HADOOP-6862. Adds api to add/remove user and group to AccessControlList. Contributed by Amareshwari Sriramadasu
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@983877 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
714e5f7165
commit
bd121ed635
|
@ -108,6 +108,8 @@ Trunk (unreleased changes)
|
|||
|
||||
HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)
|
||||
|
||||
HADOOP-6862. Adds api to add/remove user and group to AccessControlList
|
||||
(amareshwari)
|
||||
OPTIMIZATIONS
|
||||
|
||||
BUG FIXES
|
||||
|
|
|
@ -17,7 +17,6 @@
|
|||
*/
|
||||
package org.apache.hadoop.security.authorize;
|
||||
|
||||
import java.util.Iterator;
|
||||
import java.util.Set;
|
||||
import java.util.TreeSet;
|
||||
|
||||
|
@ -54,8 +53,7 @@ public class AccessControlList {
|
|||
public AccessControlList(String aclString) {
|
||||
users = new TreeSet<String>();
|
||||
groups = new TreeSet<String>();
|
||||
if (aclString.contains(WILDCARD_ACL_VALUE) &&
|
||||
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
|
||||
if (isWildCardACLValue(aclString)) {
|
||||
allAllowed = true;
|
||||
} else {
|
||||
String[] userGroupStrings = aclString.split(" ", 2);
|
||||
|
@ -76,10 +74,79 @@ public class AccessControlList {
|
|||
}
|
||||
}
|
||||
|
||||
private boolean isWildCardACLValue(String aclString) {
|
||||
if (aclString.contains(WILDCARD_ACL_VALUE) &&
|
||||
aclString.trim().equals(WILDCARD_ACL_VALUE)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public boolean isAllAllowed() {
|
||||
return allAllowed;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add user to the names of users allowed for this service.
|
||||
*
|
||||
* @param user
|
||||
* The user name
|
||||
*/
|
||||
public void addUser(String user) {
|
||||
if (isWildCardACLValue(user)) {
|
||||
throw new IllegalArgumentException("User " + user + " can not be added");
|
||||
}
|
||||
if (!isAllAllowed()) {
|
||||
users.add(user);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Add group to the names of groups allowed for this service.
|
||||
*
|
||||
* @param group
|
||||
* The group name
|
||||
*/
|
||||
public void addGroup(String group) {
|
||||
if (isWildCardACLValue(group)) {
|
||||
throw new IllegalArgumentException("Group " + group + " can not be added");
|
||||
}
|
||||
if (!isAllAllowed()) {
|
||||
groups.add(group);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove user from the names of users allowed for this service.
|
||||
*
|
||||
* @param user
|
||||
* The user name
|
||||
*/
|
||||
public void removeUser(String user) {
|
||||
if (isWildCardACLValue(user)) {
|
||||
throw new IllegalArgumentException("User " + user + " can not be removed");
|
||||
}
|
||||
if (!isAllAllowed()) {
|
||||
users.remove(user);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove group from the names of groups allowed for this service.
|
||||
*
|
||||
* @param group
|
||||
* The group name
|
||||
*/
|
||||
public void removeGroup(String group) {
|
||||
if (isWildCardACLValue(group)) {
|
||||
throw new IllegalArgumentException("Group " + group
|
||||
+ " can not be removed");
|
||||
}
|
||||
if (!isAllAllowed()) {
|
||||
groups.remove(group);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the names of users allowed for this service.
|
||||
* @return the set of user names. the set must not be modified.
|
||||
|
|
|
@ -92,6 +92,138 @@ public class TestAccessControlList extends TestCase {
|
|||
assertEquals(iter.next(), "users");
|
||||
}
|
||||
|
||||
/**
|
||||
* Test addUser/Group and removeUser/Group api.
|
||||
*/
|
||||
public void testAddRemoveAPI() {
|
||||
AccessControlList acl;
|
||||
Set<String> users;
|
||||
Set<String> groups;
|
||||
acl = new AccessControlList("");
|
||||
assertEquals(0, acl.getUsers().size());
|
||||
assertEquals(0, acl.getGroups().size());
|
||||
assertEquals("", acl.toString());
|
||||
|
||||
acl.addUser("drwho");
|
||||
users = acl.getUsers();
|
||||
assertEquals(users.size(), 1);
|
||||
assertEquals(users.iterator().next(), "drwho");
|
||||
assertEquals("drwho", acl.toString());
|
||||
|
||||
acl.addGroup("tardis");
|
||||
groups = acl.getGroups();
|
||||
assertEquals(groups.size(), 1);
|
||||
assertEquals(groups.iterator().next(), "tardis");
|
||||
assertEquals("drwho tardis", acl.toString());
|
||||
|
||||
acl.addUser("joe");
|
||||
acl.addGroup("users");
|
||||
users = acl.getUsers();
|
||||
assertEquals(users.size(), 2);
|
||||
Iterator<String> iter = users.iterator();
|
||||
assertEquals(iter.next(), "drwho");
|
||||
assertEquals(iter.next(), "joe");
|
||||
groups = acl.getGroups();
|
||||
assertEquals(groups.size(), 2);
|
||||
iter = groups.iterator();
|
||||
assertEquals(iter.next(), "tardis");
|
||||
assertEquals(iter.next(), "users");
|
||||
assertEquals("drwho,joe tardis,users", acl.toString());
|
||||
|
||||
acl.removeUser("joe");
|
||||
acl.removeGroup("users");
|
||||
users = acl.getUsers();
|
||||
assertEquals(users.size(), 1);
|
||||
assertFalse(users.contains("joe"));
|
||||
groups = acl.getGroups();
|
||||
assertEquals(groups.size(), 1);
|
||||
assertFalse(groups.contains("users"));
|
||||
assertEquals("drwho tardis", acl.toString());
|
||||
|
||||
acl.removeGroup("tardis");
|
||||
groups = acl.getGroups();
|
||||
assertEquals(0, groups.size());
|
||||
assertFalse(groups.contains("tardis"));
|
||||
assertEquals("drwho", acl.toString());
|
||||
|
||||
acl.removeUser("drwho");
|
||||
assertEquals(0, users.size());
|
||||
assertFalse(users.contains("drwho"));
|
||||
assertEquals(0, acl.getGroups().size());
|
||||
assertEquals(0, acl.getUsers().size());
|
||||
assertEquals("", acl.toString());
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests adding/removing wild card as the user/group.
|
||||
*/
|
||||
public void testAddRemoveWildCard() {
|
||||
AccessControlList acl = new AccessControlList("drwho tardis");
|
||||
|
||||
Throwable th = null;
|
||||
try {
|
||||
acl.addUser(" * ");
|
||||
} catch (Throwable t) {
|
||||
th = t;
|
||||
}
|
||||
assertNotNull(th);
|
||||
assertTrue(th instanceof IllegalArgumentException);
|
||||
|
||||
th = null;
|
||||
try {
|
||||
acl.addGroup(" * ");
|
||||
} catch (Throwable t) {
|
||||
th = t;
|
||||
}
|
||||
assertNotNull(th);
|
||||
assertTrue(th instanceof IllegalArgumentException);
|
||||
th = null;
|
||||
try {
|
||||
acl.removeUser(" * ");
|
||||
} catch (Throwable t) {
|
||||
th = t;
|
||||
}
|
||||
assertNotNull(th);
|
||||
assertTrue(th instanceof IllegalArgumentException);
|
||||
th = null;
|
||||
try {
|
||||
acl.removeGroup(" * ");
|
||||
} catch (Throwable t) {
|
||||
th = t;
|
||||
}
|
||||
assertNotNull(th);
|
||||
assertTrue(th instanceof IllegalArgumentException);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests adding user/group to an wild card acl.
|
||||
*/
|
||||
public void testAddRemoveToWildCardACL() {
|
||||
AccessControlList acl = new AccessControlList(" * ");
|
||||
assertTrue(acl.isAllAllowed());
|
||||
|
||||
UserGroupInformation drwho =
|
||||
UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
|
||||
new String[] { "aliens" });
|
||||
UserGroupInformation drwho2 =
|
||||
UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
|
||||
new String[] { "tardis" });
|
||||
|
||||
acl.addUser("drwho");
|
||||
assertTrue(acl.isAllAllowed());
|
||||
assertFalse(acl.toString().contains("drwho"));
|
||||
acl.addGroup("tardis");
|
||||
assertTrue(acl.isAllAllowed());
|
||||
assertFalse(acl.toString().contains("tardis"));
|
||||
|
||||
acl.removeUser("drwho");
|
||||
assertTrue(acl.isAllAllowed());
|
||||
assertUserAllowed(drwho, acl);
|
||||
acl.removeGroup("tardis");
|
||||
assertTrue(acl.isAllAllowed());
|
||||
assertUserAllowed(drwho2, acl);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify the method isUserAllowed()
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue