HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu.

(cherry picked from commit b2017d9b03)

Conflicts:

	hadoop-common-project/hadoop-common/CHANGES.txt
Jason Lowe 2015-11-06 17:11:33 +00:00
parent fb7be09f20
commit cab916cc7b
3 changed files with 13 additions and 1 deletions


@ -8,6 +8,9 @@ Release 2.6.3 - UNRELEASED
IMPROVEMENTS IMPROVEMENTS
HADOOP-12413. AccessControlList should avoid calling getGroupNames in
isUserInList with empty groups. (Zhihai Xu via cnauroth)
OPTIMIZATIONS OPTIMIZATIONS
BUG FIXES BUG FIXES


@ -230,7 +230,7 @@ public class AccessControlList implements Writable {
public final boolean isUserInList(UserGroupInformation ugi) { public final boolean isUserInList(UserGroupInformation ugi) {
if (allAllowed || users.contains(ugi.getShortUserName())) { if (allAllowed || users.contains(ugi.getShortUserName())) {
return true; return true;
} else { } else if (!groups.isEmpty()) {
for(String group: ugi.getGroupNames()) { for(String group: ugi.getGroupNames()) {
if (groups.contains(group)) { if (groups.contains(group)) {
return true; return true;
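Review bot: The new `else if (!groups.isEmpty())` guard in isUserInList has no comment explaining why group resolution is skipped, so a later cleanup could remove it as a redundant check. I would add a line above it such as `// ACL names no groups: nothing can match, so skip ugi.getGroupNames() and any group-mapping lookup behind it.` The cost of getGroupNames() is inferred from the commit title rather than shown on this page, so the wording should be confirmed against the implementation. The method body, including the result returned when neither the user nor a group matches, continues outside the hunk.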


@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.NativeCodeLoader; import org.apache.hadoop.util.NativeCodeLoader;
import org.junit.Test; import org.junit.Test;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving @InterfaceStability.Evolving
public class TestAccessControlList { public class TestAccessControlList {
@ -449,6 +453,11 @@ public class TestAccessControlList {
assertUserAllowed(susan, acl); assertUserAllowed(susan, acl);
assertUserAllowed(barbara, acl); assertUserAllowed(barbara, acl);
assertUserAllowed(ian, acl); assertUserAllowed(ian, acl);
acl = new AccessControlList("");
UserGroupInformation spyUser = spy(drwho);
acl.isUserAllowed(spyUser);
verify(spyUser, never()).getGroupNames();
} }
private void assertUserAllowed(UserGroupInformation ugi, private void assertUserAllowed(UserGroupInformation ugi,
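Review bot: The added check in the second hunk discards the result of `acl.isUserAllowed(spyUser)`, so the test pins only that getGroupNames() is never called, not that the shortcut path still denies a user the ACL does not list. Because this is an access-control decision, the outcome should be asserted too, for example `assertFalse(acl.isUserAllowed(spyUser));`, assuming JUnit's assertFalse is in scope in this file. Only the empty ACL `""` is covered; an ACL that names users but no groups should take the same branch and would make a useful second case. The enclosing test method starts outside the hunk.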