BELUGA BEHR created HADOOP-12640:
------------------------------------
Summary: Code Review AccessControlList
Key: HADOOP-12640
URL: https://issues.apache.org/jira/browse/HADOOP-12640
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.7.1
Reporter: BELUGA BEHR
Priority: Minor
Attachments: AccessControlList.patch, TestAccessControlList.path
After some confusion of my own, in particular with
"mapreduce.job.acl-view-job," I have looked over the AccessControlList
implementation and cleaned it up and clarified a few points.
1) I added tests to show that when including an asterisk in either the username
or the group field, it overrides everything and allows all access.
"user1,user2,user3 *" = all access
"* group1,group2" = all access
"* *" = all access
"* " = all access
" *" = all access
2) General clean-up and simplification
3) NOT-BACKWARDS COMPATIBLE
The code currently handled spaces in an asymmetric way. The code splits the ACL
string on a single space, but limits the resulting array to a size of two. So,
as long as there are no spaces in the user names section, it works fine, but
any spaces subsequent to that did not matter.
"user1,user2,user3 group1, group2,group3" - works as expected
["user1,user2,user3", "group1, group2,group3"]
"user1, user2,user3 group1,group2,group3" - Did not work as expected
["user1,","user2,user3, group1, group2,group3"]
The submitted patch will split on all spaces and log a warning if there are
more than two elements. This enforces no spaces with the two comma-separated
lists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
