HDFS-15165. In Du missed calling getAttributesProvider. Contributed by Bharat Viswanadham.

2020-02-19 11:33:58 -08:00 · 2020-02-19 11:33:58 -08:00 · ec7507162c
parent 3f1aad05f0
commit ec7507162c
2 changed files with 45 additions and 8 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java
@ -206,15 +206,17 @@ void checkPermission(INodesInPath inodesInPath, boolean doCheckOwner,
   */
  void checkPermission(INode inode, int snapshotId, FsAction access)
      throws AccessControlException {
+    byte[][] pathComponents = inode.getPathComponents();
+    INodeAttributes nodeAttributes = getINodeAttrs(pathComponents,
+        pathComponents.length - 1, inode, snapshotId);
    try {
-      byte[][] localComponents = {inode.getLocalNameBytes()};
-      INodeAttributes[] iNodeAttr = {inode.getSnapshotINode(snapshotId)};
+      INodeAttributes[] iNodeAttr = {nodeAttributes};
      AccessControlEnforcer enforcer = getAccessControlEnforcer();
      enforcer.checkPermission(
          fsOwner, supergroup, callerUgi,
          iNodeAttr, // single inode attr in the array
          new INode[]{inode}, // single inode in the array
-          localComponents, snapshotId,
+          pathComponents, snapshotId,
          null, -1, // this will skip checkTraverse() because
          // not checking ancestor here
          false, null, null,
@ -223,7 +225,8 @@ void checkPermission(INode inode, int snapshotId, FsAction access)
          false);
    } catch (AccessControlException ace) {
      throw new AccessControlException(
-          toAccessControlString(inode, inode.getFullPathName(), access));
+          toAccessControlString(nodeAttributes, inode.getFullPathName(),
+              access));
    }
  }

--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java
@ -19,6 +19,7 @@

 import java.io.IOException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@ -53,6 +54,7 @@ public class TestINodeAttributeProvider {
  private static final Set<String> CALLED = new HashSet<String>();
  private static final short HDFS_PERMISSION = 0777;
  private static final short PROVIDER_PERMISSION = 0770;
+  private static boolean runPermissionCheck = false;

  public static class MyAuthorizationProvider extends INodeAttributeProvider {

@ -70,9 +72,9 @@ public void checkPermission(String fsOwner, String supergroup,
          int ancestorIndex, boolean doCheckOwner, FsAction ancestorAccess,
          FsAction parentAccess, FsAction access, FsAction subAccess,
          boolean ignoreEmptyDir) throws AccessControlException {
-        if (ancestorIndex > 1
+        if ((ancestorIndex > 1
            && inodes[1].getLocalName().equals("user")
-            && inodes[2].getLocalName().equals("acl")) {
+            && inodes[2].getLocalName().equals("acl")) || runPermissionCheck) {
          this.ace.checkPermission(fsOwner, supergroup, ugi, inodeAttrs, inodes,
              pathByNameArr, snapshotId, path, ancestorIndex, doCheckOwner,
              ancestorAccess, parentAccess, access, subAccess, ignoreEmptyDir);
@ -188,8 +190,7 @@ public AccessControlEnforcer getExternalAccessControlEnforcer(
    }

    private boolean useDefault(String[] pathElements) {
-      return (pathElements.length < 2) ||
-          !(pathElements[0].equals("user") && pathElements[1].equals("authz"));
+      return !Arrays.stream(pathElements).anyMatch("authz"::equals);
    }

    private boolean useNullAclFeature(String[] pathElements) {
@ -220,6 +221,7 @@ public void cleanUp() throws IOException {
      miniDFS.shutdown();
      miniDFS = null;
    }
+    runPermissionCheck = false;
    Assert.assertTrue(CALLED.contains("stop"));
  }

@ -438,4 +440,36 @@ public Void run() throws Exception {
      }
    });
  }
+
+
+  @Test
+  // HDFS-15165 - ContentSummary calls should use the provider permissions(if
+  // attribute provider is configured) and not the underlying HDFS permissions.
+  public void testContentSummary() throws Exception {
+    runPermissionCheck = true;
+    FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0));
+    final Path userPath = new Path("/user");
+    final Path authz = new Path("/user/authz");
+    final Path authzChild = new Path("/user/authz/child2");
+    // Create the path /user/authz/child2 where the HDFS permissions are
+    // 777, 700, 700.
+    // The permission provider will give permissions 770 to authz and child2
+    // with the owner foo, group bar.
+    fs.mkdirs(userPath);
+    fs.setPermission(userPath, new FsPermission(0777));
+    fs.mkdirs(authz);
+    fs.setPermission(authz, new FsPermission(0700));
+    fs.mkdirs(authzChild);
+    fs.setPermission(authzChild, new FsPermission(0700));
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("foo",
+        new String[]{"g1"});
+    ugi.doAs(new PrivilegedExceptionAction<Void>() {
+      @Override
+      public Void run() throws Exception {
+        FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0));
+        fs.getContentSummary(authz);
+        return null;
+      }
+    });
+  }
 }