mani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/yunikorn-core.git
The following commit(s) were added to refs/heads/master by this push:
new d515fe0e [YUNIKORN-2656] Validate user name (#889)
d515fe0e is described below
commit d515fe0ec25bee3491c22809aee955872bf2b078
Author: Manikandan R <[email protected]>
AuthorDate: Wed Jun 12 14:57:31 2024 +0530
[YUNIKORN-2656] Validate user name (#889)
Closes: #889
Signed-off-by: Manikandan R <[email protected]>
---
pkg/common/configs/configvalidator.go | 2 +-
pkg/common/configs/configvalidator_test.go | 1 -
pkg/common/security/usergroup.go | 6 ++++++
pkg/common/security/usergroup_test.go | 14 ++++++++++++++
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pkg/common/configs/configvalidator.go
b/pkg/common/configs/configvalidator.go
index 390b39b0..0f3a774b 100644
--- a/pkg/common/configs/configvalidator.go
+++ b/pkg/common/configs/configvalidator.go
@@ -73,7 +73,7 @@ var QueueNameRegExp =
regexp.MustCompile(`^[a-zA-Z0-9_-]{1,64}$`)
// User and group name check: systems allow different things POSIX is the base
but we need to be lenient and allow more.
// allow upper and lower case, add the @ and . (dot) and officially no length.
-var UserRegExp = regexp.MustCompile(`^[_a-zA-Z][a-zA-Z0-9:_.@-]*[$]?$`)
+var UserRegExp = regexp.MustCompile(`^[_a-zA-Z][a-zA-Z0-9:#/_.@-]*[$]?$`)
// Groups should have a slightly more restrictive regexp (no @ . or $ at the
end)
var GroupRegExp = regexp.MustCompile(`^[_a-zA-Z][a-zA-Z0-9:_.-]*$`)
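Review bot: The comment above `UserRegExp` still names only `@` and `.` as the lenient additions, so the newly accepted `#` and `/` are undocumented. I would update it to something like `// allow upper and lower case, add the @ . : # and / and officially no length.` and state which identity source needs the two new characters. Since `/` and `#` are path and fragment delimiters, any consumer that puts the user name into a URL path, a queue name or a file-like key presumably needs to escape it; that is not visible in this hunk and is worth confirming. The pattern also has no upper bound on length, unlike `QueueNameRegExp` with `{1,64}`, so a cap may be worth considering now that the check runs on every incoming request.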
diff --git a/pkg/common/configs/configvalidator_test.go
b/pkg/common/configs/configvalidator_test.go
index 02fddd1e..da7263ec 100644
--- a/pkg/common/configs/configvalidator_test.go
+++ b/pkg/common/configs/configvalidator_test.go
@@ -742,7 +742,6 @@ func TestUserName(t *testing.T) {
rejectedUserNames := []string{
"username rejected",
"",
- "rejected#",
"rejected!name",
"!rejected",
" rejected ",
diff --git a/pkg/common/security/usergroup.go b/pkg/common/security/usergroup.go
index ac181ebb..f1c8454f 100644
--- a/pkg/common/security/usergroup.go
+++ b/pkg/common/security/usergroup.go
@@ -28,6 +28,7 @@ import (
"go.uber.org/zap"
"github.com/apache/yunikorn-core/pkg/common"
+ "github.com/apache/yunikorn-core/pkg/common/configs"
"github.com/apache/yunikorn-core/pkg/locking"
"github.com/apache/yunikorn-core/pkg/log"
"github.com/apache/yunikorn-scheduler-interface/lib/go/si"
@@ -153,6 +154,11 @@ func (c *UserGroupCache) ConvertUGI(ugi
*si.UserGroupInformation, force bool) (U
return ug, err
}
}
+
+ if !configs.UserRegExp.MatchString(ugi.User) {
+ return UserGroup{}, fmt.Errorf("invalid username, it contains
invalid characters")
+ }
+
// If groups are already present we should just convert
newUG := UserGroup{User: ugi.User}
newUG.Groups = append(newUG.Groups, ugi.Groups...)
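Review bot: The new `UserRegExp` check sits below an earlier branch that ends in `return ug, err`, so a call that takes that branch returns before the user name is validated. The function body starts above the hunk, so the condition is not visible here; if it is the path that resolves groups for a user that arrives without any, the name reaches the resolver and cache unchecked. I would move the `if !configs.UserRegExp.MatchString(ugi.User) { ... }` block up to directly after the nil/empty-user handling so it covers every path. A short comment such as `// reject user names that fail UserRegExp before any lookup or caching` would record that intent.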
diff --git a/pkg/common/security/usergroup_test.go
b/pkg/common/security/usergroup_test.go
index 9eef2c6e..c1c9873e 100644
--- a/pkg/common/security/usergroup_test.go
+++ b/pkg/common/security/usergroup_test.go
@@ -237,4 +237,18 @@ func TestConvertUGI(t *testing.T) {
if ug.Groups[0] != group {
t.Errorf("groups not initialised correctly on convert: expected
'%s' got '%s'", group, ug.Groups[0])
}
+ // try valid username with groups
+ ugi.User = "validuserABCD1234@://#"
+ ugi.Groups = []string{group}
+ ug, err = testCache.ConvertUGI(ugi, false)
+ if err != nil {
+ t.Errorf("valid username with groups, convert should not have
failed: %v", err)
+ }
+ // try invalid username with groups
+ ugi.User = "invaliduser><+"
+ ugi.Groups = []string{group}
+ ug, err = testCache.ConvertUGI(ugi, false)
+ if err == nil {
+ t.Errorf("invalid username, convert should have failed: %v",
err)
+ }
}
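Review bot: Both new cases set `ugi.Groups`, so the test only exercises validation when groups are already present; a case with an invalid user and empty `Groups` would show whether the resolution path is covered as well. The valid case assigns `ug` but never inspects it, so I would assert `ug.User` equals the input, and in the invalid case assert that the returned `UserGroup` is empty. In the last `t.Errorf` the `%v` always prints `<nil>`, because that branch runs only when `err == nil`; `t.Error("invalid username, convert should have failed")` is enough.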