[ https://issues.apache.org/jira/browse/HADOOP-12640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16660098#comment-16660098 ]

Wilfred Spiegelenburg commented on HADOOP-12640:
------------------------------------------------

I ran into this jira because of the test failures introduced via HADOOP-15836. 
This change could break the ACLs.

The split for the string used in the buildACLFromString uses a greedy 
qualifier. This would change the path through the split and not use a simple 
non regular expression splitter. It now compiles the pattern and uses that to 
build the ACL. It does not change the outcome but it is more expensive.

It also includes two behavioural changes:
# The way empty values are interpreted at the moment when a string is converted 
into an ACL. If I use this string as the input as an example: 
{code}",joe tardis,,users"{code} 
Currently that gives me one user {{"joe"}} and groups {{"tardis"}} and 
{{"users"}}. With your code change I get back two extra empty entries: one in 
the users and one in the groups. This might cause behavioural changes.
# The other behavioural change is that a {{null}} string used to throw an NPE. 
It now is silently ignored and is turned into a "block everything" ACL. 

> Code Review AccessControlList
> -----------------------------
>
>                 Key: HADOOP-12640
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12640
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.2.0
>            Reporter: BELUGA BEHR
>            Assignee: BELUGA BEHR
>            Priority: Minor
>         Attachments: AccessControlList.patch, AccessControlList.patch, 
> HADOOP-12640.1.patch
>
>
> After some confusion of my own, in particular with 
> "mapreduce.job.acl-view-job," I have looked over the AccessControlList 
> implementation and cleaned it up and clarified a few points.
> 1) I added tests to demonstrate the existing behavior of including an 
> asterisk in either the username or the group field, it overrides everything 
> and allows all access.
> "user1,user2,user3 *" = all access
> "* group1,group2" = all access
> "* *" = all access
> "* " = all access
> " *" = all access
> 2) General clean-up and simplification



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
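
The two behavioural differences raised in the comment above can be reproduced with plain {{String.split}}. This is an added example, not Hadoop's AccessControlList code and not the attached patch; the class and method names are hypothetical, and the two parsers only stand in for "drop empty tokens, fail on null" versus "keep empty tokens, accept null".

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration; names are hypothetical, not Hadoop's.
public class AclSplitDemo {

    // Parser A: drops empty tokens; a null ACL string fails loudly (NPE).
    static List<List<String>> parseDroppingEmpties(String acl) {
        List<List<String>> parts = new ArrayList<>();
        for (String section : acl.split(" ", 2)) {   // acl == null -> NPE here
            List<String> names = new ArrayList<>();
            for (String n : section.split(",")) {
                if (!n.trim().isEmpty()) names.add("'" + n.trim() + "'");
            }
            parts.add(names);
        }
        while (parts.size() < 2) parts.add(new ArrayList<>());
        return parts;                                // [users, groups]
    }

    // Parser B: keeps every token String.split returns, including "" for
    // a leading or doubled comma; null becomes an ACL with no users/groups.
    static List<List<String>> parseKeepingEmpties(String acl) {
        List<List<String>> parts = new ArrayList<>();
        if (acl != null) {
            for (String section : acl.split(" ", 2)) {
                List<String> names = new ArrayList<>();
                for (String n : section.split(",")) names.add("'" + n + "'");
                parts.add(names);
            }
        }
        while (parts.size() < 2) parts.add(new ArrayList<>());
        return parts;
    }

    public static void main(String[] args) {
        String input = ",joe tardis,,users";         // string from the comment
        System.out.println("drop empties: " + parseDroppingEmpties(input));
        System.out.println("keep empties: " + parseKeepingEmpties(input));
        System.out.println("null, keep:   " + parseKeepingEmpties(null));
        try {
            parseDroppingEmpties(null);
        } catch (NullPointerException e) {
            System.out.println("null, drop:   NullPointerException");
        }
    }
}
```

A regression test for an ACL parser change should pin both cases: the number of user and group entries for input with leading or doubled commas, and whether a null configuration value is rejected or quietly treated as "no access".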
