Java Code Examples for org.apache.hadoop.security.authorize.AccessControlList

The following examples show how to use org.apache.hadoop.security.authorize.AccessControlList. These examples are extracted from open source projects.
Example 1
Source Project: ranger   Source File: TestKMSACLs.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Pins what KMSACLs does when the same ACL property is set more than once:
 * the assertions below expect the value set last to be the effective one.
 */
@Test
public void testKeyAclDuplicateEntries() {
  final Configuration conf = new Configuration(false);

  // Per-key ACLs: each property is written twice with different values.
  conf.set(KEY_ACL + "test_key_1.DECRYPT_EEK", "decrypt1");
  conf.set(KEY_ACL + "test_key_2.ALL", "all2");
  conf.set(KEY_ACL + "test_key_1.DECRYPT_EEK", "decrypt2");
  conf.set(KEY_ACL + "test_key_2.ALL", "all1,all3");

  // Default ACLs: a non-empty value (including "*") followed by an empty one.
  conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "default1");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "");

  // Whitelist ACL: a single named entry followed by the "*" wildcard.
  conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "whitelist1");
  conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");

  final KMSACLs acls = new KMSACLs(conf);

  final int keyAclCount = acls.keyAcls.size();
  Assert.assertTrue("expected key ACL size is 2 but got " + keyAclCount,
      keyAclCount == 2);
  assertKeyAcl("test_key_1", acls, KeyOpType.DECRYPT_EEK, "decrypt2");
  assertKeyAcl("test_key_2", acls, KeyOpType.ALL, "all1", "all3");

  // No expected entries are passed here; presumably the helper asserts an
  // empty default ACL for the operation -- confirm against assertDefaultKeyAcl.
  assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT);
  assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK);

  // The later "*" replaces "whitelist1", so the whitelist admits every caller.
  // A duplicated property further down a config file can therefore widen
  // access without any error being raised.
  final AccessControlList whitelistDecryptAcl =
      acls.whitelistKeyAcls.get(KeyOpType.DECRYPT_EEK);
  Assert.assertNotNull(whitelistDecryptAcl);
  Assert.assertTrue(whitelistDecryptAcl.isAllAllowed());
}
 
Example 2
Source Project: hadoop   Source File: AdminACLsManager.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Builds the admin ACL from configuration and records whether ACL
 * enforcement is switched on.
 *
 * <p>The user this process runs as is always added to the admin ACL, in
 * addition to whatever the YARN_ADMIN_ACL property lists.
 *
 * @param conf configuration for this object to use
 * @throws YarnRuntimeException if the current user cannot be looked up
 */
public AdminACLsManager(Configuration conf) {
  String adminAclSpec = conf.get(
      YarnConfiguration.YARN_ADMIN_ACL,
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL);
  this.adminAcl = new AccessControlList(adminAclSpec);

  try {
    owner = UserGroupInformation.getCurrentUser();
    // Only the short user name is added, not the full principal.
    adminAcl.addUser(owner.getShortUserName());
  } catch (IOException e){
    LOG.warn("Could not add current user to admin:" + e);
    // Construction is abandoned rather than continuing without the owner.
    throw new YarnRuntimeException(e);
  }

  aclsEnabled = conf.getBoolean(
      YarnConfiguration.YARN_ACL_ENABLE,
      YarnConfiguration.DEFAULT_YARN_ACL_ENABLE);
}
 
Example 3
Source Project: hadoop   Source File: ConfiguredYarnAuthorizer.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether {@code user} holds {@code accessType} on {@code target}.
 *
 * <p>A missing ACL map or a missing ACL for the access type counts as "not
 * allowed". For queues, a denial is retried against the parent queue (the
 * name up to the last '.'), so a grant on a parent queue also applies to
 * every queue beneath it.
 */
@Override
public boolean checkPermission(AccessType accessType,
    PrivilegedEntity target, UserGroupInformation user) {
  Map<AccessType, AccessControlList> targetAcls = allAcls.get(target);
  AccessControlList acl =
      (targetAcls == null) ? null : targetAcls.get(accessType);
  boolean allowed = (acl != null) && acl.isUserAllowed(user);

  // Only a denied queue request walks further up the hierarchy.
  if (target.getType() != EntityType.QUEUE || allowed) {
    return allowed;
  }

  String queueName = target.getName();
  int lastDot = queueName.lastIndexOf(".");
  if (lastDot < 0) {
    // No parent left to consult: the denial stands.
    return allowed;
  }
  PrivilegedEntity parent = new PrivilegedEntity(target.getType(),
      queueName.substring(0, lastDot));
  return checkPermission(accessType, parent, user);
}
 
Example 4
Source Project: big-c   Source File: JobStatus.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Serializes this job status to {@code out}.
 *
 * <p>Fields are written in a fixed sequence with no field tags, so a reader
 * has to consume them in exactly this order. The job ACLs go last, as a
 * count followed by one (enum, ACL) pair per entry.
 *
 * @param out destination for the serialized fields
 * @throws IOException if any write to {@code out} fails
 */
public synchronized void write(DataOutput out) throws IOException {
  jobid.write(out);
  out.writeFloat(setupProgress);
  out.writeFloat(mapProgress);
  out.writeFloat(reduceProgress);
  out.writeFloat(cleanupProgress);
  WritableUtils.writeEnum(out, runState);
  out.writeLong(startTime);
  Text.writeString(out, user);
  WritableUtils.writeEnum(out, priority);
  Text.writeString(out, schedulingInfo);
  out.writeLong(finishTime);
  out.writeBoolean(isRetired);
  Text.writeString(out, historyFile);
  Text.writeString(out, jobName);
  Text.writeString(out, trackingUrl);
  Text.writeString(out, jobFile);
  out.writeBoolean(isUber);

  // Serialize the job's ACLs: entry count first, then each ACL type with
  // its access control list.
  out.writeInt(jobACLs.size());
  for (Entry<JobACL, AccessControlList> entry : jobACLs.entrySet()) {
    WritableUtils.writeEnum(out, entry.getKey());
    entry.getValue().write(out);
  }
}
 
Example 5
Source Project: hadoop   Source File: DeprecatedQueueConfigurationParser.java    License: Apache License 2.0 6 votes vote down vote up
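/**
 * Builds one {@link Queue} for every name listed under
 * MAPRED_QUEUE_NAMES_KEY.
 *
 * <p>Initialization is best effort: a queue whose ACLs or state cannot be
 * read is left out of the result and a warning is logged with the cause.
 *
 * @param conf configuration holding the queue names, ACLs and states
 * @return the queues that could be initialized; empty if the property is
 *         not set
 */
private List<Queue> createQueues(Configuration conf) {
  List<Queue> list = new ArrayList<Queue>();
  String[] queueNameValues = conf.getStrings(
    MAPRED_QUEUE_NAMES_KEY);
  if (queueNameValues == null) {
    // getStrings yields null for an unset property; there is nothing to build.
    return list;
  }
  for (String name : queueNameValues) {
    try {
      Map<String, AccessControlList> acls = getQueueAcls(
        name, conf);
      QueueState state = getQueueState(name, conf);
      list.add(new Queue(name, acls, state));
    } catch (Throwable t) {
      // The queue is skipped on purpose, but the cause is logged so that a
      // queue dropped because of a malformed ACL or state can be diagnosed.
      LOG.warn("Not able to initialize queue " + name, t);
    }
  }
  return list;
}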
 
Example 6
Source Project: big-c   Source File: TestJobAclsManager.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * With ACLs enabled, a caller who is neither the job owner nor named in the
 * VIEW_JOB ACL must still get access when they belong to the admin group.
 */
@Test
public void testGroups() {
  final String jobOwner = "testuser";
  final String user = "testuser2";
  final String adminGroup = "adminGroup";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  // The leading space leaves the user list empty, so the value names only a
  // group.
  conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);

  UserGroupInformation callerUGI =
      UserGroupInformation.createUserForTesting(user,
          new String[] {adminGroup});

  // ACLs are on here; access comes from admin-group membership alone.
  boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
      jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("user in admin group should have access", val);
}
 
Example 7
Source Project: big-c   Source File: DeprecatedQueueConfigurationParser.java    License: Apache License 2.0 6 votes vote down vote up
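/**
 * Builds one {@link Queue} for every name listed under
 * MAPRED_QUEUE_NAMES_KEY.
 *
 * <p>Initialization is best effort: a queue whose ACLs or state cannot be
 * read is left out of the result and a warning is logged with the cause.
 *
 * @param conf configuration holding the queue names, ACLs and states
 * @return the queues that could be initialized; empty if the property is
 *         not set
 */
private List<Queue> createQueues(Configuration conf) {
  List<Queue> list = new ArrayList<Queue>();
  String[] queueNameValues = conf.getStrings(
    MAPRED_QUEUE_NAMES_KEY);
  if (queueNameValues == null) {
    // getStrings yields null for an unset property; there is nothing to build.
    return list;
  }
  for (String name : queueNameValues) {
    try {
      Map<String, AccessControlList> acls = getQueueAcls(
        name, conf);
      QueueState state = getQueueState(name, conf);
      list.add(new Queue(name, acls, state));
    } catch (Throwable t) {
      // The queue is skipped on purpose, but the cause is logged so that a
      // queue dropped because of a malformed ACL or state can be diagnosed.
      LOG.warn("Not able to initialize queue " + name, t);
    }
  }
  return list;
}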
 
Example 8
Source Project: big-c   Source File: AllocationConfiguration.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Creates an allocation configuration with empty per-queue and per-user
 * tables and built-in defaults; only the placement policy is derived from
 * {@code conf}.
 *
 * <p>{@code queueAcls} starts empty, so no queue has an explicitly
 * configured ACL after this constructor runs.
 *
 * @param conf configuration handed to the placement policy factory
 */
public AllocationConfiguration(Configuration conf) {
  // Resource limits and weights per queue.
  minQueueResources = new HashMap<>();
  maxQueueResources = new HashMap<>();
  queueWeights = new HashMap<>();

  // Application and AM-share limits, with their fallbacks.
  queueMaxApps = new HashMap<>();
  userMaxApps = new HashMap<>();
  queueMaxAMShares = new HashMap<>();
  userMaxAppsDefault = Integer.MAX_VALUE;
  queueMaxAppsDefault = Integer.MAX_VALUE;
  queueMaxAMShareDefault = 0.5f;

  // Access control per queue and operation.
  queueAcls = new HashMap<>();

  // Preemption settings.
  minSharePreemptionTimeouts = new HashMap<>();
  fairSharePreemptionTimeouts = new HashMap<>();
  fairSharePreemptionThresholds = new HashMap<>();

  // Scheduling policies.
  schedulingPolicies = new HashMap<>();
  defaultSchedulingPolicy = SchedulingPolicy.DEFAULT_POLICY;

  reservableQueues = new HashSet<>();

  // Every queue type gets an (initially empty) set of configured queues
  // before the placement policy is built from it.
  configuredQueues = new HashMap<>();
  for (FSQueueType type : FSQueueType.values()) {
    configuredQueues.put(type, new HashSet<String>());
  }
  placementPolicy = QueuePlacementPolicy.fromConfiguration(conf,
      configuredQueues);
}
 
Example 9
Source Project: hadoop   Source File: TestJobAclsManager.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * With ACL enforcement disabled, a caller who is not the job owner and has
 * no groups must still be granted VIEW_JOB access.
 */
@Test
public void testAclsOff() {
  final String jobOwner = "testuser";
  final String noAdminUser = "testuser2";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, false);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);

  UserGroupInformation callerUGI =
      UserGroupInformation.createUserForTesting(noAdminUser,
          new String[] {});

  // Enforcement is off, so the VIEW_JOB ACL naming only the owner must not
  // keep this caller out.
  boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
      jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("acls off so anyone should have access", val);
}
 
Example 10
Source Project: hadoop   Source File: TestJobAclsManager.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * With ACLs enabled, a caller who is neither the job owner nor named in the
 * VIEW_JOB ACL must still get access when they belong to the admin group.
 */
@Test
public void testGroups() {
  final String jobOwner = "testuser";
  final String user = "testuser2";
  final String adminGroup = "adminGroup";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  // The leading space leaves the user list empty, so the value names only a
  // group.
  conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);

  UserGroupInformation callerUGI =
      UserGroupInformation.createUserForTesting(user,
          new String[] {adminGroup});

  // ACLs are on here; access comes from admin-group membership alone.
  boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
      jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("user in admin group should have access", val);
}
 
Example 11
Source Project: big-c   Source File: AllocationConfiguration.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Creates an allocation configuration from fully prepared tables.
 *
 * <p>Every map and set is stored by reference; no defensive copy is made.
 * A caller that keeps hold of one of them -- {@code queueAcls} in
 * particular -- can still change what this object reports after
 * construction.
 */
public AllocationConfiguration(Map<String, Resource> minQueueResources,
    Map<String, Resource> maxQueueResources,
    Map<String, Integer> queueMaxApps, Map<String, Integer> userMaxApps,
    Map<String, ResourceWeights> queueWeights,
    Map<String, Float> queueMaxAMShares, int userMaxAppsDefault,
    int queueMaxAppsDefault, float queueMaxAMShareDefault,
    Map<String, SchedulingPolicy> schedulingPolicies,
    SchedulingPolicy defaultSchedulingPolicy,
    Map<String, Long> minSharePreemptionTimeouts,
    Map<String, Long> fairSharePreemptionTimeouts,
    Map<String, Float> fairSharePreemptionThresholds,
    Map<String, Map<QueueACL, AccessControlList>> queueAcls,
    QueuePlacementPolicy placementPolicy,
    Map<FSQueueType, Set<String>> configuredQueues,
    ReservationQueueConfiguration globalReservationQueueConfig,
    Set<String> reservableQueues) {
  // Assignments follow the parameter order above.
  this.minQueueResources = minQueueResources;
  this.maxQueueResources = maxQueueResources;
  this.queueMaxApps = queueMaxApps;
  this.userMaxApps = userMaxApps;
  this.queueWeights = queueWeights;
  this.queueMaxAMShares = queueMaxAMShares;
  this.userMaxAppsDefault = userMaxAppsDefault;
  this.queueMaxAppsDefault = queueMaxAppsDefault;
  this.queueMaxAMShareDefault = queueMaxAMShareDefault;
  this.schedulingPolicies = schedulingPolicies;
  this.defaultSchedulingPolicy = defaultSchedulingPolicy;
  this.minSharePreemptionTimeouts = minSharePreemptionTimeouts;
  this.fairSharePreemptionTimeouts = fairSharePreemptionTimeouts;
  this.fairSharePreemptionThresholds = fairSharePreemptionThresholds;
  this.queueAcls = queueAcls;
  this.placementPolicy = placementPolicy;
  this.configuredQueues = configuredQueues;
  this.globalReservationQueueConfig = globalReservationQueueConfig;
  this.reservableQueues = reservableQueues;
}
 
Example 12
Source Project: big-c   Source File: DeprecatedQueueConfigurationParser.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Parses the ACLs of one queue from the configuration, one entry per
 * {@link QueueACL} value, keyed by the full property name.
 *
 * <p>A property that is not set falls back to "*", so an operation with no
 * configured ACL is open to every user rather than closed.
 *
 * @param name queue name
 * @param conf configuration to read the ACL properties from
 * @return map from full property name to the parsed ACL
 */
private Map<String, AccessControlList> getQueueAcls(
  String name,
  Configuration conf) {
  Map<String, AccessControlList> aclsByProperty =
    new HashMap<String, AccessControlList>();
  for (QueueACL operation : QueueACL.values()) {
    String propertyName = toFullPropertyName(name, operation.getAclName());
    String aclSpec = conf.get(propertyName, "*");
    aclsByProperty.put(propertyName, new AccessControlList(aclSpec));
  }
  return aclsByProperty;
}
 
Example 13
Source Project: big-c   Source File: DFSZKFailoverController.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Creates the failover controller for {@code localTarget} and loads its
 * admin ACL from the DFS_ADMIN property.
 */
private DFSZKFailoverController(Configuration conf,
      NNHAServiceTarget localTarget) {
    super(conf, localTarget);
    this.localNNTarget = localTarget;

    // The fallback is a single space, i.e. an ACL string with an empty user
    // list and an empty group list: with nothing configured, no user is
    // named as admin.
    String adminAclSpec = conf.get(DFSConfigKeys.DFS_ADMIN, " ");
    adminAcl = new AccessControlList(adminAclSpec);

    LOG.info("Failover controller configured for NameNode " + localTarget);
}
 
Example 14
Source Project: big-c   Source File: ApplicationACLsManager.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Registers the ACLs of an application, parsing each ACL string into an
 * {@link AccessControlList}.
 *
 * <p>The parsed map is stored with {@code put}, so it replaces whatever was
 * stored for {@code appId} before. The ACL strings are parsed as given; this
 * method applies no validation of its own.
 *
 * @param appId application the ACLs belong to
 * @param acls  ACL string per access type; must not be null
 */
public void addApplication(ApplicationId appId,
    Map<ApplicationAccessType, String> acls) {
  Map<ApplicationAccessType, AccessControlList> parsedAcls =
      new HashMap<ApplicationAccessType, AccessControlList>(acls.size());
  for (Entry<ApplicationAccessType, String> entry : acls.entrySet()) {
    ApplicationAccessType accessType = entry.getKey();
    String aclSpec = entry.getValue();
    parsedAcls.put(accessType, new AccessControlList(aclSpec));
  }
  this.applicationACLS.put(appId, parsedAcls);
}
 
Example 15
Source Project: hbase   Source File: InfoServer.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Create a status server on the given port.
 * The jsp scripts are taken from src/hbase-webapps/<code>name</code>.
 *
 * <p>TLS key and trust store settings are applied only when the HTTP config
 * reports a secure scheme. SPNEGO and the admin ACL are applied only when
 * the UI authentication property equals "kerberos" (case-insensitive); in
 * every other case no ACL is set on the builder by this constructor.
 *
 * @param name The name of the server
 * @param bindAddress address to bind to
 * @param port The port to use on the server
 * @param findPort whether the server should start at the given port and
 *                 increment by 1 until it finds a free port.
 * @param c the {@link Configuration} to build the server
 * @throws IOException if reading one of the passwords fails or the server
 *                     cannot be created
 */
public InfoServer(String name, String bindAddress, int port, boolean findPort,
    final Configuration c) throws IOException {
  HttpConfig httpConfig = new HttpConfig(c);
  HttpServer.Builder builder =
    new org.apache.hadoop.hbase.http.HttpServer.Builder();

  builder.setName(name)
    .addEndpoint(URI.create(
        httpConfig.getSchemePrefix() + bindAddress + ":" + port))
    .setAppDir(HBASE_APP_DIR)
    .setFindPort(findPort)
    .setConf(c);

  String logDir = System.getProperty("hbase.log.dir");
  if (logDir != null) {
    builder.setLogDir(logDir);
  }

  if (httpConfig.isSecure()) {
    // Passwords are resolved through HBaseConfiguration.getPassword with a
    // null default; store types default to "jks".
    builder
      .keyPassword(
          HBaseConfiguration.getPassword(c, "ssl.server.keystore.keypassword", null))
      .keyStore(
          c.get("ssl.server.keystore.location"),
          HBaseConfiguration.getPassword(c,"ssl.server.keystore.password", null),
          c.get("ssl.server.keystore.type", "jks"))
      .trustStore(
          c.get("ssl.server.truststore.location"),
          HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null),
          c.get("ssl.server.truststore.type", "jks"));
  }

  // Enable SPNEGO authentication
  String uiAuthentication = c.get(HttpServer.HTTP_UI_AUTHENTICATION, null);
  if ("kerberos".equalsIgnoreCase(uiAuthentication)) {
    builder
      .setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY)
      .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY)
      .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY)
      .setSignatureSecretFileKey(
          HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY)
      .setSecurityEnabled(true);

    // Set an admin ACL on sensitive webUI endpoints. This happens only on
    // the kerberos path, where callers are authenticated.
    builder.setACL(buildAdminAcl(c));
  }

  this.httpServer = builder.build();
}
 
Example 16
Source Project: big-c   Source File: HSAdminServer.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Reloads the admin ACL from a freshly created configuration.
 *
 * <p>The caller is checked with {@code checkAcls} before anything is
 * reloaded, and a success record naming the caller is written to the audit
 * log afterwards.
 *
 * @throws IOException declared by the interface; presumably raised by
 *                     checkAcls when the caller is not authorized -- confirm
 */
@Override
public void refreshAdminAcls() throws IOException {
  // Authorization comes first; nothing below runs if this throws.
  UserGroupInformation user = checkAcls("refreshAdminAcls");

  Configuration conf = createConf();
  String adminAclSpec = conf.get(JHAdminConfig.JHS_ADMIN_ACL,
      JHAdminConfig.DEFAULT_JHS_ADMIN_ACL);
  adminAcl = new AccessControlList(adminAclSpec);

  HSAuditLogger.logSuccess(user.getShortUserName(), "refreshAdminAcls",
      HISTORY_ADMIN_SERVER);
}
 
Example 17
Source Project: hadoop   Source File: WebAppProxy.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Reads the proxy's security mode, host, bind address, port and admin ACL
 * from {@code conf} before delegating to the superclass.
 *
 * @param conf service configuration
 * @throws YarnRuntimeException if the proxy address is not configured
 * @throws Exception propagated from the superclass initialization
 */
@Override
protected void serviceInit(Configuration conf) throws Exception {
  String auth =  conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION);
  if ("kerberos".equals(auth)) {
    isSecurityEnabled = true;
  } else if (auth == null || "simple".equals(auth)) {
    isSecurityEnabled = false;
  } else {
    // NOTE(review): an unrecognized value is only logged; isSecurityEnabled
    // keeps whatever value it had before and initialization continues.
    // The misspelling in the message is kept as it is in the original.
    LOG.warn("Unrecongized attribute value for " +
        CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION +
        " of " + auth);
  }

  // Host part of "host:port".
  proxyHost = WebAppUtils.getProxyHostAndPort(conf).split(":")[0];

  fetcher = new AppReportFetcher(conf);

  bindAddress = conf.get(YarnConfiguration.PROXY_ADDRESS);
  if (bindAddress == null || bindAddress.isEmpty()) {
    throw new YarnRuntimeException(YarnConfiguration.PROXY_ADDRESS + 
        " is not set so the proxy will not run.");
  }
  LOG.info("Instantiating Proxy at " + bindAddress);

  // Split "host:port"; any other shape leaves bindAddress as is and port 0.
  String[] addressParts = StringUtils.split(bindAddress, ':');
  port = 0;
  if (addressParts.length == 2) {
    bindAddress = addressParts[0];
    port = Integer.parseInt(addressParts[1]);
  }

  String adminAclSpec = conf.get(YarnConfiguration.YARN_ADMIN_ACL, 
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL);
  acl = new AccessControlList(adminAclSpec);

  super.serviceInit(conf);
}
 
Example 18
Source Project: hadoop   Source File: DockerLinuxContainerRuntime.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Loads the Docker runtime settings: the allowed container networks, the
 * default network and the ACL that governs privileged containers.
 *
 * @param conf node manager configuration
 * @throws ContainerExecutionException if the default network is not one of
 *         the allowed networks
 */
@Override
public void initialize(Configuration conf)
    throws ContainerExecutionException {
  this.conf = conf;
  dockerClient = new DockerClient(conf);

  allowedNetworks.clear();
  String[] configuredNetworks = conf.getStrings(
      YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_NETWORKS,
      YarnConfiguration.DEFAULT_NM_DOCKER_ALLOWED_CONTAINER_NETWORKS);
  allowedNetworks.addAll(Arrays.asList(configuredNetworks));

  defaultNetwork = conf.get(
      YarnConfiguration.NM_DOCKER_DEFAULT_CONTAINER_NETWORK,
      YarnConfiguration.DEFAULT_NM_DOCKER_DEFAULT_CONTAINER_NETWORK);

  // Refuse to start with a default network that the allow-list excludes.
  boolean defaultIsAllowed = allowedNetworks.contains(defaultNetwork);
  if (!defaultIsAllowed) {
    String message = "Default network: " + defaultNetwork
        + " is not in the set of allowed networks: " + allowedNetworks;

    if (LOG.isWarnEnabled()) {
      LOG.warn(message + ". Please check configuration");
    }

    throw new ContainerExecutionException(message);
  }

  // Who may run privileged containers. The fallback used when the property
  // is unset is defined in YarnConfiguration and is not visible here.
  String privilegedAclSpec = conf.get(
      YarnConfiguration.NM_DOCKER_PRIVILEGED_CONTAINERS_ACL,
      YarnConfiguration.DEFAULT_NM_DOCKER_PRIVILEGED_CONTAINERS_ACL);
  privilegedContainersAcl = new AccessControlList(privilegedAclSpec);
}
 
Example 19
Source Project: big-c   Source File: AllocationConfiguration.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Returns the ACL for one operation on one queue.
 *
 * <p>An explicitly configured ACL wins. Otherwise the root queue defaults
 * to everybody ("*") and every other queue defaults to nobody (""), so a
 * non-root queue without configuration is closed rather than open.
 *
 * @param queue     queue name; must not be null
 * @param operation operation being checked
 * @return the configured ACL, or the default described above
 */
public AccessControlList getQueueAcl(String queue, QueueACL operation) {
  Map<QueueACL, AccessControlList> configured = this.queueAcls.get(queue);
  AccessControlList explicitAcl =
      (configured == null) ? null : configured.get(operation);
  if (explicitAcl != null) {
    return explicitAcl;
  }
  if (queue.equals("root")) {
    return EVERYBODY_ACL;
  }
  return NOBODY_ACL;
}
 
Example 20
Source Project: hadoop   Source File: AllocationConfiguration.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Returns the ACL for one operation on one queue.
 *
 * <p>An explicitly configured ACL wins. Otherwise the root queue defaults
 * to everybody ("*") and every other queue defaults to nobody (""), so a
 * non-root queue without configuration is closed rather than open.
 *
 * @param queue     queue name; must not be null
 * @param operation operation being checked
 * @return the configured ACL, or the default described above
 */
public AccessControlList getQueueAcl(String queue, QueueACL operation) {
  Map<QueueACL, AccessControlList> configured = this.queueAcls.get(queue);
  AccessControlList explicitAcl =
      (configured == null) ? null : configured.get(operation);
  if (explicitAcl != null) {
    return explicitAcl;
  }
  if (queue.equals("root")) {
    return EVERYBODY_ACL;
  }
  return NOBODY_ACL;
}
 
Example 21
Source Project: hadoop   Source File: DFSZKFailoverController.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Creates the failover controller for {@code localTarget} and loads its
 * admin ACL from the DFS_ADMIN property.
 */
private DFSZKFailoverController(Configuration conf,
      NNHAServiceTarget localTarget) {
    super(conf, localTarget);
    this.localNNTarget = localTarget;

    // The fallback is a single space, i.e. an ACL string with an empty user
    // list and an empty group list: with nothing configured, no user is
    // named as admin.
    String adminAclSpec = conf.get(DFSConfigKeys.DFS_ADMIN, " ");
    adminAcl = new AccessControlList(adminAclSpec);

    LOG.info("Failover controller configured for NameNode " + localTarget);
}
 
Example 22
Source Project: hadoop   Source File: AdminService.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Builds the admin ACL from the YARN_ADMIN_ACL property and adds the daemon
 * user to it.
 *
 * <p>The daemon user is therefore an admin regardless of what the property
 * lists.
 *
 * @param conf configuration to read the admin ACL from
 * @return a new ACL containing the configured admins plus the daemon user
 */
private AccessControlList getAdminAclList(Configuration conf) {
  String adminAclSpec = conf.get(YarnConfiguration.YARN_ADMIN_ACL,
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL);
  AccessControlList adminAcl = new AccessControlList(adminAclSpec);
  adminAcl.addUser(daemonUser.getShortUserName());
  return adminAcl;
}
 
Example 23
Source Project: ranger   Source File: RangerYarnAuthorizer.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Checks the stored YARN ACLs for an entry that grants {@code accessType}
 * to {@code ugi} on {@code entity} or on one of its ancestors.
 *
 * <p>The result is false unless some entry matches. The outcome is passed
 * to {@code auditHandler} when one is supplied.
 *
 * @return true if a matching ACL allows the user, false otherwise
 */
public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
	}

	boolean ret = false;

	for(Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> aclEntry : yarnAcl.entrySet()) {
		Map<AccessType, AccessControlList> permissions = aclEntry.getValue();
		if(permissions == null) {
			continue;
		}

		AccessControlList acl = permissions.get(accessType);
		if(acl == null) {
			continue;
		}

		// The user check runs before the hierarchy check, as in the
		// condition this loop replaces.
		if(acl.isUserAllowed(ugi) && isSelfOrChildOf(entity, aclEntry.getKey())) {
			ret = true;
			break;
		}
	}

	if(auditHandler != null) {
		auditHandler.logYarnAclEvent(ret);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret);
	}

	return ret;
}
 
Example 24
Source Project: hadoop   Source File: KMSACLs.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Checks whether {@code ugi} may perform {@code opType} under the given
 * per-operation ACL map.
 *
 * @return false when no ACL is specified for the operation (deny by
 *         default), otherwise the ACL's verdict for the user
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  AccessControlList acl = keyAcl.get(opType);
  // A missing ACL denies access; it is never treated as "allow all".
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example 25
Source Project: big-c   Source File: QueueACLsTestBase.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Starts a MockRM on a background thread and waits until it leaves the
 * INITED state.
 *
 * @throws InterruptedException if the wait is interrupted
 * @throws IOException if the ResourceManager is not STARTED once the wait
 *                     ends
 */
@Before
public void setup() throws InterruptedException, IOException {
  conf = createConfiguration();
  rpc = YarnRPC.create(conf);
  rmAddress = conf.getSocketAddr(
    YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS,
    YarnConfiguration.DEFAULT_RM_PORT);
  
  // The admin ACL is configured from an ACL built from the empty string,
  // presumably so that no user gets access through the admin ACL and the
  // queue ACLs alone decide -- confirm against the test cases.
  AccessControlList adminACL = new AccessControlList("");
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACL.getAclString());

  resourceManager = new MockRM(conf) {
    protected ClientRMService createClientRMService() {
      return new ClientRMService(getRMContext(), this.scheduler,
        this.rmAppManager, this.applicationACLsManager,
        this.queueACLsManager, getRMContext().getRMDelegationTokenSecretManager());
    };

    // Overridden with an empty body: the mock performs no secure login.
    @Override
    protected void doSecureLogin() throws IOException {
    }
  };
  // start() runs on its own thread; the loop below polls the service state.
  new Thread() {
    public void run() {
      resourceManager.start();
    };
  }.start();
  // At most 60 polls with 1500 ms between them.
  int waitCount = 0;
  while (resourceManager.getServiceState() == STATE.INITED
      && waitCount++ < 60) {
    LOG.info("Waiting for RM to start...");
    Thread.sleep(1500);
  }
  if (resourceManager.getServiceState() != STATE.STARTED) {
    // RM could have failed.
    throw new IOException("ResourceManager failed to start. Final state is "
        + resourceManager.getServiceState());
  }
}
 
Example 26
Source Project: hadoop   Source File: TestApplicationACLs.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Submits an application whose view ACL names only FRIENDLY_GROUP and whose
 * modify ACL names only FRIEND, then checks that SUPER_USER can still view,
 * list and kill it.
 */
private void verifySuperUserAccess() throws Exception {
  // Both ACLs start from the empty string and get exactly one entry each.
  AccessControlList viewACL = new AccessControlList("");
  viewACL.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyACL = new AccessControlList("");
  modifyACL.addUser(FRIEND);
  ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

  final GetApplicationReportRequest appReportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  appReportRequest.setApplicationId(applicationId);
  final KillApplicationRequest finishAppRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  finishAppRequest.setApplicationId(applicationId);

  ApplicationClientProtocol superUserClient = getRMClientForUser(SUPER_USER);

  // View as the superUser; the call must complete without throwing.
  superUserClient.getApplicationReport(appReportRequest);

  // List apps as superUser. The expected count of 2 presumably includes an
  // application submitted earlier in the test run -- confirm against callers.
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  Assert.assertEquals("App view by super-user should list the apps!!", 2,
      superUserClient.getApplications(listRequest)
          .getApplicationList().size());

  // Kill app as the superUser
  superUserClient.forceKillApplication(finishAppRequest);
  resourceManager.waitForState(applicationId, RMAppState.KILLED);
}
 
Example 27
Source Project: hadoop   Source File: TestApplicationACLs.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Submits an application whose view ACL names FRIENDLY_GROUP and whose
 * modify ACL names FRIEND, then checks that FRIEND can view, list and kill
 * it.
 */
private void verifyFriendAccess() throws Exception {
  // Both ACLs start from the empty string and get exactly one entry each.
  AccessControlList viewACL = new AccessControlList("");
  viewACL.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyACL = new AccessControlList("");
  modifyACL.addUser(FRIEND);
  ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

  final GetApplicationReportRequest appReportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  appReportRequest.setApplicationId(applicationId);
  final KillApplicationRequest finishAppRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  finishAppRequest.setApplicationId(applicationId);

  ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);

  // View as the friend; the call must complete without throwing.
  friendClient.getApplicationReport(appReportRequest);

  // List apps as friend. The expected count of 3 presumably includes
  // applications submitted earlier in the test run -- confirm against callers.
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  Assert.assertEquals("App view by a friend should list the apps!!", 3,
      friendClient.getApplications(listRequest)
          .getApplicationList().size());

  // Kill app as the friend
  friendClient.forceKillApplication(finishAppRequest);
  resourceManager.waitForState(applicationId, RMAppState.KILLED);
}
 
Example 28
Source Project: ranger   Source File: RangerYarnAuthorizer.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Replaces the admin ACL held by this authorizer.
 *
 * <p>NOTE(review): {@code ugi} is only written to the debug log; this
 * method does not check it. Whether the caller has already been authorized
 * is not visible here -- confirm at the call sites.
 *
 * @param acl new admin ACL
 * @param ugi user on whose behalf the change is made
 */
@Override
public void setAdmins(AccessControlList acl, UserGroupInformation ugi) {
	final boolean debugEnabled = LOG.isDebugEnabled();

	if(debugEnabled) {
		LOG.debug("==> RangerYarnAuthorizer.setAdmins(" + acl + ", " + ugi + ")");
	}

	admins = acl;

	if(debugEnabled) {
		LOG.debug("<== RangerYarnAuthorizer.setAdmins(" + acl + ", " + ugi + ")");
	}
}
 
Example 29
Source Project: hadoop   Source File: TimelineACLsManager.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts a timeline domain into its cached ACL form and stores it under
 * the domain id.
 *
 * <p>The domain's readers become the VIEW_APP ACL and its writers the
 * MODIFY_APP ACL; the owner is carried alongside both.
 *
 * @param domain domain whose readers, writers and owner are cached
 * @return the entry that was put into the cache
 */
private AccessControlListExt putDomainIntoCache(
    TimelineDomain domain) {
  AccessControlList viewAcl =
      new AccessControlList(StringHelper.cjoin(domain.getReaders()));
  AccessControlList modifyAcl =
      new AccessControlList(StringHelper.cjoin(domain.getWriters()));

  Map<ApplicationAccessType, AccessControlList> aclsByType =
      new HashMap<ApplicationAccessType, AccessControlList>(2);
  aclsByType.put(ApplicationAccessType.VIEW_APP, viewAcl);
  aclsByType.put(ApplicationAccessType.MODIFY_APP, modifyAcl);

  AccessControlListExt cached =
      new AccessControlListExt(domain.getOwner(), aclsByType);
  aclExts.put(domain.getId(), cached);
  return cached;
}
 
Example 30
Source Project: big-c   Source File: JobStatus.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Restores this job status from {@code in}.
 *
 * <p>Fields are read in a fixed sequence with no field tags; the job ACLs
 * come last, as a count followed by one (enum, ACL) pair per entry.
 *
 * @param in source of the serialized fields
 * @throws IOException if any read from {@code in} fails
 */
public synchronized void readFields(DataInput in) throws IOException {
  this.jobid = new JobID();
  this.jobid.readFields(in);
  this.setupProgress = in.readFloat();
  this.mapProgress = in.readFloat();
  this.reduceProgress = in.readFloat();
  this.cleanupProgress = in.readFloat();
  this.runState = WritableUtils.readEnum(in, State.class);
  this.startTime = in.readLong();
  this.user = StringInterner.weakIntern(Text.readString(in));
  this.priority = WritableUtils.readEnum(in, JobPriority.class);
  this.schedulingInfo = StringInterner.weakIntern(Text.readString(in));
  this.finishTime = in.readLong();
  this.isRetired = in.readBoolean();
  this.historyFile = StringInterner.weakIntern(Text.readString(in));
  this.jobName = StringInterner.weakIntern(Text.readString(in));
  this.trackingUrl = StringInterner.weakIntern(Text.readString(in));
  this.jobFile = StringInterner.weakIntern(Text.readString(in));
  this.isUber = in.readBoolean();

  // De-serialize the job's ACLs
  // NOTE(review): the entry count is taken from the stream as is; nothing
  // here bounds it or rejects a negative value. Confirm that the stream can
  // only come from a trusted peer, or validate the count.
  // NOTE(review): entries are only added with put; jobACLs is not cleared
  // first, so ACLs left over from an earlier readFields on the same instance
  // would remain unless overwritten -- confirm whether instances are reused.
  int numACLs = in.readInt();
  for (int i = 0; i < numACLs; i++) {
    JobACL aclType = WritableUtils.readEnum(in, JobACL.class);
    // Placeholder ACL; its contents are replaced by readFields just below.
    AccessControlList acl = new AccessControlList(" ");
    acl.readFields(in);
    this.jobACLs.put(aclType, acl);
  }
}