Use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache: class TestApplicationACLs, method verifyEnemyAccess.
/**
 * Submits an application whose view ACL names only {@code FRIENDLY_GROUP} and
 * whose modify ACL names only {@code FRIEND}, then drives the RM client as
 * {@code ENEMY}: fetching the report and listing applications must succeed
 * (each report is checked by {@code verifyEnemyAppReport}), while killing the
 * application must be refused with a MODIFY_APP error. The application is
 * finally killed through the privileged {@code rmClient}.
 *
 * @throws Exception on any failure while talking to the RM
 */
private void verifyEnemyAccess() throws Exception {
  // ACLs that deliberately leave the enemy user out.
  AccessControlList viewACL = new AccessControlList("");
  viewACL.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyACL = new AccessControlList("");
  modifyACL.addUser(FRIEND);

  ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(applicationId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(applicationId);

  ApplicationClientProtocol enemyRmClient = getRMClientForUser(ENEMY);

  // A single report fetched as the enemy.
  ApplicationReport appReport =
      enemyRmClient.getApplicationReport(reportRequest).getApplicationReport();
  verifyEnemyAppReport(appReport);

  // The application list as seen by the enemy.
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  List<ApplicationReport> appReports =
      enemyRmClient.getApplications(listRequest).getApplicationList();
  Assert.assertEquals("App view by enemy should list the apps!!", 4, appReports.size());
  for (ApplicationReport listed : appReports) {
    verifyEnemyAppReport(listed);
  }

  // Killing as the enemy must be rejected by the modify ACL.
  boolean killRejected = false;
  try {
    enemyRmClient.forceKillApplication(killRequest);
  } catch (YarnException e) {
    killRejected = true;
    LOG.info("Got exception while killing app as the enemy", e);
    Assert.assertTrue(e.getMessage().contains(
        "User enemy cannot perform operation MODIFY_APP on " + applicationId));
  }
  if (!killRejected) {
    Assert.fail("App killing by the enemy should fail!!");
  }

  // Clean up with the privileged client.
  rmClient.forceKillApplication(killRequest);
}
Use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache: class AppPriorityACLConfigurationParser, method getPriorityAcl.
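/**
 * Parses the priority ACL configuration string into a list of
 * {@link AppPriorityACLGroup}s.
 * <p>
 * Each ACL group is delimited by {@code []} and looks like
 * {@code user=b1,b2 group=g1 max-priority=a2 default-priority=a1}: the named
 * users/groups may submit with at most priority {@code a2}, and get
 * {@code a1} when they do not specify one. A {@code max-priority} above
 * {@code clusterMaxPriority} is clamped down to it, so no ACL entry can grant
 * more than the cluster-wide ceiling. Tokens without a {@code key=value}
 * shape are skipped rather than rejected.
 *
 * @param clusterMaxPriority cluster-wide maximum priority; upper bound for
 *        every group's max-priority
 * @param aclString raw configuration value to parse
 * @return the parsed groups in configuration order; empty when nothing parses
 */
public List<AppPriorityACLGroup> getPriorityAcl(Priority clusterMaxPriority, String aclString) {
  List<AppPriorityACLGroup> aclList = new ArrayList<AppPriorityACLGroup>();
  Matcher matcher = Pattern.compile(PATTERN_FOR_PRIORITY_ACL).matcher(aclString);
  while (matcher.find()) {
    // Group 1 of the pattern is the text of one "[...]" ACL group.
    String aclSubGroup = matcher.group(1).trim();
    if (aclSubGroup.isEmpty()) {
      continue;
    }
    // One parsed group; looked up by user/group at app submission time.
    AppPriorityACLGroup userPriorityACL = new AppPriorityACLGroup();
    // Interim storage for the user and group values, which arrive as separate
    // key=value pairs and are merged into one AccessControlList below.
    List<StringBuilder> userAndGroupName = new ArrayList<>();
    for (String kvPair : aclSubGroup.split(" +")) {
      // Possible keys: user/group, max-priority, default-priority.
      String[] splits = kvPair.split("=");
      // String.split never returns null; only "key=value" tokens are used.
      if (splits.length > 1) {
        parsePriorityACLType(userPriorityACL, splits, userAndGroupName);
      }
    }
    // Clamp max-priority so a queue ACL cannot exceed the cluster limit.
    // NOTE(review): default-priority is not bounded here — confirm it is
    // checked against max-priority elsewhere.
    if (userPriorityACL.getMaxPriority().getPriority() > clusterMaxPriority.getPriority()) {
      LOG.warn("ACL configuration for '" + userPriorityACL.getMaxPriority()
          + "' is greater than cluster max priority. Resetting ACLs to " + clusterMaxPriority);
      userPriorityACL.setMaxPriority(Priority.newInstance(clusterMaxPriority.getPriority()));
    }
    AccessControlList acl = createACLStringForPriority(userAndGroupName);
    userPriorityACL.setACLList(acl);
    aclList.add(userPriorityACL);
  }
  return aclList;
}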
Use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache: class QueueConfigurationParser, method createHierarchy.
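/**
 * Builds the {@link Queue} tree rooted at {@code queueNode}, recursing into
 * nested {@code <queue>} elements.
 * <p>
 * The queue's fully qualified name is {@code parent + NAME_SEPARATOR + name}
 * (just {@code name} for a top-level queue). Submit/administer ACL tags are
 * read only when ACLs are enabled; either way both ACL keys end up in the
 * queue's ACL map, defaulting to an ACL built from a blank string, which
 * names no users or groups.
 *
 * @param parent fully qualified name of the parent queue, or {@code ""} for a
 *        top-level queue
 * @param queueNode the {@code <queue>} element to build; may be {@code null}
 * @return the built queue with its children attached, or {@code null} when
 *         {@code queueNode} is {@code null}
 * @throws RuntimeException when the queue name is missing, blank or contains
 *         {@code NAME_SEPARATOR}
 */
private Queue createHierarchy(String parent, Element queueNode) {
  if (queueNode == null) {
    return null;
  }
  // Fully qualified name, filled in once the name tag is seen.
  String name = "";
  Queue newQueue = new Queue();
  Map<String, AccessControlList> acls = new HashMap<String, AccessControlList>();
  NodeList fields = queueNode.getChildNodes();
  validate(queueNode);
  List<Element> subQueues = new ArrayList<Element>();
  // Property keys for the two ACLs. They derive from the qualified name, so an
  // ACL tag that precedes the name tag is stored under the empty key.
  String submitKey = "";
  String adminKey = "";
  for (int j = 0; j < fields.getLength(); j++) {
    Node fieldNode = fields.item(j);
    if (!(fieldNode instanceof Element)) {
      continue;
    }
    Element field = (Element) fieldNode;
    String tag = field.getTagName();
    if (QUEUE_NAME_TAG.equals(tag)) {
      String nameValue = field.getTextContent();
      // Reject names that are absent, blank, or would read as a queue path.
      if (nameValue == null || nameValue.trim().isEmpty() || nameValue.contains(NAME_SEPARATOR)) {
        throw new RuntimeException("Improper queue name : " + nameValue);
      }
      // Qualified name is parent.child; top-level queues carry no prefix.
      if (!parent.isEmpty()) {
        name += parent + NAME_SEPARATOR;
      }
      name += nameValue;
      newQueue.setName(name);
      submitKey = toFullPropertyName(name, QueueACL.SUBMIT_JOB.getAclName());
      adminKey = toFullPropertyName(name, QueueACL.ADMINISTER_JOBS.getAclName());
    }
    if (QUEUE_TAG.equals(tag) && field.hasChildNodes()) {
      subQueues.add(field);
    }
    // ACL tags are ignored when ACLs are disabled; the defaults below apply.
    if (isAclsEnabled()) {
      if (ACL_SUBMIT_JOB_TAG.equals(tag)) {
        acls.put(submitKey, new AccessControlList(field.getTextContent()));
      }
      if (ACL_ADMINISTER_JOB_TAG.equals(tag)) {
        acls.put(adminKey, new AccessControlList(field.getTextContent()));
      }
    }
    if (PROPERTIES_TAG.equals(tag)) {
      newQueue.setProperties(populateProperties(field));
    }
    if (STATE_TAG.equals(tag)) {
      newQueue.setState(QueueState.getState(field.getTextContent()));
    }
  }
  // Always record both ACLs so later lookups never miss; a blank ACL string
  // names no users or groups.
  if (!acls.containsKey(submitKey)) {
    acls.put(submitKey, new AccessControlList(" "));
  }
  if (!acls.containsKey(adminKey)) {
    acls.put(adminKey, new AccessControlList(" "));
  }
  newQueue.setAcls(acls);
  for (Element child : subQueues) {
    newQueue.addChild(createHierarchy(newQueue.getName(), child));
  }
  return newQueue;
}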
Use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache: class QueueManager, method dumpConfiguration.
/**
 * Depth-first dump of every queue in {@code rootQueues}, and recursively of
 * its children, as JSON objects written to {@code dumpGenerator}.
 * <p>
 * Each object carries {@code name}, {@code state}, {@code acl_submit_job},
 * {@code acl_administer_jobs}, a {@code properties} array of key/value
 * objects and a {@code children} array. A missing ACL is written as a single
 * blank.
 *
 * @param dumpGenerator JsonGenerator that receives the dump and flushes it to
 *        a writer object
 * @param rootQueues the queues to dump at this level
 * @throws JsonGenerationException if the generator rejects the output
 * @throws IOException if writing fails
 */
private static void dumpConfiguration(JsonGenerator dumpGenerator, Set<Queue> rootQueues) throws JsonGenerationException, IOException {
  for (Queue queue : rootQueues) {
    dumpGenerator.writeStartObject();
    String queueName = queue.getName();
    dumpGenerator.writeStringField("name", queueName);
    dumpGenerator.writeStringField("state", queue.getState().toString());

    // ACLs are looked up under their full property names; the map may be absent.
    AccessControlList submitAcl = null;
    AccessControlList adminAcl = null;
    if (queue.getAcls() != null) {
      submitAcl = queue.getAcls().get(
          toFullPropertyName(queueName, QueueACL.SUBMIT_JOB.getAclName()));
      adminAcl = queue.getAcls().get(
          toFullPropertyName(queueName, QueueACL.ADMINISTER_JOBS.getAclName()));
    }
    dumpGenerator.writeStringField("acl_submit_job", aclStringOrBlank(submitAcl));
    dumpGenerator.writeStringField("acl_administer_jobs", aclStringOrBlank(adminAcl));

    dumpGenerator.writeFieldName("properties");
    dumpGenerator.writeStartArray();
    if (queue.getProperties() != null) {
      for (Map.Entry<Object, Object> property : queue.getProperties().entrySet()) {
        dumpGenerator.writeStartObject();
        dumpGenerator.writeStringField("key", (String) property.getKey());
        dumpGenerator.writeStringField("value", (String) property.getValue());
        dumpGenerator.writeEndObject();
      }
    }
    dumpGenerator.writeEndArray();

    // Children are emitted by recursing into this same method.
    dumpGenerator.writeFieldName("children");
    dumpGenerator.writeStartArray();
    Set<Queue> childQueues = queue.getChildren();
    if (childQueues != null && !childQueues.isEmpty()) {
      dumpConfiguration(dumpGenerator, childQueues);
    }
    dumpGenerator.writeEndArray();
    dumpGenerator.writeEndObject();
  }
}

/** Returns the ACL string of {@code acl}, or a single blank when there is no ACL. */
private static String aclStringOrBlank(AccessControlList acl) {
  return acl == null ? " " : acl.getAclString();
}
Use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache: class QueueManager, method hasAccess.
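/**
 * Return true if the given user is part of the ACL for the given
 * {@link QueueACL} name for the given queue.
 * <p>
 * An operation is allowed if all users are provided access for this
 * operation, or if either the user or any of the groups specified is
 * provided access.
 * <p>
 * The check fails closed: an unknown queue, a queue that has children, a
 * missing ACL map or a missing ACL entry all yield {@code false}. When ACLs
 * are disabled the lists are not consulted and any operation on a leaf queue
 * is allowed.
 *
 * @param queueName Queue on which the operation needs to be performed.
 * @param qACL The queue ACL name to be checked
 * @param ugi The user and groups who wish to perform the operation.
 * @return true if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(String queueName, QueueACL qACL, UserGroupInformation ugi) {
  Queue q = leafQueues.get(queueName);
  if (q == null) {
    LOG.info("Queue " + queueName + " is not present");
    return false;
  }
  // Only leaf queues accept operations.
  Set<Queue> children = q.getChildren();
  if (children != null && !children.isEmpty()) {
    LOG.info("Cannot submit job to parent queue " + q.getName());
    return false;
  }
  // With ACLs disabled the lists are never consulted.
  if (!areAclsEnabled()) {
    return true;
  }
  String aclKey = toFullPropertyName(queueName, qACL.getAclName());
  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking access for the acl " + aclKey + " for user " + ugi.getShortUserName());
  }
  // The ACL map is treated as optional elsewhere in this class (see
  // dumpConfiguration); deny rather than throw when it is absent.
  if (q.getAcls() == null) {
    return false;
  }
  AccessControlList acl = q.getAcls().get(aclKey);
  if (acl == null) {
    return false;
  }
  // Check if user (or any of its groups) is part of the ACL.
  return acl.isUserAllowed(ugi);
}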