HADOOP-13361. Modify hadoop_verify_user to be consistent with hadoop_subcommand_opts (ie more granularity)
Signed-off-by: Allen Wittenauer <a...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/ab578fb2 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/ab578fb2 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/ab578fb2 Branch: refs/heads/HADOOP-13341 Commit: ab578fb2dead6422b368123dca4ebb8b31cfa9f7 Parents: 9bae198 Author: Allen Wittenauer <a...@apache.org> Authored: Tue Aug 30 13:55:04 2016 -0700 Committer: Allen Wittenauer <a...@apache.org> Committed: Fri Sep 9 04:07:43 2016 -0700 ---------------------------------------------------------------------- .../hadoop-common/src/main/bin/hadoop | 4 +- .../src/main/bin/hadoop-functions.sh | 24 +++++++-- .../hadoop-common/src/main/conf/hadoop-env.sh | 3 +- .../src/test/scripts/hadoop_verify_user.bats | 53 ++++++++++++++++++++ .../hadoop-hdfs/src/main/bin/hdfs | 4 +- hadoop-mapreduce-project/bin/mapred | 4 +- hadoop-yarn-project/hadoop-yarn/bin/yarn | 4 +- 7 files changed, 82 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-common-project/hadoop-common/src/main/bin/hadoop ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop b/hadoop-common-project/hadoop-common/src/main/bin/hadoop index 9b682e6..450543d 100755 --- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop +++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop @@ -190,6 +190,8 @@ fi HADOOP_SUBCMD=$1 shift +hadoop_verify_user "${HADOOP_SHELL_EXECNAME}" "${HADOOP_SUBCMD}" + HADOOP_SUBCMD_ARGS=("$@") if declare -f hadoop_subcommand_"${HADOOP_SUBCMD}" >/dev/null 2>&1; then 
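Review bot: The added call `hadoop_verify_user "${HADOOP_SHELL_EXECNAME}" "${HADOOP_SUBCMD}"` relies on `HADOOP_SHELL_EXECNAME` being set, and its assignment is not in this hunk. If it is ever empty, the function builds `_<SUBCMD>_USER`, finds nothing under that name and returns success, so a configured restriction is skipped without any message. Failing closed is a small change: `hadoop_verify_user "${HADOOP_SHELL_EXECNAME:?}" "${HADOOP_SUBCMD}"`. The same line is added in the hdfs, mapred and yarn launchers further down.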
@@ -199,8 +201,6 @@ else hadoopcmd_case "${HADOOP_SUBCMD}" "${HADOOP_SUBCMD_ARGS[@]}" fi -hadoop_verify_user "${HADOOP_SUBCMD}" - hadoop_add_client_opts if [[ ${HADOOP_WORKER_MODE} = true ]]; then http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh index db868bd..91546d4 100755 --- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh +++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh @@ -1984,12 +1984,26 @@ function hadoop_secure_daemon_handler ## @return will exit on failure conditions function hadoop_verify_user { - local command=$1 - local uservar="HADOOP_${command}_USER" + declare program=$1 + declare command=$2 + declare uprogram + declare ucommand + declare uvar - if [[ -n ${!uservar} ]]; then - if [[ ${!uservar} != "${USER}" ]]; then - hadoop_error "ERROR: ${command} can only be executed by ${!uservar}." + if [[ -z "${BASH_VERSINFO[0]}" ]] \ + || [[ "${BASH_VERSINFO[0]}" -lt 4 ]]; then + uprogram=$(echo "${program}" | tr '[:lower:]' '[:upper:]') + ucommand=$(echo "${command}" | tr '[:lower:]' '[:upper:]') + else + uprogram=${program^^} + ucommand=${command^^} + fi + + uvar="${uprogram}_${ucommand}_USER" + + if [[ -n ${!uvar} ]]; then + if [[ ${!uvar} != "${USER}" ]]; then + hadoop_error "ERROR: ${command} can only be executed by ${!uvar}." exit 1 fi fi http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh index 4656f4d..a78f3f6 100644 
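Review bot: In `hadoop_verify_user`, `uvar` is assembled from the two raw arguments and handed straight to `${!uvar}` with no check that the result is a legal variable name. The launchers now call this before the subcommand has been matched against anything, so whatever was typed as the first argument ends up inside an indirect expansion, and bash does not treat a non-identifier there as a plain variable lookup (the handling may also differ between bash releases). A guard before the first `${!uvar}` keeps the lookup to real names: `[[ "${uvar}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 0`. Separately, the comparison is against `${USER}`, which comes from the caller's environment, so the function's header comment could say outright that this is an accident guard and not access control. The function's closing brace is outside the hunk.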
--- a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh +++ b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh @@ -417,6 +417,7 @@ esac # # To prevent accidents, shell commands be (superficially) locked # to only allow certain users to execute certain subcommands. +# It uses the format of (command)_(subcommand)_USER. # # For example, to limit who can execute the namenode command, -# export HADOOP_namenode_USER=hdfs +# export HDFS_NAMENODE_USER=hdfs http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-common-project/hadoop-common/src/test/scripts/hadoop_verify_user.bats ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/scripts/hadoop_verify_user.bats b/hadoop-common-project/hadoop-common/src/test/scripts/hadoop_verify_user.bats new file mode 100644 index 0000000..ac9fa9f --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/scripts/hadoop_verify_user.bats 
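Review bot: The example changes from `HADOOP_namenode_USER` to `HDFS_NAMENODE_USER`, but nothing in the comment tells an operator that the old spelling is no longer read. The rewritten `hadoop_verify_user` looks up only the upper-cased `(COMMAND)_(SUBCOMMAND)_USER`, so a site that still exports `HADOOP_namenode_USER=hdfs` loses the guard after upgrading, with no warning. I would add a line to this comment block such as `# Names are upper case; the older HADOOP_(subcommand)_USER form is ignored.` A one-time warning when an old-style variable is found would be better still, but that belongs in hadoop-functions.sh.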
@@ -0,0 +1,53 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load hadoop-functions_test_helper
+
+@test "hadoop_verify_user (hadoop: no setting)" {
+ run hadoop_verify_user hadoop test
+ [ "${status}" = "0" ]
+}
+
+@test "hadoop_verify_user (yarn: no setting)" {
+ run hadoop_verify_user yarn test
+ [ "${status}" = "0" ]
+}
+
+@test "hadoop_verify_user (hadoop: allow)" {
+ HADOOP_TEST_USER=${USER}
+ run hadoop_verify_user hadoop test
+ [ "${status}" = "0" ]
+}
+
+@test "hadoop_verify_user (yarn: allow)" {
+ YARN_TEST_USER=${USER}
+ run hadoop_verify_user yarn test
+ [ "${status}" = "0" ]
+}
+
+# colon isn't a valid username, so let's use it
+# this should fail regardless of who the user is
+# that is running the test code
+@test "hadoop_verify_user (hadoop: disallow)" {
+ HADOOP_TEST_USER=:
+ run hadoop_verify_user hadoop test
+ [ "${status}" = "1" ]
+}
+
+@test "hadoop_verify_user (yarn: disallow)" {
+ YARN_TEST_USER=:
+ run hadoop_verify_user yarn test
+ [ "${status}" = "1" ]
+}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
----------------------------------------------------------------------
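Review bot: Every case here uses the subcommand `test`, so nothing exercises a second argument that cannot form a variable name, even though the launchers now hand the function the raw first argument. A case such as `run hadoop_verify_user hadoop org.example.Tool` (a made-up name) with an assertion on `${status}` would pin down what is supposed to happen there. The pre-bash-4 `tr` branch is also only covered when the suite happens to run under an old bash.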
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs index 566bd7f..6d6088f 100755 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs @@ -246,6 +246,8 @@ fi HADOOP_SUBCMD=$1 shift +hadoop_verify_user "${HADOOP_SHELL_EXECNAME}" "${HADOOP_SUBCMD}" + HADOOP_SUBCMD_ARGS=("$@") if declare -f hdfs_subcommand_"${HADOOP_SUBCMD}" >/dev/null 2>&1; then @@ -255,8 +257,6 @@ else hdfscmd_case "${HADOOP_SUBCMD}" "${HADOOP_SUBCMD_ARGS[@]}" fi -hadoop_verify_user "${HADOOP_SUBCMD}" - hadoop_add_client_opts if [[ ${HADOOP_WORKER_MODE} = true ]]; then http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-mapreduce-project/bin/mapred ---------------------------------------------------------------------- diff --git a/hadoop-mapreduce-project/bin/mapred b/hadoop-mapreduce-project/bin/mapred index 3243d20..c566d5a 100755 --- a/hadoop-mapreduce-project/bin/mapred +++ b/hadoop-mapreduce-project/bin/mapred @@ -131,6 +131,8 @@ fi HADOOP_SUBCMD=$1 shift +hadoop_verify_user "${HADOOP_SHELL_EXECNAME}" "${HADOOP_SUBCMD}" + HADOOP_SUBCMD_ARGS=("$@") if declare -f mapred_subcommand_"${HADOOP_SUBCMD}" >/dev/null 2>&1; then @@ -140,8 +142,6 @@ else mapredcmd_case "${HADOOP_SUBCMD}" "${HADOOP_SUBCMD_ARGS[@]}" fi -hadoop_verify_user "${HADOOP_SUBCMD}" - hadoop_add_client_opts if [[ ${HADOOP_SLAVE_MODE} = true ]]; then http://git-wip-us.apache.org/repos/asf/hadoop/blob/ab578fb2/hadoop-yarn-project/hadoop-yarn/bin/yarn ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/bin/yarn b/hadoop-yarn-project/hadoop-yarn/bin/yarn index d2a8a50..804fd1a 100755 --- a/hadoop-yarn-project/hadoop-yarn/bin/yarn +++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn 
@@ -228,6 +228,8 @@ fi HADOOP_SUBCMD=$1 shift +hadoop_verify_user "${HADOOP_SHELL_EXECNAME}" "${HADOOP_SUBCMD}" + HADOOP_SUBCMD_ARGS=("$@") if declare -f yarn_subcommand_"${HADOOP_SUBCMD}" >/dev/null 2>&1; then @@ -237,8 +239,6 @@ else yarncmd_case "${HADOOP_SUBCMD}" "${HADOOP_SUBCMD_ARGS[@]}" fi -hadoop_verify_user "${HADOOP_SUBCMD}" - # It's unclear if YARN_CLIENT_OPTS is actually a useful # thing to have separate from HADOOP_CLIENT_OPTS. Someone # might use it, so let's not deprecate it and just override --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org