HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu.
(cherry picked from commit b2017d9b032af20044fdf60ddbd1575a554ccb79) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/be9354d0 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/be9354d0 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/be9354d0 Branch: refs/heads/branch-2 Commit: be9354d010f403642290a94f31b831734b7364f6 Parents: 3531823 Author: cnauroth <[email protected]> Authored: Tue Sep 15 10:41:50 2015 -0700 Committer: cnauroth <[email protected]> Committed: Tue Sep 15 10:42:02 2015 -0700 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../apache/hadoop/security/authorize/AccessControlList.java | 2 +- .../hadoop/security/authorize/TestAccessControlList.java | 9 +++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/be9354d0/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 9993c31..c562639 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -264,6 +264,9 @@ Release 2.8.0 - UNRELEASED HADOOP-12324. Better exception reporting in SaslPlainServer. (Mike Yoder via stevel) + HADOOP-12413. AccessControlList should avoid calling getGroupNames in + isUserInList with empty groups. (Zhihai Xu via cnauroth) + OPTIMIZATIONS HADOOP-11785. Reduce the number of listStatus operation in distcp http://git-wip-us.apache.org/repos/asf/hadoop/blob/be9354d0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java index f19776f..b1b474b 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -230,7 +230,7 @@ public class AccessControlList implements Writable { public final boolean isUserInList(UserGroupInformation ugi) { if (allAllowed || users.contains(ugi.getShortUserName())) { return true; - } else { + } else if (!groups.isEmpty()) { for(String group: ugi.getGroupNames()) { if (groups.contains(group)) { return true; http://git-wip-us.apache.org/repos/asf/hadoop/blob/be9354d0/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java index a1509a5..933b165 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java @@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.NativeCodeLoader; import org.junit.Test; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.verify; + @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceStability.Evolving public class TestAccessControlList { @@ -449,6 +453,11 @@ public class TestAccessControlList { assertUserAllowed(susan, acl); assertUserAllowed(barbara, acl); assertUserAllowed(ian, acl); + + acl = new AccessControlList(""); + UserGroupInformation spyUser = spy(drwho); + acl.isUserAllowed(spyUser); + verify(spyUser, never()).getGroupNames(); } private void assertUserAllowed(UserGroupInformation ugi,
