
Example 61 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

Class TestKMSACLs, method testKeyAclReload.

/**
 * Exercises hot-reloading of key ACLs via {@code KMSACLs#setKeyACLs}: changed
 * entries replace the old ones, an identical reload is a no-op, a "*" entry
 * becomes an allow-all ACL, and a fresh configuration drops every entry it
 * does not mention.
 */
@Test
public void testKeyAclReload() {
    Configuration conf = new Configuration(false);
    putKeyOpAcls(conf, DEFAULT_KEY_ACL_PREFIX, "read1", "", "*", "decrypt1");
    conf.set(KEY_ACL + "testuser1.ALL", "testkey1");
    putKeyOpAcls(conf, WHITELIST_KEY_ACL_PREFIX, "admin_read1", "", "*", "admin_decrypt1");
    final KMSACLs acls = new KMSACLs(conf);

    // Rewrite every entry, then hot-reload.
    putKeyOpAcls(conf, DEFAULT_KEY_ACL_PREFIX, "read2", "mgmt1,mgmt2", "", "decrypt2");
    // NOTE(review): this writes key "testkey1", not the "testuser1" key set above,
    // so the "testuser1" entry is left as-is and this new entry is never asserted.
    conf.set(KEY_ACL + "testkey1.ALL", "testkey1,testkey2");
    putKeyOpAcls(conf, WHITELIST_KEY_ACL_PREFIX, "admin_read2", "admin_mgmt,admin_mgmt1", "", "admin_decrypt2");
    acls.setKeyACLs(conf);
    assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK, "decrypt2");
    assertReloadedAclsUnchanged(acls);

    // Reloading the identical configuration must change nothing.
    acls.setKeyACLs(conf);
    assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK, "decrypt2");
    assertReloadedAclsUnchanged(acls);

    // A "*" entry yields an allow-all ACL with no explicitly listed users.
    conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");
    acls.setKeyACLs(conf);
    final AccessControlList wildcard = acls.defaultKeyAcls.get(KeyOpType.DECRYPT_EEK);
    Assert.assertTrue(wildcard.isAllAllowed());
    Assert.assertTrue(wildcard.getUsers().isEmpty());
    // Only DECRYPT_EEK was touched; everything else must survive the reload.
    assertReloadedAclsUnchanged(acls);

    // A fresh configuration with a single entry clears all other ACLs.
    // NOTE(review): unlike the first Configuration(false), this one loads default
    // resources — presumably harmless for the ACL keys under test; confirm.
    conf = new Configuration();
    conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "new");
    acls.setKeyACLs(conf);
    assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK, "new");
    Assert.assertTrue(acls.keyAcls.isEmpty());
    Assert.assertTrue(acls.whitelistKeyAcls.isEmpty());
    Assert.assertEquals("Got unexpected sized acls:" + acls.defaultKeyAcls, 1, acls.defaultKeyAcls.size());
}

/**
 * Sets the four per-operation ACL entries under {@code prefix}.
 *
 * @param conf        configuration to write into
 * @param prefix      either the default or the whitelist key ACL prefix
 * @param read        value for {@code prefix + "READ"}
 * @param management  value for {@code prefix + "MANAGEMENT"}
 * @param generateEek value for {@code prefix + "GENERATE_EEK"}
 * @param decryptEek  value for {@code prefix + "DECRYPT_EEK"}
 */
private void putKeyOpAcls(Configuration conf, String prefix, String read,
        String management, String generateEek, String decryptEek) {
    conf.set(prefix + "READ", read);
    conf.set(prefix + "MANAGEMENT", management);
    conf.set(prefix + "GENERATE_EEK", generateEek);
    conf.set(prefix + "DECRYPT_EEK", decryptEek);
}

/**
 * Asserts the ACL state shared by every reload in {@link #testKeyAclReload()}
 * after the first update: the reloaded READ/MANAGEMENT/GENERATE_EEK defaults,
 * the untouched "testuser1" per-key entry, and the reloaded whitelist.
 *
 * @param acls the instance under test
 */
private void assertReloadedAclsUnchanged(KMSACLs acls) {
    assertDefaultKeyAcl(acls, KeyOpType.READ, "read2");
    assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT, "mgmt1", "mgmt2");
    assertDefaultKeyAcl(acls, KeyOpType.GENERATE_EEK);
    assertKeyAcl("testuser1", acls, KeyOpType.ALL, "testkey1");
    assertWhitelistKeyAcl(acls, KeyOpType.READ, "admin_read2");
    assertWhitelistKeyAcl(acls, KeyOpType.MANAGEMENT, "admin_mgmt", "admin_mgmt1");
    assertWhitelistKeyAcl(acls, KeyOpType.GENERATE_EEK);
    assertWhitelistKeyAcl(acls, KeyOpType.DECRYPT_EEK, "admin_decrypt2");
}

Example 62 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

Class KMSACLs, method setKMSACLs.

/**
 * Rebuilds the per-operation ACL and blacklist maps from {@code conf}.
 * <p>
 * Every {@link Type} gets an ACL; an operation whose ACL key is absent falls
 * back to {@code ACL_DEFAULT} (whatever that constant permits — not visible
 * here). A blacklist is only installed for operations that have one
 * configured. Both maps are filled completely before being assigned to the
 * fields, so a reader never sees a half-populated map; cross-thread
 * visibility of the swap depends on how the fields are declared.
 *
 * @param conf configuration holding the ACL and blacklist entries
 */
private void setKMSACLs(Configuration conf) {
    final Map<Type, AccessControlList> loadedAcls = new HashMap<Type, AccessControlList>();
    final Map<Type, AccessControlList> loadedBlacklists = new HashMap<Type, AccessControlList>();
    for (Type op : Type.values()) {
        final String aclSpec = conf.get(op.getAclConfigKey(), ACL_DEFAULT);
        final String blacklistSpec = conf.get(op.getBlacklistConfigKey());
        loadedAcls.put(op, new AccessControlList(aclSpec));
        if (blacklistSpec != null) {
            // No blacklist key configured means no blacklist for this operation.
            loadedBlacklists.put(op, new AccessControlList(blacklistSpec));
            LOG.info("'{}' Blacklist '{}'", op, blacklistSpec);
        }
        LOG.info("'{}' ACL '{}'", op, aclSpec);
    }
    acls = loadedAcls;
    blacklistedAcls = loadedBlacklists;
}

Example 63 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

Class KMSACLs, method hasAccess.

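/**
 * Checks whether {@code ugi} may perform the KMS operation {@code type}.
 * <p>
 * The user must first be allowed by the operation's ACL. If so, access is
 * still denied when a blacklist is configured for the operation and the user
 * is in it; operations without a configured blacklist skip that second step.
 *
 * @param type KMS operation being authorized
 * @param ugi  UserGroupInformation of the caller
 * @return true if the user is allowed by the ACL and not blacklisted
 */
public boolean hasAccess(Type type, UserGroupInformation ugi) {
    final AccessControlList acl = acls.get(type);
    boolean access = acl.isUserAllowed(ugi);
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking user [{}] for: {} {} ", ugi.getShortUserName(), type, acl.getAclString());
    }
    if (access) {
        final AccessControlList blacklist = blacklistedAcls.get(type);
        // A blacklist match overrides the ACL; no configured blacklist means no override.
        access = (blacklist == null) || !blacklist.isUserInList(ugi);
        if (LOG.isDebugEnabled()) {
            if (blacklist == null) {
                LOG.debug("No blacklist for {}", type);
            } else if (access) {
                // access is still true here, i.e. the user was NOT found in the blacklist.
                LOG.debug("user is not in blacklist {}", blacklist.getAclString());
            } else {
                LOG.debug("user is in blacklist {}", blacklist.getAclString());
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("User: [{}], Type: {} Result: {}", ugi.getShortUserName(), type, access);
    }
    return access;
}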

Example 64 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

Class TestJobAclsManager, method testGroups.

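/**
 * With ACLs enabled, a caller who is neither the job owner nor named in the
 * VIEW_JOB ACL is still granted access when one of the caller's groups is
 * listed in {@code MRConfig.MR_ADMINS}.
 */
@Test
public void testGroups() {
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
    String user = "testuser2";
    String adminGroup = "adminGroup";
    // NOTE(review): the leading space looks deliberate (whitespace tolerance
    // in the admin list) — confirm against the MR_ADMINS parser.
    conf.set(MRConfig.MR_ADMINS, " " + adminGroup);
    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);
    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(user, new String[] { adminGroup });
    // ACLs are ON here: access must come from admin-group membership, not from the ACL.
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("user in admin group should have access", val);
}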

Example 65 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

Class TestJobAclsManager, method testAclsOff.

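/**
 * With ACLs disabled, a caller who is neither the job owner, nor in the
 * VIEW_JOB ACL, nor an admin is still granted access.
 */
@Test
public void testAclsOff() {
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, false);
    String noAdminUser = "testuser2";
    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);
    // No groups at all, so neither ACL nor admin membership can grant access.
    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(noAdminUser, new String[] {});
    // acls off so anyone should have access
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("acls off so anyone should have access", val);
}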
