[jira] [Updated] (HDFS-5623) NameNode: add tests for skipping ACL enforcement when permission checks are disabled, user is superuser or user is member of supergroup.

Chris Nauroth (JIRA) Mon, 24 Feb 2014 15:14:30 -0800

     [ 
https://issues.apache.org/jira/browse/HDFS-5623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Chris Nauroth updated HDFS-5623:
--------------------------------

    Attachment: HDFS-5623.1.patch

I'm attaching a patch.  Summary:
# {{FSAclBaseTest}}: Add new tests covering skipping ACL enforcement when 
permissions are disabled, skipping ACL enforcement for super-user and members 
of the super-group, making sure that only the owner of the file can change the 
ACL, and getting a file's ACL requires traverse access along the full path.
# {{AclTestHelpers}}, {{TestAclWithSnapshot}}: Refactored some helper methods 
that were useful in the new tests.  This wasn't really required for 
{{assertDirPermissionDenied}} and {{assertDirPermissionGranted}}, but I did it 
anyway for consistency with {{assertFilePermissionDenied}} and 
{{assertFilePermissionGranted}}, which I really did need for the new tests.
# {{TestNameNodeAcl}}, {{TestWebHDFSAcl}}: The subclasses of {{FSAclBaseTest}} 
needed some refactoring to support creation of {{FileSystem}} instances as a 
specific user.
# {{FSNamesystem}}: These tests uncovered one bug.  
{{FSNamesystem#getAclStatus}} was not enforcing traverse access on the ancestor 
path.  I'm including the fix in this patch.  The check for 
{{isPermissionEnabled}} here is consistent with {{getFileInfo}}, which 
similarly returns the permission bits.

Aside from that one bug, all tests passed as I expected.

> NameNode: add tests for skipping ACL enforcement when permission checks are 
> disabled, user is superuser or user is member of supergroup.
> ----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-5623
>                 URL: https://issues.apache.org/jira/browse/HDFS-5623
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode
>    Affects Versions: HDFS ACLs (HDFS-4685)
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-5623.1.patch
>
>
> The existing permission checks are skipped under the following conditions:
> * {{dfs.permissions.enabled}} is set to false.  (There are several exceptions 
> stated in the documentation.)
> * The user is the super-user.
> * The user is a member of the super-user group.
> Add tests verifying that ACL enforcement is also skipped for all of these 
> cases.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

[jira] [Updated] (HDFS-5623) NameNode: add tests for skipping ACL enforcement when permission checks are disabled, user is superuser or user is member of supergroup.

Reply via email to