From d687f6f68990bfe5fb819e36a91a25aef2c3a63f Mon Sep 17 00:00:00 2001 From: Arpit Agarwal Date: Tue, 12 Aug 2014 22:30:48 +0000 Subject: [PATCH] HADOOP-10851. NetgroupCache does not remove group memberships. (Contributed by Benoy Antony) git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1617612 13f79535-47bb-0310-9956-ffa450edef68 --- .../hadoop-common/CHANGES.txt | 3 + .../apache/hadoop/security/NetgroupCache.java | 17 +-- .../hadoop/security/TestNetgroupCache.java | 127 ++++++++++++++++++ 3 files changed, 134 insertions(+), 13 deletions(-) create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 08c981e1e58..c72b3de3d82 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -563,6 +563,9 @@ Release 2.6.0 - UNRELEASED HADOOP-10402. Configuration.getValByRegex does not substitute for variables. (Robert Kanter via kasha) + HADOOP-10851. NetgroupCache does not remove group memberships. (Benoy + Antony via Arpit Agarwal) + Release 2.5.0 - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java index d07ae2bd018..bd9c448da7f 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/NetgroupCache.java 
@@ -27,12 +27,9 @@ import java.util.concurrent.ConcurrentHashMap; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceStability; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - /** * Class that caches the netgroups and inverts group-to-user map - * to user-to-group map, primarily intented for use with + * to user-to-group map, primarily intended for use with * netgroups (as returned by getent netgrgoup) which only returns * group to user mapping. */ @@ -69,9 +66,7 @@ public class NetgroupCache { } } if(userToNetgroupsMap.containsKey(user)) { - for(String netgroup : userToNetgroupsMap.get(user)) { - groups.add(netgroup); - } + groups.addAll(userToNetgroupsMap.get(user)); } } @@ -99,6 +94,7 @@ public class NetgroupCache { */ public static void clear() { netgroupToUsersMap.clear(); + userToNetgroupsMap.clear(); } /** @@ -108,12 +104,7 @@ public class NetgroupCache { * @param users list of users for a given group */ public static void add(String group, List users) { - if(!isCached(group)) { - netgroupToUsersMap.put(group, new HashSet()); - for(String user: users) { - netgroupToUsersMap.get(group).add(user); - } - } + netgroupToUsersMap.put(group, new HashSet(users)); netgroupToUsersMapUpdated = true; // at the end to avoid race } } diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java new file mode 100644 index 00000000000..bd95422e651 --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestNetgroupCache.java 
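Review bot: In the `@@ -69,9 +66,7 @@` hunk of NetgroupCache.java, `userToNetgroupsMap.containsKey(user)` followed by `userToNetgroupsMap.get(user)` is a check-then-act pair. Now that `clear()` (hunk `@@ -99,6 +94,7 @@`) also empties `userToNetgroupsMap`, a clear that runs between the two calls makes `get` return null, and `groups.addAll(null)` then throws a NullPointerException during group resolution. Reading the entry once removes the window: assign `userToNetgroupsMap.get(user)` to a local and guard with `if (cached != null) { groups.addAll(cached); }`. This assumes lookups can run concurrently with a cache refresh, which the "to avoid race" comment in `add` suggests; the method body and the map declarations are outside the hunk.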
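Review bot: In `add` (hunk `@@ -108,12 +104,7 @@`), overwriting the entry in `netgroupToUsersMap` does not touch `userToNetgroupsMap`, which is the map `getNetgroups` answers from, so a user dropped from a re-added group may keep the old membership until `clear()` is called. The code that rebuilds the inverted map is outside the hunk; if it only ever adds entries, the stale membership is an authorization problem, because this change lets callers refresh a cached group without clearing first. Either rebuild the inverted map from scratch whenever `netgroupToUsersMapUpdated` is set, or state the contract in the Javadoc of `add`, e.g. `* Callers must invoke clear() before re-adding a group whose membership has shrunk.`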
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.After;
+import org.junit.Test;
+
+public class TestNetgroupCache {
+
+ private static final String USER1 = "user1";
+ private static final String USER2 = "user2";
+ private static final String USER3 = "user3";
+ private static final String GROUP1 = "group1";
+ private static final String GROUP2 = "group2";
+
+ @After
+ public void teardown() {
+ NetgroupCache.clear();
+ }
+
+ /**
+ * Cache two groups with a set of users.
+ * Test membership correctness.
+ */
+ @Test
+ public void testMembership() {
+ List users = new ArrayList();
+ users.add(USER1);
+ users.add(USER2);
+ NetgroupCache.add(GROUP1, users);
+ users = new ArrayList();
+ users.add(USER1);
+ users.add(USER3);
+ NetgroupCache.add(GROUP2, users);
+ verifyGroupMembership(USER1, 2, GROUP1);
+ verifyGroupMembership(USER1, 2, GROUP2);
+ verifyGroupMembership(USER2, 1, GROUP1);
+ verifyGroupMembership(USER3, 1, GROUP2);
+ }
+
+ /**
+ * Cache a group with a set of users.
+ * Test membership correctness.
+ * Clear cache, remove a user from the group and cache the group
+ * Test membership correctness.
+ */
+ @Test
+ public void testUserRemoval() {
+ List users = new ArrayList();
+ users.add(USER1);
+ users.add(USER2);
+ NetgroupCache.add(GROUP1, users);
+ verifyGroupMembership(USER1, 1, GROUP1);
+ verifyGroupMembership(USER2, 1, GROUP1);
+ users.remove(USER2);
+ NetgroupCache.clear();
+ NetgroupCache.add(GROUP1, users);
+ verifyGroupMembership(USER1, 1, GROUP1);
+ verifyGroupMembership(USER2, 0, null);
+ }
+
+ /**
+ * Cache two groups with a set of users.
+ * Test membership correctness.
+ * Clear cache, cache only one group.
+ * Test membership correctness.
+ */
+ @Test
+ public void testGroupRemoval() {
+ List users = new ArrayList();
+ users.add(USER1);
+ users.add(USER2);
+ NetgroupCache.add(GROUP1, users);
+ users = new ArrayList();
+ users.add(USER1);
+ users.add(USER3);
+ NetgroupCache.add(GROUP2, users);
+ verifyGroupMembership(USER1, 2, GROUP1);
+ verifyGroupMembership(USER1, 2, GROUP2);
+ verifyGroupMembership(USER2, 1, GROUP1);
+ verifyGroupMembership(USER3, 1, GROUP2);
+ NetgroupCache.clear();
+ users = new ArrayList();
+ users.add(USER1);
+ users.add(USER2);
+ NetgroupCache.add(GROUP1, users);
+ verifyGroupMembership(USER1, 1, GROUP1);
+ verifyGroupMembership(USER2, 1, GROUP1);
+ verifyGroupMembership(USER3, 0, null);
+ }
+
+ private void verifyGroupMembership(String user, int size, String group) {
+ List groups = new ArrayList();
+ NetgroupCache.getNetgroups(user, groups);
+ assertEquals(size, groups.size());
+ if (size > 0) {
+ boolean present = false;
+ for (String groupEntry:groups) {
+ if (groupEntry.equals(group)) {
+ present = true;
+ break;
+ }
+ }
+ assertTrue(present);
+ }
+ }
+}
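Review bot: Both `testUserRemoval` and `testGroupRemoval` call `NetgroupCache.clear()` before re-adding a group, so the overwrite path this commit introduces in `add` (re-adding an already cached group with fewer users and no clear in between) is never exercised. A further case that caches GROUP1 with USER1 and USER2, looks both up, re-adds GROUP1 with only USER1 and then expects `verifyGroupMembership(USER2, 0, null)` would pin the removal behaviour for that path. Separately, the search loop in `verifyGroupMembership` can be written as `assertTrue(groups.contains(group));`.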