public void testConfiguredPolicy() throws Exception { Configuration conf = new Configuration(); conf.set(KEY_1, AccessControlList.WILDCARD_ACL_VALUE); conf.set(KEY_2, USER1 + " " + GROUPS1[0]); ConfiguredPolicy policy = new ConfiguredPolicy(conf, new TestPolicyProvider()); SecurityUtil.setPolicy(policy); Subject user1 = SecurityUtil.getSubject(new UnixUserGroupInformation(USER1, GROUPS1)); // Should succeed ServiceAuthorizationManager.authorize(user1, Protocol1.class); // Should fail Subject user2 = SecurityUtil.getSubject(new UnixUserGroupInformation(USER2, GROUPS2)); boolean failed = false; try { ServiceAuthorizationManager.authorize(user2, Protocol2.class); } catch (AuthorizationException ae) { failed = true; } assertTrue(failed); }
private void initialize(Configuration conf) { aclsEnabled = conf.getBoolean("mapred.acls.enabled", false); String[] queues = conf.getStrings("mapred.queue.names", new String[] {JobConf.DEFAULT_QUEUE_NAME}); addToSet(queueNames, queues); // for every queue, and every operation, get the ACL // if any is specified and store in aclsMap. for (String queue : queues) { for (QueueOperation oper : QueueOperation.values()) { String key = toFullPropertyName(queue, oper.getAclName()); String aclString = conf.get(key, "*"); aclsMap.put(key, new AccessControlList(aclString)); } } }
/** * Construct a new QueueManager using configuration specified in the passed * in {@link org.apache.hadoop.conf.Configuration} object. * * @param conf Configuration object where queue configuration is specified. */ public QueueManager(Configuration conf) { queueNames = new TreeSet<String>(); aclsMap = new HashMap<String, AccessControlList>(); schedulerInfoObjects = new HashMap<String, Object>(); initialize(conf); }
/** * Refresh the acls for the configured queues in the system by reading * it from mapred-queue-acls.xml. * * The previous acls are removed. Previously configured queues and * if or not acl is disabled is retained. * * @throws IOException when queue ACL configuration file is invalid. */ synchronized void refreshAcls(Configuration conf) throws IOException { try { HashMap<String, AccessControlList> newAclsMap = getQueueAcls(conf); aclsMap = newAclsMap; } catch (Throwable t) { String exceptionString = StringUtils.stringifyException(t); LOG.warn("Queue ACLs could not be refreshed because there was an " + "exception in parsing the configuration: "+ exceptionString + ". Existing ACLs are retained."); throw new IOException(exceptionString); } }
private HashMap<String, AccessControlList> getQueueAcls(Configuration conf) { checkDeprecation(conf); conf.addResource(QUEUE_ACLS_FILE_NAME); HashMap<String, AccessControlList> aclsMap = new HashMap<String, AccessControlList>(); for (String queue : queueNames) { for (QueueOperation oper : QueueOperation.values()) { String key = toFullPropertyName(queue, oper.getAclName()); String aclString = conf.get(key, "*"); aclsMap.put(key, new AccessControlList(aclString)); } } return aclsMap; }
/** * Return true if the given {@link QueueManager.QueueOperation} can be * performed by the specified user on the specified job in the given queue. * * An operation is allowed either if the owner of the job is the user * performing the task, all users are provided access for this * operation, or if either the user or any of the groups specified is * provided access. * * If the {@link QueueManager.QueueOperation} is not job specific then the * job parameter is ignored. * * @param queueName Queue on which the operation needs to be performed. * @param job The {@link JobInProgress} on which the operation is being * performed. * @param oper The operation to perform * @param ugi The user and groups who wish to perform the operation. * * @return true if the operation is allowed, false otherwise. */ public synchronized boolean hasAccess(String queueName, JobInProgress job, QueueOperation oper, UserGroupInformation ugi) { if (!aclsEnabled) { return true; } if (LOG.isDebugEnabled()) { LOG.debug("checking access for : " + toFullPropertyName(queueName, oper.getAclName())); } if (oper.isJobOwnerAllowed()) { if (job != null && job.getJobConf().getUser().equals(ugi.getUserName())) { return true; } } AccessControlList acl = aclsMap.get(toFullPropertyName(queueName, oper.getAclName())); if (acl == null) { return false; } // Check the ACL list boolean allowed = acl.allAllowed(); if (!allowed) { // Check the allowed users list if (acl.getUsers().contains(ugi.getUserName())) { allowed = true; } else { // Check the allowed groups list Set<String> allowedGroups = acl.getGroups(); for (String group : ugi.getGroupNames()) { if (allowedGroups.contains(group)) { allowed = true; break; } } } } return allowed; }
@Override public void refresh() { // Get the system property 'hadoop.policy.file' String policyFile = System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE); // Make a copy of the original config, and load the policy file Configuration policyConf = new Configuration(conf); policyConf.addResource(policyFile); Map<Principal, Set<Permission>> newPermissions = new HashMap<Principal, Set<Permission>>(); Set<Permission> newAllowPermissions = new HashSet<Permission>(); // Parse the config file Service[] services = policyProvider.getServices(); if (services != null) { for (Service service : services) { AccessControlList acl = new AccessControlList( policyConf.get(service.getServiceKey(), AccessControlList.WILDCARD_ACL_VALUE) ); if (acl.allAllowed()) { newAllowPermissions.add(service.getPermission()); if (LOG.isDebugEnabled()) { LOG.debug("Policy - " + service.getPermission() + " * "); } } else { for (String user : acl.getUsers()) { addPermission(newPermissions, new User(user), service.getPermission()); } for (String group : acl.getGroups()) { addPermission(newPermissions, new Group(group), service.getPermission()); } } } } // Flip to the newly parsed permissions allowedPermissions = newAllowPermissions; permissions = newPermissions; }
/** * Return true if the given {@link QueueManager.QueueOperation} can be * performed by the specified user on the specified job in the given queue. * * An operation is allowed either if the owner of the job is the user * performing the task, all users are provided access for this * operation, or if either the user or any of the groups specified is * provided access. * * If the {@link QueueManager.QueueOperation} is not job specific then the * job parameter is ignored. * * @param queueName Queue on which the operation needs to be performed. * @param job The {@link JobInProgress} on which the operation is being * performed. * @param oper The operation to perform * @param ugi The user and groups who wish to perform the operation. * * @return true if the operation is allowed, false otherwise. */ public synchronized boolean hasAccess(String queueName, JobInProgress job, QueueOperation oper, UserGroupInformation ugi) { if (!aclsEnabled) { return true; } if (LOG.isDebugEnabled()) { LOG.debug("checking access for : " + toFullPropertyName(queueName, oper.getAclName())); } if (oper.isJobOwnerAllowed()) { if (job.getJobConf().getUser().equals(ugi.getUserName())) { return true; } } AccessControlList acl = aclsMap.get(toFullPropertyName(queueName, oper.getAclName())); if (acl == null) { return false; } // Check the ACL list boolean allowed = acl.allAllowed(); if (!allowed) { // Check the allowed users list if (acl.getUsers().contains(ugi.getUserName())) { allowed = true; } else { // Check the allowed groups list Set<String> allowedGroups = acl.getGroups(); for (String group : ugi.getGroupNames()) { if (allowedGroups.contains(group)) { allowed = true; break; } } } } return allowed; }
