org.apache.hadoop.security.authorize.AccessControlList Java Examples

Example #1
Source File: TestKMSACLs.java    From ranger with Apache License 2.0
/**
 * Every ACL property below is set twice; KMSACLs must honour only the
 * later value for each key (key ACLs, default ACLs and the whitelist).
 */
@Test
public void testKeyAclDuplicateEntries() {
  final Configuration conf = new Configuration(false);

  // Per-key ACLs: the second value for each key replaces the first.
  conf.set(KEY_ACL + "test_key_1.DECRYPT_EEK", "decrypt1");
  conf.set(KEY_ACL + "test_key_2.ALL", "all2");
  conf.set(KEY_ACL + "test_key_1.DECRYPT_EEK", "decrypt2");
  conf.set(KEY_ACL + "test_key_2.ALL", "all1,all3");

  // Default ACLs: a later empty value overrides an earlier grant.
  conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "default1");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "");

  // Whitelist: the later wildcard replaces the single named user.
  conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "whitelist1");
  conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");

  final KMSACLs acls = new KMSACLs(conf);

  final int keyAclCount = acls.keyAcls.size();
  Assert.assertTrue("expected key ACL size is 2 but got " + keyAclCount,
      keyAclCount == 2);
  assertKeyAcl("test_key_1", acls, KeyOpType.DECRYPT_EEK, "decrypt2");
  assertKeyAcl("test_key_2", acls, KeyOpType.ALL, "all1", "all3");
  assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT);
  assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK);

  final AccessControlList whitelist =
      acls.whitelistKeyAcls.get(KeyOpType.DECRYPT_EEK);
  Assert.assertNotNull(whitelist);
  Assert.assertTrue(whitelist.isAllAllowed());
}
 
Example #2
Source File: DeprecatedQueueConfigurationParser.java    From hadoop with Apache License 2.0
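/**
 * Builds a {@link Queue} for every name listed under {@code MAPRED_QUEUE_NAMES_KEY}.
 *
 * A queue whose ACLs or state cannot be read is skipped (and logged), so it
 * simply does not exist for submissions.
 *
 * @param conf configuration holding the queue names, ACLs and states
 * @return the queues that could be initialized; empty when the key is unset
 */
private List<Queue> createQueues(Configuration conf) {
  String[] queueNameValues = conf.getStrings(MAPRED_QUEUE_NAMES_KEY);
  List<Queue> list = new ArrayList<Queue>();
  if (queueNameValues == null) {
    // getStrings() yields null for an unset key; iterating it would NPE.
    return list;
  }
  for (String name : queueNameValues) {
    try {
      Map<String, AccessControlList> acls = getQueueAcls(name, conf);
      QueueState state = getQueueState(name, conf);
      list.add(new Queue(name, acls, state));
    } catch (Throwable t) {
      // Keep the cause in the log so a bad ACL or state setting can be
      // diagnosed instead of silently dropping the queue.
      LOG.warn("Not able to initialize queue " + name, t);
    }
  }
  return list;
}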
 
Example #3
Source File: TestJobAclsManager.java    From big-c with Apache License 2.0
/**
 * With ACL checking enabled and VIEW_JOB granted only to the owner, a
 * different user who is a member of the configured admin group must still
 * be allowed to view the job.
 */
@Test
public void testGroups() {
  Configuration conf = new Configuration();
  String jobOwner = "testuser";
  String user = "testuser2";
  String adminGroup = "adminGroup";
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  // Leading space: the admins value is "<users> <groups>", no users here.
  conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);

  // Not the owner, but in the admin group.
  UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
      user, new String[] {adminGroup});
  boolean allowed = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB,
      jobOwner, jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("user in admin group should have access", allowed);
}
 
Example #4
Source File: JobStatus.java    From big-c with Apache License 2.0
/**
 * Serializes this job status to {@code out}.
 *
 * The field order here is the wire format: {@code readFields(DataInput)}
 * must consume exactly the same sequence, so any new field has to be added
 * at the same position in both methods.
 *
 * @param out destination stream
 * @throws IOException if writing fails
 */
public synchronized void write(DataOutput out) throws IOException {
  jobid.write(out);
  out.writeFloat(setupProgress);
  out.writeFloat(mapProgress);
  out.writeFloat(reduceProgress);
  out.writeFloat(cleanupProgress);
  WritableUtils.writeEnum(out, runState);
  out.writeLong(startTime);
  Text.writeString(out, user);
  WritableUtils.writeEnum(out, priority);
  Text.writeString(out, schedulingInfo);
  out.writeLong(finishTime);
  out.writeBoolean(isRetired);
  Text.writeString(out, historyFile);
  Text.writeString(out, jobName);
  Text.writeString(out, trackingUrl);
  Text.writeString(out, jobFile);
  out.writeBoolean(isUber);

  // Serialize the job's ACLs: a count, then (ACL type, ACL) pairs.
  out.writeInt(jobACLs.size());
  for (Entry<JobACL, AccessControlList> entry : jobACLs.entrySet()) {
    WritableUtils.writeEnum(out, entry.getKey());
    entry.getValue().write(out);
  }
}
 
Example #5
Source File: DeprecatedQueueConfigurationParser.java    From big-c with Apache License 2.0
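/**
 * Builds a {@link Queue} for every name listed under {@code MAPRED_QUEUE_NAMES_KEY}.
 *
 * A queue whose ACLs or state cannot be read is skipped (and logged), so it
 * simply does not exist for submissions.
 *
 * @param conf configuration holding the queue names, ACLs and states
 * @return the queues that could be initialized; empty when the key is unset
 */
private List<Queue> createQueues(Configuration conf) {
  String[] queueNameValues = conf.getStrings(MAPRED_QUEUE_NAMES_KEY);
  List<Queue> list = new ArrayList<Queue>();
  if (queueNameValues == null) {
    // getStrings() yields null for an unset key; iterating it would NPE.
    return list;
  }
  for (String name : queueNameValues) {
    try {
      Map<String, AccessControlList> acls = getQueueAcls(name, conf);
      QueueState state = getQueueState(name, conf);
      list.add(new Queue(name, acls, state));
    } catch (Throwable t) {
      // Keep the cause in the log so a bad ACL or state setting can be
      // diagnosed instead of silently dropping the queue.
      LOG.warn("Not able to initialize queue " + name, t);
    }
  }
  return list;
}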
 
Example #6
Source File: AllocationConfiguration.java    From big-c with Apache License 2.0
/**
 * Creates an empty allocation configuration: no per-queue or per-user
 * limits, no queue ACLs, the default scheduling policy, and a placement
 * policy derived from {@code conf} over an empty set of configured queues.
 *
 * @param conf configuration used to build the queue placement policy
 */
public AllocationConfiguration(Configuration conf) {
  // Per-queue resource and application limits.
  minQueueResources = new HashMap<>();
  maxQueueResources = new HashMap<>();
  queueWeights = new HashMap<>();
  queueMaxApps = new HashMap<>();
  queueMaxAMShares = new HashMap<>();
  queueMaxAppsDefault = Integer.MAX_VALUE;
  queueMaxAMShareDefault = 0.5f;

  // Per-user application limits.
  userMaxApps = new HashMap<>();
  userMaxAppsDefault = Integer.MAX_VALUE;

  // Access control: no queue carries an ACL until one is configured.
  queueAcls = new HashMap<>();

  // Preemption and scheduling policy settings.
  minSharePreemptionTimeouts = new HashMap<>();
  fairSharePreemptionTimeouts = new HashMap<>();
  fairSharePreemptionThresholds = new HashMap<>();
  schedulingPolicies = new HashMap<>();
  defaultSchedulingPolicy = SchedulingPolicy.DEFAULT_POLICY;
  reservableQueues = new HashSet<>();

  // One (initially empty) name set per queue type.
  configuredQueues = new HashMap<>();
  for (FSQueueType queueType : FSQueueType.values()) {
    configuredQueues.put(queueType, new HashSet<String>());
  }
  placementPolicy =
      QueuePlacementPolicy.fromConfiguration(conf, configuredQueues);
}
 
Example #7
Source File: ConfiguredYarnAuthorizer.java    From hadoop with Apache License 2.0
/**
 * Checks whether {@code user} holds {@code accessType} on {@code target}.
 *
 * For queues the lookup walks up the dotted queue name ("a.b.c", then
 * "a.b", then "a"), so a permission granted on an ancestor queue is
 * inherited by its children. Any other entity type is checked only against
 * its own ACL. A missing ACL never grants access.
 *
 * @param accessType the operation being attempted
 * @param target     the queue or other entity being accessed
 * @param user       the caller
 * @return true if an ACL in {@code allAcls} for the entity or, for queues,
 *         one of its ancestors allows the user
 */
@Override
public boolean checkPermission(AccessType accessType,
    PrivilegedEntity target, UserGroupInformation user) {
  PrivilegedEntity entity = target;
  while (true) {
    Map<AccessType, AccessControlList> entityAcls = allAcls.get(entity);
    AccessControlList list =
        entityAcls == null ? null : entityAcls.get(accessType);
    if (list != null && list.isUserAllowed(user)) {
      return true;
    }
    if (entity.getType() != EntityType.QUEUE) {
      return false;
    }
    String queueName = entity.getName();
    int lastDot = queueName.lastIndexOf('.');
    if (lastDot < 0) {
      // Root queue reached without a grant.
      return false;
    }
    // Try the parent queue next.
    entity = new PrivilegedEntity(entity.getType(),
        queueName.substring(0, lastDot));
  }
}
 
Example #8
Source File: TestJobAclsManager.java    From hadoop with Apache License 2.0
/**
 * With ACL checking enabled and VIEW_JOB granted only to the owner, a
 * different user who is a member of the configured admin group must still
 * be allowed to view the job.
 */
@Test
public void testGroups() {
  Configuration conf = new Configuration();
  String jobOwner = "testuser";
  String user = "testuser2";
  String adminGroup = "adminGroup";
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  // Leading space: the admins value is "<users> <groups>", no users here.
  conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);

  // Not the owner, but in the admin group.
  UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
      user, new String[] {adminGroup});
  boolean allowed = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB,
      jobOwner, jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("user in admin group should have access", allowed);
}
 
Example #9
Source File: TestJobAclsManager.java    From hadoop with Apache License 2.0
/**
 * When ACL checking is disabled, a user who is neither the owner nor an
 * admin is still allowed to view the job.
 */
@Test
public void testAclsOff() {
  Configuration conf = new Configuration();
  String jobOwner = "testuser";
  String noAdminUser = "testuser2";
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, false);
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);

  // No groups at all: the caller matches nothing in the ACL.
  UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
      noAdminUser, new String[] {});
  boolean allowed = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB,
      jobOwner, jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("acls off so anyone should have access", allowed);
}
 
Example #10
Source File: AdminACLsManager.java    From hadoop with Apache License 2.0
/**
 * Constructs and initializes this AdminACLsManager.
 *
 * The admin ACL is read from {@link YarnConfiguration#YARN_ADMIN_ACL}
 * (falling back to {@link YarnConfiguration#DEFAULT_YARN_ADMIN_ACL}) and the
 * user running this process is always added to it, so the daemon owner is an
 * administrator whatever the configured list says. Whether ACLs are enforced
 * at all is taken from {@link YarnConfiguration#YARN_ACL_ENABLE}.
 *
 * @param conf configuration for this object to use
 * @throws YarnRuntimeException if the current user cannot be determined
 */
public AdminACLsManager(Configuration conf) {
  final String configuredAdmins = conf.get(
      YarnConfiguration.YARN_ADMIN_ACL,
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL);
  this.adminAcl = new AccessControlList(configuredAdmins);

  try {
    owner = UserGroupInformation.getCurrentUser();
    // The process owner is implicitly an admin.
    adminAcl.addUser(owner.getShortUserName());
  } catch (IOException e) {
    LOG.warn("Could not add current user to admin:" + e);
    throw new YarnRuntimeException(e);
  }

  aclsEnabled = conf.getBoolean(
      YarnConfiguration.YARN_ACL_ENABLE,
      YarnConfiguration.DEFAULT_YARN_ACL_ENABLE);
}
 
Example #11
Source File: WebAppProxy.java    From hadoop with Apache License 2.0
/**
 * Reads the proxy's settings from {@code conf} before the service starts.
 *
 * Derives the security mode from hadoop.security.authentication, the proxy
 * host from the configured proxy host:port, the bind address and port from
 * {@link YarnConfiguration#PROXY_ADDRESS}, and an admin ACL from
 * {@link YarnConfiguration#YARN_ADMIN_ACL}, then delegates to the superclass.
 *
 * @param conf the service configuration
 * @throws YarnRuntimeException if PROXY_ADDRESS is not set
 * @throws Exception propagated from the superclass init
 */
@Override
protected void serviceInit(Configuration conf) throws Exception {
  String auth =  conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION);
  if (auth == null || "simple".equals(auth)) {
    isSecurityEnabled = false;
  } else if ("kerberos".equals(auth)) {
    isSecurityEnabled = true;
  } else {
    // NOTE(review): an unrecognized value (the comparison is case-sensitive)
    // is only logged; isSecurityEnabled keeps whatever value it already had
    // (its field default is not visible here) and the proxy still starts.
    // Operators should treat this warning as a misconfiguration.
    LOG.warn("Unrecongized attribute value for " +
        CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION +
        " of " + auth);
  }
  // Only the host part of the proxy host:port is kept.
  String proxy = WebAppUtils.getProxyHostAndPort(conf);
  String[] proxyParts = proxy.split(":");
  proxyHost = proxyParts[0];

  fetcher = new AppReportFetcher(conf);
  bindAddress = conf.get(YarnConfiguration.PROXY_ADDRESS);
  if(bindAddress == null || bindAddress.isEmpty()) {
    throw new YarnRuntimeException(YarnConfiguration.PROXY_ADDRESS + 
        " is not set so the proxy will not run.");
  }
  LOG.info("Instantiating Proxy at " + bindAddress);
  // "host:port" is split; without a port suffix the port stays 0.
  // NOTE(review): a non-numeric port propagates NumberFormatException.
  String[] parts = StringUtils.split(bindAddress, ':');
  port = 0;
  if (parts.length == 2) {
    bindAddress = parts[0];
    port = Integer.parseInt(parts[1]);
  }
  // Admin ACL from YARN_ADMIN_ACL, or the YARN default when unset; how it
  // is enforced is outside this method.
  acl = new AccessControlList(conf.get(YarnConfiguration.YARN_ADMIN_ACL, 
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
  super.serviceInit(conf);
}
 
Example #12
Source File: InfoServer.java    From hbase with Apache License 2.0
/**
 * Create a status server on the given port.
 * The jsp scripts are taken from src/hbase-webapps/<code>name</code>.
 * <p>
 * TLS material is taken from the {@code ssl.server.*} keys when the HTTP
 * config is secure. SPNEGO authentication, and with it the admin ACL on the
 * sensitive endpoints, is only configured when the UI authentication key is
 * set to "kerberos"; otherwise no ACL is applied to the builder here.
 *
 * @param name The name of the server
 * @param bindAddress address to bind to
 * @param port The port to use on the server
 * @param findPort whether the server should start at the given port and increment by 1 until it
 *                 finds a free port.
 * @param c the {@link Configuration} to build the server
 * @throws IOException if getting one of the password fails or the server cannot be created
 */
public InfoServer(String name, String bindAddress, int port, boolean findPort,
    final Configuration c) throws IOException {
  HttpConfig httpConfig = new HttpConfig(c);
  HttpServer.Builder builder =
    new org.apache.hadoop.hbase.http.HttpServer.Builder();

  // Scheme (http/https) comes from httpConfig; host and port from the arguments.
  builder.setName(name).addEndpoint(URI.create(httpConfig.getSchemePrefix() +
    bindAddress + ":" +
    port)).setAppDir(HBASE_APP_DIR).setFindPort(findPort).setConf(c);
  String logDir = System.getProperty("hbase.log.dir");
  if (logDir != null) {
    builder.setLogDir(logDir);
  }
  if (httpConfig.isSecure()) {
    // Passwords are resolved through HBaseConfiguration.getPassword so they
    // need not be stored in clear text in the configuration; null default.
    builder.keyPassword(HBaseConfiguration
            .getPassword(c, "ssl.server.keystore.keypassword", null))
      .keyStore(c.get("ssl.server.keystore.location"),
              HBaseConfiguration.getPassword(c,"ssl.server.keystore.password", null),
              c.get("ssl.server.keystore.type", "jks"))
      .trustStore(c.get("ssl.server.truststore.location"),
              HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null),
              c.get("ssl.server.truststore.type", "jks"));
  }
  // Enable SPNEGO authentication (case-insensitive match on "kerberos")
  if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null))) {
    builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY)
      .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY)
      .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY)
      .setSignatureSecretFileKey(
          HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY)
      .setSecurityEnabled(true);

    // Set an admin ACL on sensitive webUI endpoints. Note this only happens
    // inside the kerberos branch: with UI authentication off there is no
    // authenticated user to check an ACL against.
    AccessControlList acl = buildAdminAcl(c);
    builder.setACL(acl);
  }
  this.httpServer = builder.build();
}
 
Example #13
Source File: ApplicationACLsManager.java    From big-c with Apache License 2.0
/**
 * Registers the ACLs of a newly submitted application.
 *
 * Each ACL string in {@code acls} is parsed into an {@link AccessControlList}
 * and the resulting map is stored under {@code appId}, replacing any
 * previous entry for that id.
 *
 * @param appId the application being registered
 * @param acls  access type to ACL string, as submitted with the application
 */
public void addApplication(ApplicationId appId,
    Map<ApplicationAccessType, String> acls) {
  Map<ApplicationAccessType, AccessControlList> parsed =
      new HashMap<ApplicationAccessType, AccessControlList>(acls.size());
  for (ApplicationAccessType accessType : acls.keySet()) {
    parsed.put(accessType, new AccessControlList(acls.get(accessType)));
  }
  this.applicationACLS.put(appId, parsed);
}
 
Example #14
Source File: RangerYarnAuthorizer.java    From ranger with Apache License 2.0
/**
 * Evaluates the native YARN ACLs for {@code entity}.
 *
 * Access is granted when any entry of {@code yarnAcl} is the entity itself
 * or one of its ancestors (per {@code isSelfOrChildOf}) and its ACL for
 * {@code accessType} allows {@code ugi}. Entries with no permission map or
 * no ACL for the access type are skipped, so nothing configured means denied.
 *
 * @param accessType   the operation being attempted
 * @param entity       the queue or other entity being accessed
 * @param ugi          the caller
 * @param auditHandler receives the outcome when non-null
 * @return true if a matching YARN ACL allows the caller
 */
public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
	}

	boolean ret = false;

	for(Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> aclEntry : yarnAcl.entrySet()) {
		Map<AccessType, AccessControlList> permissions = aclEntry.getValue();
		if(permissions == null) {
			continue;
		}

		AccessControlList acl = permissions.get(accessType);
		if(acl == null || !acl.isUserAllowed(ugi)) {
			continue;
		}

		// The ACL allows the user; it applies only if it belongs to this
		// entity or an ancestor of it.
		if(isSelfOrChildOf(entity, aclEntry.getKey())) {
			ret = true;
			break;
		}
	}

	if(auditHandler != null) {
		auditHandler.logYarnAclEvent(ret);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret);
	}

	return ret;
}
 
Example #15
Source File: KMSACLs.java    From hadoop with Apache License 2.0
/**
 * Checks a single per-key ACL map for the given operation.
 *
 * @param keyAcl operation to ACL for one key
 * @param ugi    the caller
 * @param opType the key operation being attempted
 * @return true only if an ACL exists for {@code opType} and allows the user;
 *         an absent ACL denies access
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  AccessControlList acl = keyAcl.get(opType);
  // Deny by default: no ACL configured for this operation means no access.
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example #16
Source File: QueueACLsTestBase.java    From big-c with Apache License 2.0
/**
 * Starts a MockRM for the queue-ACL tests and waits for it to leave INITED.
 *
 * The admin ACL is set to the empty string, so no user is a cluster admin
 * and the queue ACLs under test are the only thing granting access. Secure
 * login is stubbed out. The RM is started on a background thread that is
 * never joined; the method polls the service state up to 60 times, 1.5 s
 * apart, before giving up.
 *
 * @throws InterruptedException if the polling sleep is interrupted
 * @throws IOException if the RM does not reach STARTED
 */
@Before
public void setup() throws InterruptedException, IOException {
  conf = createConfiguration();
  rpc = YarnRPC.create(conf);
  rmAddress = conf.getSocketAddr(
    YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS,
    YarnConfiguration.DEFAULT_RM_PORT);
  
  // Empty admin ACL: nobody is an admin, only queue ACLs matter.
  AccessControlList adminACL = new AccessControlList("");
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACL.getAclString());

  resourceManager = new MockRM(conf) {
    protected ClientRMService createClientRMService() {
      return new ClientRMService(getRMContext(), this.scheduler,
        this.rmAppManager, this.applicationACLsManager,
        this.queueACLsManager, getRMContext().getRMDelegationTokenSecretManager());
    };

    // No Kerberos login in tests.
    @Override
    protected void doSecureLogin() throws IOException {
    }
  };
  // Started asynchronously; the polling loop below waits for it.
  new Thread() {
    public void run() {
      resourceManager.start();
    };
  }.start();
  int waitCount = 0;
  while (resourceManager.getServiceState() == STATE.INITED
      && waitCount++ < 60) {
    LOG.info("Waiting for RM to start...");
    Thread.sleep(1500);
  }
  if (resourceManager.getServiceState() != STATE.STARTED) {
    // RM could have failed.
    throw new IOException("ResourceManager failed to start. Final state is "
        + resourceManager.getServiceState());
  }
}
 
Example #17
Source File: TestApplicationACLs.java    From hadoop with Apache License 2.0
/**
 * Submits an app whose view ACL names only {@code FRIENDLY_GROUP} and whose
 * modify ACL names only {@code FRIEND}, then checks that the super user can
 * nevertheless view it, list it and kill it.
 *
 * @throws Exception from the RM client calls
 */
private void verifySuperUserAccess() throws Exception {
  AccessControlList viewAcl = new AccessControlList("");
  viewAcl.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyAcl = new AccessControlList("");
  modifyAcl.addUser(FRIEND);
  ApplicationId appId = submitAppAndGetAppId(viewAcl, modifyAcl);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol superUserClient = getRMClientForUser(SUPER_USER);

  // View as the superUser
  superUserClient.getApplicationReport(reportRequest);

  // List apps as superUser
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  int visibleApps =
      superUserClient.getApplications(listRequest).getApplicationList().size();
  Assert.assertEquals("App view by super-user should list the apps!!", 2,
      visibleApps);

  // Kill app as the superUser
  superUserClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
 
Example #18
Source File: TestApplicationACLs.java    From hadoop with Apache License 2.0
/**
 * Submits an app whose view ACL names only {@code FRIENDLY_GROUP} and whose
 * modify ACL names only {@code FRIEND}, then checks that {@code FRIEND} can
 * view it, list it and kill it.
 *
 * @throws Exception from the RM client calls
 */
private void verifyFriendAccess() throws Exception {
  AccessControlList viewAcl = new AccessControlList("");
  viewAcl.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyAcl = new AccessControlList("");
  modifyAcl.addUser(FRIEND);
  ApplicationId appId = submitAppAndGetAppId(viewAcl, modifyAcl);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);

  // View as the friend
  friendClient.getApplicationReport(reportRequest);

  // List apps as friend
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  int visibleApps =
      friendClient.getApplications(listRequest).getApplicationList().size();
  Assert.assertEquals("App view by a friend should list the apps!!", 3,
      visibleApps);

  // Kill app as the friend
  friendClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
 
Example #19
Source File: RangerYarnAuthorizer.java    From ranger with Apache License 2.0
/**
 * Records the YARN admin ACL handed over by the resource manager.
 *
 * @param acl the admin ACL; stored as-is in {@code admins}
 * @param ugi the caller; only logged, not used for the update
 */
@Override
public void setAdmins(AccessControlList acl, UserGroupInformation ugi) {
	if(LOG.isDebugEnabled()) {
		LOG.debug(String.format("==> RangerYarnAuthorizer.setAdmins(%s, %s)", acl, ugi));
	}

	admins = acl;

	if(LOG.isDebugEnabled()) {
		LOG.debug(String.format("<== RangerYarnAuthorizer.setAdmins(%s, %s)", acl, ugi));
	}
}
 
Example #20
Source File: TimelineACLsManager.java    From hadoop with Apache License 2.0
/**
 * Builds the view/modify ACLs for a timeline domain and caches them by
 * domain id.
 *
 * The domain's readers become the VIEW_APP list and its writers the
 * MODIFY_APP list; the owner is carried alongside in the returned
 * {@link AccessControlListExt}. An existing cache entry for the same id is
 * replaced.
 *
 * @param domain the domain whose readers, writers and owner are cached
 * @return the entry that was stored under {@code domain.getId()}
 */
private AccessControlListExt putDomainIntoCache(
    TimelineDomain domain) {
  AccessControlList viewAcl =
      new AccessControlList(StringHelper.cjoin(domain.getReaders()));
  AccessControlList modifyAcl =
      new AccessControlList(StringHelper.cjoin(domain.getWriters()));

  Map<ApplicationAccessType, AccessControlList> acls =
      new HashMap<ApplicationAccessType, AccessControlList>(2);
  acls.put(ApplicationAccessType.VIEW_APP, viewAcl);
  acls.put(ApplicationAccessType.MODIFY_APP, modifyAcl);

  AccessControlListExt entry =
      new AccessControlListExt(domain.getOwner(), acls);
  aclExts.put(domain.getId(), entry);
  return entry;
}
 
Example #21
Source File: JobStatus.java    From big-c with Apache License 2.0
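/**
 * Restores this job status from {@code in}.
 *
 * Fields are read in exactly the order {@code write(DataOutput)} emits them.
 * The ACL map is cleared before the serialized ACLs are read, so an instance
 * reused across reads does not retain stale entries from an earlier status.
 *
 * @param in source stream
 * @throws IOException on a read failure or a negative ACL count
 */
public synchronized void readFields(DataInput in) throws IOException {
  this.jobid = new JobID();
  this.jobid.readFields(in);
  this.setupProgress = in.readFloat();
  this.mapProgress = in.readFloat();
  this.reduceProgress = in.readFloat();
  this.cleanupProgress = in.readFloat();
  this.runState = WritableUtils.readEnum(in, State.class);
  this.startTime = in.readLong();
  this.user = StringInterner.weakIntern(Text.readString(in));
  this.priority = WritableUtils.readEnum(in, JobPriority.class);
  this.schedulingInfo = StringInterner.weakIntern(Text.readString(in));
  this.finishTime = in.readLong();
  this.isRetired = in.readBoolean();
  this.historyFile = StringInterner.weakIntern(Text.readString(in));
  this.jobName = StringInterner.weakIntern(Text.readString(in));
  this.trackingUrl = StringInterner.weakIntern(Text.readString(in));
  this.jobFile = StringInterner.weakIntern(Text.readString(in));
  this.isUber = in.readBoolean();

  // De-serialize the job's ACLs: a count, then (ACL type, ACL) pairs.
  int numACLs = in.readInt();
  if (numACLs < 0) {
    // A negative count cannot come from write(); treat as corrupt input
    // rather than silently leaving the previous ACLs in place.
    throw new IOException("Invalid job ACL count: " + numACLs);
  }
  // Replace, never merge with, whatever ACLs this instance held before.
  this.jobACLs.clear();
  for (int i = 0; i < numACLs; i++) {
    JobACL aclType = WritableUtils.readEnum(in, JobACL.class);
    AccessControlList acl = new AccessControlList(" ");
    acl.readFields(in);
    this.jobACLs.put(aclType, acl);
  }
}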
 
Example #22
Source File: TestHsWebServicesAcls.java    From hadoop with Apache License 2.0
/**
 * Test double for a job whose only ACL is VIEW_JOB, granted to
 * {@code FRIENDLY_USER}; no MODIFY_JOB entry is configured.
 *
 * @param mockJob the job being wrapped
 * @param conf    configuration handed to the {@link JobACLsManager}
 */
public MockJobForAcls(Job mockJob, Configuration conf) {
  this.mockJob = mockJob;
  this.conf = conf;
  this.aclsMgr = new JobACLsManager(conf);
  this.jobAcls = new HashMap<JobACL, AccessControlList>();
  this.jobAcls.put(JobACL.VIEW_JOB, new AccessControlList(FRIENDLY_USER));
}
 
Example #23
Source File: DeprecatedQueueConfigurationParser.java    From hadoop with Apache License 2.0
/**
 * Parse ACLs for the queue from the configuration.
 *
 * One entry is produced per {@link QueueACL}, keyed by the full property
 * name. A queue ACL that is not configured defaults to {@code "*"}, i.e.
 * every user is allowed for that operation until an explicit list is set.
 *
 * @param name queue name
 * @param conf configuration to read the ACL properties from
 * @return map from full ACL property name to its parsed ACL
 */
private Map<String, AccessControlList> getQueueAcls(
  String name,
  Configuration conf) {
  Map<String, AccessControlList> queueAcls =
    new HashMap<String, AccessControlList>();
  for (QueueACL queueAcl : QueueACL.values()) {
    String propertyName = toFullPropertyName(name, queueAcl.getAclName());
    // Unset means wildcard (everyone).
    String aclValue = conf.get(propertyName, "*");
    queueAcls.put(propertyName, new AccessControlList(aclValue));
  }
  return queueAcls;
}
 
Example #24
Source File: TestApplicationACLs.java    From big-c with Apache License 2.0
/**
 * Submits an app whose view ACL names only {@code FRIENDLY_GROUP} and whose
 * modify ACL names only {@code FRIEND}, then checks that a queue
 * administrator ({@code QUEUE_ADMIN_USER}) can view it, list it and kill it.
 * {@code isQueueUser} is switched on for the duration of the test.
 *
 * @throws Exception from the RM client calls
 */
private void verifyAdministerQueueUserAccess() throws Exception {
  isQueueUser = true;
  AccessControlList viewAcl = new AccessControlList("");
  viewAcl.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyAcl = new AccessControlList("");
  modifyAcl.addUser(FRIEND);
  ApplicationId appId = submitAppAndGetAppId(viewAcl, modifyAcl);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol queueAdminClient =
      getRMClientForUser(QUEUE_ADMIN_USER);

  // View as the queue admin
  queueAdminClient.getApplicationReport(reportRequest);

  // List apps as the queue admin
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  int visibleApps =
      queueAdminClient.getApplications(listRequest).getApplicationList().size();
  Assert.assertEquals("App view by queue-admin-user should list the apps!!",
      5, visibleApps);

  // Kill app as the queue admin
  queueAdminClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
 
Example #25
Source File: KMSACLs.java    From big-c with Apache License 2.0
/**
 * Checks whether the user may perform a KMS operation.
 *
 * The user must be allowed by the operation's ACL and, if a blacklist is
 * configured for that operation, must not appear in it. The blacklist is
 * only consulted once the ACL has allowed the user.
 *
 * @param type KMS Operation
 * @param ugi UserGroupInformation of user
 * @return true if the user has access
 */
public boolean hasAccess(Type type, UserGroupInformation ugi) {
  AccessControlList allowList = acls.get(type);
  if (!allowList.isUserAllowed(ugi)) {
    return false;
  }
  // Allowed by the ACL; a blacklist for this operation can still veto.
  AccessControlList blacklist = blacklistedAcls.get(type);
  return blacklist == null || !blacklist.isUserInList(ugi);
}
 
Example #26
Source File: QueueManager.java    From big-c with Apache License 2.0
/**
 * Return true if the given user is part of the ACL for the given
 * {@link QueueACL} name for the given queue.
 * <p>
 * The queue must exist and be a leaf queue. When ACLs are disabled every
 * caller is allowed; otherwise the operation is allowed if all users are
 * granted access for it, or if the user or any of the user's groups is
 * listed. A queue with no ACL configured for the operation denies it.
 *
 * @param queueName Queue on which the operation needs to be performed.
 * @param qACL      The queue ACL name to be checked
 * @param ugi       The user and groups who wish to perform the operation.
 * @return true     if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(
  String queueName, QueueACL qACL, UserGroupInformation ugi) {

  Queue queue = leafQueues.get(queueName);
  if (queue == null) {
    LOG.info("Queue " + queueName + " is not present");
    return false;
  }

  // Only leaf queues accept submissions.
  if (queue.getChildren() != null && !queue.getChildren().isEmpty()) {
    LOG.info("Cannot submit job to parent queue " + queue.getName());
    return false;
  }

  // ACLs switched off: an existing leaf queue is open to everyone.
  if (!areAclsEnabled()) {
    return true;
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking access for the acl " + toFullPropertyName(queueName,
      qACL.getAclName()) + " for user " + ugi.getShortUserName());
  }

  AccessControlList acl = queue.getAcls().get(
      toFullPropertyName(queueName, qACL.getAclName()));
  // No ACL for this operation means denied; otherwise ask the ACL.
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example #27
Source File: InfoServer.java    From hbase with Apache License 2.0
/**
 * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI
 * which are meant only for administrators.
 * <p>
 * Users come from {@code HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY} and
 * groups from {@code HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY}. When
 * neither key is set the ACL is the wildcard, i.e. every authenticated user
 * is treated as an administrator.
 *
 * @param conf configuration holding the admin users/groups keys
 * @return the admin ACL, wildcard if nothing is configured
 */
AccessControlList buildAdminAcl(Configuration conf) {
  final String adminUsers =
      conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
  final String adminGroups =
      conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null);
  if (adminUsers != null || adminGroups != null) {
    return new AccessControlList(adminUsers, adminGroups);
  }
  // Backwards compatibility - with neither key set, allow all users in.
  return new AccessControlList("*", null);
}
 
Example #28
Source File: JobSubmittedEvent.java    From hadoop with Apache License 2.0
/**
 * Create an event to record job submission.
 * <p>
 * Required fields are always written to {@code datum}; the job ACLs are
 * flattened to their string form keyed by ACL name; the optional queue and
 * workflow fields are only written when non-null.
 *
 * @param id The job Id of the job
 * @param jobName Name of the job
 * @param userName Name of the user who submitted the job
 * @param submitTime Time of submission
 * @param jobConfPath Path of the Job Configuration file
 * @param jobACLs The configured acls for the job.
 * @param jobQueueName The job-queue to which this job was submitted to
 * @param workflowId The Id of the workflow
 * @param workflowName The name of the workflow
 * @param workflowNodeName The node name of the workflow
 * @param workflowAdjacencies The adjacencies of the workflow
 * @param workflowTags Comma-separated tags for the workflow
 */
public JobSubmittedEvent(JobID id, String jobName, String userName,
    long submitTime, String jobConfPath,
    Map<JobACL, AccessControlList> jobACLs, String jobQueueName,
    String workflowId, String workflowName, String workflowNodeName,
    String workflowAdjacencies, String workflowTags) {
  // Mandatory fields.
  datum.jobid = new Utf8(id.toString());
  datum.jobName = new Utf8(jobName);
  datum.userName = new Utf8(userName);
  datum.submitTime = submitTime;
  datum.jobConfPath = new Utf8(jobConfPath);

  // ACLs are recorded as name -> ACL string pairs.
  Map<CharSequence, CharSequence> aclStrings =
      new HashMap<CharSequence, CharSequence>();
  for (Entry<JobACL, AccessControlList> aclEntry : jobACLs.entrySet()) {
    Utf8 aclName = new Utf8(aclEntry.getKey().getAclName());
    Utf8 aclValue = new Utf8(aclEntry.getValue().getAclString());
    aclStrings.put(aclName, aclValue);
  }
  datum.acls = aclStrings;

  // Optional fields: leave datum untouched when the argument is null.
  if (jobQueueName != null) {
    datum.jobQueueName = new Utf8(jobQueueName);
  }
  if (workflowId != null) {
    datum.workflowId = new Utf8(workflowId);
  }
  if (workflowName != null) {
    datum.workflowName = new Utf8(workflowName);
  }
  if (workflowNodeName != null) {
    datum.workflowNodeName = new Utf8(workflowNodeName);
  }
  if (workflowAdjacencies != null) {
    datum.workflowAdjacencies = new Utf8(workflowAdjacencies);
  }
  if (workflowTags != null) {
    datum.workflowTags = new Utf8(workflowTags);
  }
}
 
Example #29
Source File: TestApplicationACLs.java    From big-c with Apache License 2.0
/**
 * Submits a minimal application carrying the given view/modify ACLs and
 * waits until the RM has accepted it.
 *
 * @param viewACL   ACL stored as VIEW_APP on the AM container spec
 * @param modifyACL ACL stored as MODIFY_APP on the AM container spec
 * @return the id of the accepted application
 * @throws Exception from the RM client calls
 */
@SuppressWarnings("deprecation")
private ApplicationId submitAppAndGetAppId(AccessControlList viewACL,
    AccessControlList modifyACL) throws Exception {
  ApplicationId appId = rmClient.getNewApplication(
      recordFactory.newRecordInstance(GetNewApplicationRequest.class))
      .getApplicationId();

  // ACLs travel as strings inside the container launch context.
  Map<ApplicationAccessType, String> aclStrings =
      new HashMap<ApplicationAccessType, String>();
  aclStrings.put(ApplicationAccessType.VIEW_APP, viewACL.getAclString());
  aclStrings.put(ApplicationAccessType.MODIFY_APP, modifyACL.getAclString());

  ContainerLaunchContext amContainer =
      recordFactory.newRecordInstance(ContainerLaunchContext.class);
  amContainer.setApplicationACLs(aclStrings);

  ApplicationSubmissionContext context =
      recordFactory.newRecordInstance(ApplicationSubmissionContext.class);
  context.setApplicationId(appId);
  context.setResource(BuilderUtils.newResource(1024, 1));
  context.setAMContainerSpec(amContainer);

  SubmitApplicationRequest submitRequest =
      recordFactory.newRecordInstance(SubmitApplicationRequest.class);
  submitRequest.setApplicationSubmissionContext(context);
  rmClient.submitApplication(submitRequest);
  resourceManager.waitForState(appId, RMAppState.ACCEPTED);
  return appId;
}
 
Example #30
Source File: TestJobAclsManager.java    From hadoop with Apache License 2.0
/**
 * With ACL checking enabled, an empty VIEW_JOB ACL and no cluster admins
 * configured, an unrelated user can neither view nor modify the job while
 * the job owner can do both.
 */
@Test
public void testClusterNoAdmins() {
  Configuration conf = new Configuration();
  String jobOwner = "testuser";
  String noAdminUser = "testuser2";
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  conf.set(JobACL.VIEW_JOB.getAclName(), "");

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs =
      aclsManager.constructJobACLs(conf);
  final AccessControlList viewAcl = jobACLs.get(JobACL.VIEW_JOB);
  final AccessControlList modifyAcl = jobACLs.get(JobACL.MODIFY_JOB);

  // Random user: no groups, not the owner, no admins configured.
  UserGroupInformation randomUser =
      UserGroupInformation.createUserForTesting(noAdminUser, new String[] {});
  assertFalse("random user should not have view access",
      aclsManager.checkAccess(randomUser, JobACL.VIEW_JOB, jobOwner, viewAcl));
  assertFalse("random user should not have modify access",
      aclsManager.checkAccess(randomUser, JobACL.MODIFY_JOB, jobOwner, modifyAcl));

  // Owner: always allowed on their own job.
  UserGroupInformation ownerUser =
      UserGroupInformation.createUserForTesting(jobOwner, new String[] {});
  assertTrue("owner should have view access",
      aclsManager.checkAccess(ownerUser, JobACL.VIEW_JOB, jobOwner, viewAcl));
  assertTrue("owner should have modify access",
      aclsManager.checkAccess(ownerUser, JobACL.MODIFY_JOB, jobOwner, modifyAcl));
}