HADOOP-6862. Adds api to add/remove user and group to AccessControlList. Contributed by Amareshwari Sriramadasu

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@983877 13f79535-47bb-0310-9956-ffa450edef68
2010-08-10 08:10:40 +00:00 · 2010-08-10 08:10:40 +00:00 · bd121ed635
parent 714e5f7165
commit bd121ed635
3 changed files with 204 additions and 3 deletions
--- a/CHANGES.txt
+++ b/CHANGES.txt
@ -108,6 +108,8 @@ Trunk (unreleased changes)

    HADOOP-6890. Improve listFiles API introduced by HADOOP-6870. (hairong)

+    HADOOP-6862. Adds api to add/remove user and group to AccessControlList
+    (amareshwari)
  OPTIMIZATIONS

  BUG FIXES
--- a/src/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/src/java/org/apache/hadoop/security/authorize/AccessControlList.java
@ -17,7 +17,6 @@
 */
 package org.apache.hadoop.security.authorize;

-import java.util.Iterator;
 import java.util.Set;
 import java.util.TreeSet;

@ -54,8 +53,7 @@ public class AccessControlList {
  public AccessControlList(String aclString) {
    users = new TreeSet<String>();
    groups = new TreeSet<String>();
-    if (aclString.contains(WILDCARD_ACL_VALUE) && 
-        aclString.trim().equals(WILDCARD_ACL_VALUE)) {
+    if (isWildCardACLValue(aclString)) {
      allAllowed = true;
    } else {
      String[] userGroupStrings = aclString.split(" ", 2);
@ -76,10 +74,79 @@ public AccessControlList(String aclString) {
    }
  }
  
+  private boolean isWildCardACLValue(String aclString) {
+    if (aclString.contains(WILDCARD_ACL_VALUE) && 
+        aclString.trim().equals(WILDCARD_ACL_VALUE)) {
+      return true;
+    }
+    return false;
+  }
+
  public boolean isAllAllowed() {
    return allAllowed;
  }
  
+  /**
+   * Add user to the names of users allowed for this service.
+   * 
+   * @param user
+   *          The user name
+   */
+  public void addUser(String user) {
+    if (isWildCardACLValue(user)) {
+      throw new IllegalArgumentException("User " + user + " can not be added");
+    }
+    if (!isAllAllowed()) {
+      users.add(user);
+    }
+  }
+
+  /**
+   * Add group to the names of groups allowed for this service.
+   * 
+   * @param group
+   *          The group name
+   */
+  public void addGroup(String group) {
+    if (isWildCardACLValue(group)) {
+      throw new IllegalArgumentException("Group " + group + " can not be added");
+    }
+    if (!isAllAllowed()) {
+      groups.add(group);
+    }
+  }
+
+  /**
+   * Remove user from the names of users allowed for this service.
+   * 
+   * @param user
+   *          The user name
+   */
+  public void removeUser(String user) {
+    if (isWildCardACLValue(user)) {
+      throw new IllegalArgumentException("User " + user + " can not be removed");
+    }
+    if (!isAllAllowed()) {
+      users.remove(user);
+    }
+  }
+
+  /**
+   * Remove group from the names of groups allowed for this service.
+   * 
+   * @param group
+   *          The group name
+   */
+  public void removeGroup(String group) {
+    if (isWildCardACLValue(group)) {
+      throw new IllegalArgumentException("Group " + group
+          + " can not be removed");
+    }
+    if (!isAllAllowed()) {
+      groups.remove(group);
+    }
+  }
+
  /**
   * Get the names of users allowed for this service.
   * @return the set of user names. the set must not be modified.
--- a/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/src/test/core/org/apache/hadoop/security/authorize/TestAccessControlList.java
@ -92,6 +92,138 @@ public void testAccessControlList() throws Exception {
    assertEquals(iter.next(), "users");
  }

+  /**
+   * Test addUser/Group and removeUser/Group api.
+   */
+  public void testAddRemoveAPI() {
+    AccessControlList acl;
+    Set<String> users;
+    Set<String> groups;
+    acl = new AccessControlList("");
+    assertEquals(0, acl.getUsers().size());
+    assertEquals(0, acl.getGroups().size());
+    assertEquals("", acl.toString());
+    
+    acl.addUser("drwho");
+    users = acl.getUsers();
+    assertEquals(users.size(), 1);
+    assertEquals(users.iterator().next(), "drwho");
+    assertEquals("drwho", acl.toString());
+    
+    acl.addGroup("tardis");
+    groups = acl.getGroups();
+    assertEquals(groups.size(), 1);
+    assertEquals(groups.iterator().next(), "tardis");
+    assertEquals("drwho tardis", acl.toString());
+    
+    acl.addUser("joe");
+    acl.addGroup("users");
+    users = acl.getUsers();
+    assertEquals(users.size(), 2);
+    Iterator<String> iter = users.iterator();
+    assertEquals(iter.next(), "drwho");
+    assertEquals(iter.next(), "joe");
+    groups = acl.getGroups();
+    assertEquals(groups.size(), 2);
+    iter = groups.iterator();
+    assertEquals(iter.next(), "tardis");
+    assertEquals(iter.next(), "users");
+    assertEquals("drwho,joe tardis,users", acl.toString());
+
+    acl.removeUser("joe");
+    acl.removeGroup("users");
+    users = acl.getUsers();
+    assertEquals(users.size(), 1);
+    assertFalse(users.contains("joe"));
+    groups = acl.getGroups();
+    assertEquals(groups.size(), 1);
+    assertFalse(groups.contains("users"));
+    assertEquals("drwho tardis", acl.toString());
+    
+    acl.removeGroup("tardis");
+    groups = acl.getGroups();
+    assertEquals(0, groups.size());
+    assertFalse(groups.contains("tardis"));
+    assertEquals("drwho", acl.toString());
+    
+    acl.removeUser("drwho");
+    assertEquals(0, users.size());
+    assertFalse(users.contains("drwho"));
+    assertEquals(0, acl.getGroups().size());
+    assertEquals(0, acl.getUsers().size());
+    assertEquals("", acl.toString());
+  }
+  
+  /**
+   * Tests adding/removing wild card as the user/group.
+   */
+  public void testAddRemoveWildCard() {
+    AccessControlList acl = new AccessControlList("drwho tardis");
+    
+    Throwable th = null;
+    try {
+      acl.addUser(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+    
+    th = null;
+    try {
+      acl.addGroup(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+    th = null;
+    try {
+    acl.removeUser(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+    th = null;
+    try {
+    acl.removeGroup(" * ");
+    } catch (Throwable t) {
+      th = t;
+    }
+    assertNotNull(th);
+    assertTrue(th instanceof IllegalArgumentException);
+  }
+  
+  /**
+   * Tests adding user/group to an wild card acl.
+   */
+  public void testAddRemoveToWildCardACL() {
+    AccessControlList acl = new AccessControlList(" * ");
+    assertTrue(acl.isAllAllowed());
+
+    UserGroupInformation drwho =
+      UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
+          new String[] { "aliens" });
+    UserGroupInformation drwho2 =
+      UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
+          new String[] { "tardis" });
+
+    acl.addUser("drwho");
+    assertTrue(acl.isAllAllowed());
+    assertFalse(acl.toString().contains("drwho"));
+    acl.addGroup("tardis");
+    assertTrue(acl.isAllAllowed());
+    assertFalse(acl.toString().contains("tardis"));
+   
+    acl.removeUser("drwho");
+    assertTrue(acl.isAllAllowed());
+    assertUserAllowed(drwho, acl);
+    acl.removeGroup("tardis");
+    assertTrue(acl.isAllAllowed());
+    assertUserAllowed(drwho2, acl);
+  }
+
  /**
   * Verify the method isUserAllowed()
   */