"); + users = acl.getUsers(); + assertEquals(users.size(), 1); + assertEquals(users.iterator().next(), "drwho"); + assertEquals("drwho", acl.toString()); + + acl.addGroup("tardis"); + groups = acl.getGroups(); + assertEquals(groups.size(), 1); + assertEquals(groups.iterator().next(), "tardis"); + assertEquals("drwho tardis", acl.toString()); + + acl.addUser("joe"); + acl.addGroup("users"); + users = acl.getUsers(); + assertEquals(users.size(), 2); + Iterator iter = users.iterator(); + assertEquals(iter.next(), "drwho"); + assertEquals(iter.next(), "joe"); + groups = acl.getGroups(); + assertEquals(groups.size(), 2); + iter = groups.iterator(); + assertEquals(iter.next(), "tardis"); + assertEquals(iter.next(), "users"); + assertEquals("drwho,joe tardis,users", acl.toString()); + + acl.removeUser("joe"); + acl.removeGroup("users"); + users = acl.getUsers(); + assertEquals(users.size(), 1); + assertFalse(users.contains("joe")); + groups = acl.getGroups(); + assertEquals(groups.size(), 1); + assertFalse(groups.contains("users")); + assertEquals("drwho tardis", acl.toString()); + + acl.removeGroup("tardis"); + groups = acl.getGroups(); + assertEquals(0, groups.size()); + assertFalse(groups.contains("tardis")); + assertEquals("drwho", acl.toString()); + + acl.removeUser("drwho"); + assertEquals(0, users.size()); + assertFalse(users.contains("drwho")); + assertEquals(0, acl.getGroups().size()); + assertEquals(0, acl.getUsers().size()); + assertEquals("", acl.toString()); + } + + /** + * Tests adding/removing wild card as the user/group. + */ + public void testAddRemoveWildCard() { + AccessControlList acl = new AccessControlList("drwho tardis"); + + Throwable th = null; + try { + acl.addUser(" * "); + } catch (Throwable t) { + th = t; + } + assertNotNull(th); + assertTrue(th instanceof IllegalArgumentException); + + th = null; + try { + acl.addGroup(" * "); + } catch (Throwable t) { + th = t; + } + assertNotNull(th); + assertTrue(th instanceof IllegalArgumentException); + th = null; + try { + acl.removeUser(" * "); + } catch (Throwable t) { + th = t; + } + assertNotNull(th); + assertTrue(th instanceof IllegalArgumentException); + th = null; + try { + acl.removeGroup(" * "); + } catch (Throwable t) { + th = t; + } + assertNotNull(th); + assertTrue(th instanceof IllegalArgumentException); + } + + /** + * Tests adding user/group to an wild card acl. + */ + public void testAddRemoveToWildCardACL() { + AccessControlList acl = new AccessControlList(" * "); + assertTrue(acl.isAllAllowed()); + + UserGroupInformation drwho = + UserGroupInformation.createUserForTesting("drwho@APACHE.ORG", + new String[] { "aliens" }); + UserGroupInformation drwho2 = + UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG", + new String[] { "tardis" }); + + acl.addUser("drwho"); + assertTrue(acl.isAllAllowed()); + assertFalse(acl.toString().contains("drwho")); + acl.addGroup("tardis"); + assertTrue(acl.isAllAllowed()); + assertFalse(acl.toString().contains("tardis")); + + acl.removeUser("drwho"); + assertTrue(acl.isAllAllowed()); + assertUserAllowed(drwho, acl); + acl.removeGroup("tardis"); + assertTrue(acl.isAllAllowed()); + assertUserAllowed(drwho2, acl); + } + /** * Verify the method isUserAllowed() */