Java Code Examples for org.apache.hadoop.security.authorize.AccessControlList#isUserAllowed()

Example 1
Source File: ConfiguredYarnAuthorizer.java (from hadoop, Apache License 2.0)
/**
 * Checks whether {@code user} holds {@code accessType} on {@code target}.
 * <p>
 * For queues the permission is inherited: when the queue itself grants
 * nothing, the check is repeated on the parent queue (queue names are
 * dot-separated paths) until a grant is found or the root is reached.
 *
 * @param accessType the kind of access being requested
 * @param target     the entity (e.g. a queue) being accessed
 * @param user       the user (and groups) requesting access
 * @return {@code true} if some ACL on the target or, for queues, on an
 *         ancestor queue allows the user; {@code false} otherwise
 */
@Override
public boolean checkPermission(AccessType accessType,
    PrivilegedEntity target, UserGroupInformation user) {
  // A missing entity entry or a missing per-access-type ACL both mean
  // "no explicit grant here".
  boolean allowedHere = false;
  Map<AccessType, AccessControlList> entityAcls = allAcls.get(target);
  if (entityAcls != null) {
    AccessControlList acl = entityAcls.get(accessType);
    if (acl != null) {
      allowedHere = acl.isUserAllowed(user);
    }
  }
  if (allowedHere || target.getType() != EntityType.QUEUE) {
    return allowedHere;
  }

  // Not granted on this queue: walk one level up and try the parent.
  String queueName = target.getName();
  int lastDot = queueName.lastIndexOf('.');
  if (lastDot < 0) {
    // Root queue reached without a grant anywhere on the path.
    return false;
  }
  String parentQueueName = queueName.substring(0, lastDot);
  return checkPermission(accessType,
      new PrivilegedEntity(target.getType(), parentQueueName), user);
}
 
Example 2
Source File: RangerYarnAuthorizer.java (from ranger, Apache License 2.0)
/**
 * Reports whether {@code ugi} is a YARN administrator according to the
 * currently configured admin ACL.
 *
 * @param ugi the user (and groups) to check
 * @return {@code true} only when an admin ACL is configured and it allows
 *         {@code ugi}; {@code false} when no admin ACL is set (deny by default)
 */
@Override
public boolean isAdmin(UserGroupInformation ugi) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuthorizer.isAdmin(" + ugi + ")");
	}

	// The field is read once into a local; this looks like a snapshot so that
	// a concurrent reconfiguration cannot change the ACL between the null
	// check and the lookup.
	final AccessControlList adminAcl = this.admins;
	final boolean isAdmin = adminAcl != null && adminAcl.isUserAllowed(ugi);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuthorizer.isAdmin(" + ugi + "): " + isAdmin);
	}

	return isAdmin;
}
 
Example 3
Source File: JobACLsManager.java (from hadoop, Apache License 2.0)
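/**
 * If authorization is enabled, checks whether the user (in the callerUGI)
 * is authorized to perform the operation specified by 'jobOperation' on
 * the job by checking if the user is jobOwner or part of job ACL for the
 * specific job operation.
 * <ul>
 * <li>MR administrators and the owner of the job can do any operation on
 * the job</li>
 * <li>For all other users/groups job-acls are checked</li>
 * </ul>
 *
 * @param callerUGI    the user (and groups) requesting the operation
 * @param jobOperation the operation being requested; only logged here, the
 *                     caller is expected to pass the matching {@code jobACL}
 * @param jobOwner     short user name of the job owner
 * @param jobACL       the ACL configured for {@code jobOperation} on this
 *                     job; must be non-null when ACLs are enabled
 * @return {@code true} if ACLs are disabled, or the caller is an MR admin,
 *         the job owner, or allowed by {@code jobACL}; {@code false} otherwise
 */
public boolean checkAccess(UserGroupInformation callerUGI,
    JobACL jobOperation, String jobOwner, AccessControlList jobACL) {

  if (LOG.isDebugEnabled()) {
    LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: "
        + jobOperation.toString() + " user: " + callerUGI.getShortUserName());
  }
  // With ACLs disabled every caller is allowed; nothing below is consulted.
  if (!areACLsEnabled()) {
    return true;
  }
  String user = callerUGI.getShortUserName();

  // Admins and the job owner bypass the ACL; everyone else must be on it.
  // The ACL is consulted last so the cheaper checks short-circuit it.
  return isMRAdmin(callerUGI)
      || user.equals(jobOwner)
      || jobACL.isUserAllowed(callerUGI);
}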
 
Example 4
Source File: JobACLsManager.java (from big-c, Apache License 2.0)
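/**
 * If authorization is enabled, checks whether the user (in the callerUGI)
 * is authorized to perform the operation specified by 'jobOperation' on
 * the job by checking if the user is jobOwner or part of job ACL for the
 * specific job operation.
 * <ul>
 * <li>MR administrators and the owner of the job can do any operation on
 * the job</li>
 * <li>For all other users/groups job-acls are checked</li>
 * </ul>
 *
 * @param callerUGI    the user (and groups) requesting the operation
 * @param jobOperation the operation being requested; only logged here, the
 *                     caller is expected to pass the matching {@code jobACL}
 * @param jobOwner     short user name of the job owner
 * @param jobACL       the ACL configured for {@code jobOperation} on this
 *                     job; must be non-null when ACLs are enabled
 * @return {@code true} if ACLs are disabled, or the caller is an MR admin,
 *         the job owner, or allowed by {@code jobACL}; {@code false} otherwise
 */
public boolean checkAccess(UserGroupInformation callerUGI,
    JobACL jobOperation, String jobOwner, AccessControlList jobACL) {

  if (LOG.isDebugEnabled()) {
    LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: "
        + jobOperation.toString() + " user: " + callerUGI.getShortUserName());
  }
  // With ACLs disabled every caller is allowed; nothing below is consulted.
  if (!areACLsEnabled()) {
    return true;
  }
  String user = callerUGI.getShortUserName();

  // Admins and the job owner bypass the ACL; everyone else must be on it.
  // The ACL is consulted last so the cheaper checks short-circuit it.
  return isMRAdmin(callerUGI)
      || user.equals(jobOwner)
      || jobACL.isUserAllowed(callerUGI);
}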
 
Example 5
Source File: ConfiguredYarnAuthorizer.java (from big-c, Apache License 2.0)
/**
 * Checks whether {@code user} holds {@code accessType} on {@code target}.
 * <p>
 * For queues the permission is inherited: when the queue itself grants
 * nothing, the check is repeated on the parent queue (queue names are
 * dot-separated paths) until a grant is found or the root is reached.
 *
 * @param accessType the kind of access being requested
 * @param target     the entity (e.g. a queue) being accessed
 * @param user       the user (and groups) requesting access
 * @return {@code true} if some ACL on the target or, for queues, on an
 *         ancestor queue allows the user; {@code false} otherwise
 */
@Override
public boolean checkPermission(AccessType accessType,
    PrivilegedEntity target, UserGroupInformation user) {
  // A missing entity entry or a missing per-access-type ACL both mean
  // "no explicit grant here".
  boolean allowedHere = false;
  Map<AccessType, AccessControlList> entityAcls = allAcls.get(target);
  if (entityAcls != null) {
    AccessControlList acl = entityAcls.get(accessType);
    if (acl != null) {
      allowedHere = acl.isUserAllowed(user);
    }
  }
  if (allowedHere || target.getType() != EntityType.QUEUE) {
    return allowedHere;
  }

  // Not granted on this queue: walk one level up and try the parent.
  String queueName = target.getName();
  int lastDot = queueName.lastIndexOf('.');
  if (lastDot < 0) {
    // Root queue reached without a grant anywhere on the path.
    return false;
  }
  String parentQueueName = queueName.substring(0, lastDot);
  return checkPermission(accessType,
      new PrivilegedEntity(target.getType(), parentQueueName), user);
}
 
Example 6
Source File: QueueManager.java (from big-c, Apache License 2.0)
/**
 * Return true if the given user is part of the ACL for the given
 * {@link QueueACL} name for the given queue.
 * <p>
 * Only leaf queues can be targeted: an unknown queue or a queue with
 * children is rejected before any ACL is consulted. When ACLs are disabled
 * every user is allowed; otherwise a missing ACL entry denies access.
 *
 * @param queueName Queue on which the operation needs to be performed.
 * @param qACL      The queue ACL name to be checked
 * @param ugi       The user and groups who wish to perform the operation.
 * @return true     if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(
  String queueName, QueueACL qACL, UserGroupInformation ugi) {

  Queue queue = leafQueues.get(queueName);
  if (queue == null) {
    LOG.info("Queue " + queueName + " is not present");
    return false;
  }

  // Jobs may only be submitted to leaf queues.
  boolean hasChildren = queue.getChildren() != null
      && !queue.getChildren().isEmpty();
  if (hasChildren) {
    LOG.info("Cannot submit job to parent queue " + queue.getName());
    return false;
  }

  if (!areAclsEnabled()) {
    return true;
  }

  String aclKey = toFullPropertyName(queueName, qACL.getAclName());
  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking access for the acl " + aclKey
      + " for user " + ugi.getShortUserName());
  }

  // No entry under this ACL name means deny.
  AccessControlList acl = queue.getAcls().get(aclKey);
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example 7
Source File: RangerYarnAuthorizer.java (from ranger, Apache License 2.0)
/**
 * Evaluates the YARN-side ACLs (as opposed to Ranger policies) for the given
 * entity and access type.
 * <p>
 * Access is granted when some ACL entry allows {@code ugi} for
 * {@code accessType} and, judging by {@code isSelfOrChildOf}, was granted on
 * the entity itself or one of its ancestors. The outcome is reported to
 * {@code auditHandler} when one is supplied.
 *
 * @param accessType   the access being requested
 * @param entity       the entity (e.g. queue) being accessed
 * @param ugi          the user (and groups) requesting access
 * @param auditHandler receives the result via {@code logYarnAclEvent}; may be null
 * @return {@code true} if some matching YARN ACL allows the user
 */
public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
	}

	boolean allowed = false;

	for(Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> aclEntry : yarnAcl.entrySet()) {
		Map<AccessType, AccessControlList> permissions = aclEntry.getValue();
		if(permissions == null) {
			continue;
		}

		AccessControlList acl = permissions.get(accessType);
		if(acl == null || !acl.isUserAllowed(ugi)) {
			continue;
		}

		// The ACL allows the user; it only counts if it was granted on this
		// entity or an entity the target is a child of.
		if(isSelfOrChildOf(entity, aclEntry.getKey())) {
			allowed = true;
			break;
		}
	}

	if(auditHandler != null) {
		auditHandler.logYarnAclEvent(allowed);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + allowed);
	}

	return allowed;
}
 
Example 8
Source File: KMSACLs.java (from ranger, Apache License 2.0)
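/**
 * Decides whether {@code ugi} may perform {@code opType} on a key, given the
 * key's per-operation ACL map.
 * <p>
 * Absence of an ACL for the operation is treated as deny (fail closed).
 *
 * @param keyAcl per-operation ACLs for one key; must be non-null
 * @param ugi    the user (and groups) requesting the operation
 * @param opType the key operation being requested
 * @return {@code true} only if an ACL exists for {@code opType} and it
 *         allows {@code ugi}
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,UserGroupInformation ugi, KeyOpType opType) {
  AccessControlList acl = keyAcl.get(opType);
  if (acl == null) {
    // If no acl is specified for this operation,
    // deny access
    LOG.debug("No ACL available for key, denying access for {}", opType);
    return false;
  }
  if (LOG.isDebugEnabled()) {
    // The user name is passed as a format argument. It used to be
    // concatenated onto the pattern, which left the first {} unfilled and
    // shifted the other two arguments.
    LOG.debug("Checking user [{}] for: {}: {}", ugi.getShortUserName(),
        opType, acl.getAclString());
  }
  return acl.isUserAllowed(ugi);
}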
 
Example 9
Source File: KMSACLs.java (from big-c, Apache License 2.0)
/**
 * Decides whether {@code ugi} may perform {@code opType} on a key, given the
 * key's per-operation ACL map. A missing ACL for the operation denies access
 * (fail closed).
 *
 * @param keyAcl per-operation ACLs for one key; must be non-null
 * @param ugi    the user (and groups) requesting the operation
 * @param opType the key operation being requested
 * @return {@code true} only if an ACL exists for {@code opType} and it
 *         allows {@code ugi}
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  // No ACL configured for this operation => deny.
  AccessControlList opAcl = keyAcl.get(opType);
  return opAcl != null && opAcl.isUserAllowed(ugi);
}
 
Example 10
Source File: HttpServer2.java (from hadoop-ozone, Apache License 2.0)
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(
    ServletContext servletContext,
    String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an admin ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (adminsAcl == null) {
    // No admin ACL configured: nobody is an administrator.
    return false;
  }
  return adminsAcl.isUserAllowed(remoteUgi);
}
 
Example 11
Source File: KMSACLs.java (from hadoop, Apache License 2.0)
/**
 * Decides whether {@code ugi} may perform {@code opType} on a key, given the
 * key's per-operation ACL map. A missing ACL for the operation denies access
 * (fail closed).
 *
 * @param keyAcl per-operation ACLs for one key; must be non-null
 * @param ugi    the user (and groups) requesting the operation
 * @param opType the key operation being requested
 * @return {@code true} only if an ACL exists for {@code opType} and it
 *         allows {@code ugi}
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  // No ACL configured for this operation => deny.
  AccessControlList opAcl = keyAcl.get(opType);
  return opAcl != null && opAcl.isUserAllowed(ugi);
}
 
Example 12
Source File: QueueManager.java (from hadoop, Apache License 2.0)
/**
 * Return true if the given user is part of the ACL for the given
 * {@link QueueACL} name for the given queue.
 * <p>
 * Only leaf queues can be targeted: an unknown queue or a queue with
 * children is rejected before any ACL is consulted. When ACLs are disabled
 * every user is allowed; otherwise a missing ACL entry denies access.
 *
 * @param queueName Queue on which the operation needs to be performed.
 * @param qACL      The queue ACL name to be checked
 * @param ugi       The user and groups who wish to perform the operation.
 * @return true     if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(
  String queueName, QueueACL qACL, UserGroupInformation ugi) {

  Queue queue = leafQueues.get(queueName);
  if (queue == null) {
    LOG.info("Queue " + queueName + " is not present");
    return false;
  }

  // Jobs may only be submitted to leaf queues.
  boolean hasChildren = queue.getChildren() != null
      && !queue.getChildren().isEmpty();
  if (hasChildren) {
    LOG.info("Cannot submit job to parent queue " + queue.getName());
    return false;
  }

  if (!areAclsEnabled()) {
    return true;
  }

  String aclKey = toFullPropertyName(queueName, qACL.getAclName());
  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking access for the acl " + aclKey
      + " for user " + ugi.getShortUserName());
  }

  // No entry under this ACL name means deny.
  AccessControlList acl = queue.getAcls().get(aclKey);
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example 13
Source File: ApplicationACLsManager.java (from big-c, Apache License 2.0)
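/**
 * If authorization is enabled, checks whether the user (in the callerUGI) is
 * authorized to perform the access specified by 'applicationAccessType' on
 * the application by checking if the user is applicationOwner or part of
 * application ACL for the specific access-type.
 * <ul>
 * <li>YARN administrators and the owner of the application have all
 * access-types on the application</li>
 * <li>For all other users/groups application-acls are checked; when no ACL
 * was registered for the application or for the access-type, the default
 * ({@code YarnConfiguration.DEFAULT_YARN_APP_ACL}) is used instead</li>
 * </ul>
 *
 * @param callerUGI             the user (and groups) requesting access
 * @param applicationAccessType the kind of access being requested
 * @param applicationOwner      short user name of the application owner
 * @param applicationId         the application being accessed
 * @return {@code true} if ACLs are disabled, or the caller is an admin, the
 *         owner, or allowed by the (possibly default) application ACL;
 *         {@code false} otherwise
 */
public boolean checkAccess(UserGroupInformation callerUGI,
    ApplicationAccessType applicationAccessType, String applicationOwner,
    ApplicationId applicationId) {

  if (LOG.isDebugEnabled()) {
    LOG.debug("Verifying access-type " + applicationAccessType + " for "
        + callerUGI + " on application " + applicationId + " owned by "
        + applicationOwner);
  }

  String user = callerUGI.getShortUserName();
  // With ACLs disabled every caller is allowed.
  if (!areACLsEnabled()) {
    return true;
  }

  // Start from the default ACL and narrow to the registered one if present.
  // How permissive the default is decides whether an unregistered
  // application fails open or closed, so each fallback is logged.
  AccessControlList applicationACL = DEFAULT_YARN_APP_ACL;
  Map<ApplicationAccessType, AccessControlList> acls = this.applicationACLS
      .get(applicationId);
  if (acls == null) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("ACL not found for application "
          + applicationId + " owned by "
          + applicationOwner + ". Using default ["
          + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
    }
  } else {
    AccessControlList applicationACLInMap = acls.get(applicationAccessType);
    if (applicationACLInMap != null) {
      applicationACL = applicationACLInMap;
    } else if (LOG.isDebugEnabled()) {
      LOG.debug("ACL not found for access-type " + applicationAccessType
          + " for application " + applicationId + " owned by "
          + applicationOwner + ". Using default ["
          + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
    }
  }

  // Admins and the owner bypass the ACL; everyone else must be allowed by
  // it. The ACL is consulted last so the cheaper checks short-circuit it.
  return this.adminAclsManager.isAdmin(callerUGI)
      || user.equals(applicationOwner)
      || applicationACL.isUserAllowed(callerUGI);
}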
 
Example 14
Source File: ApplicationACLsManager.java (from hadoop, Apache License 2.0)
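/**
 * If authorization is enabled, checks whether the user (in the callerUGI) is
 * authorized to perform the access specified by 'applicationAccessType' on
 * the application by checking if the user is applicationOwner or part of
 * application ACL for the specific access-type.
 * <ul>
 * <li>YARN administrators and the owner of the application have all
 * access-types on the application</li>
 * <li>For all other users/groups application-acls are checked; when no ACL
 * was registered for the application or for the access-type, the default
 * ({@code YarnConfiguration.DEFAULT_YARN_APP_ACL}) is used instead</li>
 * </ul>
 *
 * @param callerUGI             the user (and groups) requesting access
 * @param applicationAccessType the kind of access being requested
 * @param applicationOwner      short user name of the application owner
 * @param applicationId         the application being accessed
 * @return {@code true} if ACLs are disabled, or the caller is an admin, the
 *         owner, or allowed by the (possibly default) application ACL;
 *         {@code false} otherwise
 */
public boolean checkAccess(UserGroupInformation callerUGI,
    ApplicationAccessType applicationAccessType, String applicationOwner,
    ApplicationId applicationId) {

  if (LOG.isDebugEnabled()) {
    LOG.debug("Verifying access-type " + applicationAccessType + " for "
        + callerUGI + " on application " + applicationId + " owned by "
        + applicationOwner);
  }

  String user = callerUGI.getShortUserName();
  // With ACLs disabled every caller is allowed.
  if (!areACLsEnabled()) {
    return true;
  }

  // Start from the default ACL and narrow to the registered one if present.
  // How permissive the default is decides whether an unregistered
  // application fails open or closed, so each fallback is logged.
  AccessControlList applicationACL = DEFAULT_YARN_APP_ACL;
  Map<ApplicationAccessType, AccessControlList> acls = this.applicationACLS
      .get(applicationId);
  if (acls == null) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("ACL not found for application "
          + applicationId + " owned by "
          + applicationOwner + ". Using default ["
          + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
    }
  } else {
    AccessControlList applicationACLInMap = acls.get(applicationAccessType);
    if (applicationACLInMap != null) {
      applicationACL = applicationACLInMap;
    } else if (LOG.isDebugEnabled()) {
      LOG.debug("ACL not found for access-type " + applicationAccessType
          + " for application " + applicationId + " owned by "
          + applicationOwner + ". Using default ["
          + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
    }
  }

  // Admins and the owner bypass the ACL; everyone else must be allowed by
  // it. The ACL is consulted last so the cheaper checks short-circuit it.
  return this.adminAclsManager.isAdmin(callerUGI)
      || user.equals(applicationOwner)
      || applicationACL.isUserAllowed(callerUGI);
}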
 
Example 15
Source File: HttpServer.java (from hbase, Apache License 2.0)
/**
 * Checks whether {@code remoteUser} is allowed by the given admin ACL.
 *
 * @param acl        the administrator ACL; null means nobody is an admin
 * @param remoteUser name of the remote user to check
 * @return {@code true} only if {@code acl} is non-null and allows the user
 */
public static boolean userHasAdministratorAccess(AccessControlList acl, String remoteUser) {
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (acl == null) {
    return false;
  }
  return acl.isUserAllowed(remoteUgi);
}
 
Example 16
Source File: HttpServer2.java (from knox, Apache License 2.0)
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
                                                 String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an admin ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (adminsAcl == null) {
    // No admin ACL configured: nobody is an administrator.
    return false;
  }
  return adminsAcl.isUserAllowed(remoteUgi);
}
 
Example 17
Source File: HttpServer2.java (from big-c, Apache License 2.0)
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
    String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an admin ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (adminsAcl == null) {
    // No admin ACL configured: nobody is an administrator.
    return false;
  }
  return adminsAcl.isUserAllowed(remoteUgi);
}
 
Example 18
Source File: HttpServer2.java (from knox, Apache License 2.0)
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
                                                 String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an admin ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (adminsAcl == null) {
    // No admin ACL configured: nobody is an administrator.
    return false;
  }
  return adminsAcl.isUserAllowed(remoteUgi);
}
 
Example 19
Source File: HttpServer2.java (from lucene-solr, Apache License 2.0)
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
                                                 String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an admin ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (adminsAcl == null) {
    // No admin ACL configured: nobody is an administrator.
    return false;
  }
  return adminsAcl.isUserAllowed(remoteUgi);
}
 
Example 20
Source File: HttpServer.java (from hadoop, Apache License 2.0)
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
    String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  // The UGI is built before the null check so that a rejected user name
  // (createRemoteUser presumably refuses null/empty names) fails the same
  // way whether or not an admin ACL is configured.
  UserGroupInformation remoteUgi =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (adminsAcl == null) {
    // No admin ACL configured: nobody is an administrator.
    return false;
  }
  return adminsAcl.isUserAllowed(remoteUgi);
}