
Example 66 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestJobAclsManager method testClusterAdmins.

@Test
public void testClusterAdmins() {
    Map<JobACL, AccessControlList> tmpJobACLs = new HashMap<JobACL, AccessControlList>();
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
    conf.set(JobACL.MODIFY_JOB.getAclName(), jobOwner);
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
    String clusterAdmin = "testuser2";
    conf.set(MRConfig.MR_ADMINS, clusterAdmin);
    JobACLsManager aclsManager = new JobACLsManager(conf);
    tmpJobACLs = aclsManager.constructJobACLs(conf);
    final Map<JobACL, AccessControlList> jobACLs = tmpJobACLs;
    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(clusterAdmin, new String[] {});
    // cluster admin should have access
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("cluster admin should have view access", val);
    val = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner, jobACLs.get(JobACL.MODIFY_JOB));
    assertTrue("cluster admin should have modify access", val);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) Configuration(org.apache.hadoop.conf.Configuration) HashMap(java.util.HashMap) JobACL(org.apache.hadoop.mapreduce.JobACL) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 67 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class HSAdminServer method refreshAdminAcls.

@Override
public void refreshAdminAcls() throws IOException {
    UserGroupInformation user = checkAcls("refreshAdminAcls");
    Configuration conf = createConf();
    adminAcl = new AccessControlList(conf.get(JHAdminConfig.JHS_ADMIN_ACL, JHAdminConfig.DEFAULT_JHS_ADMIN_ACL));
    HSAuditLogger.logSuccess(user.getShortUserName(), "refreshAdminAcls", HISTORY_ADMIN_SERVER);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) Configuration(org.apache.hadoop.conf.Configuration) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 68 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class ApplicationACLsManager method checkAccess.

/**
 * If authorization is enabled, checks whether the user (in the callerUGI) is
 * authorized to perform the access specified by 'applicationAccessType' on
 * the application by checking if the user is applicationOwner or part of
 * application ACL for the specific access-type.
 * <ul>
 * <li>The owner of the application can have all access-types on the
 * application</li>
 * <li>For all other users/groups application-acls are checked</li>
 * </ul>
 *
 * @param callerUGI the user making the request
 * @param applicationAccessType the type of access being requested
 * @param applicationOwner the user who owns the application
 * @param applicationId the application being accessed
 * @return true if ACLs are disabled, or if the caller is an admin, the
 *         application owner, or allowed by the application ACL; false otherwise
 */
public boolean checkAccess(UserGroupInformation callerUGI, ApplicationAccessType applicationAccessType, String applicationOwner, ApplicationId applicationId) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Verifying access-type " + applicationAccessType + " for " + callerUGI + " on application " + applicationId + " owned by " + applicationOwner);
    }
    String user = callerUGI.getShortUserName();
    if (!areACLsEnabled()) {
        return true;
    }
    AccessControlList applicationACL = DEFAULT_YARN_APP_ACL;
    Map<ApplicationAccessType, AccessControlList> acls = this.applicationACLS.get(applicationId);
    if (acls == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ACL not found for application " + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
        }
    } else {
        AccessControlList applicationACLInMap = acls.get(applicationAccessType);
        if (applicationACLInMap != null) {
            applicationACL = applicationACLInMap;
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("ACL not found for access-type " + applicationAccessType + " for application " + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
        }
    }
    // Allow admins, the application owner, and users in the application ACL
    if (this.adminAclsManager.isAdmin(callerUGI) || user.equals(applicationOwner) || applicationACL.isUserAllowed(callerUGI)) {
        return true;
    }
    return false;
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType)

Example 69 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hive by apache.

the class HttpServer method userHasAdministratorAccess.

/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) {
    AccessControlList adminsAcl = (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
    UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser);
    return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 70 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hbase by apache.

the class TestHttpServer method testRequiresAuthorizationAccess.

@Test
public void testRequiresAuthorizationAccess() throws Exception {
    Configuration conf = new Configuration();
    ServletContext context = Mockito.mock(ServletContext.class);
    Mockito.when(context.getAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE)).thenReturn(conf);
    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    // requires admin access to instrumentation, FALSE by default
    Assert.assertTrue(HttpServer.isInstrumentationAccessAllowed(context, request, response));
    // requires admin access to instrumentation, TRUE
    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN, true);
    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
    AccessControlList acls = Mockito.mock(AccessControlList.class);
    Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
    Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls);
    Assert.assertFalse(HttpServer.isInstrumentationAccessAllowed(context, request, response));
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) Configuration(org.apache.hadoop.conf.Configuration) ServletContext(javax.servlet.ServletContext) HttpServletResponse(javax.servlet.http.HttpServletResponse) Test(org.junit.Test)
