HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu.
(cherry picked from commit b2017d9b03
)
Conflicts:
hadoop-common-project/hadoop-common/CHANGES.txt
This commit is contained in:
parent
fb7be09f20
commit
cab916cc7b
|
@ -8,6 +8,9 @@ Release 2.6.3 - UNRELEASED
|
||||||
|
|
||||||
IMPROVEMENTS
|
IMPROVEMENTS
|
||||||
|
|
||||||
|
HADOOP-12413. AccessControlList should avoid calling getGroupNames in
|
||||||
|
isUserInList with empty groups. (Zhihai Xu via cnauroth)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
|
|
@ -230,7 +230,7 @@ public class AccessControlList implements Writable {
|
||||||
public final boolean isUserInList(UserGroupInformation ugi) {
|
public final boolean isUserInList(UserGroupInformation ugi) {
|
||||||
if (allAllowed || users.contains(ugi.getShortUserName())) {
|
if (allAllowed || users.contains(ugi.getShortUserName())) {
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else if (!groups.isEmpty()) {
|
||||||
for(String group: ugi.getGroupNames()) {
|
for(String group: ugi.getGroupNames()) {
|
||||||
if (groups.contains(group)) {
|
if (groups.contains(group)) {
|
||||||
return true;
|
return true;
|
||||||
|
|
|
@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.util.NativeCodeLoader;
|
import org.apache.hadoop.util.NativeCodeLoader;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
|
import static org.mockito.Mockito.never;
|
||||||
|
import static org.mockito.Mockito.spy;
|
||||||
|
import static org.mockito.Mockito.verify;
|
||||||
|
|
||||||
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
|
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
|
||||||
@InterfaceStability.Evolving
|
@InterfaceStability.Evolving
|
||||||
public class TestAccessControlList {
|
public class TestAccessControlList {
|
||||||
|
@ -449,6 +453,11 @@ public class TestAccessControlList {
|
||||||
assertUserAllowed(susan, acl);
|
assertUserAllowed(susan, acl);
|
||||||
assertUserAllowed(barbara, acl);
|
assertUserAllowed(barbara, acl);
|
||||||
assertUserAllowed(ian, acl);
|
assertUserAllowed(ian, acl);
|
||||||
|
|
||||||
|
acl = new AccessControlList("");
|
||||||
|
UserGroupInformation spyUser = spy(drwho);
|
||||||
|
acl.isUserAllowed(spyUser);
|
||||||
|
verify(spyUser, never()).getGroupNames();
|
||||||
}
|
}
|
||||||
|
|
||||||
private void assertUserAllowed(UserGroupInformation ugi,
|
private void assertUserAllowed(UserGroupInformation ugi,
|
||||||
|
|
Loading…
Reference in New Issue