Repository: hadoop Updated Branches: refs/heads/branch-2 95f34ce46 -> 0aa52d408
HDFS-12614. FSPermissionChecker#getINodeAttrs() throws NPE when INodeAttributesProvider configured. Contributed by Manoj Govindassamy. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/0aa52d40 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/0aa52d40 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/0aa52d40 Branch: refs/heads/branch-2 Commit: 0aa52d4085f8c77dbfd9d913011c347882573ad9 Parents: 95f34ce Author: Kihwal Lee <kih...@apache.org> Authored: Thu Mar 8 14:20:09 2018 -0600 Committer: Kihwal Lee <kih...@apache.org> Committed: Thu Mar 8 14:22:17 2018 -0600 ---------------------------------------------------------------------- .../server/namenode/FSPermissionChecker.java | 12 +++- .../namenode/TestINodeAttributeProvider.java | 63 +++++++++++++++----- 2 files changed, 57 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/0aa52d40/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java index 22f9b99..8c53308 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.java @@ -271,8 +271,16 @@ public class FSPermissionChecker implements AccessControlEnforcer { INodeAttributes inodeAttrs = inode.getSnapshotINode(snapshotId); if (getAttributesProvider() != null) { String[] elements = new String[pathIdx + 1]; - for (int i = 0; i < elements.length; i++) { - elements[i] = DFSUtil.bytes2String(pathByNameArr[i]); + /** + * {@link INode#getPathComponents(String)} returns a null component + * for the root only path "/". Assign an empty string if so. + */ + if (pathByNameArr.length == 1 && pathByNameArr[0] == null) { + elements[0] = ""; + } else { + for (int i = 0; i < elements.length; i++) { + elements[i] = DFSUtil.bytes2String(pathByNameArr[i]); + } } inodeAttrs = getAttributesProvider().getAttributes(elements, inodeAttrs); } http://git-wip-us.apache.org/repos/asf/hadoop/blob/0aa52d40/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java index bbc5fa0..5495692 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestINodeAttributeProvider.java @@ -313,31 +313,62 @@ public class TestINodeAttributeProvider { testBypassProviderHelper(users, HDFS_PERMISSION, true); } - @Test - public void testCustomProvider() throws Exception { + private void verifyFileStatus(UserGroupInformation ugi) throws IOException { FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0)); - fs.mkdirs(new Path("/user/xxx")); - FileStatus status = fs.getFileStatus(new Path("/user/xxx")); - Assert.assertEquals(System.getProperty("user.name"), status.getOwner()); + + FileStatus status = fs.getFileStatus(new Path("/")); + LOG.info("Path '/' is owned by: " + + status.getOwner() + ":" + status.getGroup()); + + Path userDir = new Path("/user/" + ugi.getShortUserName()); + fs.mkdirs(userDir); + status = fs.getFileStatus(userDir); + Assert.assertEquals(ugi.getShortUserName(), status.getOwner()); Assert.assertEquals("supergroup", status.getGroup()); Assert.assertEquals(new FsPermission((short) 0755), status.getPermission()); - fs.mkdirs(new Path("/user/authz")); - Path p = new Path("/user/authz"); - status = fs.getFileStatus(p); + + Path authzDir = new Path("/user/authz"); + fs.mkdirs(authzDir); + status = fs.getFileStatus(authzDir); Assert.assertEquals("foo", status.getOwner()); Assert.assertEquals("bar", status.getGroup()); Assert.assertEquals(new FsPermission((short) 0770), status.getPermission()); - AclStatus aclStatus = fs.getAclStatus(p); + + AclStatus aclStatus = fs.getAclStatus(authzDir); Assert.assertEquals(1, aclStatus.getEntries().size()); - Assert.assertEquals(AclEntryType.GROUP, aclStatus.getEntries().get(0) - .getType()); - Assert.assertEquals("xxx", aclStatus.getEntries().get(0) - .getName()); - Assert.assertEquals(FsAction.ALL, aclStatus.getEntries().get(0) - .getPermission()); - Map<String, byte[]> xAttrs = fs.getXAttrs(p); + Assert.assertEquals(AclEntryType.GROUP, + aclStatus.getEntries().get(0).getType()); + Assert.assertEquals("xxx", + aclStatus.getEntries().get(0).getName()); + Assert.assertEquals(FsAction.ALL, + aclStatus.getEntries().get(0).getPermission()); + Map<String, byte[]> xAttrs = fs.getXAttrs(authzDir); Assert.assertTrue(xAttrs.containsKey("user.test")); Assert.assertEquals(2, xAttrs.get("user.test").length); } + /** + * With the custom provider configured, verify file status attributes. + * A superuser can bypass permission check while resolving paths. So, + * verify file status for both superuser and non-superuser. + */ + @Test + public void testCustomProvider() throws Exception { + final UserGroupInformation[] users = new UserGroupInformation[]{ + UserGroupInformation.createUserForTesting( + System.getProperty("user.name"), new String[]{"supergroup"}), + UserGroupInformation.createUserForTesting( + "normaluser", new String[]{"normalusergroup"}), + }; + + for (final UserGroupInformation user : users) { + user.doAs(new PrivilegedExceptionAction<Void>() { + @Override + public Void run() throws Exception { + verifyFileStatus(user); + return null; + } + }); + } + } } --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
