Repository: hadoop Updated Branches: refs/heads/branch-2.7 616ed9084 -> 098c2df0c
HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu. (cherry picked from commit b2017d9b032af20044fdf60ddbd1575a554ccb79) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/098c2df0 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/098c2df0 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/098c2df0 Branch: refs/heads/branch-2.7 Commit: 098c2df0c09b0b24121a8d4663168a5f58799aef Parents: 616ed90 Author: cnauroth <cnaur...@apache.org> Authored: Tue Sep 15 10:41:50 2015 -0700 Committer: Jason Lowe <jl...@apache.org> Committed: Fri Nov 6 16:54:55 2015 +0000 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../apache/hadoop/security/authorize/AccessControlList.java | 2 +- .../hadoop/security/authorize/TestAccessControlList.java | 9 +++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/098c2df0/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 561d8a2..a54bb39 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -8,6 +8,9 @@ Release 2.7.3 - UNRELEASED IMPROVEMENTS + HADOOP-12413. AccessControlList should avoid calling getGroupNames in + isUserInList with empty groups. (Zhihai Xu via cnauroth) + OPTIMIZATIONS BUG FIXES http://git-wip-us.apache.org/repos/asf/hadoop/blob/098c2df0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java index f19776f..b1b474b 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -230,7 +230,7 @@ public class AccessControlList implements Writable { public final boolean isUserInList(UserGroupInformation ugi) { if (allAllowed || users.contains(ugi.getShortUserName())) { return true; - } else { + } else if (!groups.isEmpty()) { for(String group: ugi.getGroupNames()) { if (groups.contains(group)) { return true; http://git-wip-us.apache.org/repos/asf/hadoop/blob/098c2df0/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java index 926e3b9..82942fc 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java @@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.NativeCodeLoader; import org.junit.Test; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.verify; + @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceStability.Evolving public class TestAccessControlList { @@ -449,6 +453,11 @@ public class TestAccessControlList { assertUserAllowed(susan, acl); assertUserAllowed(barbara, acl); assertUserAllowed(ian, acl); + + acl = new AccessControlList(""); + UserGroupInformation spyUser = spy(drwho); + acl.isUserAllowed(spyUser); + verify(spyUser, never()).getGroupNames(); } private void assertUserAllowed(UserGroupInformation ugi,
