HADOOP-6862. Adds api to add/remove user and group to AccessControlList. Contributed by Amareshwari Sriramadasu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@983877 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -108,6 +108,8 @@ Trunk (unreleased changes)
 
     HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)
 
+    HADOOP-6862. Adds api to add/remove user and group to AccessControlList
+    (amareshwari)
   OPTIMIZATIONS
 
   BUG FIXES

src/java/org/apache/hadoop/security/authorize/AccessControlList.java

@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.security.authorize;
 
-import java.util.Iterator;
 import java.util.Set;
 import java.util.TreeSet;
 
@@ -54,8 +53,7 @@ public class AccessControlList {
   public AccessControlList(String aclString) {
     users = new TreeSet<String>();
     groups = new TreeSet<String>();
-    if (aclString.contains(WILDCARD_ACL_VALUE) && 
+    if (isWildCardACLValue(aclString)) {
-        aclString.trim().equals(WILDCARD_ACL_VALUE)) {
       allAllowed = true;
     } else {
       String[] userGroupStrings = aclString.split(" ", 2);
@@ -76,10 +74,79 @@ public class AccessControlList {
     }
   }
   
+  private boolean isWildCardACLValue(String aclString) {
+    if (aclString.contains(WILDCARD_ACL_VALUE) && 
+        aclString.trim().equals(WILDCARD_ACL_VALUE)) {
+      return true;
+    }
+    return false;
+  }
+
   public boolean isAllAllowed() {
     return allAllowed;
   }
   
+  /**
+   * Add user to the names of users allowed for this service.
+   * 
+   * @param user
+   *          The user name
+   */
+  public void addUser(String user) {
+    if (isWildCardACLValue(user)) {
+      throw new IllegalArgumentException("User " + user + " can not be added");
+    }
+    if (!isAllAllowed()) {
+      users.add(user);
+    }
+  }
+
+  /**
+   * Add group to the names of groups allowed for this service.
+   * 
+   * @param group
+   *          The group name
+   */
+  public void addGroup(String group) {
+    if (isWildCardACLValue(group)) {
+      throw new IllegalArgumentException("Group " + group + " can not be added");
+    }
+    if (!isAllAllowed()) {
+      groups.add(group);
+    }
+  }
+
+  /**
+   * Remove user from the names of users allowed for this service.
+   * 
+   * @param user
+   *          The user name
+   */
+  public void removeUser(String user) {
+    if (isWildCardACLValue(user)) {
+      throw new IllegalArgumentException("User " + user + " can not be removed");
+    }
+    if (!isAllAllowed()) {
+      users.remove(user);
+    }
+  }
+
+  /**
+   * Remove group from the names of groups allowed for this service.
+   * 
+   * @param group
+   *          The group name
+   */
+  public void removeGroup(String group) {
+    if (isWildCardACLValue(group)) {
+      throw new IllegalArgumentException("Group " + group
+          + " can not be removed");
+    }
+    if (!isAllAllowed()) {
+      groups.remove(group);
+    }
+  }
+
   /**
    * Get the names of users allowed for this service.
    * @return the set of user names. the set must not be modified.

src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java

@@ -92,6 +92,138 @@ public class TestAccessControlList extends TestCase {
     assertEquals(iter.next(), "users");
   }
 
+  /**
+   * Test addUser/Group and removeUser/Group api.
+   */
+  public void testAddRemoveAPI() {
+    AccessControlList acl;
+    Set<String> users;
+    Set<String> groups;
+    acl = new AccessControlList("");
+    assertEquals(0, acl.getUsers().size());
+    assertEquals(0, acl.getGroups().size());
+    assertEquals("", acl.toString());
+    
+    acl.addUser("drwho");
+    users = acl.getUsers();
+    assertEquals(users.size(), 1);
+    assertEquals(users.iterator().next(), "drwho");
+    assertEquals("drwho", acl.toString());
+    
+    acl.addGroup("tardis");
+    groups = acl.getGroups();
+    assertEquals(groups.size(), 1);
+    assertEquals(groups.iterator().next(), "tardis");
+    assertEquals("drwho tardis", acl.toString());
+    
+    acl.addUser("joe");
+    acl.addGroup("users");
+    users = acl.getUsers();
+    assertEquals(users.size(), 2);
+    Iterator<String> iter = users.iterator();
+    assertEquals(iter.next(), "drwho");
+    assertEquals(iter.next(), "joe");
+    groups = acl.getGroups();
+    assertEquals(groups.size(), 2);
+    iter = groups.iterator();
+    assertEquals(iter.next(), "tardis");
+    assertEquals(iter.next(), "users");
+    assertEquals("drwho,joe tardis,users", acl.toString());
+
+    acl.removeUser("joe");
+    acl.removeGroup("users");
+    users = acl.getUsers();
+    assertEquals(users.size(), 1);
+    assertFalse(users.contains("joe"));
+    groups = acl.getGroups();
+    assertEquals(groups.size(), 1);
+    assertFalse(groups.contains("users"));
+    assertEquals("drwho tardis", acl.toString());
+    
+    acl.removeGroup("tardis");
+    groups = acl.getGroups();
+    assertEquals(0, groups.size());
+    assertFalse(groups.contains("tardis"));
+    assertEquals("drwho", acl.toString());
+    
+    acl.removeUser("drwho");
+    assertEquals(0, users.size());
+    assertFalse(users.contains("drwho"));
+    assertEquals(0, acl.getGroups().size());
+    assertEquals(0, acl.getUsers().size());
+    assertEquals("", acl.toString());
+  }
+  
+  /**
+   * Tests adding/removing wild card as the user/group.
+   */
+  public void testAddRemoveWildCard() {
+    AccessControlList acl = new AccessControlList("drwho tardis");
+    
+    Throwable th = null;
+    try {
+      acl.addUser(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+    
+    th = null;
+    try {
+      acl.addGroup(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+    th = null;
+    try {
+    acl.removeUser(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+    th = null;
+    try {
+    acl.removeGroup(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+  }
+  
+  /**
+   * Tests adding user/group to an wild card acl.
+   */
+  public void testAddRemoveToWildCardACL() {
+    AccessControlList acl = new AccessControlList(" * ");
+    assertTrue(acl.isAllAllowed());
+
+    UserGroupInformation drwho =
+      UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
+          new String[] { "aliens" });
+    UserGroupInformation drwho2 =
+      UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
+          new String[] { "tardis" });
+
+    acl.addUser("drwho");
+    assertTrue(acl.isAllAllowed());
+    assertFalse(acl.toString().contains("drwho"));
+    acl.addGroup("tardis");
+    assertTrue(acl.isAllAllowed());
+    assertFalse(acl.toString().contains("tardis"));
+   
+    acl.removeUser("drwho");
+    assertTrue(acl.isAllAllowed());
+    assertUserAllowed(drwho, acl);
+    acl.removeGroup("tardis");
+    assertTrue(acl.isAllAllowed());
+    assertUserAllowed(drwho2, acl);
+  }
+
   /**
    * Verify the method isUserAllowed()
    */