Example 76 with AccessControlList
use of org.apache.hadoop.security.authorize.AccessControlList in project ranger by apache.
the class TestKMSACLs method testKeyAclReload.
@Test
public void testKeyAclReload() {
Configuration conf = new Configuration(false);
conf.set(DEFAULT_KEY_ACL_PREFIX + "READ", "read1");
conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
conf.set(DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "*");
conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "decrypt1");
conf.set(KEY_ACL + "testuser1.ALL", "testkey1");
conf.set(WHITELIST_KEY_ACL_PREFIX + "READ", "admin_read1");
conf.set(WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "");
conf.set(WHITELIST_KEY_ACL_PREFIX + "GENERATE_EEK", "*");
conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "admin_decrypt1");
final KMSACLs acls = new KMSACLs(conf);
// update config and hot-reload.
conf.set(DEFAULT_KEY_ACL_PREFIX + "READ", "read2");
conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "mgmt1,mgmt2");
conf.set(DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "");
conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "decrypt2");
conf.set(KEY_ACL + "testkey1.ALL", "testkey1,testkey2");
conf.set(WHITELIST_KEY_ACL_PREFIX + "READ", "admin_read2");
conf.set(WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "admin_mgmt,admin_mgmt1");
conf.set(WHITELIST_KEY_ACL_PREFIX + "GENERATE_EEK", "");
conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "admin_decrypt2");
acls.setKeyACLs(conf);
assertDefaultKeyAcl(acls, KeyOpType.READ, "read2");
assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT, "mgmt1", "mgmt2");
assertDefaultKeyAcl(acls, KeyOpType.GENERATE_EEK);
assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK, "decrypt2");
assertKeyAcl("testuser1", acls, KeyOpType.ALL, "testkey1");
assertWhitelistKeyAcl(acls, KeyOpType.READ, "admin_read2");
assertWhitelistKeyAcl(acls, KeyOpType.MANAGEMENT, "admin_mgmt", "admin_mgmt1");
assertWhitelistKeyAcl(acls, KeyOpType.GENERATE_EEK);
assertWhitelistKeyAcl(acls, KeyOpType.DECRYPT_EEK, "admin_decrypt2");
// reloading same config, nothing should change.
acls.setKeyACLs(conf);
assertDefaultKeyAcl(acls, KeyOpType.READ, "read2");
assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT, "mgmt1", "mgmt2");
assertDefaultKeyAcl(acls, KeyOpType.GENERATE_EEK);
assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK, "decrypt2");
assertKeyAcl("testuser1", acls, KeyOpType.ALL, "testkey1");
assertWhitelistKeyAcl(acls, KeyOpType.READ, "admin_read2");
assertWhitelistKeyAcl(acls, KeyOpType.MANAGEMENT, "admin_mgmt", "admin_mgmt1");
assertWhitelistKeyAcl(acls, KeyOpType.GENERATE_EEK);
assertWhitelistKeyAcl(acls, KeyOpType.DECRYPT_EEK, "admin_decrypt2");
// test wildcard.
conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");
acls.setKeyACLs(conf);
AccessControlList acl = acls.defaultKeyAcls.get(KeyOpType.DECRYPT_EEK);
Assert.assertTrue(acl.isAllAllowed());
Assert.assertTrue(acl.getUsers().isEmpty());
// everything else should still be the same.
assertDefaultKeyAcl(acls, KeyOpType.READ, "read2");
assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT, "mgmt1", "mgmt2");
assertDefaultKeyAcl(acls, KeyOpType.GENERATE_EEK);
assertKeyAcl("testuser1", acls, KeyOpType.ALL, "testkey1");
assertWhitelistKeyAcl(acls, KeyOpType.READ, "admin_read2");
assertWhitelistKeyAcl(acls, KeyOpType.MANAGEMENT, "admin_mgmt", "admin_mgmt1");
assertWhitelistKeyAcl(acls, KeyOpType.GENERATE_EEK);
assertWhitelistKeyAcl(acls, KeyOpType.DECRYPT_EEK, "admin_decrypt2");
// test new configuration should clear other items
conf = new Configuration();
conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "new");
acls.setKeyACLs(conf);
assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK, "new");
Assert.assertTrue(acls.keyAcls.isEmpty());
Assert.assertTrue(acls.whitelistKeyAcls.isEmpty());
Assert.assertEquals("Got unexpected sized acls:" + acls.defaultKeyAcls, 1, acls.defaultKeyAcls.size());
}
Also used :
AccessControlList(org.apache.hadoop.security.authorize.AccessControlList)
KMSConfiguration(org.apache.hadoop.crypto.key.kms.server.KMSConfiguration)
Configuration(org.apache.hadoop.conf.Configuration)
Test(org.junit.Test)
Example 77 with AccessControlList
use of org.apache.hadoop.security.authorize.AccessControlList in project ranger by apache.
the class TestKMSACLs method assertDefaultKeyAcl.
private void assertDefaultKeyAcl(final KMSACLs acls, final KeyOpType op, final String... names) {
final AccessControlList acl = acls.defaultKeyAcls.get(op);
assertAcl(acl, op, names);
}
Also used :
AccessControlList(org.apache.hadoop.security.authorize.AccessControlList)
Example 78 with AccessControlList
use of org.apache.hadoop.security.authorize.AccessControlList in project ranger by apache.
the class RangerYarnAuditHandler method isAllowedByYarnAcl.
public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
}
boolean ret = false;
for (Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> e : yarnAcl.entrySet()) {
PrivilegedEntity aclEntity = e.getKey();
Map<AccessType, AccessControlList> entityPermissions = e.getValue();
AccessControlList acl = entityPermissions == null ? null : entityPermissions.get(accessType);
if (acl != null && acl.isUserAllowed(ugi) && isSelfOrChildOf(entity, aclEntity)) {
ret = true;
break;
}
}
if (auditHandler != null) {
auditHandler.logYarnAclEvent(ret);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret);
}
return ret;
}
Also used :
AccessControlList(org.apache.hadoop.security.authorize.AccessControlList)
HashMap(java.util.HashMap)
Map(java.util.Map)
Aggregations
AccessControlList (org.apache.hadoop.security.authorize.AccessControlList)78
Configuration (org.apache.hadoop.conf.Configuration)24
HashMap (java.util.HashMap)22
Test (org.junit.Test)17
JobACL (org.apache.hadoop.mapreduce.JobACL)10
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)10
Map (java.util.Map)6
KeyOpType (org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType)6
URI (java.net.URI)5
ServletContext (javax.servlet.ServletContext)5
ApplicationClientProtocol (org.apache.hadoop.yarn.api.ApplicationClientProtocol)5
GetApplicationReportRequest (org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest)5
KillApplicationRequest (org.apache.hadoop.yarn.api.protocolrecords.KillApplicationRequest)5
ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)5
IOException (java.io.IOException)4
ArrayList (java.util.ArrayList)4
HttpServletRequest (javax.servlet.http.HttpServletRequest)4
HttpServletResponse (javax.servlet.http.HttpServletResponse)4
KMSConfiguration (org.apache.hadoop.crypto.key.kms.server.KMSConfiguration)4
ApplicationAccessType (org.apache.hadoop.yarn.api.records.ApplicationAccessType)4
