
Example 71 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hbase by apache.

From class TestProxyUserSpnegoHttpServer, method setupServer.

/**
 * Starts a SimpleKdcServer, provisions keytabs for the test principals and the
 * HTTP service principal, and brings up the SPNEGO-protected test HTTP server
 * behind an admin ACL. The KDC, keytabs, server and base URL are published
 * through the class's static fields for the test methods.
 *
 * @throws Exception if the KDC, the keytabs or the HTTP server cannot be set up
 */
@BeforeClass
public static void setupServer() throws Exception {
    final Configuration conf = new Configuration();
    final HBaseCommonTestingUtil testUtil = new HBaseCommonTestingUtil(conf);
    final String httpPrincipal = "HTTP/" + KDC_SERVER_HOST;

    kdc = SimpleKdcServerUtil.getRunningSimpleKdcServer(
        new File(testUtil.getDataTestDir().toString()), HBaseCommonTestingUtil::randomFreePort);

    // Recreate the keytab directory from scratch for every run.
    final File keytabDir = new File(testUtil.getDataTestDir("keytabs").toString());
    if (keytabDir.exists()) {
        deleteRecursively(keytabDir);
    }
    keytabDir.mkdirs();

    // '/' in the service principal is not usable in a file name, hence the replace.
    infoServerKeytab = new File(keytabDir, httpPrincipal.replace('/', '_') + ".keytab");
    wheelKeytab = new File(keytabDir, WHEEL_PRINCIPAL + ".keytab");
    unprivilegedKeytab = new File(keytabDir, UNPRIVILEGED_PRINCIPAL + ".keytab");
    privilegedKeytab = new File(keytabDir, PRIVILEGED_PRINCIPAL + ".keytab");
    privileged2Keytab = new File(keytabDir, PRIVILEGED2_PRINCIPAL + ".keytab");

    // One principal per keytab; the service principal is created last.
    setupUser(kdc, wheelKeytab, WHEEL_PRINCIPAL);
    setupUser(kdc, unprivilegedKeytab, UNPRIVILEGED_PRINCIPAL);
    setupUser(kdc, privilegedKeytab, PRIVILEGED_PRINCIPAL);
    setupUser(kdc, privileged2Keytab, PRIVILEGED2_PRINCIPAL);
    setupUser(kdc, infoServerKeytab, httpPrincipal);

    buildSpnegoConfiguration(conf, httpPrincipal, infoServerKeytab);
    final AccessControlList adminAcl = buildAdminAcl(conf);
    server = createTestServerWithSecurityAndAcl(conf, adminAcl);
    server.addPrivilegedServlet("echo", "/echo", EchoServlet.class);
    server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*");
    server.start();

    baseUrl = getServerURL(server);
    LOG.info("HTTP server started: " + baseUrl);
}

Example 72 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hbase by apache.

From class TestLogLevel, method createServer.

/**
 * Builds and starts an {@link HttpServer} bound to an ephemeral localhost port
 * for the LogLevel servlet tests.
 *
 * @param protocol "http" or "https"
 * @param isSpnego whether to enable SPNEGO (Kerberos) authentication on the server
 * @return the started server
 * @throws Exception if the server cannot be built or started
 */
private HttpServer createServer(String protocol, boolean isSpnego) throws Exception {
    final URI endpoint = new URI(protocol + "://localhost:0");
    HttpServer.Builder serverBuilder = new HttpServer.Builder()
        .setName("..")
        .addEndpoint(endpoint)
        .setFindPort(true)
        .setConf(serverConf);

    if (isSpnego) {
        // Server-side Kerberos credentials. Because the server may fall back to
        // simple authentication, an ACL limited to "client" is what guarantees
        // that only a Kerberos/SPNEGO-authenticated caller is admitted.
        serverBuilder
            .setSecurityEnabled(true)
            .setUsernameConfKey(PRINCIPAL)
            .setKeytabConfKey(KEYTAB)
            .setACL(new AccessControlList("client"));
    }

    // HTTPS needs the keystore/truststore settings from the SSL configuration.
    if (protocol.equals(LogLevel.PROTOCOL_HTTPS)) {
        final String keyPassword = sslConf.get("ssl.server.keystore.keypassword");
        final String keyStoreLocation = sslConf.get("ssl.server.keystore.location");
        final String keyStorePassword = sslConf.get("ssl.server.keystore.password");
        final String keyStoreType = sslConf.get("ssl.server.keystore.type", "jks");
        final String trustStoreLocation = sslConf.get("ssl.server.truststore.location");
        final String trustStorePassword = sslConf.get("ssl.server.truststore.password");
        final String trustStoreType = sslConf.get("ssl.server.truststore.type", "jks");
        serverBuilder = serverBuilder
            .keyPassword(keyPassword)
            .keyStore(keyStoreLocation, keyStorePassword, keyStoreType)
            .trustStore(trustStoreLocation, trustStorePassword, trustStoreType);
    }

    final HttpServer httpServer = serverBuilder.build();
    httpServer.start();
    return httpServer;
}

Example 73 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project ranger by apache.

From class KMSACLs, method setKMSACLs.

/**
 * Rebuilds the per-operation ACL and blacklist maps from {@code conf}.
 * Every {@link Type} receives an ACL (falling back to {@code ACL_DEFAULT});
 * a blacklist is registered only for types whose blacklist key is set.
 *
 * @param conf configuration holding the ACL and blacklist keys
 */
private void setKMSACLs(Configuration conf) {
    final Map<Type, AccessControlList> newAcls = new HashMap<>();
    final Map<Type, AccessControlList> newBlacklists = new HashMap<>();
    for (Type aclType : Type.values()) {
        final String aclValue = conf.get(aclType.getAclConfigKey(), ACL_DEFAULT);
        newAcls.put(aclType, new AccessControlList(aclValue));

        // No default for blacklists: absent key means no blacklist for this type.
        final String blacklistValue = conf.get(aclType.getBlacklistConfigKey());
        if (blacklistValue != null) {
            newBlacklists.put(aclType, new AccessControlList(blacklistValue));
            LOG.info("'{}' Blacklist '{}'", aclType, blacklistValue);
        }
        LOG.info("'{}' ACL '{}'", aclType, aclValue);
    }
    // Publish complete maps rather than mutating the live ones in place.
    acls = newAcls;
    blacklistedAcls = newBlacklists;
}

Example 74 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project ranger by apache.

From class KMSACLs, method setKeyACLs.

/**
 * Loads the per-key ACLs ({@code key.acl.<KEY_NAME>.<OP_TYPE>} entries) and, for
 * every {@link KeyOpType}, the default and whitelist key ACLs from {@code conf},
 * then swaps the new maps into {@code keyAcls}, {@code defaultKeyAcls} and
 * {@code whitelistKeyAcls}. Entries whose key name cannot be split out or whose
 * operation is not a {@link KeyOpType} are logged and skipped.
 *
 * @param conf configuration to read the key ACL entries from
 */
@VisibleForTesting
void setKeyACLs(Configuration conf) {
    final Map<String, HashMap<KeyOpType, AccessControlList>> perKeyAcls = new HashMap<>();
    final Map<String, String> keyAclEntries = conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX);
    final int prefixLength = KMSConfiguration.KEY_ACL_PREFIX.length();

    for (Map.Entry<String, String> entry : keyAclEntries.entrySet()) {
        final String confKey = entry.getKey();
        // Expected shape is key.acl.<KEY_NAME>.<OP_TYPE>; the last '.' separates the op.
        final int opSeparator = confKey.lastIndexOf(".");
        if (prefixLength >= opSeparator) {
            LOG.warn("Invalid key name '{}'", confKey);
            continue;
        }
        final String keyName = confKey.substring(prefixLength, opSeparator);
        final String opName = confKey.substring(opSeparator + 1);

        final KeyOpType opType;
        try {
            opType = KeyOpType.valueOf(opName);
        } catch (IllegalArgumentException e) {
            LOG.warn("Invalid key Operation '{}'", opName);
            continue;
        }

        final String aclValue = entry.getValue();
        // Assumed single-threaded while loading; the finished map is published below.
        perKeyAcls.computeIfAbsent(keyName, name -> new HashMap<>())
            .put(opType, new AccessControlList(aclValue));
        LOG.info("KEY_NAME '{}' KEY_OP '{}' ACL '{}'", keyName, opType, aclValue);
    }
    keyAcls = perKeyAcls;

    final Map<KeyOpType, AccessControlList> newDefaults = new HashMap<>();
    final Map<KeyOpType, AccessControlList> newWhitelists = new HashMap<>();
    for (KeyOpType opType : KeyOpType.values()) {
        parseAclsWithPrefix(conf, KMSConfiguration.DEFAULT_KEY_ACL_PREFIX, opType, newDefaults);
        parseAclsWithPrefix(conf, KMSConfiguration.WHITELIST_KEY_ACL_PREFIX, opType, newWhitelists);
    }
    defaultKeyAcls = newDefaults;
    whitelistKeyAcls = newWhitelists;
}

Example 75 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project ranger by apache.

From class KMSACLs, method hasAccess.

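/**
 * Checks whether {@code ugi} may perform the KMS operation {@code type}: the user
 * must be allowed by the operation's ACL and, if a blacklist is configured for that
 * operation, must not appear in it.
 *
 * @param type KMS operation being authorized
 * @param ugi UserGroupInformation of the calling user
 * @param clientIp address of the caller; not consulted by this implementation
 * @return {@code true} if the user has access
 */
@Override
public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
    // Resolve the operation ACL once instead of looking it up twice.
    final AccessControlList acl = acls.get(type);
    boolean access = acl.isUserAllowed(ugi);
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking user [{}] for: {} {} ", ugi.getShortUserName(), type.toString(), acl.getAclString());
    }
    if (access) {
        // ACL membership is necessary but not sufficient: a configured blacklist
        // for the same operation can still deny the user.
        final AccessControlList blacklist = blacklistedAcls.get(type);
        access = (blacklist == null) || !blacklist.isUserInList(ugi);
        if (LOG.isDebugEnabled()) {
            if (blacklist == null) {
                LOG.debug("No blacklist for {}", type.toString());
            } else if (access) {
                LOG.debug("user is not in {}", blacklist.getAclString());
            } else {
                LOG.debug("user is in {}", blacklist.getAclString());
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("User: [{}], Type: {} Result: {}", ugi.getShortUserName(), type.toString(), access);
    }
    return access;
}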
