HADOOP-6862. Adds api to add/remove user and group to AccessControlList. Contributed by Amareshwari Sriramadasu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@983877 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Amareshwari Sri Ramadasu 2010-08-10 08:10:40 +00:00
parent 714e5f7165
commit bd121ed635
3 changed files with 204 additions and 3 deletions

View File

@ -108,6 +108,8 @@ Trunk (unreleased changes)
HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)
HADOOP-6862. Adds api to add/remove user and group to AccessControlList
(amareshwari)
OPTIMIZATIONS
BUG FIXES

View File

@ -17,7 +17,6 @@
*/
package org.apache.hadoop.security.authorize;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
@ -54,8 +53,7 @@ public class AccessControlList {
public AccessControlList(String aclString) {
users = new TreeSet<String>();
groups = new TreeSet<String>();
if (aclString.contains(WILDCARD_ACL_VALUE) &&
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
if (isWildCardACLValue(aclString)) {
allAllowed = true;
} else {
String[] userGroupStrings = aclString.split(" ", 2);
@ -76,10 +74,79 @@ public class AccessControlList {
}
}
private boolean isWildCardACLValue(String aclString) {
if (aclString.contains(WILDCARD_ACL_VALUE) &&
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
return true;
}
return false;
}
public boolean isAllAllowed() {
return allAllowed;
}
/**
* Add user to the names of users allowed for this service.
*
* @param user
* The user name
*/
public void addUser(String user) {
if (isWildCardACLValue(user)) {
throw new IllegalArgumentException("User " + user + " can not be added");
}
if (!isAllAllowed()) {
users.add(user);
}
}
/**
* Add group to the names of groups allowed for this service.
*
* @param group
* The group name
*/
public void addGroup(String group) {
if (isWildCardACLValue(group)) {
throw new IllegalArgumentException("Group " + group + " can not be added");
}
if (!isAllAllowed()) {
groups.add(group);
}
}
/**
* Remove user from the names of users allowed for this service.
*
* @param user
* The user name
*/
public void removeUser(String user) {
if (isWildCardACLValue(user)) {
throw new IllegalArgumentException("User " + user + " can not be removed");
}
if (!isAllAllowed()) {
users.remove(user);
}
}
/**
* Remove group from the names of groups allowed for this service.
*
* @param group
* The group name
*/
public void removeGroup(String group) {
if (isWildCardACLValue(group)) {
throw new IllegalArgumentException("Group " + group
+ " can not be removed");
}
if (!isAllAllowed()) {
groups.remove(group);
}
}
/**
* Get the names of users allowed for this service.
* @return the set of user names. the set must not be modified.

View File

@ -92,6 +92,138 @@ public class TestAccessControlList extends TestCase {
assertEquals(iter.next(), "users");
}
/**
* Test addUser/Group and removeUser/Group api.
*/
public void testAddRemoveAPI() {
AccessControlList acl;
Set<String> users;
Set<String> groups;
acl = new AccessControlList("");
assertEquals(0, acl.getUsers().size());
assertEquals(0, acl.getGroups().size());
assertEquals("", acl.toString());
acl.addUser("drwho");
users = acl.getUsers();
assertEquals(users.size(), 1);
assertEquals(users.iterator().next(), "drwho");
assertEquals("drwho", acl.toString());
acl.addGroup("tardis");
groups = acl.getGroups();
assertEquals(groups.size(), 1);
assertEquals(groups.iterator().next(), "tardis");
assertEquals("drwho tardis", acl.toString());
acl.addUser("joe");
acl.addGroup("users");
users = acl.getUsers();
assertEquals(users.size(), 2);
Iterator<String> iter = users.iterator();
assertEquals(iter.next(), "drwho");
assertEquals(iter.next(), "joe");
groups = acl.getGroups();
assertEquals(groups.size(), 2);
iter = groups.iterator();
assertEquals(iter.next(), "tardis");
assertEquals(iter.next(), "users");
assertEquals("drwho,joe tardis,users", acl.toString());
acl.removeUser("joe");
acl.removeGroup("users");
users = acl.getUsers();
assertEquals(users.size(), 1);
assertFalse(users.contains("joe"));
groups = acl.getGroups();
assertEquals(groups.size(), 1);
assertFalse(groups.contains("users"));
assertEquals("drwho tardis", acl.toString());
acl.removeGroup("tardis");
groups = acl.getGroups();
assertEquals(0, groups.size());
assertFalse(groups.contains("tardis"));
assertEquals("drwho", acl.toString());
acl.removeUser("drwho");
assertEquals(0, users.size());
assertFalse(users.contains("drwho"));
assertEquals(0, acl.getGroups().size());
assertEquals(0, acl.getUsers().size());
assertEquals("", acl.toString());
}
/**
* Tests adding/removing wild card as the user/group.
*/
public void testAddRemoveWildCard() {
AccessControlList acl = new AccessControlList("drwho tardis");
Throwable th = null;
try {
acl.addUser(" * ");
} catch (Throwable t) {
th = t;
}
assertNotNull(th);
assertTrue(th instanceof IllegalArgumentException);
th = null;
try {
acl.addGroup(" * ");
} catch (Throwable t) {
th = t;
}
assertNotNull(th);
assertTrue(th instanceof IllegalArgumentException);
th = null;
try {
acl.removeUser(" * ");
} catch (Throwable t) {
th = t;
}
assertNotNull(th);
assertTrue(th instanceof IllegalArgumentException);
th = null;
try {
acl.removeGroup(" * ");
} catch (Throwable t) {
th = t;
}
assertNotNull(th);
assertTrue(th instanceof IllegalArgumentException);
}
/**
* Tests adding user/group to an wild card acl.
*/
public void testAddRemoveToWildCardACL() {
AccessControlList acl = new AccessControlList(" * ");
assertTrue(acl.isAllAllowed());
UserGroupInformation drwho =
UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
new String[] { "aliens" });
UserGroupInformation drwho2 =
UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
new String[] { "tardis" });
acl.addUser("drwho");
assertTrue(acl.isAllAllowed());
assertFalse(acl.toString().contains("drwho"));
acl.addGroup("tardis");
assertTrue(acl.isAllAllowed());
assertFalse(acl.toString().contains("tardis"));
acl.removeUser("drwho");
assertTrue(acl.isAllAllowed());
assertUserAllowed(drwho, acl);
acl.removeGroup("tardis");
assertTrue(acl.isAllAllowed());
assertUserAllowed(drwho2, acl);
}
/**
* Verify the method isUserAllowed()
*/