Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getShortUserName()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getShortUserName(). Each example links to the original project and source file above it.
Example 1
Source File: ClientRMService.java    From big-c with Apache License 2.0 6 votes vote down vote up
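/**
 * Resolves the caller's UGI and verifies that it may submit to (reserve on)
 * {@code queueName}; audits the failure and rejects the request otherwise.
 *
 * @param queueName     queue the reservation request targets
 * @param auditConstant audit operation name recorded on failure
 * @return the caller's short user name once access has been confirmed
 * @throws YarnException if the caller UGI cannot be resolved, or the caller
 *         lacks {@link QueueACL#SUBMIT_APPLICATIONS} on the queue
 */
private String checkReservationACLs(String queueName, String auditConstant)
    throws YarnException {
  UserGroupInformation callerUGI;
  try {
    callerUGI = UserGroupInformation.getCurrentUser();
  } catch (IOException ie) {
    // No caller identity available: audit under a placeholder user and fail closed.
    RMAuditLogger.logFailure("UNKNOWN", auditConstant, queueName,
        "ClientRMService", "Error getting UGI");
    throw RPCUtil.getRemoteException(ie);
  }
  final String user = callerUGI.getShortUserName();
  // Reservation requests are gated on the queue's SUBMIT_APPLICATIONS ACL.
  if (!queueACLsManager.checkAccess(callerUGI, QueueACL.SUBMIT_APPLICATIONS,
      queueName)) {
    RMAuditLogger.logFailure(user, auditConstant,
        "User doesn't have permissions to "
            + QueueACL.SUBMIT_APPLICATIONS.toString(), "ClientRMService",
        AuditConstants.UNAUTHORIZED_USER);
    // Message fix: "on queue" and the queue name were previously run together.
    throw RPCUtil.getRemoteException(new AccessControlException("User "
        + user + " cannot perform operation "
        + QueueACL.SUBMIT_APPLICATIONS.name() + " on queue " + queueName));
  }
  return user;
}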
 
Example 2
Source File: ClientRMService.java    From hadoop with Apache License 2.0 6 votes vote down vote up
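/**
 * Resolves the caller's UGI and verifies that it may submit to (reserve on)
 * {@code queueName}; audits the failure and rejects the request otherwise.
 *
 * @param queueName     queue the reservation request targets
 * @param auditConstant audit operation name recorded on failure
 * @return the caller's short user name once access has been confirmed
 * @throws YarnException if the caller UGI cannot be resolved, or the caller
 *         lacks {@link QueueACL#SUBMIT_APPLICATIONS} on the queue
 */
private String checkReservationACLs(String queueName, String auditConstant)
    throws YarnException {
  UserGroupInformation callerUGI;
  try {
    callerUGI = UserGroupInformation.getCurrentUser();
  } catch (IOException ie) {
    // No caller identity available: audit under a placeholder user and fail closed.
    RMAuditLogger.logFailure("UNKNOWN", auditConstant, queueName,
        "ClientRMService", "Error getting UGI");
    throw RPCUtil.getRemoteException(ie);
  }
  final String user = callerUGI.getShortUserName();
  // Reservation requests are gated on the queue's SUBMIT_APPLICATIONS ACL.
  if (!queueACLsManager.checkAccess(callerUGI, QueueACL.SUBMIT_APPLICATIONS,
      queueName)) {
    RMAuditLogger.logFailure(user, auditConstant,
        "User doesn't have permissions to "
            + QueueACL.SUBMIT_APPLICATIONS.toString(), "ClientRMService",
        AuditConstants.UNAUTHORIZED_USER);
    // Message fix: "on queue" and the queue name were previously run together.
    throw RPCUtil.getRemoteException(new AccessControlException("User "
        + user + " cannot perform operation "
        + QueueACL.SUBMIT_APPLICATIONS.name() + " on queue " + queueName));
  }
  return user;
}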
 
Example 3
Source File: TestContainerManagerRecovery.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Starts container {@code cid} through {@code cm} as a remote user named after
 * the application attempt, presenting a container token and an NM token minted
 * for that user.
 *
 * @param context               NM context supplying node id and secret managers
 * @param cm                    container manager under test
 * @param cid                   container to start
 * @param clc                   launch context for the container
 * @param logAggregationContext log aggregation settings baked into the token
 * @return the container manager's response
 * @throws Exception anything raised while minting tokens or starting the container
 */
private StartContainersResponse startContainer(Context context,
    final ContainerManagerImpl cm, ContainerId cid,
    ContainerLaunchContext clc, LogAggregationContext logAggregationContext)
        throws Exception {
  String attemptName = cid.getApplicationAttemptId().toString();
  UserGroupInformation remoteUser =
      UserGroupInformation.createRemoteUser(attemptName);
  String shortName = remoteUser.getShortUserName();

  final List<StartContainerRequest> requests =
      new ArrayList<StartContainerRequest>();
  requests.add(StartContainerRequest.newInstance(clc,
      TestContainerManager.createContainerToken(cid, 0, context.getNodeId(),
          shortName, context.getContainerTokenSecretManager(),
          logAggregationContext)));

  // The NM token identifier is what lets this user's request pass the NM's
  // token check; it is keyed on the NM's current secret-manager key.
  remoteUser.addTokenIdentifier(new NMTokenIdentifier(
      cid.getApplicationAttemptId(), context.getNodeId(), shortName,
      context.getNMTokenSecretManager().getCurrentKey().getKeyId()));

  PrivilegedExceptionAction<StartContainersResponse> start =
      new PrivilegedExceptionAction<StartContainersResponse>() {
        @Override
        public StartContainersResponse run() throws Exception {
          return cm.startContainers(
              StartContainersRequest.newInstance(requests));
        }
      };
  return remoteUser.doAs(start);
}
 
Example 4
Source File: TestACLManager.java    From tez with Apache License 2.0 6 votes vote down vote up
/**
 * A wildcard ({@code *}) YARN admin ACL, even with surrounding whitespace,
 * grants every caller AM and DAG view/modify access.
 */
@Test(timeout = 5000)
public void testAdminWildCardCheck() {
  Configuration conf = new Configuration(false);
  // Whitespace around the wildcard must be tolerated by the ACL parser.
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, " *  ");

  UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
  UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);
  UserGroupInformation[] callers = {a1, u1};

  ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);
  for (UserGroupInformation caller : callers) {
    Assert.assertTrue(aclManager.checkAMViewAccess(caller));
  }
  for (UserGroupInformation caller : callers) {
    Assert.assertTrue(aclManager.checkAMModifyAccess(caller));
  }
  for (UserGroupInformation caller : callers) {
    Assert.assertTrue(aclManager.checkDAGViewAccess(caller));
  }
  for (UserGroupInformation caller : callers) {
    Assert.assertTrue(aclManager.checkDAGModifyAccess(caller));
  }
}
 
Example 5
Source File: JobACLsManager.java    From big-c with Apache License 2.0 6 votes vote down vote up
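/**
 * Decides whether {@code callerUGI} may perform {@code jobOperation} on a job.
 * <p>
 * When ACLs are disabled every caller is allowed. Otherwise access is granted
 * if the caller is an MR admin, is the job owner, or is allowed (directly or
 * via a group) by {@code jobACL}.
 * <ul>
 * <li>The owner of the job can do any operation on the job</li>
 * <li>For all other users/groups job-acls are checked</li>
 * </ul>
 *
 * @param callerUGI    identity of the caller
 * @param jobOperation operation being attempted (only logged here; the
 *                     matching ACL is supplied by the caller as {@code jobACL})
 * @param jobOwner     short user name of the job owner
 * @param jobACL       ACL configured for {@code jobOperation} on this job
 * @return {@code true} if the operation is permitted
 */
public boolean checkAccess(UserGroupInformation callerUGI,
    JobACL jobOperation, String jobOwner, AccessControlList jobACL) {

  String user = callerUGI.getShortUserName();
  if (LOG.isDebugEnabled()) {
    LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: "
        + jobOperation.toString() + " user: " + user);
  }
  if (!areACLsEnabled()) {
    return true;
  }

  // Admins and the job owner may do anything; everyone else must be on the ACL.
  return isMRAdmin(callerUGI)
      || user.equals(jobOwner)
      || jobACL.isUserAllowed(callerUGI);
}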
 
Example 6
Source File: KMSAuditLogger.java    From ranger with Apache License 2.0 6 votes vote down vote up
/**
 * Captures one KMS audit record.
 *
 * @param op         the operation being audited (either {@link KMS.KMSOp} or
 *                   {@link Type}; typed as {@link Object} so either enum can
 *                   be passed)
 * @param ugi        the user's security context; may be {@code null}, in which
 *                   case no user or impersonator is recorded
 * @param keyName    the String name of the key, if applicable
 * @param remoteHost the hostname of the requesting service
 * @param msg        any extra details for auditing
 */
AuditEvent(Object op, UserGroupInformation ugi, String keyName,
    String remoteHost, String msg) {
  this.op = op;
  this.keyName = keyName;
  this.remoteHost = remoteHost;
  this.extraMsg = msg;
  if (ugi == null) {
    this.user = null;
    this.impersonator = null;
    return;
  }
  this.user = ugi.getShortUserName();
  // Only a proxied (doAs) caller has a real user behind it; record it so the
  // audit trail shows who actually made the call.
  boolean proxied = ugi.getAuthenticationMethod()
      == UserGroupInformation.AuthenticationMethod.PROXY;
  this.impersonator = proxied ? ugi.getRealUser().getUserName() : null;
}
 
Example 7
Source File: NameNodeRpcServer.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a symlink at {@code link} pointing to {@code target}, owned by the
 * remote caller. Retried RPCs whose first attempt succeeded return early via
 * the retry cache.
 *
 * @param target       symlink target (may be a non-HDFS URI)
 * @param link         path of the symlink to create
 * @param dirPerms     permissions for any parent directories created
 * @param createParent whether missing parents should be created
 * @throws IOException if the NameNode is not started, the link path is too
 *         long, or the namesystem rejects the operation
 */
@Override // ClientProtocol
public void createSymlink(String target, String link, FsPermission dirPerms,
    boolean createParent) throws IOException {
  checkNNStartup();
  CacheEntry entry = RetryCache.waitForCompletion(retryCache);
  if (entry != null && entry.isSuccess()) {
    // A retried RPC whose earlier attempt already succeeded: nothing to redo.
    return;
  }

  // MAX_PATH_LENGTH is enforced on the link only; the target may be a URI on
  // a non-HDFS file system and is deliberately left unchecked here.
  if (!checkPathLength(link)) {
    throw new IOException("Symlink path exceeds " + MAX_PATH_LENGTH +
                          " character limit");
  }

  final UserGroupInformation caller = getRemoteUser();

  boolean done = false;
  try {
    // The link is owned by the caller's short user name; group is passed as null.
    namesystem.createSymlink(target, link,
        new PermissionStatus(caller.getShortUserName(), null, dirPerms),
        createParent, entry != null);
    done = true;
  } finally {
    RetryCache.setState(entry, done);
  }
}
 
Example 8
Source File: LocalJobRunner.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a per-call staging directory path under the configured staging root,
 * named after the current user plus a random suffix.
 *
 * @see org.apache.hadoop.mapreduce.protocol.ClientProtocol#getStagingAreaDir()
 */
public String getStagingAreaDir() throws IOException {
  Path root = new Path(conf.get(JTConfig.JT_STAGING_AREA_ROOT,
      "/tmp/hadoop/mapred/staging"));
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  // NOTE(review): rand's type is not visible here; if it is java.util.Random the
  // suffix is predictable — confirm whether that matters for a shared /tmp root.
  randid = rand.nextInt(Integer.MAX_VALUE);
  String owner = ugi == null ? "dummy" : ugi.getShortUserName();
  Path staging = new Path(root, owner + randid + "/.staging");
  return fs.makeQualified(staging).toString();
}
 
Example 9
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the roles of the current Hive user and audits the SHOW ROLES
 * lookup whether or not it succeeds.
 *
 * @return the current user's role names
 * @throws HiveAuthzPluginException if no user information is available or
 *         the role lookup fails
 */
@Override
public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("RangerHiveAuthorizer.getCurrentRoleNames()");
	}
	UserGroupInformation ugi = getCurrentUserGroupInfo();
	if (ugi == null) {
		throw new HiveAuthzPluginException("User information not available");
	}
	List<String> roles = new ArrayList<String>();
	String user = ugi.getShortUserName();
	List<String> userNames = Arrays.asList(user);
	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	boolean succeeded = false;
	try {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== getCurrentRoleNames() for user " + user);
		}
		for (String role : getCurrentRoles()) {
			roles.add(role);
		}
		succeeded = true;
	} catch (Exception excp) {
		throw new HiveAuthzPluginException(excp);
	} finally {
		// The audit event is always emitted, recording whether the lookup succeeded.
		RangerAccessResult accessResult = createAuditEvent(hivePlugin, user, userNames,
				HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, roles, succeeded);
		auditHandler.processResult(accessResult);
		auditHandler.flushAudit();
	}
	return roles;
}
 
Example 10
Source File: ClientRMService.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Determines which renewer name to use for {@code token}.
 *
 * @param token RM delegation token being renewed
 * @return the renewer recorded in the token when the caller is the RM's own
 *         login user, otherwise the caller's short user name
 * @throws IOException if the current or login user cannot be resolved, or the
 *         token identifier cannot be decoded
 */
private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token)
    throws IOException {
  UserGroupInformation caller = UserGroupInformation.getCurrentUser();
  UserGroupInformation self = UserGroupInformation.getLoginUser();
  if (self.getUserName().equals(caller.getUserName())) {
    // We can always renew our own tokens: take the renewer recorded in it.
    return token.decodeIdentifier().getRenewer().toString();
  }
  return caller.getShortUserName();
}
 
Example 11
Source File: TezClientUtils.java    From tez with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies or creates the staging area directory on the configured filesystem.
 * An existing directory must be owned by the current user or the login user,
 * and is re-chmod'ed to {@code TezCommonUtils.TEZ_AM_DIR_PERMISSION} if needed.
 *
 * @param conf        configuration used to resolve the filesystem
 * @param stagingArea staging area directory path
 * @return the FileSystem for the staging area directory
 * @throws IOException if the directory exists but is owned by someone else,
 *         or on any filesystem error
 */
public static FileSystem ensureStagingDirExists(Configuration conf,
    Path stagingArea)
    throws IOException {
  FileSystem fs = stagingArea.getFileSystem(conf);
  String loginUser = UserGroupInformation.getLoginUser().getShortUserName();
  String currentUser = UserGroupInformation.getCurrentUser().getShortUserName();
  if (!fs.exists(stagingArea)) {
    TezCommonUtils.mkDirForAM(fs, stagingArea);
    return fs;
  }
  FileStatus status = fs.getFileStatus(stagingArea);
  String owner = status.getOwner();
  // Refuse a staging dir owned by a third party: its contents could be tampered with.
  if (!owner.equals(currentUser) && !owner.equals(loginUser)) {
    throw new IOException("The ownership on the staging directory "
        + stagingArea + " is not as expected. " + "It is owned by " + owner
        + ". The directory must " + "be owned by the submitter "
        + currentUser + " or " + "by " + loginUser);
  }
  if (!status.getPermission().equals(TezCommonUtils.TEZ_AM_DIR_PERMISSION)) {
    LOG.info("Permissions on staging directory " + stagingArea + " are "
        + "incorrect: " + status.getPermission()
        + ". Fixing permissions " + "to correct value "
        + TezCommonUtils.TEZ_AM_DIR_PERMISSION);
    fs.setPermission(stagingArea, TezCommonUtils.TEZ_AM_DIR_PERMISSION);
  }
  return fs;
}
 
Example 12
Source File: TestDFSShell.java    From hadoop with Apache License 2.0 5 votes vote down vote up
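/**
 * {@code lsr} over a tree: as the current user it runs with the expected return
 * code 0; as a freshly created test user that cannot read {@code sub} it runs
 * with return code 1 but still lists the readable sibling {@code zzz}.
 *
 * @throws Exception from cluster setup or the shell runs
 */
@Test (timeout = 30000)
public void testLsr() throws Exception {
  final Configuration conf = new HdfsConfiguration();
  MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
  try {
    // Obtained inside the try so a failure here still shuts the cluster down
    // (previously a throwing getFileSystem() leaked the running cluster).
    DistributedFileSystem dfs = cluster.getFileSystem();
    final String root = createTree(dfs, "lsr");
    dfs.mkdirs(new Path(root, "zzz"));

    runLsr(new FsShell(conf), root, 0);

    // Make "sub" unreadable to anyone but the owner.
    final Path sub = new Path(root, "sub");
    dfs.setPermission(sub, new FsPermission((short)0));

    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    final String tmpusername = ugi.getShortUserName() + "1";
    UserGroupInformation tmpUGI = UserGroupInformation.createUserForTesting(
        tmpusername, new String[] {tmpusername});
    String results = tmpUGI.doAs(new PrivilegedExceptionAction<String>() {
      @Override
      public String run() throws Exception {
        return runLsr(new FsShell(conf), root, 1);
      }
    });
    assertTrue(results.contains("zzz"));
  } finally {
    cluster.shutdown();
  }
}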
 
Example 13
Source File: TestACLManager.java    From tez with Apache License 2.0 5 votes vote down vote up
/**
 * With {@code TEZ_AM_ACLS_ENABLED} off, restrictive view/modify ACLs are
 * ignored: every caller passes every AM and DAG check, both on the AM-level
 * manager and on a DAG-level manager derived from it.
 */
@Test(timeout = 5000)
public void testACLsDisabled() {
  Configuration conf = new Configuration(false);
  conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);
  // ACLs that would exclude a1/u1 if checking were enabled.
  conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, "a2,u2  ");
  conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, "a2,u2 ");

  UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
  UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);
  UserGroupInformation[] callers = {a1, u1};

  ACLManager amAcls = new ACLManager(a1.getShortUserName(), conf);
  for (UserGroupInformation caller : callers) {
    Assert.assertTrue(amAcls.checkAMViewAccess(caller));
    Assert.assertTrue(amAcls.checkAMModifyAccess(caller));
    Assert.assertTrue(amAcls.checkDAGViewAccess(caller));
    Assert.assertTrue(amAcls.checkDAGModifyAccess(caller));
  }

  ACLManager dagAcls = new ACLManager(amAcls, "dagUser", null);
  for (UserGroupInformation caller : callers) {
    Assert.assertTrue(dagAcls.checkAMViewAccess(caller));
    Assert.assertTrue(dagAcls.checkAMModifyAccess(caller));
    Assert.assertTrue(dagAcls.checkDAGViewAccess(caller));
    Assert.assertTrue(dagAcls.checkDAGModifyAccess(caller));
  }
}
 
Example 14
Source File: GoogleHadoopFileSystemBase.java    From hadoop-connectors with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the short user name of the current UGI.
 *
 * @throws IOException if the current user cannot be determined
 */
private static String getUgiUserName() throws IOException {
  return UserGroupInformation.getCurrentUser().getShortUserName();
}
 
Example 15
Source File: ProxyUserAuthenticationFilter.java    From hbase with Apache License 2.0 4 votes vote down vote up
/**
 * Applies proxy-user (doAs) handling on top of the parent authentication
 * filter. When a {@code doAs} parameter names a different user than the
 * authenticated remote user, the impersonation is checked against the proxy
 * user configuration; on success the request continues with the proxied
 * identity, on failure a 403 is written and the chain stops.
 *
 * @param filterChain the remaining filter chain
 * @param request     the incoming request (parameter names matched case-insensitively)
 * @param response    the response, used for the 403 on a denied impersonation
 * @throws IOException      from the downstream chain or the error response
 * @throws ServletException from the downstream chain
 */
@Override
protected void doFilter(FilterChain filterChain, HttpServletRequest request,
    HttpServletResponse response) throws IOException, ServletException {
  final String doAsUser = toLowerCase(request).getParameter(DO_AS);

  if (doAsUser == null || doAsUser.equals(request.getRemoteUser())) {
    // No impersonation requested (or a user "impersonating" itself): pass through.
    super.doFilter(filterChain, request, response);
    return;
  }

  LOG.debug("doAsUser = {}, RemoteUser = {} , RemoteAddress = {} ",
      doAsUser, request.getRemoteUser(), request.getRemoteAddr());

  if (request.getUserPrincipal() == null) {
    // Unauthenticated caller: doAs is ignored and the request continues unchanged.
    super.doFilter(filterChain, request, response);
    return;
  }

  UserGroupInformation realUgi =
      UserGroupInformation.createRemoteUser(request.getRemoteUser());
  UserGroupInformation proxyUgi =
      UserGroupInformation.createProxyUser(doAsUser, realUgi);
  try {
    // Authorization is by real user and caller address; it must happen before
    // the request is re-labelled with the proxied identity.
    ProxyUsers.authorize(proxyUgi, request.getRemoteAddr());
  } catch (AuthorizationException ex) {
    HttpExceptionUtils.createServletExceptionResponse(response,
        HttpServletResponse.SC_FORBIDDEN, ex);
    LOG.warn("Proxy user Authentication exception", ex);
    return;
  }
  request = asProxiedRequest(request, proxyUgi);
  LOG.debug("Proxy user Authentication successful");
  super.doFilter(filterChain, request, response);
}

/**
 * Wraps {@code request} so that the remote user reports the proxied UGI's
 * short name and the principal its full user name.
 */
private static HttpServletRequest asProxiedRequest(HttpServletRequest request,
    final UserGroupInformation proxyUgi) {
  return new HttpServletRequestWrapper(request) {
    @Override
    public String getRemoteUser() {
      return proxyUgi.getShortUserName();
    }

    @Override
    public Principal getUserPrincipal() {
      return new Principal() {
        @Override
        public String getName() {
          return proxyUgi.getUserName();
        }
      };
    }
  };
}
 
Example 16
Source File: TestACLManager.java    From tez with Apache License 2.0 4 votes vote down vote up
/**
 * AM view/modify ACLs made of explicit users and groups: the AM owner always
 * passes, listed users and members of listed groups pass, everyone else is
 * denied. Extra whitespace in the ACL strings is deliberate.
 *
 * @throws IOException from UGI creation
 */
@Test(timeout = 5000)
public void testOtherUserACLChecks() throws IOException {
  String[] groups1 = {"grp1", "grp2"};
  String[] groups2 = {"grp3", "grp4"};
  String[] groups3 = {"grp5", "grp6"};

  UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups);
  UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // grp1, grp2
  UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // grp3, grp4
  UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups);
  UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
  UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // grp5, grp6
  UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);

  Configuration conf = new Configuration(false);
  // View ACL: users user1, user4; groups grp3, grp4.
  conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS,
      user1.getShortUserName() + "," + user4.getShortUserName()
          + "   " + "grp3,grp4  ");
  // Modify ACL: user user3; groups grp6, grp7.
  conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS,
      user3.getShortUserName() + "  " + "grp6,grp7");

  ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf);

  // View: owner, the two listed users, and user2 via grp3/grp4.
  UserGroupInformation[] canView = {currentUser, user1, user2, user4};
  UserGroupInformation[] cannotView = {user3, user5, user6};
  for (UserGroupInformation u : canView) {
    Assert.assertTrue(aclManager.checkAccess(u, ACLType.AM_VIEW_ACL));
  }
  for (UserGroupInformation u : cannotView) {
    Assert.assertFalse(aclManager.checkAccess(u, ACLType.AM_VIEW_ACL));
  }

  // Modify: owner, the listed user3, and user5 via grp6.
  UserGroupInformation[] canModify = {currentUser, user3, user5};
  UserGroupInformation[] cannotModify = {user1, user2, user4, user6};
  for (UserGroupInformation u : canModify) {
    Assert.assertTrue(aclManager.checkAccess(u, ACLType.AM_MODIFY_ACL));
  }
  for (UserGroupInformation u : cannotModify) {
    Assert.assertFalse(aclManager.checkAccess(u, ACLType.AM_MODIFY_ACL));
  }
}
 
Example 17
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Initialises the timeline client: selects the UGI used to authenticate (the
 * real user when the current user is a proxy), builds the Jersey client with
 * its retry filter, picks the delegation-token authenticator, and resolves
 * the timeline service URI from the configuration.
 *
 * @param conf YARN configuration the client is built from
 * @throws Exception propagated from {@code super.serviceInit(conf)}
 */
protected void serviceInit(Configuration conf) throws Exception {
  UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUgi.getRealUser();
  // A proxy user authenticates as its real user and sends doAs for the current one.
  boolean proxied = realUser != null;
  authUgi = proxied ? realUser : currentUgi;
  doAsUser = proxied ? currentUgi.getShortUserName() : null;

  ClientConfig clientConfig = new DefaultClientConfig();
  clientConfig.getClasses().add(YarnJacksonJaxbJsonProvider.class);
  connConfigurator = newConnConfigurator(conf);
  if (UserGroupInformation.isSecurityEnabled()) {
    authenticator = new KerberosDelegationTokenAuthenticator();
  } else {
    authenticator = new PseudoDelegationTokenAuthenticator();
  }
  authenticator.setConnectionConfigurator(connConfigurator);
  token = new DelegationTokenAuthenticatedURL.Token();

  connectionRetry = new TimelineClientConnectionRetry(conf);
  client = new Client(new URLConnectionClientHandler(
      new TimelineURLConnectionFactory()), clientConfig);
  client.addFilter(new TimelineJerseyRetryFilter());

  boolean https = YarnConfiguration.useHttps(conf);
  String scheme = https ? "https://" : "http://";
  String address = https
      ? conf.get(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS,
          YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS)
      : conf.get(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
          YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS);
  resURI = URI.create(JOINER.join(scheme, address, RESOURCE_URI_STR));
  LOG.info("Timeline service address: " + resURI);
  super.serviceInit(conf);
}
 
Example 18
Source File: TestAggregatedLogFormat.java    From big-c with Apache License 2.0 4 votes vote down vote up
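/**
 * Aggregating container logs must skip a file whose owner does not match the
 * aggregating user: the first (stderr) file is reported as owned by a random
 * user and must not appear in the aggregated output, the second (stdout) must.
 * Runs only when NativeIO is available, since SecureIOUtils depends on it.
 *
 * @throws IOException on filesystem errors
 */
@Test(timeout=10000)
public void testContainerLogsFileAccess() throws IOException {
  // This test will run only if NativeIO is enabled as SecureIOUtils
  // require it to be enabled.
  Assume.assumeTrue(NativeIO.isAvailable());
  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
      "kerberos");
  UserGroupInformation.setConfiguration(conf);
  File workDir = new File(testWorkDir, "testContainerLogsFileAccess1");
  Path remoteAppLogFile =
      new Path(workDir.getAbsolutePath(), "aggregatedLogFile");
  Path srcFileRoot = new Path(workDir.getAbsolutePath(), "srcFiles");

  String data = "Log File content for container : ";
  // Creating files for container1. Log aggregator will try to read log files
  // with illegal user.
  ApplicationId applicationId = ApplicationId.newInstance(1, 1);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(applicationId, 1);
  ContainerId testContainerId1 =
      ContainerId.newContainerId(applicationAttemptId, 1);
  Path appDir =
      new Path(srcFileRoot, testContainerId1.getApplicationAttemptId()
          .getApplicationId().toString());
  Path srcFilePath1 = new Path(appDir, testContainerId1.toString());
  String stdout = "stdout";
  String stderr = "stderr";
  writeSrcFile(srcFilePath1, stdout, data + testContainerId1.toString()
      + stdout);
  writeSrcFile(srcFilePath1, stderr, data + testContainerId1.toString()
      + stderr);

  UserGroupInformation ugi =
      UserGroupInformation.getCurrentUser();
  LogWriter logWriter = new LogWriter(conf, remoteAppLogFile, ugi);
  try {
    LogKey logKey = new LogKey(testContainerId1);
    String randomUser = "randomUser";
    LogValue logValue =
        spy(new LogValue(Collections.singletonList(srcFileRoot.toString()),
            testContainerId1, randomUser));

    // It is trying simulate a situation where first log file is owned by
    // different user (probably symlink) and second one by the user itself.
    // The first file should not be aggregated. Because this log file has the invalid
    // user name.
    when(logValue.getUser()).thenReturn(randomUser).thenReturn(
        ugi.getShortUserName());
    logWriter.append(logKey, logValue);
  } finally {
    // Closed in finally so a failing append() does not leak the writer.
    logWriter.close();
  }

  // Read the aggregated file back; the reader is closed in finally so a failed
  // read or later assertion does not leak the handle.
  StringBuilder sb = new StringBuilder();
  BufferedReader in =
      new BufferedReader(new FileReader(new File(remoteAppLogFile
          .toUri().getRawPath())));
  try {
    String l;
    while ((l = in.readLine()) != null) {
      LOG.info(l);
      sb.append(l);
    }
  } finally {
    in.close();
  }
  String line = sb.toString();

  String expectedOwner = ugi.getShortUserName();
  if (Path.WINDOWS) {
    // On Windows files created by an administrator are owned by the group.
    final String adminsGroupString = "Administrators";
    if (Arrays.asList(ugi.getGroupNames()).contains(adminsGroupString)) {
      expectedOwner = adminsGroupString;
    }
  }

  // This file: stderr should not be aggregated.
  // And we will not aggregate the log message.
  String stdoutFile1 =
      StringUtils.join(
          File.separator,
          Arrays.asList(new String[] {
              workDir.getAbsolutePath(), "srcFiles",
              testContainerId1.getApplicationAttemptId().getApplicationId()
                  .toString(), testContainerId1.toString(), stderr }));

  // The file: stdout is expected to be aggregated.
  String stdoutFile2 =
      StringUtils.join(
          File.separator,
          Arrays.asList(new String[] {
              workDir.getAbsolutePath(), "srcFiles",
              testContainerId1.getApplicationAttemptId().getApplicationId()
                  .toString(), testContainerId1.toString(), stdout }));
  String message2 =
      "Owner '" + expectedOwner + "' for path "
          + stdoutFile2 + " did not match expected owner '"
          + ugi.getShortUserName() + "'";

  // The stdout file's owner matched, so no owner-mismatch message for it.
  Assert.assertFalse(line.contains(message2));
  // stderr (wrong owner) must be absent, stdout (right owner) present.
  Assert.assertFalse(line.contains(data + testContainerId1.toString()
      + stderr));
  Assert.assertTrue(line.contains(data + testContainerId1.toString()
      + stdout));
}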
 
Example 19
Source File: AtlasBaseClient.java    From incubator-atlas with Apache License 2.0 4 votes vote down vote up
/**
 * Creates a client for {@code ugi}, passing that UGI's short user name as the
 * second argument of the three-argument constructor (presumably the doAs user
 * — confirm against that constructor).
 *
 * @param ugi      caller identity; must not be {@code null}, as its short user
 *                 name is dereferenced here
 * @param baseUrls Atlas server base URLs
 */
protected AtlasBaseClient(UserGroupInformation ugi, String[] baseUrls) {
    this(ugi, ugi.getShortUserName(), baseUrls);
}
 
Example 20
Source File: RangerStormAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Authorizes one incoming Thrift request; invoked by Storm for each request.
 * Operations listed in {@code noAuthzOperations} are allowed outright.
 * Otherwise the principal is mapped to a Hadoop short user name and its
 * groups, and the Ranger plugin decides. If the plugin is not initialised,
 * the principal is missing, or any exception occurs, the request is denied.
 *
 * @param aRequestContext request context (request id, remote address, principal)
 * @param aOperationName operation name
 * @param aTopologyConfigMap configuration of the targeted topology (raw map;
 *        may be null, in which case the topology name is taken as empty)
 * @return true if the request is authorized, false if rejected
 */

@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
	
	// Deny by default: every path that does not explicitly grant leaves this false.
	boolean accessAllowed = false;
	boolean isAuditEnabled = false;

	String topologyName = null;

	RangerPerfTracer perf = null;

	try {

		if(RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
			perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
		}

		topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME));

		if (LOG.isDebugEnabled()) {
			LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
	                + " from: [" + aRequestContext.remoteAddress() + "]"
	                + " user: [" + aRequestContext.principal() + "],"
	                + " op:   [" + aOperationName + "],"
	                + "topology: [" + topologyName + "]");
			
			// Debug-only dump of the whole topology config map.
			if (aTopologyConfigMap != null) {
				for(Object keyObj : aTopologyConfigMap.keySet()) {
					Object valObj = aTopologyConfigMap.get(keyObj);
					LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
				}
			}
			else {
				LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
			}
		}

		if(noAuthzOperations.contains(aOperationName)) {
			// Operations exempt from authorization are allowed without consulting the plugin.
			accessAllowed = true;
		} else if(plugin == null) {
			// Plugin not ready: accessAllowed stays false, so the request is denied.
			LOG.info("Ranger plugin not initialized yet! Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
		} else {
			String userName = null;
			String[] groups = null;

			Principal user = aRequestContext.principal();
		
			if (user != null) {
				userName = user.getName();
				if (userName != null) {
					// Normalise the principal to a Hadoop short user name and look up its groups.
					UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
					userName = ugi.getShortUserName();
					groups = ugi.getGroupNames();
					if (LOG.isDebugEnabled()) {
						LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
					}
				}
			}
			
			
			if (userName != null) {
				String clientIp =  (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress() );
				RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName);
				RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
				// A null result denies access and disables auditing for this request.
				accessAllowed = result != null && result.getIsAllowed();
				isAuditEnabled = result != null && result.getIsAudited();
			
				if (LOG.isDebugEnabled()) {
					LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
				}
			}
			else {
				// No usable principal: accessAllowed stays false.
				LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
			}
		}
	}
	catch(Throwable t) {
		// Fail closed: an exception is logged and accessAllowed keeps its current
		// value (false unless already granted above).
		LOG.error("RangerStormAuthorizer found this exception", t);
	}
	finally {
		RangerPerfTracer.log(perf);
		if (LOG.isDebugEnabled()) {
			LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
	                + " from: [" + aRequestContext.remoteAddress() + "]"
	                + " user: [" + aRequestContext.principal() + "],"
	                + " op:   [" + aOperationName + "],"
	                + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
		}
	}
	
	return accessAllowed;
}