HADOOP-6862. Adds api to add/remove user and group to AccessControlList. Contributed by Amareshwari Sriramadasu
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@983877 13f79535-47bb-0310-9956-ffa450edef68
parent
714e5f7165
commit
bd121ed635
|
@ -108,6 +108,8 @@ Trunk (unreleased changes)
|
||||||
|
|
||||||
HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)
|
HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)
|
||||||
|
|
||||||
|
HADOOP-6862. Adds api to add/remove user and group to AccessControlList
|
||||||
|
(amareshwari)
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.security.authorize;
|
package org.apache.hadoop.security.authorize;
|
||||||
|
|
||||||
import java.util.Iterator;
|
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.TreeSet;
|
import java.util.TreeSet;
|
||||||
|
|
||||||
|
@ -54,8 +53,7 @@ public class AccessControlList {
|
||||||
public AccessControlList(String aclString) {
|
public AccessControlList(String aclString) {
|
||||||
users = new TreeSet<String>();
|
users = new TreeSet<String>();
|
||||||
groups = new TreeSet<String>();
|
groups = new TreeSet<String>();
|
||||||
if (aclString.contains(WILDCARD_ACL_VALUE) &&
|
if (isWildCardACLValue(aclString)) {
|
||||||
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
|
|
||||||
allAllowed = true;
|
allAllowed = true;
|
||||||
} else {
|
} else {
|
||||||
String[] userGroupStrings = aclString.split(" ", 2);
|
String[] userGroupStrings = aclString.split(" ", 2);
|
||||||
|
@ -76,10 +74,79 @@ public class AccessControlList {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean isWildCardACLValue(String aclString) {
|
||||||
|
if (aclString.contains(WILDCARD_ACL_VALUE) &&
|
||||||
|
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
public boolean isAllAllowed() {
|
public boolean isAllAllowed() {
|
||||||
return allAllowed;
|
return allAllowed;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add user to the names of users allowed for this service.
|
||||||
|
*
|
||||||
|
* @param user
|
||||||
|
* The user name
|
||||||
|
*/
|
||||||
|
public void addUser(String user) {
|
||||||
|
if (isWildCardACLValue(user)) {
|
||||||
|
throw new IllegalArgumentException("User " + user + " can not be added");
|
||||||
|
}
|
||||||
|
if (!isAllAllowed()) {
|
||||||
|
users.add(user);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add group to the names of groups allowed for this service.
|
||||||
|
*
|
||||||
|
* @param group
|
||||||
|
* The group name
|
||||||
|
*/
|
||||||
|
public void addGroup(String group) {
|
||||||
|
if (isWildCardACLValue(group)) {
|
||||||
|
throw new IllegalArgumentException("Group " + group + " can not be added");
|
||||||
|
}
|
||||||
|
if (!isAllAllowed()) {
|
||||||
|
groups.add(group);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Remove user from the names of users allowed for this service.
|
||||||
|
*
|
||||||
|
* @param user
|
||||||
|
* The user name
|
||||||
|
*/
|
||||||
|
public void removeUser(String user) {
|
||||||
|
if (isWildCardACLValue(user)) {
|
||||||
|
throw new IllegalArgumentException("User " + user + " can not be removed");
|
||||||
|
}
|
||||||
|
if (!isAllAllowed()) {
|
||||||
|
users.remove(user);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Remove group from the names of groups allowed for this service.
|
||||||
|
*
|
||||||
|
* @param group
|
||||||
|
* The group name
|
||||||
|
*/
|
||||||
|
public void removeGroup(String group) {
|
||||||
|
if (isWildCardACLValue(group)) {
|
||||||
|
throw new IllegalArgumentException("Group " + group
|
||||||
|
+ " can not be removed");
|
||||||
|
}
|
||||||
|
if (!isAllAllowed()) {
|
||||||
|
groups.remove(group);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the names of users allowed for this service.
|
* Get the names of users allowed for this service.
|
||||||
* @return the set of user names. the set must not be modified.
|
* @return the set of user names. the set must not be modified.
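Review bot: addUser and addGroup accept any string except the wildcard, so a name that is empty or contains a space or comma is stored as one entry but no longer means the same thing once the ACL is serialized and parsed again: the constructor splits on `" "` and the tests show the form `drwho,joe tardis,users` (the comma handling lies outside the visible hunks, so that part is inferred). If a name can reach these methods from configuration or a request rather than trusted code, the round-tripped ACL could grant access to principals nobody added. I would reject such names at the top of both add methods, e.g. `if (user == null || user.isEmpty() || user.indexOf(' ') >= 0 || user.indexOf(',') >= 0) { throw new IllegalArgumentException("Invalid user name: " + user); }`. Separately, removeUser and removeGroup return silently when isAllAllowed() is true, so the caller gets no signal that everyone is still allowed; the Javadoc should say so, for example `No-op if this ACL is the wildcard; all users remain allowed.`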
|
||||||
|
|
|
@ -92,6 +92,138 @@ public class TestAccessControlList extends TestCase {
|
||||||
assertEquals(iter.next(), "users");
|
assertEquals(iter.next(), "users");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test addUser/Group and removeUser/Group api.
|
||||||
|
*/
|
||||||
|
public void testAddRemoveAPI() {
|
||||||
|
AccessControlList acl;
|
||||||
|
Set<String> users;
|
||||||
|
Set<String> groups;
|
||||||
|
acl = new AccessControlList("");
|
||||||
|
assertEquals(0, acl.getUsers().size());
|
||||||
|
assertEquals(0, acl.getGroups().size());
|
||||||
|
assertEquals("", acl.toString());
|
||||||
|
|
||||||
|
acl.addUser("drwho");
|
||||||
|
users = acl.getUsers();
|
||||||
|
assertEquals(users.size(), 1);
|
||||||
|
assertEquals(users.iterator().next(), "drwho");
|
||||||
|
assertEquals("drwho", acl.toString());
|
||||||
|
|
||||||
|
acl.addGroup("tardis");
|
||||||
|
groups = acl.getGroups();
|
||||||
|
assertEquals(groups.size(), 1);
|
||||||
|
assertEquals(groups.iterator().next(), "tardis");
|
||||||
|
assertEquals("drwho tardis", acl.toString());
|
||||||
|
|
||||||
|
acl.addUser("joe");
|
||||||
|
acl.addGroup("users");
|
||||||
|
users = acl.getUsers();
|
||||||
|
assertEquals(users.size(), 2);
|
||||||
|
Iterator<String> iter = users.iterator();
|
||||||
|
assertEquals(iter.next(), "drwho");
|
||||||
|
assertEquals(iter.next(), "joe");
|
||||||
|
groups = acl.getGroups();
|
||||||
|
assertEquals(groups.size(), 2);
|
||||||
|
iter = groups.iterator();
|
||||||
|
assertEquals(iter.next(), "tardis");
|
||||||
|
assertEquals(iter.next(), "users");
|
||||||
|
assertEquals("drwho,joe tardis,users", acl.toString());
|
||||||
|
|
||||||
|
acl.removeUser("joe");
|
||||||
|
acl.removeGroup("users");
|
||||||
|
users = acl.getUsers();
|
||||||
|
assertEquals(users.size(), 1);
|
||||||
|
assertFalse(users.contains("joe"));
|
||||||
|
groups = acl.getGroups();
|
||||||
|
assertEquals(groups.size(), 1);
|
||||||
|
assertFalse(groups.contains("users"));
|
||||||
|
assertEquals("drwho tardis", acl.toString());
|
||||||
|
|
||||||
|
acl.removeGroup("tardis");
|
||||||
|
groups = acl.getGroups();
|
||||||
|
assertEquals(0, groups.size());
|
||||||
|
assertFalse(groups.contains("tardis"));
|
||||||
|
assertEquals("drwho", acl.toString());
|
||||||
|
|
||||||
|
acl.removeUser("drwho");
|
||||||
|
assertEquals(0, users.size());
|
||||||
|
assertFalse(users.contains("drwho"));
|
||||||
|
assertEquals(0, acl.getGroups().size());
|
||||||
|
assertEquals(0, acl.getUsers().size());
|
||||||
|
assertEquals("", acl.toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tests adding/removing wild card as the user/group.
|
||||||
|
*/
|
||||||
|
public void testAddRemoveWildCard() {
|
||||||
|
AccessControlList acl = new AccessControlList("drwho tardis");
|
||||||
|
|
||||||
|
Throwable th = null;
|
||||||
|
try {
|
||||||
|
acl.addUser(" * ");
|
||||||
|
} catch (Throwable t) {
|
||||||
|
th = t;
|
||||||
|
}
|
||||||
|
assertNotNull(th);
|
||||||
|
assertTrue(th instanceof IllegalArgumentException);
|
||||||
|
|
||||||
|
th = null;
|
||||||
|
try {
|
||||||
|
acl.addGroup(" * ");
|
||||||
|
} catch (Throwable t) {
|
||||||
|
th = t;
|
||||||
|
}
|
||||||
|
assertNotNull(th);
|
||||||
|
assertTrue(th instanceof IllegalArgumentException);
|
||||||
|
th = null;
|
||||||
|
try {
|
||||||
|
acl.removeUser(" * ");
|
||||||
|
} catch (Throwable t) {
|
||||||
|
th = t;
|
||||||
|
}
|
||||||
|
assertNotNull(th);
|
||||||
|
assertTrue(th instanceof IllegalArgumentException);
|
||||||
|
th = null;
|
||||||
|
try {
|
||||||
|
acl.removeGroup(" * ");
|
||||||
|
} catch (Throwable t) {
|
||||||
|
th = t;
|
||||||
|
}
|
||||||
|
assertNotNull(th);
|
||||||
|
assertTrue(th instanceof IllegalArgumentException);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tests adding user/group to an wild card acl.
|
||||||
|
*/
|
||||||
|
public void testAddRemoveToWildCardACL() {
|
||||||
|
AccessControlList acl = new AccessControlList(" * ");
|
||||||
|
assertTrue(acl.isAllAllowed());
|
||||||
|
|
||||||
|
UserGroupInformation drwho =
|
||||||
|
UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
|
||||||
|
new String[] { "aliens" });
|
||||||
|
UserGroupInformation drwho2 =
|
||||||
|
UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
|
||||||
|
new String[] { "tardis" });
|
||||||
|
|
||||||
|
acl.addUser("drwho");
|
||||||
|
assertTrue(acl.isAllAllowed());
|
||||||
|
assertFalse(acl.toString().contains("drwho"));
|
||||||
|
acl.addGroup("tardis");
|
||||||
|
assertTrue(acl.isAllAllowed());
|
||||||
|
assertFalse(acl.toString().contains("tardis"));
|
||||||
|
|
||||||
|
acl.removeUser("drwho");
|
||||||
|
assertTrue(acl.isAllAllowed());
|
||||||
|
assertUserAllowed(drwho, acl);
|
||||||
|
acl.removeGroup("tardis");
|
||||||
|
assertTrue(acl.isAllAllowed());
|
||||||
|
assertUserAllowed(drwho2, acl);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify the method isUserAllowed()
|
* Verify the method isUserAllowed()
|
||||||
*/
|
*/
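Review bot: testAddRemoveAPI verifies removal only through getUsers(), getGroups() and toString(), so nothing in this section asserts that a removed user or group is actually denied; the only authorization check added is assertUserAllowed on the wildcard ACL in testAddRemoveToWildCardACL. After `acl.removeUser("joe")` on the non-wildcard ACL I would build a UserGroupInformation for joe with createUserForTesting and add `assertFalse(acl.isUserAllowed(joe));`, and do the same for a member of a removed group. Also, `assertEquals(0, users.size())` after `acl.removeUser("drwho")` reads the `users` reference fetched before the removal, so it passes only because getUsers() appears to hand out the live internal set; re-fetching with `users = acl.getUsers();` keeps the test independent of that aliasing. In testAddRemoveWildCard the rejected calls are not followed by a check that the ACL is unchanged, which `assertEquals("drwho tardis", acl.toString());` after each catch would cover.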
|
||||||
|
|