
Example 1 with RequestContext

Use of org.apache.hadoop.ozone.security.acl.RequestContext in project ozone by apache.

From the class TestKeyManagerImpl, method testCheckAccessForFileKey.

/**
 * A committed file key nested under directories must be readable by the
 * current user, and the access check must be answered from key metadata
 * alone: the SCM container client must not be consulted.
 */
@Test
public void testCheckAccessForFileKey() throws Exception {
    // GIVEN: a file key written and committed through the write client
    OmKeyArgs fileArgs = createBuilder()
        .setKeyName("testdir/deep/NOTICE.txt")
        .build();
    OpenKeySession session = writeClient.createFile(fileArgs, false, true);
    fileArgs.setLocationInfoList(
        session.getKeyInfo().getLatestVersionLocations().getLocationList());
    writeClient.commitKey(fileArgs, session.getId());
    // Drop the interactions recorded during the write so that only the
    // access check below is verified against the SCM client mock.
    reset(mockScmContainerClient);
    OzoneObj fileObj = OzoneObjInfo.Builder.fromKeyArgs(fileArgs)
        .setStoreType(OzoneObj.StoreType.OZONE)
        .build();
    RequestContext readRequest = currentUserReads();
    // WHEN
    boolean granted = keyManager.checkAccess(fileObj, readRequest);
    // THEN: granted, with no container/pipeline lookup against SCM
    Assert.assertTrue(granted);
    verify(mockScmContainerClient, never()).getContainerWithPipelineBatch(any());
}

Example 2 with RequestContext

Use of org.apache.hadoop.ozone.security.acl.RequestContext in project ozone by apache.

From the class OzoneManager, method checkAcls.

/**
 * Checks ACLs for the ozone object identified by the given resource type,
 * store type and volume/bucket/key names, on behalf of the given user.
 * The request is always evaluated as a USER identity; the caller's
 * address, host and the object's owner are recorded in the request
 * context for the authorizer.
 *
 * @param resType resource type of the object being accessed
 * @param storeType store type of the object
 * @param aclType the right the caller is requesting
 * @param vol volume name
 * @param bucket bucket name
 * @param key key name
 * @param ugi identity of the calling user
 * @param remoteAddress client address recorded in the request context
 * @param hostName client host name recorded in the request context
 * @param throwIfPermissionDenied when true a denial is reported by
 *     throwing rather than by returning false
 * @param owner owner name recorded in the request context
 * @return true if permission granted, false if permission denied.
 * @throws OMException ResultCodes.PERMISSION_DENIED if permission denied
 *                     and throwIfPermissionDenied set to true.
 */
@SuppressWarnings("parameternumber")
public boolean checkAcls(ResourceType resType, StoreType storeType,
    ACLType aclType, String vol, String bucket, String key,
    UserGroupInformation ugi, InetAddress remoteAddress, String hostName,
    boolean throwIfPermissionDenied, String owner) throws OMException {
    OzoneObjInfo.Builder objBuilder = OzoneObjInfo.Builder.newBuilder();
    objBuilder.setResType(resType);
    objBuilder.setStoreType(storeType);
    objBuilder.setVolumeName(vol);
    objBuilder.setBucketName(bucket);
    objBuilder.setKeyName(key);
    OzoneObj target = objBuilder.build();

    RequestContext.Builder ctxBuilder = RequestContext.newBuilder();
    ctxBuilder.setClientUgi(ugi);
    ctxBuilder.setIp(remoteAddress);
    ctxBuilder.setHost(hostName);
    // Identity type is fixed to USER for this entry point.
    ctxBuilder.setAclType(ACLIdentityType.USER);
    ctxBuilder.setAclRights(aclType);
    ctxBuilder.setOwnerName(owner);
    RequestContext request = ctxBuilder.build();

    return checkAcls(target, request, throwIfPermissionDenied);
}

Example 3 with RequestContext

Use of org.apache.hadoop.ozone.security.acl.RequestContext in project ozone by apache.

From the class OMClientRequest, method checkACLsWithFSO.

/**
 * Checks ACLs for an ozone key in a file-system-optimized (FSO) bucket.
 * The key's prefix path is resolved first and attached to the object so
 * the authorizer can evaluate the key together with its parent
 * directories. When ACLs are enabled, the volume is checked with a right
 * derived from {@code aclType} and then the key itself is checked; both
 * checks throw on denial. When ACLs are disabled no check is performed,
 * but the prefix path is still resolved.
 *
 * @param ozoneManager used to resolve the prefix path, look up owners and
 *     run the ACL checks
 * @param volumeName volume name
 * @param bucketName bucket name
 * @param keyName key name
 * @param aclType the right requested on the key
 * @throws IOException when an ACL check denies access
 *     (ResultCodes.PERMISSION_DENIED), or from the underlying look-ups
 */
protected void checkACLsWithFSO(OzoneManager ozoneManager, String volumeName,
    String bucketName, String keyName, IAccessAuthorizer.ACLType aclType)
    throws IOException {
    // TODO: Presently not populating sub-paths under a single bucket
    // lock. Need to revisit this to handle any concurrent operations
    // along with this.
    OzonePrefixPathImpl prefixPath = new OzonePrefixPathImpl(volumeName,
        bucketName, keyName, ozoneManager.getKeyManager());
    OzoneObj keyObj = OzoneObjInfo.Builder.newBuilder()
        .setResType(OzoneObj.ResourceType.KEY)
        .setStoreType(OzoneObj.StoreType.OZONE)
        .setVolumeName(volumeName)
        .setBucketName(bucketName)
        .setKeyName(keyName)
        .setOzonePrefixPath(prefixPath)
        .build();
    RequestContext.Builder keyContext = RequestContext.newBuilder()
        .setAclRights(aclType)
        .setRecursiveAccessCheck(prefixPath.isCheckRecursiveAccess());

    if (!ozoneManager.getAclsEnabled()) {
        return;
    }

    String volumeOwner = ozoneManager.getVolumeOwner(keyObj.getVolumeName(),
        keyContext.getAclRights(), keyObj.getResourceType());
    String bucketOwner = ozoneManager.getBucketOwner(keyObj.getVolumeName(),
        keyObj.getBucketName(), keyContext.getAclRights(),
        keyObj.getResourceType());
    UserGroupInformation caller = createUGI();
    keyContext.setClientUgi(caller);
    keyContext.setIp(getRemoteAddress());
    keyContext.setHost(getHostName());
    keyContext.setAclType(IAccessAuthorizer.ACLIdentityType.USER);
    // The owner recorded for the key check is the volume owner when the
    // caller owns the volume, otherwise the bucket owner.
    keyContext.setOwnerName(
        isOwner(caller, volumeOwner) ? volumeOwner : bucketOwner);

    IAccessAuthorizer.ACLType volumeRight = parentAclRightFor(aclType,
        ozoneManager.isNativeAuthorizerEnabled());
    OzoneObj volumeObj = OzoneObjInfo.Builder.newBuilder()
        .setResType(OzoneObj.ResourceType.VOLUME)
        .setStoreType(OzoneObj.StoreType.OZONE)
        .setVolumeName(volumeName)
        .setBucketName(bucketName)
        .setKeyName(keyName)
        .build();
    RequestContext volumeContext = RequestContext.newBuilder()
        .setClientUgi(caller)
        .setIp(getRemoteAddress())
        .setHost(getHostName())
        .setAclType(IAccessAuthorizer.ACLIdentityType.USER)
        .setAclRights(volumeRight)
        .setOwnerName(volumeOwner)
        .build();
    // Volume first, then the key; both are asked to throw on denial.
    ozoneManager.checkAcls(volumeObj, volumeContext, true);
    ozoneManager.checkAcls(keyObj, keyContext.build(), true);
}

/**
 * Derives the right that must be held on the volume for a request of
 * {@code aclType} on a key. With the native authorizer, CREATE, DELETE
 * and WRITE_ACL map to WRITE, READ_ACL and LIST map to READ, and any
 * other right is passed through unchanged; with any other authorizer the
 * volume right is always READ.
 *
 * @param aclType the right requested on the key
 * @param nativeAuthorizer whether the native authorizer is enabled
 * @return the right to check on the volume
 */
private static IAccessAuthorizer.ACLType parentAclRightFor(
    IAccessAuthorizer.ACLType aclType, boolean nativeAuthorizer) {
    if (!nativeAuthorizer) {
        return IAccessAuthorizer.ACLType.READ;
    }
    if (aclType == IAccessAuthorizer.ACLType.CREATE
        || aclType == IAccessAuthorizer.ACLType.DELETE
        || aclType == IAccessAuthorizer.ACLType.WRITE_ACL) {
        return IAccessAuthorizer.ACLType.WRITE;
    }
    if (aclType == IAccessAuthorizer.ACLType.READ_ACL
        || aclType == IAccessAuthorizer.ACLType.LIST) {
        return IAccessAuthorizer.ACLType.READ;
    }
    return aclType;
}
