
Example 1 with OzoneAclConfig

use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.

the class TestOzoneRpcClientAbstract method getAclList.

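/**
 * Helper function to get the default ACL list for the current user.
 *
 * <p>The rights are not hard-coded: both the user and the group rights are
 * read from {@link OzoneAclConfig} as obtained from {@code conf}, so the
 * returned list follows whatever defaults the configuration under test sets.
 *
 * @param conf configuration from which the {@link OzoneAclConfig} defaults are read
 * @return list of default ACLs: one USER ACL for the current user followed by
 *     one GROUP ACL per group of that user, all with scope ACCESS
 * @throws IOException if {@code UserGroupInformation.getCurrentUser()} fails
 */
private List<OzoneAcl> getAclList(OzoneConfiguration conf) throws IOException {
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
    ACLType userRights = aclConfig.getUserDefaultRights();
    ACLType groupRights = aclConfig.getGroupDefaultRights();

    List<OzoneAcl> listOfAcls = new ArrayList<>();
    // User ACL
    listOfAcls.add(new OzoneAcl(USER, ugi.getUserName(), userRights, ACCESS));
    // Group ACLs of the user; a plain loop instead of a forEach that mutates
    // the list from inside a stream pipeline
    for (String group : ugi.getGroupNames()) {
        listOfAcls.add(new OzoneAcl(GROUP, group, groupRights, ACCESS));
    }
    return listOfAcls;
}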

Example 2 with OzoneAclConfig

use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.

the class TestOzoneAclUtil method getDefaultAcls.

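/**
 * Helper function to get the default ACL list for the current user.
 *
 * <p>Unlike the production code path this helper never propagates the
 * {@code IOException} from {@code UserGroupInformation.getCurrentUser()}: when
 * the current user cannot be resolved it falls back to a remote user named
 * {@code "user0"}, which is acceptable only because this is a test helper.
 * Rights are read from a fresh {@link OzoneAclConfig} instance.
 *
 * @return list of ozoneAcls: the USER ACL for the current user followed by one
 *     GROUP ACL per group of that user, each added via {@code OzoneAclUtil.addAcl}
 */
private static List<OzoneAcl> getDefaultAcls() {
    UserGroupInformation ugi;
    try {
        ugi = UserGroupInformation.getCurrentUser();
    } catch (IOException ignored) {
        // Deliberate fallback: the helper must still work without a resolvable login user.
        ugi = UserGroupInformation.createRemoteUser("user0");
    }
    OzoneAclConfig aclConfig = newInstanceOf(OzoneAclConfig.class);
    IAccessAuthorizer.ACLType userRights = aclConfig.getUserDefaultRights();
    IAccessAuthorizer.ACLType groupRights = aclConfig.getGroupDefaultRights();

    List<OzoneAcl> ozoneAcls = new ArrayList<>();
    // User ACL
    OzoneAclUtil.addAcl(ozoneAcls, new OzoneAcl(USER, ugi.getUserName(), userRights, ACCESS));
    // Group ACLs of the user; a plain loop instead of a side-effecting forEach
    for (String group : ugi.getGroupNames()) {
        OzoneAclUtil.addAcl(ozoneAcls, new OzoneAcl(GROUP, group, groupRights, ACCESS));
    }
    return ozoneAcls;
}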

Example 3 with OzoneAclConfig

use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.

the class TestRootedOzoneFileSystem method testNonPrivilegedUserMkdirCreateBucket.

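/**
 * A non-admin user must be able to create a bucket (via {@code mkdirs} on
 * {@code /volume/bucket}) when the volume carries a WORLD ACL with the
 * configured default user rights.
 *
 * <p>Skipped unless ACLs are enabled. The volume is created through
 * {@link ClientProtocol} as admin, the bucket through {@code userOfs} (the
 * non-privileged file system), and the cleanup runs in {@code finally} so a
 * failing assertion does not leave the volume behind for later tests.
 *
 * @throws IOException if volume creation or cleanup fails
 */
@Test
public void testNonPrivilegedUserMkdirCreateBucket() throws IOException {
    // This test is only meaningful when ACL is enabled
    Assume.assumeTrue("ACL is not enabled. Skipping this test as it requires " + "ACL to be enabled to be meaningful.", enableAcl);
    // Sanity check
    Assert.assertTrue(cluster.getOzoneManager().getAclsEnabled());
    final String volume = "volume-for-test-get-bucket";
    final String bucket = "test-bucket-1";
    // Use ClientProtocol so the volume ACL can be passed in at creation time
    ClientProtocol proxy = objectStore.getClientProxy();
    // Default acl rights for a user, read from configuration rather than hard-coded
    OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
    ACLType userRights = aclConfig.getUserDefaultRights();
    // WORLD ACL with those rights: this is what lets the non-admin create a bucket
    OzoneAcl aclWorldAccess = new OzoneAcl(ACLIdentityType.WORLD, "", userRights, ACCESS);
    VolumeArgs volumeArgs = new VolumeArgs.Builder().setAcls(Collections.singletonList(aclWorldAccess)).build();
    // Create the volume as admin
    proxy.createVolume(volume, volumeArgs);
    boolean bucketCreated = false;
    try {
        // Create a bucket as non-admin, should succeed.
        // Have to prepend the root to bucket path here.
        // Otherwise, FS will automatically prepend user home directory path
        // which is not we want here.
        final Path myBucketPath = new Path(volume, bucket);
        try {
            bucketCreated = userOfs.mkdirs(new Path("/", myBucketPath));
        } catch (IOException e) {
            // Keep the cause in the failure message instead of dropping it
            Assert.fail("Should not have thrown exception when creating bucket as" + " a regular user here: " + e);
        }
        Assert.assertTrue(bucketCreated);
    } finally {
        // Clean up even when an assertion above failed; only remove the bucket
        // if mkdirs reported it as created, so cleanup cannot mask the failure
        if (bucketCreated) {
            proxy.deleteBucket(volume, bucket);
        }
        proxy.deleteVolume(volume);
    }
}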

Example 4 with OzoneAclConfig

use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.

the class TestRootedOzoneFileSystem method testTempMount.

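/**
 * OFS: Test /tmp mount behavior.
 *
 * <p>The {@code tmp} volume is created with a WORLD ACL carrying the configured
 * default user rights, so that non-admin users can create buckets in it. The
 * per-user temp bucket must not exist before the first write under
 * {@code /tmp/}, must exist afterwards, and the directory and file written
 * through the file system must be listable.
 *
 * @throws IOException if any file system or client call fails
 */
@Test
public void testTempMount() throws IOException {
    // Prep
    // Use ClientProtocol to pass in volume ACL, ObjectStore won't do it
    ClientProtocol proxy = objectStore.getClientProxy();
    // Default acl rights for a user, read from configuration
    OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
    ACLType userRights = aclConfig.getUserDefaultRights();
    // Construct ACL for world access
    OzoneAcl aclWorldAccess = new OzoneAcl(ACLIdentityType.WORLD, "", userRights, ACCESS);
    // Construct VolumeArgs
    VolumeArgs volumeArgs = new VolumeArgs.Builder().setAcls(Collections.singletonList(aclWorldAccess)).setQuotaInNamespace(1000).setQuotaInBytes(Long.MAX_VALUE).build();
    // Sanity check that the builder only set what we asked for
    Assert.assertNull(volumeArgs.getOwner());
    Assert.assertNull(volumeArgs.getAdmin());
    Assert.assertEquals(Long.MAX_VALUE, volumeArgs.getQuotaInBytes());
    Assert.assertEquals(1000, volumeArgs.getQuotaInNamespace());
    Assert.assertEquals(0, volumeArgs.getMetadata().size());
    Assert.assertEquals(1, volumeArgs.getAcls().size());
    // Create volume "tmp" with world access. allow non-admin to create buckets
    proxy.createVolume(OFSPath.OFS_MOUNT_TMP_VOLUMENAME, volumeArgs);
    OzoneVolume vol = objectStore.getVolume(OFSPath.OFS_MOUNT_TMP_VOLUMENAME);
    Assert.assertNotNull(vol);
    // Begin test
    // Bucket name OFSPath derives for the current user (presumably hashed, per the name)
    String hashedUsername = OFSPath.getTempMountBucketNameOfCurrentUser();
    // Expect failure since temp bucket for current user is not created yet.
    // The fail() inside the try is what makes a silently succeeding getBucket
    // an error; an AssertionError is not an OMException, so it is not caught below.
    try {
        vol.getBucket(hashedUsername);
        Assert.fail("Temp bucket for current user shouldn't have been created");
    } catch (OMException ex) {
        // BUCKET_NOT_FOUND is the only acceptable outcome here
        Assert.assertEquals("Unexpected result looking up a temp bucket that should not exist yet", BUCKET_NOT_FOUND, ex.getResult());
    }
    // Write under /tmp/, OFS will create the temp bucket if not exist
    Path dir1 = new Path("/tmp/dir1");
    fs.mkdirs(dir1);
    try (FSDataOutputStream stream = ofs.create(new Path("/tmp/dir1/file1"))) {
        stream.write(1);
    }
    // Verify temp bucket creation
    OzoneBucket bucket = vol.getBucket(hashedUsername);
    Assert.assertNotNull(bucket);
    // Verify dir1 creation
    FileStatus[] fileStatuses = fs.listStatus(new Path("/tmp/"));
    Assert.assertEquals(1, fileStatuses.length);
    Assert.assertEquals("/tmp/dir1", fileStatuses[0].getPath().toUri().getPath());
    // Verify file1 creation
    FileStatus[] fileStatusesInDir1 = fs.listStatus(dir1);
    Assert.assertEquals(1, fileStatusesInDir1.length);
    Assert.assertEquals("/tmp/dir1/file1", fileStatusesInDir1[0].getPath().toUri().getPath());
    // Cleanup
    fs.delete(dir1, true);
    vol.deleteBucket(hashedUsername);
    proxy.deleteVolume(OFSPath.OFS_MOUNT_TMP_VOLUMENAME);
}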
