
Example 36 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hbase by apache.

the class HttpServer method userHasAdministratorAccess.

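/**
 * Checks whether the given user is listed in the admin ACL that is stored in
 * the ServletContext under the {@code ADMINS_ACL} attribute.
 *
 * <p>The check fails closed: it returns {@code false} when no ACL attribute
 * is set, and also when {@code remoteUser} is null or empty (for example an
 * unauthenticated request), instead of letting an exception escape.
 *
 * <p>NOTE(review): {@code remoteUser} is used as given; callers are expected
 * to pass the name established by the server's authentication layer rather
 * than a client-supplied value. Confirm at each call site.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for; may be null or empty.
 * @return true if the user is present in the ACL, false if no ACL is set,
 *         no user name was supplied, or the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) {
    AccessControlList adminsAcl = (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
    if (adminsAcl == null) {
        // No admin ACL configured: nobody is treated as an administrator.
        return false;
    }
    // UserGroupInformation.createRemoteUser rejects a null or empty name with
    // an IllegalArgumentException; deny access here instead of propagating it.
    if (remoteUser == null || remoteUser.isEmpty()) {
        return false;
    }
    UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser);
    return adminsAcl.isUserAllowed(remoteUserUGI);
}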
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 37 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TimelineACLsManager method putDomainIntoCache.

/**
 * Builds the view/modify ACLs for a timeline domain, wraps them together with
 * the domain owner, and stores the result in {@code aclExts} keyed by the
 * domain id.
 *
 * <p>An entry already cached under the same domain id is replaced.
 *
 * <p>NOTE(review): the reader and writer lists are taken from the domain
 * as-is. AccessControlList treats a list of "*" as "everyone"; confirm that
 * whatever creates or updates the domain validates these values.
 *
 * @param domain the timeline domain whose readers, writers, owner and id are read
 * @return the ACL holder that was placed in the cache
 */
private AccessControlListExt putDomainIntoCache(TimelineDomain domain) {
    Map<ApplicationAccessType, AccessControlList> aclsByAccessType =
        new HashMap<ApplicationAccessType, AccessControlList>(2);

    // Readers map to VIEW_APP.
    AccessControlList viewAcl = new AccessControlList(StringHelper.cjoin(domain.getReaders()));
    aclsByAccessType.put(ApplicationAccessType.VIEW_APP, viewAcl);

    // Writers map to MODIFY_APP.
    AccessControlList modifyAcl = new AccessControlList(StringHelper.cjoin(domain.getWriters()));
    aclsByAccessType.put(ApplicationAccessType.MODIFY_APP, modifyAcl);

    AccessControlListExt cached = new AccessControlListExt(domain.getOwner(), aclsByAccessType);
    aclExts.put(domain.getId(), cached);
    return cached;
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) HashMap(java.util.HashMap) ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType)

Example 38 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class DockerLinuxContainerRuntime method initialize.

/**
 * Loads the Docker runtime settings from the given configuration: the Docker
 * client, the set of allowed container networks, the default network, and the
 * ACL that governs privileged containers.
 *
 * <p>The default network must be one of the allowed networks. If it is not,
 * initialization is aborted before the privileged-containers ACL is assigned.
 *
 * @param conf the configuration to read the Docker settings from
 * @throws ContainerExecutionException if the default network is not in the
 *         set of allowed networks
 */
@Override
public void initialize(Configuration conf) throws ContainerExecutionException {
    this.conf = conf;
    dockerClient = new DockerClient(conf);

    // Rebuild the allow-list from scratch so a re-initialization does not
    // keep networks from an earlier configuration.
    String[] configuredNetworks = conf.getTrimmedStrings(
        YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_NETWORKS,
        YarnConfiguration.DEFAULT_NM_DOCKER_ALLOWED_CONTAINER_NETWORKS);
    allowedNetworks.clear();
    allowedNetworks.addAll(Arrays.asList(configuredNetworks));

    defaultNetwork = conf.getTrimmed(
        YarnConfiguration.NM_DOCKER_DEFAULT_CONTAINER_NETWORK,
        YarnConfiguration.DEFAULT_NM_DOCKER_DEFAULT_CONTAINER_NETWORK);

    boolean defaultIsAllowed = allowedNetworks.contains(defaultNetwork);
    if (!defaultIsAllowed) {
        // Refuse to start with a default that the allow-list would reject.
        String message = "Default network: " + defaultNetwork
            + " is not in the set of allowed networks: " + allowedNetworks;
        if (LOG.isWarnEnabled()) {
            LOG.warn(message + ". Please check configuration");
        }
        throw new ContainerExecutionException(message);
    }

    // Users permitted to request privileged containers; the configured value
    // is handed to AccessControlList unchanged apart from trimming.
    String privilegedAclSpec = conf.getTrimmed(
        YarnConfiguration.NM_DOCKER_PRIVILEGED_CONTAINERS_ACL,
        YarnConfiguration.DEFAULT_NM_DOCKER_PRIVILEGED_CONTAINERS_ACL);
    privilegedContainersAcl = new AccessControlList(privilegedAclSpec);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) ContainerExecutionException(org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException) DockerClient(org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerClient)

Example 39 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class AdminService method getAdminAclList.

/**
 * Builds the admin ACL from {@code YarnConfiguration.YARN_ADMIN_ACL} (falling
 * back to {@code YarnConfiguration.DEFAULT_YARN_ADMIN_ACL}) and adds the
 * daemon user to it.
 *
 * <p>The daemon user is added unconditionally by its short user name, so it
 * is an administrator regardless of what the configured ACL contains.
 *
 * @param conf the configuration to read the admin ACL from
 * @return the admin ACL including the daemon user
 */
private AccessControlList getAdminAclList(Configuration conf) {
    String configuredAdmins =
        conf.get(YarnConfiguration.YARN_ADMIN_ACL, YarnConfiguration.DEFAULT_YARN_ADMIN_ACL);
    AccessControlList adminAcl = new AccessControlList(configuredAdmins);

    String daemonShortName = daemonUser.getShortUserName();
    adminAcl.addUser(daemonShortName);
    return adminAcl;
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList)

Example 40 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestGetImageServlet method testIsValidRequestor.

/**
 * Verifies who ImageServlet.isValidRequestor accepts in an HA setup with two
 * NameNodes: the other NameNode's principal and a user allowed by the admin
 * ACL are accepted, any other user is rejected.
 *
 * <p>NOTE(review): KerberosName.setRules is a static call and this test does
 * not restore the previous rules; presumably the setting outlives the test.
 */
@Test
public void testIsValidRequestor() throws IOException {
    final String nameservice = "ns1";
    final String nnPrincipalPattern = "hdfs/_HOST@TEST-REALM.COM";
    final String nn2Principal = "hdfs/host2@TEST-REALM.COM";

    Configuration conf = new HdfsConfiguration();
    // The admin matcher below compares short user names, which are derived
    // from the principal using these rules.
    KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");

    // Generic HA settings: one nameservice with two NameNodes.
    conf.set(DFSConfigKeys.DFS_NAMESERVICES, nameservice);
    conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_HA_NAMENODES_KEY_PREFIX, nameservice),
        "nn1,nn2");

    // NN1: RPC address and Kerberos principal.
    conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_RPC_ADDRESS_KEY, nameservice, "nn1"),
        "host1:1234");
    conf.set(
        DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, nameservice, "nn1"),
        nnPrincipalPattern);

    // NN2: RPC address and Kerberos principal.
    conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_RPC_ADDRESS_KEY, nameservice, "nn2"),
        "host2:1234");
    conf.set(
        DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, nameservice, "nn2"),
        nnPrincipalPattern);

    // Behave as if this process were NN1.
    NameNode.initializeGenericKeys(conf, nameservice, "nn1");

    // Admin ACL that initially allows nobody, exposed through the servlet context.
    AccessControlList adminAcl = Mockito.mock(AccessControlList.class);
    Mockito.when(adminAcl.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
    ServletContext servletContext = Mockito.mock(ServletContext.class);
    Mockito.when(servletContext.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(adminAcl);

    // With an empty admin ACL, NN2 is still a valid fsimage/edits requestor.
    assertTrue(ImageServlet.isValidRequestor(servletContext, nn2Principal, conf));

    // Now let the ACL allow the user whose short name is "atm".
    ArgumentMatcher<UserGroupInformation> isAtm = new ArgumentMatcher<UserGroupInformation>() {

        @Override
        public boolean matches(Object argument) {
            UserGroupInformation candidate = (UserGroupInformation) argument;
            return candidate.getShortUserName().equals("atm");
        }
    };
    Mockito.when(adminAcl.isUserAllowed(Mockito.argThat(isAtm))).thenReturn(true);

    // NN2 remains valid after the ACL change.
    assertTrue(ImageServlet.isValidRequestor(servletContext, nn2Principal, conf));
    // A user allowed by the admin ACL is accepted.
    assertTrue(ImageServlet.isValidRequestor(servletContext, "atm@TEST-REALM.COM", conf));
    // A user who is neither a NameNode nor allowed by the ACL is rejected.
    assertFalse(ImageServlet.isValidRequestor(servletContext, "todd@TEST-REALM.COM", conf));
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) HdfsConfiguration(org.apache.hadoop.hdfs.HdfsConfiguration) Configuration(org.apache.hadoop.conf.Configuration) ArgumentMatcher(org.mockito.ArgumentMatcher) ServletContext(javax.servlet.ServletContext) HdfsConfiguration(org.apache.hadoop.hdfs.HdfsConfiguration) Test(org.junit.Test)
