/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
18 | package org.apache.hadoop.security; |
---|
19 | |
---|
20 | import java.io.IOException; |
---|
21 | import java.util.Random; |
---|
22 | |
---|
23 | import org.apache.commons.logging.Log; |
---|
24 | import org.apache.commons.logging.LogFactory; |
---|
25 | import org.apache.commons.logging.impl.Log4JLogger; |
---|
26 | import org.apache.hadoop.conf.Configuration; |
---|
27 | import org.apache.hadoop.hdfs.MiniDFSCluster; |
---|
28 | import org.apache.hadoop.fs.*; |
---|
29 | import org.apache.hadoop.fs.permission.*; |
---|
30 | import org.apache.hadoop.util.StringUtils; |
---|
31 | import org.apache.log4j.Level; |
---|
32 | |
---|
33 | import junit.framework.TestCase; |
---|
34 | |
---|
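/**
 * Unit tests for file-system permission handling, run against an in-process
 * {@link MiniDFSCluster} with <code>dfs.permissions</code> switched on.
 *
 * <p>{@link #testCreate()} checks the mode bits recorded for newly created
 * directories and files. {@link #testFilePermision()} checks that a second,
 * non-owning identity is refused mkdir/create/open where the modes forbid
 * it and is allowed a rename once the modes permit it.
 *
 * <p>NOTE(review): the second identity is simply written into the client
 * {@link Configuration} by the test. These tests therefore exercise the
 * authorization checks only; nothing here covers how a caller's identity is
 * authenticated.
 */
public class TestPermission extends TestCase {
  public static final Log LOG = LogFactory.getLog(TestPermission.class);

  {
    // Instance initializer: turns the UserGroupInformation logger up to ALL
    // for every test instance. The cast only works while commons-logging is
    // bound to log4j; any other binding fails here with a ClassCastException.
    ((Log4JLogger)UserGroupInformation.LOG).getLogger().setLevel(Level.ALL);
  }

  // Fixture paths used by testFilePermision.
  private static final Path ROOT_PATH = new Path("/data");
  private static final Path CHILD_DIR1 = new Path(ROOT_PATH, "child1");
  private static final Path CHILD_DIR2 = new Path(ROOT_PATH, "child2");
  private static final Path CHILD_FILE1 = new Path(ROOT_PATH, "file1");
  private static final Path CHILD_FILE2 = new Path(ROOT_PATH, "file2");

  private static final int FILE_LEN = 100;
  // Only used for test payload bytes and the user-name suffix; nothing
  // security-sensitive is derived from it.
  private static final Random RAN = new Random();
  // Identity of the second caller in testFilePermision. nextInt() may be
  // negative, which is harmless in a user name used only by this test.
  private static final String USER_NAME = "user" + RAN.nextInt();
  private static final String[] GROUP_NAMES = {"group1", "group2"};

  /**
   * Looks up the status of <code>path</code>, logs it, and optionally
   * asserts its permission.
   *
   * @param fs file system to query
   * @param path path whose status is fetched
   * @param expected permission the path must carry, or <code>null</code> to
   *        skip the assertion and only read the value
   * @return the permission reported for <code>path</code>
   * @throws IOException if the status lookup fails
   */
  static FsPermission checkPermission(FileSystem fs,
      String path, FsPermission expected) throws IOException {
    FileStatus s = fs.getFileStatus(new Path(path));
    FsPermission actual = s.getPermission();
    LOG.info(s.getPath() + ": " + s.isDir() + " " + actual
        + ":" + s.getOwner() + ":" + s.getGroup());
    if (expected != null) {
      // Compared both as objects and as raw mode bits.
      assertEquals("permission of " + path, expected, actual);
      assertEquals("mode bits of " + path,
          expected.toShort(), actual.toShort());
    }
    return actual;
  }

  /**
   * Checks the permissions recorded for directories and files created with
   * an explicit {@link FsPermission}, including the ancestors that are
   * created implicitly along the way.
   */
  public void testCreate() throws Exception {
    Configuration conf = new Configuration();
    conf.setBoolean("dfs.permissions", true);
    conf.setInt(FsPermission.UMASK_LABEL, 0);
    MiniDFSCluster cluster = null;
    FileSystem fs = null;

    try {
      cluster = new MiniDFSCluster(conf, 3, true, null);
      cluster.waitActive();
      fs = FileSystem.get(conf);
      FsPermission rootPerm = checkPermission(fs, "/", null);
      // Mode the test expects on implicitly created ancestors: the root's
      // mode with owner write+execute (0300) OR-ed in.
      FsPermission inheritPerm = FsPermission.createImmutable(
          (short)(rootPerm.toShort() | 0300));

      // mkdirs: only the leaf is expected to carry the requested mode.
      FsPermission dirPerm = new FsPermission((short)0777);
      fs.mkdirs(new Path("/a1/a2/a3"), dirPerm);
      checkPermission(fs, "/a1", inheritPerm);
      checkPermission(fs, "/a1/a2", inheritPerm);
      checkPermission(fs, "/a1/a2/a3", dirPerm);

      // create: same expectation for the ancestors of a new file.
      FsPermission filePerm = new FsPermission((short)0444);
      FSDataOutputStream out = fs.create(new Path("/b1/b2/b3.txt"), filePerm,
          true, conf.getInt("io.file.buffer.size", 4096),
          fs.getDefaultReplication(), fs.getDefaultBlockSize(), null);
      try {
        out.write(123);
      } finally {
        out.close();
      }
      checkPermission(fs, "/b1", inheritPerm);
      checkPermission(fs, "/b1/b2", inheritPerm);
      checkPermission(fs, "/b1/b2/b3.txt", filePerm);

      // The umask in conf is changed to 022 before the static helpers are
      // called; the assertions below still expect exactly the requested
      // mode (0666) on both the directory and the file.
      conf.setInt(FsPermission.UMASK_LABEL, 0022);
      FsPermission permission =
          FsPermission.createImmutable((short)0666);
      FileSystem.mkdirs(fs, new Path("/c1"), new FsPermission(permission));
      // The returned stream was previously dropped without being closed.
      FileSystem.create(fs, new Path("/c1/c2.txt"),
          new FsPermission(permission)).close();
      checkPermission(fs, "/c1", permission);
      checkPermission(fs, "/c1/c2.txt", permission);
    } finally {
      // Best-effort cleanup: a failure here is logged so that it does not
      // hide the original test failure.
      try {
        if (fs != null) {
          fs.close();
        }
      } catch (Exception e) {
        LOG.error(StringUtils.stringifyException(e));
      }
      try {
        if (cluster != null) {
          cluster.shutdown();
        }
      } catch (Exception e) {
        LOG.error(StringUtils.stringifyException(e));
      }
    }
  }

  /**
   * Checks permission enforcement for a second identity: operations on
   * missing paths fail with FileNotFoundException, the creating identity can
   * write and read back its own file, and {@link #USER_NAME} is refused
   * mkdir, create and open until the modes are relaxed.
   */
  public void testFilePermision() throws Exception {
    Configuration conf = new Configuration();
    conf.setBoolean("dfs.permissions", true);
    MiniDFSCluster cluster = new MiniDFSCluster(conf, 3, true, null);

    try {
      // Inside the try so the cluster is shut down even if start-up fails.
      cluster.waitActive();
      FileSystem nnfs = FileSystem.get(conf);

      // test permissions on files that do not exist
      assertFalse(nnfs.exists(CHILD_FILE1));
      try {
        nnfs.setOwner(CHILD_FILE1, "foo", "bar");
        fail("setOwner on a missing path should throw FileNotFoundException");
      } catch (java.io.FileNotFoundException e) {
        LOG.info("GOOD: got " + e);
      }
      try {
        nnfs.setPermission(CHILD_FILE1, new FsPermission((short)0777));
        fail("setPermission on a missing path should throw"
            + " FileNotFoundException");
      } catch (java.io.FileNotFoundException e) {
        LOG.info("GOOD: got " + e);
      }

      // following dir/file creations are legal
      nnfs.mkdirs(CHILD_DIR1);
      byte[] data = new byte[FILE_LEN];
      RAN.nextBytes(data);
      FSDataOutputStream out = nnfs.create(CHILD_FILE1);
      try {
        out.write(data);
      } finally {
        out.close();
      }
      // Owner-only access; the second identity must not be able to open it.
      nnfs.setPermission(CHILD_FILE1, new FsPermission((short)0700));

      // following read is legal
      byte[] dataIn = new byte[FILE_LEN];
      FSDataInputStream fin = nnfs.open(CHILD_FILE1);
      try {
        // readFully rather than read: a single read() may legally return
        // fewer than FILE_LEN bytes, which made the old length check flaky.
        fin.readFully(dataIn);
      } finally {
        fin.close();
      }
      for (int i = 0; i < FILE_LEN; i++) {
        assertEquals("byte " + i + " of " + CHILD_FILE1, data[i], dataIn[i]);
      }

      ////////////////////////////////////////////////////////////////
      // test illegal file/dir creation
      // The second identity is stored in conf and a FileSystem is obtained
      // from that conf; the assertions below expect this handle to act as
      // USER_NAME rather than as the identity behind nnfs.
      UnixUserGroupInformation userGroupInfo = new UnixUserGroupInformation(
          USER_NAME, GROUP_NAMES);
      UnixUserGroupInformation.saveToConf(conf,
          UnixUserGroupInformation.UGI_PROPERTY_NAME, userGroupInfo);
      FileSystem userfs = FileSystem.get(conf);

      // make sure mkdir of an existing directory that is not owned by
      // this user does not throw an exception.
      userfs.mkdirs(CHILD_DIR1);

      // illegal mkdir
      // NOTE(review): consider also asserting through nnfs that the refused
      // paths were not created, so a denial with side effects is caught.
      assertFalse(USER_NAME + " must not be able to mkdir " + CHILD_DIR2,
          canMkdirs(userfs, CHILD_DIR2));

      // illegal file creation
      assertFalse(USER_NAME + " must not be able to create " + CHILD_FILE2,
          canCreate(userfs, CHILD_FILE2));

      // illegal file open
      assertFalse(USER_NAME + " must not be able to open " + CHILD_FILE1,
          canOpen(userfs, CHILD_FILE1));

      // Relax the modes so the rename below is permitted for USER_NAME.
      nnfs.setPermission(ROOT_PATH, new FsPermission((short)0755));
      nnfs.setPermission(CHILD_DIR1, new FsPermission((short)0777));
      nnfs.setPermission(new Path("/"), new FsPermission((short)0777));
      final Path RENAME_PATH = new Path("/foo/bar");
      userfs.mkdirs(RENAME_PATH);
      assertTrue(USER_NAME + " should be allowed to rename " + RENAME_PATH
          + " to " + CHILD_DIR1,
          canRename(userfs, RENAME_PATH, CHILD_DIR1));
    } finally {
      cluster.shutdown();
    }
  }

  /**
   * Tries to create directory <code>p</code>.
   *
   * @return <code>false</code> if the attempt was rejected with an
   *         AccessControlException, <code>true</code> otherwise; the boolean
   *         result of <code>mkdirs</code> itself is not consulted
   * @throws IOException for any failure other than an access denial
   */
  static boolean canMkdirs(FileSystem fs, Path p) throws IOException {
    try {
      fs.mkdirs(p);
    } catch (AccessControlException e) {
      return false;
    }
    return true;
  }

  /**
   * Tries to create file <code>p</code>; on success the new stream is closed
   * straight away so the probe does not leave an open file behind.
   *
   * @return <code>false</code> if the attempt was rejected with an
   *         AccessControlException, <code>true</code> otherwise
   * @throws IOException for any failure other than an access denial
   */
  static boolean canCreate(FileSystem fs, Path p) throws IOException {
    try {
      fs.create(p).close();
    } catch (AccessControlException e) {
      return false;
    }
    return true;
  }

  /**
   * Tries to open file <code>p</code> for reading; on success the stream is
   * closed straight away.
   *
   * @return <code>false</code> if the attempt was rejected with an
   *         AccessControlException, <code>true</code> otherwise
   * @throws IOException for any failure other than an access denial
   */
  static boolean canOpen(FileSystem fs, Path p) throws IOException {
    try {
      fs.open(p).close();
    } catch (AccessControlException e) {
      return false;
    }
    return true;
  }

  /**
   * Tries to rename <code>src</code> to <code>dst</code>.
   *
   * @return <code>false</code> if the attempt was rejected with an
   *         AccessControlException, <code>true</code> otherwise; the boolean
   *         result of <code>rename</code> itself is not consulted, so
   *         <code>true</code> only means "not denied"
   * @throws IOException for any failure other than an access denial
   */
  static boolean canRename(FileSystem fs, Path src, Path dst
      ) throws IOException {
    try {
      fs.rename(src, dst);
    } catch (AccessControlException e) {
      return false;
    }
    return true;
  }
}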