This is an automated email from the ASF dual-hosted git repository. inigoiri pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push: new be6c801 HDFS-14418. Remove redundant super user priveledge checks from namenode. Contributed by Ayush Saxena. be6c801 is described below
commit be6c8014e66be919388269b70cb2966c35b8c578
Author: Inigo Goiri <inigo...@apache.org>
AuthorDate: Tue Apr 16 10:34:31 2019 -0700
HDFS-14418. Remove redundant super user priveledge checks from namenode. Contributed by Ayush Saxena.
---
 .../hadoop/hdfs/server/namenode/FSNamesystem.java | 3 --
 .../hdfs/server/namenode/NameNodeRpcServer.java | 1 -
 .../hadoop/hdfs/TestDistributedFileSystem.java | 55 ++++++++++++++++++++++
 3 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index 82015b2..9389719 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -7397,7 +7397,6 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
 Metadata metadata = FSDirEncryptionZoneOp.ensureKeyIsInitialized(dir,
 keyName, src);
 final FSPermissionChecker pc = getPermissionChecker();
- checkSuperuserPrivilege(pc);
 checkOperation(OperationCategory.WRITE);
 final FileStatus resultingStat;
 writeLock();
@@ -7459,7 +7458,6 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
 boolean success = false;
 checkOperation(OperationCategory.READ);
 final FSPermissionChecker pc = getPermissionChecker();
- checkSuperuserPrivilege(pc);
 readLock();
 try {
 checkOperation(OperationCategory.READ);
@@ -7497,7 +7495,6 @@ public class FSNamesystem implements Namesystem, FSNamesystemMBean,
 boolean success = false;
 checkOperation(OperationCategory.READ);
 final FSPermissionChecker pc = getPermissionChecker();
- checkSuperuserPrivilege(pc);
 readLock();
 try {
 checkOperation(OperationCategory.READ);
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 525d9c8..7a2a81c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -1331,7 +1331,6 @@ public class NameNodeRpcServer implements NamenodeProtocols {
 @Override // NamenodeProtocol
 public CheckpointSignature rollEditLog() throws IOException {
 checkNNStartup();
- namesystem.checkSuperuserPrivilege();
 return namesystem.rollEditLog();
 }
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
index 60ff614..8ad7085 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDistributedFileSystem.java
@@ -97,6 +97,7 @@ import org.apache.hadoop.hdfs.server.datanode.fsdataset.FsVolumeSpi;
 import org.apache.hadoop.hdfs.server.namenode.ErasureCodingPolicyManager;
 import org.apache.hadoop.hdfs.web.WebHdfsConstants;
 import org.apache.hadoop.io.erasurecode.ECSchema;
+import org.apache.hadoop.ipc.RemoteException;
 import org.apache.hadoop.net.DNSToSwitchMapping;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.net.ScriptBasedMapping;
@@ -104,6 +105,7 @@ import org.apache.hadoop.net.StaticMapping;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.test.LambdaTestUtils;
 import org.apache.hadoop.test.Whitebox;
 import org.apache.hadoop.util.DataChecksum;
 import org.apache.hadoop.util.Time;
@@ -1805,6 +1807,59 @@ public class TestDistributedFileSystem {
 }
 
 @Test
+ public void testSuperUserPrivilege() throws Exception {
+ HdfsConfiguration conf = new HdfsConfiguration();
+ File tmpDir = GenericTestUtils.getTestDir(UUID.randomUUID().toString());
+ final Path jksPath = new Path(tmpDir.toString(), "test.jks");
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
+ JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri());
+
+ try (MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).build()) {
+ cluster.waitActive();
+ final DistributedFileSystem dfs = cluster.getFileSystem();
+ Path dir = new Path("/testPrivilege");
+ dfs.mkdirs(dir);
+
+ final KeyProvider provider =
+ cluster.getNameNode().getNamesystem().getProvider();
+ final KeyProvider.Options options = KeyProvider.options(conf);
+ provider.createKey("key", options);
+ provider.flush();
+
+ // Create a non-super user.
+ UserGroupInformation user = UserGroupInformation.createUserForTesting(
+ "Non_SuperUser", new String[] {"Non_SuperGroup"});
+
+ DistributedFileSystem userfs = (DistributedFileSystem) user.doAs(
+ (PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
+
+ LambdaTestUtils.intercept(AccessControlException.class,
+ "Superuser privilege is required",
+ () -> userfs.createEncryptionZone(dir, "key"));
+
+ RemoteException re = LambdaTestUtils.intercept(RemoteException.class,
+ "Superuser privilege is required",
+ () -> userfs.listEncryptionZones().hasNext());
+ assertTrue(re.unwrapRemoteException() instanceof AccessControlException);
+
+ re = LambdaTestUtils.intercept(RemoteException.class,
+ "Superuser privilege is required",
+ () -> userfs.listReencryptionStatus().hasNext());
+ assertTrue(re.unwrapRemoteException() instanceof AccessControlException);
+
+ LambdaTestUtils.intercept(AccessControlException.class,
+ "Superuser privilege is required",
+ () -> user.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ cluster.getNameNode().getRpcServer().rollEditLog();
+ return null;
+ }
+ }));
+ }
+ }
+
+ @Test
 public void testRemoveErasureCodingPolicy() throws Exception {
 Configuration conf = getTestConfiguration();
 MiniDFSCluster cluster = null;
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
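Review bot: The `createEncryptionZone` case in `testSuperUserPrivilege` only uses a key that exists (`provider.createKey("key", options)` a few lines earlier), so it shows that a superuser check still fires but not that it fires independently of key state. In the FSNamesystem hunk the deleted `checkSuperuserPrivilege(pc)` sat after `ensureKeyIsInitialized(dir, keyName, src)`, and the check that now carries the denial lies outside the visible hunks, so its position relative to that lookup cannot be confirmed from this page. A second assertion with a key name that was never created, for example `LambdaTestUtils.intercept(AccessControlException.class, "Superuser privilege is required", () -> userfs.createEncryptionZone(dir, "noSuchKey"));` (key name constructed for illustration), would pin that an unprivileged caller gets the same denial either way. A short comment above the four intercepts, such as `// Each call must still be rejected by the remaining superuser check after HDFS-14418.`, would also tell later readers why these assertions must not be relaxed.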