
Example 1 with ACLType

use of org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType in project ozone by apache.

the class OzoneAclUtil method checkAclRights.

/**
 * Returns whether the right requested in {@code context} is granted by at
 * least one entry of {@code acls}.
 * Acl validation rules (as stated by the original author of this helper):
 * 1. If the user/group has the ALL bit set then the user/group has all rights.
 * 2. If the user/group has the NONE bit set then the user/group has no rights.
 * 3. For every other right the corresponding individual bit must be set.
 * The per-entry decision is delegated to {@code checkAccessInAcl}; an empty
 * list therefore grants nothing (fail closed).
 *
 * @param acls acl entries to search
 * @param context request context carrying the client UGI and the right to check
 * @return true if some entry of {@code acls} grants the requested right
 * @throws OMException propagated from the per-entry check
 */
public static boolean checkAclRights(List<OzoneAcl> acls, RequestContext context) throws OMException {
    final String[] groups = context.getClientUgi().getGroupNames();
    final String user = context.getClientUgi().getUserName();
    final ACLType requested = context.getAclRights();
    boolean granted = false;
    for (OzoneAcl entry : acls) {
        // Stop at the first entry that grants the right; later entries are irrelevant.
        granted = checkAccessInAcl(entry, groups, user, requested);
        if (granted) {
            break;
        }
    }
    return granted;
}

Example 2 with ACLType

use of org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType in project ozone by apache.

the class TestOzoneNativeAuthorizer method validateAll.

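/**
 * Helper to verify access when the user/group ACL has the ALL bit set.
 * Every individual right (all {@link ACLType} values except ALL and NONE) is
 * expected to be granted, so each one is requested explicitly through
 * {@code builder.setAclRights(a)}. This mirrors validateNone and
 * resetAclsAndValidateAccess, which build one request context per right.
 * Ozone admins are always expected to pass regardless of expectedAclResult.
 *
 * @param obj the object whose ACLs were reset to ALL
 * @param builder request-context builder pre-populated with the client UGI
 *   and identity type by the caller
 * @throws OMException propagated from the authorizer
 */
private void validateAll(OzoneObj obj, RequestContext.Builder builder) throws OMException {
    List<ACLType> allAcls = new ArrayList<>(Arrays.asList(ACLType.values()));
    allAcls.remove(ALL);
    allAcls.remove(NONE);
    // Admin membership is decided by user name alone, independent of the right requested.
    String user = builder.build().getClientUgi().getUserName();
    boolean expectedResult = expectedAclResult || nativeAuthorizer.getOzoneAdmins().contains(user);
    for (ACLType a : allAcls) {
        // Fix: the previous version reused a single context that never had the
        // right under test set, so every iteration checked the same request and
        // the loop variable was unused.
        assertEquals("User should have right " + a + ".", expectedResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a).build()));
    }
}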

Example 3 with ACLType

use of org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType in project ozone by apache.

the class TestOzoneNativeAuthorizer method resetAclsAndValidateAccess.

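/**
 * Resets the ACLs of {@code obj} to a single right and checks that the
 * user/group identified by {@code accessType} gets exactly that right, then
 * adds the remaining rights one at a time and re-checks after each addition.
 * ALL and NONE are delegated to validateAll / validateNone. CREATE and WRITE
 * are excluded from parts of the check for the reasons given inline.
 *
 * @param obj the volume, bucket or other object under test
 * @param accessType identity type (user/group/...) the ACL entries are created for
 * @param aclImplementor protocol used to set, add and fetch ACLs on {@code obj}
 *   (volumes and buckets are updated through the local helpers instead)
 * @throws IOException propagated from the ACL operations and access checks
 */
private void resetAclsAndValidateAccess(OzoneObj obj, ACLIdentityType accessType, OzoneManagerProtocol aclImplementor) throws IOException {
    List<OzoneAcl> acls;
    String user = testUgi.getUserName();
    String group = (testUgi.getGroups().size() > 0) ? testUgi.getGroups().get(0) : "";
    RequestContext.Builder builder = new RequestContext.Builder().setClientUgi(testUgi).setAclType(accessType);
    // Get all acls.
    List<ACLType> allAcls = Arrays.stream(ACLType.values()).collect(Collectors.toList());
    /*
     * 1. Reset default acls to an acl.
     * 2. Test if user/group has access only to it.
     * 3. Add remaining acls one by one and then test
     *    if user/group has access to them.
     */
    for (ACLType a1 : allAcls) {
        OzoneAcl newAcl = new OzoneAcl(accessType, getAclName(accessType), a1, ACCESS);
        // Reset acls to only one right.
        if (obj.getResourceType() == VOLUME) {
            setVolumeAcl(Collections.singletonList(newAcl));
        } else if (obj.getResourceType() == BUCKET) {
            setBucketAcl(Collections.singletonList(newAcl));
        } else {
            aclImplementor.setAcl(obj, Collections.singletonList(newAcl));
        }
        // Fetch current acls and validate: exactly the one entry we just set.
        acls = aclImplementor.getAcl(obj);
        assertEquals(1, acls.size());
        assertTrue(acls.contains(newAcl));
        // Special handling for ALL.
        if (a1.equals(ALL)) {
            validateAll(obj, builder);
            continue;
        }
        // Special handling for NONE.
        if (a1.equals(NONE)) {
            validateNone(obj, builder);
            continue;
        }
        String msg = "Acl to check:" + a1 + " accessType:" + accessType + " path:" + obj.getPath();
        // CREATE on a volume is only granted to Ozone admins.
        if (a1.equals(CREATE) && obj.getResourceType().equals(VOLUME)) {
            assertEquals(msg, nativeAuthorizer.getOzoneAdmins().contains(user), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
        } else {
            assertEquals(msg, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
        }
        List<ACLType> aclsToBeValidated = Arrays.stream(ACLType.values()).collect(Collectors.toList());
        List<ACLType> aclsToBeAdded = Arrays.stream(ACLType.values()).collect(Collectors.toList());
        aclsToBeValidated.remove(NONE);
        // Do not validate "WRITE" since write acl type requires object to be
        // present in OpenKeyTable.
        aclsToBeValidated.remove(WRITE);
        aclsToBeValidated.remove(a1);
        aclsToBeAdded.remove(NONE);
        aclsToBeAdded.remove(ALL);
        // AclType "CREATE" is skipped from access check on objects
        // since the object will not exist during access check.
        aclsToBeAdded.remove(CREATE);
        // AclType "WRITE" is removed from being tested here,
        // because object must always be present in OpenKeyTable for write
        // acl requests. But, here the objects are already committed
        // and will move to keyTable.
        aclsToBeAdded.remove(WRITE);
        // Fetch acls again.
        for (ACLType a2 : aclsToBeAdded) {
            if (!a2.equals(a1)) {
                acls = aclImplementor.getAcl(obj);
                // Only used in the failure message below; the wildcard replaces the former raw List.
                List<?> right = acls.stream().map(OzoneAcl::getAclList).collect(Collectors.toList());
                assertFalse("Did not expect client to have " + a2 + " acl. " + "Current acls found:" + right + ". Type:" + accessType + "," + " name:" + (accessType == USER ? user : group), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
                // Randomize next type.
                // NOTE(review): nextInt(0, 3) only ever yields indices 0..2, so if
                // ACLIdentityType has more than three values the rest are never
                // exercised here; the random choice also makes a failure
                // non-reproducible without the seed — confirm whether intended.
                int type = RandomUtils.nextInt(0, 3);
                ACLIdentityType identityType = ACLIdentityType.values()[type];
                // Add remaining acls one by one and then check access.
                OzoneAcl addAcl = new OzoneAcl(identityType, getAclName(identityType), a2, ACCESS);
                // only DB not cache.
                if (obj.getResourceType() == VOLUME) {
                    addVolumeAcl(addAcl);
                } else if (obj.getResourceType() == BUCKET) {
                    addBucketAcl(addAcl);
                } else {
                    aclImplementor.addAcl(obj, addAcl);
                }
                // Fetch acls again.
                acls = aclImplementor.getAcl(obj);
                boolean a2AclFound = false;
                boolean a1AclFound = false;
                for (OzoneAcl acl : acls) {
                    if (acl.getAclList().contains(a2)) {
                        a2AclFound = true;
                    }
                    if (acl.getAclList().contains(a1)) {
                        a1AclFound = true;
                    }
                }
                assertTrue("Current acls :" + acls + ". " + "Type:" + accessType + ", name:" + (accessType == USER ? user : group) + " acl:" + a2, a2AclFound);
                assertTrue("Expected client to have " + a1 + " acl. Current acls " + "found:" + acls + ". Type:" + accessType + ", name:" + (accessType == USER ? user : group), a1AclFound);
                assertEquals("Current acls " + acls + ". Expect acl:" + a2 + " to be set? " + expectedAclResult + " accessType:" + accessType, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
                aclsToBeValidated.remove(a2);
                // Rights neither set initially (a1) nor just added (a2) must still be denied.
                for (ACLType a3 : aclsToBeValidated) {
                    if (!a3.equals(a1) && !a3.equals(a2) && !a3.equals(CREATE)) {
                        assertFalse("User shouldn't have right " + a3 + ". " + "Current acl rights for user:" + a1 + "," + a2, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a3).build()));
                    }
                }
            }
        }
    }
}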

Example 4 with ACLType

use of org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType in project ozone by apache.

the class TestOzoneNativeAuthorizer method validateNone.

/**
 * Helper to verify access when the user/group ACL has the NONE bit set:
 * every right that is checked here must be denied.
 * NONE itself is not a right to request; CREATE and WRITE are excluded
 * because they need special handling in this test.
 *
 * @param obj the object whose ACLs were reset to NONE
 * @param builder request-context builder pre-populated by the caller
 * @throws OMException propagated from the authorizer
 */
private void validateNone(OzoneObj obj, RequestContext.Builder builder) throws OMException {
    List<ACLType> rightsToDeny = new ArrayList<>(Arrays.asList(ACLType.values()));
    rightsToDeny.removeAll(Arrays.asList(NONE, CREATE, WRITE));
    for (ACLType right : rightsToDeny) {
        RequestContext ctx = builder.setAclRights(right).build();
        assertFalse("User shouldn't have right " + right + ".", nativeAuthorizer.checkAccess(obj, ctx));
    }
}

Example 5 with ACLType

use of org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType in project ozone by apache.

the class OzoneManager method resolveBucketLink.

/**
 * Resolves bucket symlinks. Read permission on every link bucket that is
 * followed is required (checked only when ACLs are enabled).
 * NOTE(review): the ACL check covers the links traversed, not the final
 * target bucket — presumably callers authorize the resolved bucket themselves;
 * confirm against the call sites.
 *
 * @param volumeAndBucket the bucket to be resolved (if it is a link)
 * @param visited collects link buckets visited during the resolution to
 *   avoid infinite loops
 * @param userGroupInformation the caller's identity used for the ACL check
 * @param remoteAddress client address passed through to the ACL check
 * @param hostName client host name passed through to the ACL check
 * @return bucket location possibly updated with its actual volume and bucket
 *   after following bucket links
 * @throws IOException (most likely OMException) if ACL check fails, bucket is
 *   not found, loop is detected in the links, etc.
 */
private Pair<String, String> resolveBucketLink(Pair<String, String> volumeAndBucket, Set<Pair<String, String>> visited, UserGroupInformation userGroupInformation, InetAddress remoteAddress, String hostName) throws IOException {
    // Iterative form of the link chase: each pass handles one link hop.
    Pair<String, String> current = volumeAndBucket;
    while (true) {
        final String volumeName = current.getLeft();
        final String bucketName = current.getRight();
        final OmBucketInfo info = bucketManager.getBucketInfo(volumeName, bucketName);
        if (!info.isLink()) {
            return current;
        }
        // Set.add returning false means this link was already followed once.
        if (!visited.add(current)) {
            throw new OMException("Detected loop in bucket links", DETECTED_LOOP_IN_BUCKET_LINKS);
        }
        if (isAclEnabled) {
            final ACLType type = ACLType.READ;
            checkAcls(ResourceType.BUCKET, StoreType.OZONE, type, volumeName, bucketName, null, userGroupInformation, remoteAddress, hostName, true, getVolumeOwner(volumeName, type, ResourceType.BUCKET));
        }
        current = Pair.of(info.getSourceVolume(), info.getSourceBucket());
    }
}
