This is an automated email from the ASF dual-hosted git repository.
inigoiri pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new c3ca348 HDFS-14620. RBF: Fix 'not a super user' error when disabling
a namespace in kerberos with superuser principal. Contributed by luhuachao.
c3ca348 is described below
commit c3ca348b81bdf6aa0857a1d4d140c6c9d64be490
Author: Inigo Goiri <[email protected]>
AuthorDate: Thu Jul 4 11:21:55 2019 -0700
HDFS-14620. RBF: Fix 'not a super user' error when disabling a namespace in
kerberos with superuser principal. Contributed by luhuachao.
---
.../federation/router/RouterPermissionChecker.java | 2 +-
.../server/federation/router/TestRouterAdmin.java | 52 ++++++++++++----------
2 files changed, 29 insertions(+), 25 deletions(-)
diff --git
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterPermissionChecker.java
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterPermissionChecker.java
index cf660d3..eeefeb0 100644
---
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterPermissionChecker.java
+++
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterPermissionChecker.java
@@ -121,7 +121,7 @@ public class RouterPermissionChecker extends
FSPermissionChecker {
}
// Is this by the Router user itself?
- if (ugi.getUserName().equals(superUser)) {
+ if (ugi.getShortUserName().equals(superUser)) {
return;
}
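Review bot: The super-user test at `ugi.getShortUserName().equals(superUser)` now makes this authorization decision depend on the principal-to-short-name mapping, and nothing in the code says so. Any principal that the cluster's name-mapping rules reduce to the Router's short name, host-qualified or from another realm if the rules allow it, will pass this check. That looks like the intent of the fix, but it deserves a comment such as `// Short name is compared on purpose: every principal that auth_to_local maps to the Router user is treated as super user.` The assignment of `superUser` is outside the hunk, so it is worth confirming that it is also a short name; otherwise the two sides of the comparison can still disagree. The enclosing method starts and ends outside the hunk.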
diff --git
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/router/TestRouterAdmin.java
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/router/TestRouterAdmin.java
index 96ae4e9..8a57224 100644
---
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/router/TestRouterAdmin.java
+++
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/router/TestRouterAdmin.java
@@ -19,12 +19,10 @@ package org.apache.hadoop.hdfs.server.federation.router;
import static
org.apache.hadoop.hdfs.server.federation.FederationTestUtils.createNamenodeReport;
import static
org.apache.hadoop.hdfs.server.federation.store.FederationStateStoreTestUtils.synchronizeRecords;
-import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
@@ -60,6 +58,7 @@ import
org.apache.hadoop.hdfs.server.federation.store.protocol.UpdateMountTableE
import org.apache.hadoop.hdfs.server.federation.store.records.MountTable;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.test.Whitebox;
+import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.util.Time;
import org.junit.AfterClass;
import org.junit.Before;
@@ -407,30 +406,35 @@ public class TestRouterAdmin {
assertFalse(disableResp.getStatus());
}
- @Test
- public void testNameserviceManagerUnauthorized() throws Exception {
-
- // Try to disable a name service with a random user
- final String username = "baduser";
+ private DisableNameserviceResponse testNameserviceManagerUser(String
username)
+ throws Exception {
UserGroupInformation user =
UserGroupInformation.createRemoteUser(username);
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- RouterClient client = routerContext.getAdminClient();
- NameserviceManager nameservices = client.getNameserviceManager();
- DisableNameserviceRequest disableReq =
- DisableNameserviceRequest.newInstance("ns0");
- try {
- nameservices.disableNameservice(disableReq);
- fail("We should not be able to disable nameservices");
- } catch (IOException ioe) {
- assertExceptionContains(
- username + " is not a super user", ioe);
- }
- return null;
- }
- });
+ return user.doAs((PrivilegedExceptionAction<DisableNameserviceResponse>)
+ () -> {
+ RouterClient client = routerContext.getAdminClient();
+ NameserviceManager nameservices = client.getNameserviceManager();
+ DisableNameserviceRequest disableReq =
+ DisableNameserviceRequest.newInstance("ns0");
+ return nameservices.disableNameservice(disableReq);
+ });
+ }
+
+ @Test
+ public void testNameserviceManagerUnauthorized() throws Exception{
+ String username = "baduser";
+ LambdaTestUtils.intercept(IOException.class,
+ username + " is not a super user",
+ () -> testNameserviceManagerUser(username));
+ }
+
+ @Test
+ public void testNameserviceManagerWithRules() throws Exception{
+ // Try to disable a name service with a kerberos principal name
+ String username = RouterAdminServer.getSuperUser() + "@Example.com";
+ DisableNameserviceResponse disableResp =
+ testNameserviceManagerUser(username);
+ assertTrue(disableResp.getStatus());
}
private Set<String> getDisabledNameservices(NameserviceManager nsManager)
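Review bot: The new tests cover only the positive realm-qualified case, so `testNameserviceManagerWithRules` would still pass if the check accepted every principal carrying a realm suffix. A realm-qualified non-super user should be shown to be rejected as well, for example `LambdaTestUtils.intercept(IOException.class, () -> testNameserviceManagerUser("baduser@Example.com"));`. The test name mentions rules, but no name-mapping rules are configured in the visible lines, so the result appears to rely on the default short-name derivation; a comment saying so would help. The test also leaves `ns0` disabled when it succeeds. If other tests in the class share that state, re-enable it at the end or confirm that the `@Before` setup resets it.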