use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.
the class TestOzoneRpcClientAbstract method getAclList.
/**
 * Builds the default ACL list for the current user under the given
 * configuration: one USER entry for the caller carrying the configured
 * default user rights, followed by one GROUP entry per group the caller
 * belongs to, each carrying the configured default group rights. All
 * entries are ACCESS-scoped.
 *
 * @param conf configuration from which the default user/group rights are read
 * @return ACCESS-scoped ACLs for the current user and each of its groups
 * @throws IOException if the current user cannot be resolved
 */
private List<OzoneAcl> getAclList(OzoneConfiguration conf) throws IOException {
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  OzoneAclConfig defaults = conf.getObject(OzoneAclConfig.class);
  ACLType defaultUserRights = defaults.getUserDefaultRights();
  ACLType defaultGroupRights = defaults.getGroupDefaultRights();

  List<OzoneAcl> acls = new ArrayList<>();
  // The caller itself gets the configured default user rights.
  acls.add(new OzoneAcl(USER, currentUser.getUserName(), defaultUserRights, ACCESS));
  // Every group the caller is a member of gets the default group rights,
  // in the order the UGI reports them.
  for (String group : currentUser.getGroupNames()) {
    acls.add(new OzoneAcl(GROUP, group, defaultGroupRights, ACCESS));
  }
  return acls;
}
use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.
the class TestOzoneAclUtil method getDefaultAcls.
/**
 * Builds the default ACL list for the current user: a USER entry carrying
 * the configured default user rights, followed by one GROUP entry per group
 * of the user carrying the configured default group rights. Entries are
 * added through {@link OzoneAclUtil#addAcl} rather than plain List.add, and
 * the rights come from a fresh {@link OzoneAclConfig} instance rather than
 * from a cluster configuration.
 *
 * If the login user cannot be resolved, a synthetic remote user "user0" is
 * substituted so this helper never throws; that substitution is acceptable
 * only because this is test-local code.
 *
 * @return ACCESS-scoped ACLs for the current user and each of its groups
 */
private static List<OzoneAcl> getDefaultAcls() {
  UserGroupInformation currentUser;
  try {
    currentUser = UserGroupInformation.getCurrentUser();
  } catch (IOException ignored) {
    // Test-only fallback: stand in a fixed principal for an unresolvable
    // login user instead of failing the helper.
    currentUser = UserGroupInformation.createRemoteUser("user0");
  }

  OzoneAclConfig defaults = newInstanceOf(OzoneAclConfig.class);
  IAccessAuthorizer.ACLType defaultUserRights = defaults.getUserDefaultRights();
  IAccessAuthorizer.ACLType defaultGroupRights = defaults.getGroupDefaultRights();

  List<OzoneAcl> acls = new ArrayList<>();
  // The user itself first, then each of its groups.
  OzoneAclUtil.addAcl(acls, new OzoneAcl(USER, currentUser.getUserName(), defaultUserRights, ACCESS));
  for (String group : currentUser.getGroupNames()) {
    OzoneAclUtil.addAcl(acls, new OzoneAcl(GROUP, group, defaultGroupRights, ACCESS));
  }
  return acls;
}
use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.
the class TestRootedOzoneFileSystem method testNonPrivilegedUserMkdirCreateBucket.
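/**
 * With ACLs enabled, a non-admin user must be able to create a bucket (via
 * mkdirs of a top-level /volume/bucket path) in a volume whose ACL grants
 * WORLD the configured default user rights. Skipped when ACLs are disabled,
 * because the authorization path under test is not exercised then.
 *
 * @throws IOException if volume or bucket management through the client
 *     proxy fails
 */
@Test
public void testNonPrivilegedUserMkdirCreateBucket() throws IOException {
  // This test is only meaningful when ACL is enabled
  Assume.assumeTrue("ACL is not enabled. Skipping this test as it requires " + "ACL to be enabled to be meaningful.", enableAcl);
  // Sanity check: the running OM must actually enforce ACLs, not just the
  // test's own flag.
  Assert.assertTrue(cluster.getOzoneManager().getAclsEnabled());

  final String volume = "volume-for-test-get-bucket";
  final String bucket = "test-bucket-1";

  // Create the volume as admin with a WORLD ACL so that a non-admin is
  // allowed to create buckets in it. Note the WORLD entry receives the full
  // configured default *user* rights, which may be broader than the CREATE
  // right this test strictly needs.
  ClientProtocol proxy = objectStore.getClientProxy();
  OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
  ACLType userRights = aclConfig.getUserDefaultRights();
  OzoneAcl aclWorldAccess = new OzoneAcl(ACLIdentityType.WORLD, "", userRights, ACCESS);
  VolumeArgs volumeArgs = new VolumeArgs.Builder().setAcls(Collections.singletonList(aclWorldAccess)).build();
  proxy.createVolume(volume, volumeArgs);

  // Create a bucket as non-admin, should succeed
  try {
    final Path myBucketPath = new Path(volume, bucket);
    // Have to prepend the root to bucket path here.
    // Otherwise, FS will automatically prepend user home directory path
    // which is not we want here.
    Assert.assertTrue(userOfs.mkdirs(new Path("/", myBucketPath)));
  } catch (IOException e) {
    // Keep the cause attached: without it an ACL denial and an unrelated
    // I/O error are indistinguishable in the test report.
    throw new AssertionError("Should not have thrown exception when creating bucket as" + " a regular user here", e);
  }

  // Clean up. Deliberately not in a finally block: if the bucket was never
  // created, deleteBucket would throw and mask the real failure above.
  proxy.deleteBucket(volume, bucket);
  proxy.deleteVolume(volume);
}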
use of org.apache.hadoop.ozone.security.acl.OzoneAclConfig in project ozone by apache.
the class TestRootedOzoneFileSystem method testTempMount.
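/*
 * OFS: Test /tmp mount behavior.
 *
 * Creates the "tmp" mount volume with a WORLD ACL, verifies that the
 * per-user temp bucket does not exist before first use, writes under /tmp/
 * so that OFS creates that bucket on demand, and checks the resulting
 * directory and file listings. The bucket and volume are removed at the end.
 */
@Test
public void testTempMount() throws IOException {
  // Prep
  // Use ClientProtocol to pass in volume ACL, ObjectStore won't do it
  ClientProtocol proxy = objectStore.getClientProxy();
  // Get default acl rights for user
  OzoneAclConfig aclConfig = conf.getObject(OzoneAclConfig.class);
  ACLType userRights = aclConfig.getUserDefaultRights();
  // Construct ACL for world access. WORLD receives the configured default
  // *user* rights; that is what lets a non-admin create its temp bucket.
  OzoneAcl aclWorldAccess = new OzoneAcl(ACLIdentityType.WORLD, "", userRights, ACCESS);
  // Construct VolumeArgs
  VolumeArgs volumeArgs = new VolumeArgs.Builder().setAcls(Collections.singletonList(aclWorldAccess)).setQuotaInNamespace(1000).setQuotaInBytes(Long.MAX_VALUE).build();
  // Sanity check
  Assert.assertNull(volumeArgs.getOwner());
  Assert.assertNull(volumeArgs.getAdmin());
  Assert.assertEquals(Long.MAX_VALUE, volumeArgs.getQuotaInBytes());
  Assert.assertEquals(1000, volumeArgs.getQuotaInNamespace());
  Assert.assertEquals(0, volumeArgs.getMetadata().size());
  Assert.assertEquals(1, volumeArgs.getAcls().size());
  // Create volume "tmp" with world access. allow non-admin to create buckets
  proxy.createVolume(OFSPath.OFS_MOUNT_TMP_VOLUMENAME, volumeArgs);
  OzoneVolume vol = objectStore.getVolume(OFSPath.OFS_MOUNT_TMP_VOLUMENAME);
  Assert.assertNotNull(vol);

  // Begin test
  String hashedUsername = OFSPath.getTempMountBucketNameOfCurrentUser();
  // The temp bucket for the current user must not exist yet: getBucket is
  // expected to throw BUCKET_NOT_FOUND. A silent return would mean a
  // pre-existing bucket (e.g. left behind by an earlier run) and must fail
  // the test as well, rather than letting it continue.
  try {
    vol.getBucket(hashedUsername);
    Assert.fail("Temp bucket for current user shouldn't have been created");
  } catch (OMException ex) {
    Assert.assertEquals("Temp bucket for current user shouldn't have been created", BUCKET_NOT_FOUND, ex.getResult());
  }
  // Write under /tmp/, OFS will create the temp bucket if not exist
  Path dir1 = new Path("/tmp/dir1");
  fs.mkdirs(dir1);
  try (FSDataOutputStream stream = ofs.create(new Path("/tmp/dir1/file1"))) {
    stream.write(1);
  }
  // Verify temp bucket creation
  OzoneBucket bucket = vol.getBucket(hashedUsername);
  Assert.assertNotNull(bucket);
  // Verify dir1 creation
  FileStatus[] fileStatuses = fs.listStatus(new Path("/tmp/"));
  Assert.assertEquals(1, fileStatuses.length);
  Assert.assertEquals("/tmp/dir1", fileStatuses[0].getPath().toUri().getPath());
  // Verify file1 creation
  FileStatus[] fileStatusesInDir1 = fs.listStatus(dir1);
  Assert.assertEquals(1, fileStatusesInDir1.length);
  Assert.assertEquals("/tmp/dir1/file1", fileStatusesInDir1[0].getPath().toUri().getPath());
  // Cleanup. Not in a finally block on purpose: if an earlier step failed
  // before the bucket existed, deleteBucket would throw and hide the real
  // failure.
  fs.delete(dir1, true);
  vol.deleteBucket(hashedUsername);
  proxy.deleteVolume(OFSPath.OFS_MOUNT_TMP_VOLUMENAME);
}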