
Example 51 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class JobStatus method readFields.

/**
 * Restores this status from {@code in}, consuming fields in exactly the
 * order the matching writer emits them: the job id, the progress floats,
 * state and timing fields, the interned strings, the uber flag and finally
 * the ACL map.
 *
 * @param in source of the serialized status
 * @throws IOException if the stream ends early or a field cannot be decoded
 */
public synchronized void readFields(DataInput in) throws IOException {
    jobid = new JobID();
    jobid.readFields(in);
    setupProgress = in.readFloat();
    mapProgress = in.readFloat();
    reduceProgress = in.readFloat();
    cleanupProgress = in.readFloat();
    runState = WritableUtils.readEnum(in, State.class);
    startTime = in.readLong();
    user = readInternedString(in);
    priority = WritableUtils.readEnum(in, JobPriority.class);
    schedulingInfo = readInternedString(in);
    finishTime = in.readLong();
    isRetired = in.readBoolean();
    historyFile = readInternedString(in);
    jobName = readInternedString(in);
    trackingUrl = readInternedString(in);
    jobFile = readInternedString(in);
    isUber = in.readBoolean();
    // ACL map: an entry count followed by (type, acl) pairs. The count is
    // taken straight from the stream; a negative value simply yields no
    // entries. Entries already present in jobACLs are not cleared first.
    int remaining = in.readInt();
    while (remaining-- > 0) {
        JobACL aclType = WritableUtils.readEnum(in, JobACL.class);
        // Seeded with a blank ACL string; readFields then loads it from the stream.
        AccessControlList acl = new AccessControlList(" ");
        acl.readFields(in);
        jobACLs.put(aclType, acl);
    }
}

/**
 * Reads one Text-encoded string from {@code in} and returns its weakly
 * interned form.
 *
 * @param in stream positioned at a Text-encoded string
 * @return the interned string
 * @throws IOException if the string cannot be read
 */
private static String readInternedString(DataInput in) throws IOException {
    return StringInterner.weakIntern(Text.readString(in));
}

Example 52 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestLogLevel method createServer.

/**
 * Builds and starts an {@link HttpServer2} on an ephemeral localhost port
 * that serves the LogLevel servlet, optionally guarded by SPNEGO.
 *
 * @param protocol "http" or "https"
 * @param isSpnego whether to enable Kerberos/SPNEGO authentication
 * @return the started server
 * @throws Exception if the server cannot be built or started
 */
private HttpServer2 createServer(String protocol, boolean isSpnego) throws Exception {
    URI endpoint = new URI(protocol + "://localhost:0");
    HttpServer2.Builder builder = new HttpServer2.Builder()
        .setName("..")
        .addEndpoint(endpoint)
        .setFindPort(true)
        .setConf(conf);
    if (isSpnego) {
        // Server-side Kerberos credentials plus an ACL restricted to the
        // client principal: the ACL is what guarantees the connection was
        // actually SPNEGO-authenticated should the server fall back to
        // simple authentication.
        builder.setSecurityEnabled(true)
            .setUsernameConfKey(PRINCIPAL)
            .setKeytabConfKey(KEYTAB)
            .setACL(new AccessControlList(clientPrincipal));
    }
    if (protocol.equals(LogLevel.PROTOCOL_HTTPS)) {
        // TLS material comes from the test's ssl configuration; the store
        // types default to "jks" when unset.
        String keyPassword = sslConf.get("ssl.server.keystore.keypassword");
        String keyStoreLocation = sslConf.get("ssl.server.keystore.location");
        String keyStorePassword = sslConf.get("ssl.server.keystore.password");
        String keyStoreType = sslConf.get("ssl.server.keystore.type", "jks");
        String trustStoreLocation = sslConf.get("ssl.server.truststore.location");
        String trustStorePassword = sslConf.get("ssl.server.truststore.password");
        String trustStoreType = sslConf.get("ssl.server.truststore.type", "jks");
        builder = builder
            .keyPassword(keyPassword)
            .keyStore(keyStoreLocation, keyStorePassword, keyStoreType)
            .trustStore(trustStoreLocation, trustStorePassword, trustStoreType);
    }
    HttpServer2 server = builder.build();
    if (isSpnego) {
        // Register the LogLevel servlet with the trailing flag set to true
        // (presumably "requires authentication" -- confirm in HttpServer2).
        server.addInternalServlet("logLevel", "/logLevel", LogLevel.Servlet.class, true);
    }
    server.start();
    return server;
}

Example 53 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class DFSUtil method httpServerTemplateForNNAndJN.

/**
 * Builds the {@link HttpServer2.Builder} that the journalnode, namenode and
 * secondary namenode share to initialize their HTTP / HTTPS server: admin
 * ACL, SPNEGO settings and one endpoint per enabled scheme.
 *
 * @param conf cluster configuration
 * @param httpAddr address for the HTTP endpoint (port 0 picks a free port)
 * @param httpsAddr address for the HTTPS endpoint, may be null
 * @param name server name used in the builder and in log lines
 * @param spnegoUserNameKey config key holding the SPNEGO principal
 * @param spnegoKeytabFileKey config key holding the SPNEGO keytab path
 * @return a builder with endpoints configured but not yet built
 * @throws IOException if the SSL configuration cannot be loaded
 */
public static HttpServer2.Builder httpServerTemplateForNNAndJN(Configuration conf, final InetSocketAddress httpAddr, final InetSocketAddress httpsAddr, String name, String spnegoUserNameKey, String spnegoKeytabFileKey) throws IOException {
    HttpConfig.Policy policy = getHttpPolicy(conf);
    HttpServer2.Builder builder = new HttpServer2.Builder();
    // Admin ACL from DFS_ADMIN; the blank default presumably grants no one
    // admin access when the key is unset.
    AccessControlList adminAcl = new AccessControlList(conf.get(DFS_ADMIN, " "));
    builder.setName(name)
        .setConf(conf)
        .setACL(adminAcl)
        .setSecurityEnabled(UserGroupInformation.isSecurityEnabled())
        .setUsernameConfKey(spnegoUserNameKey)
        .setKeytabConfKey(getSpnegoKeytabKey(conf, spnegoKeytabFileKey));
    if (UserGroupInformation.isSecurityEnabled()) {
        String principal = SecurityUtil.getServerPrincipal(conf.get(spnegoUserNameKey), httpAddr.getHostName());
        LOG.info("Starting web server as: " + principal);
    }
    if (policy.isHttpEnabled()) {
        registerEndpoint(builder, "http://", httpAddr, name);
    }
    if (policy.isHttpsEnabled() && httpsAddr != null) {
        // TLS material must be on the builder before the https endpoint.
        Configuration sslConf = loadSslConfiguration(conf);
        loadSslConfToHttpServerBuilder(builder, sslConf);
        registerEndpoint(builder, "https://", httpsAddr, name);
    }
    return builder;
}

/**
 * Adds one endpoint to {@code builder}, enabling free-port search when the
 * address port is 0, and logs the resulting URI.
 *
 * @param builder builder to extend
 * @param scheme URI prefix including "://"
 * @param addr host and port of the endpoint
 * @param name server name for the log line
 */
private static void registerEndpoint(HttpServer2.Builder builder, String scheme, InetSocketAddress addr, String name) {
    if (addr.getPort() == 0) {
        builder.setFindPort(true);
    }
    URI uri = URI.create(scheme + NetUtils.getHostPortString(addr));
    builder.addEndpoint(uri);
    LOG.info("Starting Web-server for " + name + " at: " + uri);
}

Example 54 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class HttpServer2 method userHasAdministratorAccess.

/**
 * Checks whether {@code remoteUser} is a member of the admin ACL stored in
 * the servlet context under {@code ADMINS_ACL}.
 *
 * @param servletContext context that may carry the admin ACL attribute
 * @param remoteUser name of the remote user to check
 * @return true only when an ACL is set and it allows the user; false when
 *         no ACL attribute is present or the user is not allowed
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) {
    Object attribute = servletContext.getAttribute(ADMINS_ACL);
    AccessControlList adminsAcl = (AccessControlList) attribute;
    // The UGI is built before the ACL check so that an invalid user name
    // is rejected the same way regardless of whether an ACL is configured.
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(remoteUser);
    if (adminsAcl == null) {
        return false;
    }
    return adminsAcl.isUserAllowed(ugi);
}

Example 55 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestHttpServerWithSpengo method testAuthenticationWithProxyUser.

/**
 * Exercises SPNEGO-authenticated access combined with proxy-user (doAs)
 * requests against a server whose admin ACL is "userA groupA".
 * <p>
 * Group layout used by the test:
 * <ul>
 *   <li>groupA: userA</li>
 *   <li>groupB: userA, userB</li>
 *   <li>groupC: userC</li>
 * </ul>
 * userA may impersonate members of groupB. Only userA is in the admin ACL,
 * so the admin-only servlets ("logLevel", "logs") are expected to answer
 * 200 for userA alone and 403 for everyone else.
 *
 * @throws Exception on any failure of the server or the HTTP requests
 */
@Test
public void testAuthenticationWithProxyUser() throws Exception {
    Configuration spengoConf = getSpengoConf(new Configuration());
    // Point the log dir somewhere writable for the "/logs" servlet.
    System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
    UserGroupInformation.createUserForTesting("userA", new String[] { "groupA", "groupB" });
    UserGroupInformation.createUserForTesting("userB", new String[] { "groupB" });
    UserGroupInformation.createUserForTesting("userC", new String[] { "groupC" });
    // userA is a superuser for groupB from any host.
    spengoConf.set("hadoop.proxyuser.userA.hosts", "*");
    spengoConf.set("hadoop.proxyuser.userA.groups", "groupB");
    ProxyUsers.refreshSuperUserGroupsConfiguration(spengoConf);
    String[] defaultServlets = { "stacks", "jmx", "conf" };
    String[] adminServlets = { "logLevel", "logs" };
    HttpServer2 httpServer = null;
    try {
        httpServer = getCommonBuilder()
            .setConf(spengoConf)
            .setACL(new AccessControlList("userA groupA"))
            .build();
        httpServer.start();
        Signer signer = getSignerToEncrypt();
        AuthenticatedURL.Token tokenA = getEncryptedAuthToken(signer, "userA");
        String base = "http://" + NetUtils.getHostPortString(httpServer.getConnectorAddress(0)) + "/";
        // Default authenticator is kerberos; the pre-signed token stands in for it.
        AuthenticatedURL authUrl = new AuthenticatedURL();
        // userA -> userB is a permitted impersonation.
        for (String servlet : defaultServlets) {
            assertResponseCode(HttpURLConnection.HTTP_OK, authUrl, base + servlet + "?doAs=userB", tokenA);
        }
        // doAs=userC is still expected to succeed on the default servlets even
        // though userA may not impersonate groupC -- presumably the proxy-user
        // check does not apply to these servlets; confirm against the filter setup.
        for (String servlet : defaultServlets) {
            assertResponseCode(HttpURLConnection.HTTP_OK, authUrl, base + servlet + "?doAs=userC", tokenA);
        }
        // Admin servlets reject the impersonated userC ...
        for (String servlet : adminServlets) {
            assertResponseCode(HttpURLConnection.HTTP_FORBIDDEN, authUrl, base + servlet + "?doAs=userC", tokenA);
        }
        // ... but admit userA directly.
        for (String servlet : adminServlets) {
            assertResponseCode(HttpURLConnection.HTTP_OK, authUrl, base + servlet, tokenA);
        }
        // userB is authenticated but outside the admin ACL.
        AuthenticatedURL.Token tokenB = getEncryptedAuthToken(signer, "userB");
        for (String servlet : adminServlets) {
            assertResponseCode(HttpURLConnection.HTTP_FORBIDDEN, authUrl, base + servlet, tokenB);
        }
    } finally {
        if (httpServer != null) {
            httpServer.stop();
        }
    }
}

/**
 * Opens {@code url} with the given token and asserts the HTTP status.
 *
 * @param expected status code the server must return
 * @param authUrl authenticated URL helper to open the connection with
 * @param url absolute URL to request
 * @param token pre-signed auth token presented to the server
 * @throws Exception if the connection cannot be opened
 */
private static void assertResponseCode(int expected, AuthenticatedURL authUrl, String url, AuthenticatedURL.Token token) throws Exception {
    HttpURLConnection conn = authUrl.openConnection(new URL(url), token);
    Assert.assertEquals(expected, conn.getResponseCode());
}
