HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu. (cherry picked from commit b2017d9b032af20044fdf60ddbd1575a554ccb79)
(cherry picked from commit 098c2df0c09b0b24121a8d4663168a5f58799aef) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/3c1b25b5 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/3c1b25b5 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/3c1b25b5 Branch: refs/heads/branch-2.7.2 Commit: 3c1b25b5fb49b8e9c8c9e1b3367b8bb7e609356d Parents: 17ad3b1 Author: cnauroth <cnaur...@apache.org> Authored: Tue Sep 15 10:41:50 2015 -0700 Committer: Vinod Kumar Vavilapalli (I am also known as @tshooter.) <vino...@apache.org> Committed: Wed Jan 13 11:52:18 2016 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../apache/hadoop/security/authorize/AccessControlList.java | 2 +- .../hadoop/security/authorize/TestAccessControlList.java | 9 +++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/3c1b25b5/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index d694868..7eecc12 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -811,6 +811,9 @@ Release 2.6.3 - UNRELEASED IMPROVEMENTS + HADOOP-12413. AccessControlList should avoid calling getGroupNames in + isUserInList with empty groups. (Zhihai Xu via cnauroth) + OPTIMIZATIONS BUG FIXES http://git-wip-us.apache.org/repos/asf/hadoop/blob/3c1b25b5/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java index f19776f..b1b474b 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -230,7 +230,7 @@ public class AccessControlList implements Writable { public final boolean isUserInList(UserGroupInformation ugi) { if (allAllowed || users.contains(ugi.getShortUserName())) { return true; - } else { + } else if (!groups.isEmpty()) { for(String group: ugi.getGroupNames()) { if (groups.contains(group)) { return true; http://git-wip-us.apache.org/repos/asf/hadoop/blob/3c1b25b5/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java index 926e3b9..82942fc 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java @@ -37,6 +37,10 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.NativeCodeLoader; import org.junit.Test; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.verify; + @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceStability.Evolving public class TestAccessControlList { @@ -449,6 +453,11 @@ public class TestAccessControlList { assertUserAllowed(susan, acl); assertUserAllowed(barbara, acl); assertUserAllowed(ian, acl); + + acl = new AccessControlList(""); + UserGroupInformation spyUser = spy(drwho); + acl.isUserAllowed(spyUser); + verify(spyUser, never()).getGroupNames(); } private void assertUserAllowed(UserGroupInformation ugi,
