use of org.apache.hadoop.util.MachineList in project hadoop by apache.
the class DefaultImpersonationProvider method authorize.
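/**
 * Authorizes a (possibly proxied) user to act from the given remote address.
 * <p>
 * A user with no real user is not being impersonated and is accepted as-is.
 * For a proxied user both checks must pass, and both fail closed: a proxying
 * superuser with no configured ACL, or no configured host list, is denied.
 *
 * @param user the effective user; when it carries a real user, that real user
 *             is the superuser attempting the impersonation
 * @param remoteAddress the address the connection came from, matched against
 *                      the superuser's configured host list
 * @throws IllegalArgumentException if {@code user} is {@code null}
 * @throws AuthorizationException if the real user may not impersonate
 *                                {@code user}, or may not do so from
 *                                {@code remoteAddress}
 */
@Override
public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException {
  if (user == null) {
    throw new IllegalArgumentException("user is null.");
  }
  // No real user means nobody is being impersonated; nothing to authorize.
  UserGroupInformation realUser = user.getRealUser();
  if (realUser == null) {
    return;
  }
  // Users/groups check: a missing ACL for the superuser denies everyone.
  AccessControlList acl = proxyUserAcl.get(configPrefix + realUser.getShortUserName());
  if (acl == null || !acl.isUserAllowed(user)) {
    throw new AuthorizationException("User: " + realUser.getUserName() + " is not allowed to impersonate " + user.getUserName());
  }
  // Hosts check: a missing host list for the superuser denies every address.
  // (Local renamed from "MachineList", which shadowed the type's own name.)
  MachineList allowedHosts = proxyHosts.get(getProxySuperuserIpConfKey(realUser.getShortUserName()));
  if (allowedHosts == null || !allowedHosts.includes(remoteAddress)) {
    throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress);
  }
}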
use of org.apache.hadoop.util.MachineList in project hadoop by apache.
the class DefaultImpersonationProvider method init.
/**
 * Loads the proxy-user ACLs and host lists found under the given prefix.
 * <p>
 * Every key of the form {@code <prefix>.<superuser>.users} / {@code .groups}
 * contributes to one {@link AccessControlList} per superuser, and every
 * {@code <prefix>.<superuser>.hosts} key yields one {@link MachineList},
 * stored under the full configuration key.
 *
 * @param configurationPrefix configuration key prefix; a trailing '.' is
 *                            appended when absent
 */
@Override
public void init(String configurationPrefix) {
  // Normalise the prefix so it always ends with exactly one '.'.
  configPrefix = configurationPrefix.endsWith(".") ? configurationPrefix : configurationPrefix + ".";
  // Keys of interest (prefix dots escaped so they match literally):
  //   $configPrefix.[ANY].users
  //   $configPrefix.[ANY].groups
  //   $configPrefix.[ANY].hosts
  String escapedPrefix = configPrefix.replace(".", "\\.");
  String usersOrGroups = "(" + Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";
  String usersGroupsRegEx = escapedPrefix + "[^.]*" + usersOrGroups;
  String hostsRegEx = escapedPrefix + "[^.]*" + Pattern.quote(CONF_HOSTS);

  // One ACL per superuser, assembled from that superuser's users and groups values.
  Map<String, String> usersAndGroups = conf.getValByRegex(usersGroupsRegEx);
  for (String matchedKey : usersAndGroups.keySet()) {
    String aclKey = getAclKey(matchedKey);
    if (proxyUserAcl.containsKey(aclKey)) {
      continue; // already built when this superuser's other key was seen
    }
    String users = usersAndGroups.get(aclKey + CONF_USERS);
    String groups = usersAndGroups.get(aclKey + CONF_GROUPS);
    proxyUserAcl.put(aclKey, new AccessControlList(users, groups));
  }

  // One host list per superuser, keyed by the full ".hosts" configuration key.
  for (Entry<String, String> hostsEntry : conf.getValByRegex(hostsRegEx).entrySet()) {
    proxyHosts.put(hostsEntry.getKey(), new MachineList(hostsEntry.getValue()));
  }
}
use of org.apache.hadoop.util.MachineList in project hadoop by apache.
the class ServiceAuthorizationManager method authorize.
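/**
 * Authorize the user to access the protocol being used.
 * <p>
 * Checks, in order: the Kerberos client principal (when the protocol declares
 * one), the protocol's allow and block user ACLs, and - when {@code addr} is
 * known - the protocol's allow and block host lists. Every denial is written to
 * {@code AUDITLOG} before the exception is thrown.
 *
 * @param user user accessing the service
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client; {@code null} skips the host checks
 * @throws AuthorizationException on authorization failure, including an
 *         unknown protocol or a client principal that cannot be resolved
 */
public void authorize(UserGroupInformation user, Class<?> protocol, Configuration conf, InetAddress addr) throws AuthorizationException {
  AccessControlList[] acls = protocolToAcls.get(protocol);
  MachineList[] hosts = protocolToMachineLists.get(protocol);
  if (acls == null || hosts == null) {
    throw new AuthorizationException("Protocol " + protocol + " is not known.");
  }
  String clientPrincipal = resolveClientPrincipal(user, protocol, conf, addr);
  // acls[0] is the allow list and acls[1] the block list; both must be present.
  if ((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
      || acls.length != 2
      || !acls[0].isUserAllowed(user)
      || acls[1].isUserAllowed(user)) {
    String cause = clientPrincipal != null
        ? ": this service is only accessible by " + clientPrincipal
        : ": denied by configured ACL";
    AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + cause);
    throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol + cause);
  }
  if (addr != null) {
    String hostAddress = addr.getHostAddress();
    // hosts[0] is the allow list and hosts[1] the block list; both must be present.
    if (hosts.length != 2 || !hosts[0].includes(hostAddress) || hosts[1].includes(hostAddress)) {
      // Name the user here as well so a host denial in the audit log is attributable,
      // matching the user-denial record above.
      AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + " from host = " + hostAddress);
      throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + protocol);
    }
  }
  AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol=" + protocol);
}

/**
 * Resolves the Kerberos principal the protocol expects its clients to present.
 *
 * @param user the connecting user, used only for the error message
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr client address, passed through to principal resolution
 * @return the expected client principal, or {@code null} when the protocol
 *         declares no client principal key or the key is unset
 * @throws AuthorizationException if the principal name cannot be determined
 */
private static String resolveClientPrincipal(UserGroupInformation user, Class<?> protocol, Configuration conf, InetAddress addr) throws AuthorizationException {
  KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
  if (krbInfo == null) {
    return null;
  }
  String clientKey = krbInfo.clientPrincipal();
  if (clientKey == null || clientKey.isEmpty()) {
    return null;
  }
  try {
    return SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
  } catch (IOException e) {
    // initCause keeps the original failure attached; the cast restores the declared type.
    throw (AuthorizationException) new AuthorizationException("Can't figure out Kerberos principal name for connection from " + addr + " for user=" + user + " protocol=" + protocol).initCause(e);
  }
}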
use of org.apache.hadoop.util.MachineList in project hadoop by apache.
the class ServiceAuthorizationManager method refreshWithLoadedConfiguration.
/**
 * Rebuilds the per-protocol user ACLs and host lists from an already loaded
 * configuration and then swaps them in.
 * <p>
 * Each service gets an allow/block pair for users and an allow/block pair for
 * hosts. Services with no keys of their own fall back to the configured
 * defaults, and the built-in defaults are the wildcard ACL and the wildcard
 * host list with empty block lists - i.e. allow-all unless configured otherwise.
 *
 * @param conf configuration to read the ACL and host keys from
 * @param provider supplies the services to build entries for; a {@code null}
 *                 service array leaves the tables empty
 */
@Private
public void refreshWithLoadedConfiguration(Configuration conf, PolicyProvider provider) {
  final String defaultAcl = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, AccessControlList.WILDCARD_ACL_VALUE);
  final String defaultBlockedAcl = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, "");
  final String defaultHostsKey = getHostKey(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL);
  final String defaultHosts = conf.get(defaultHostsKey, MachineList.WILDCARD_VALUE);
  final String defaultBlockedHosts = conf.get(defaultHostsKey + BLOCKED, "");

  // Identity maps: protocols are looked up by Class object, not by equals().
  final Map<Class<?>, AccessControlList[]> parsedAcls = new IdentityHashMap<Class<?>, AccessControlList[]>();
  final Map<Class<?>, MachineList[]> parsedHosts = new IdentityHashMap<Class<?>, MachineList[]>();
  final Service[] services = provider.getServices();
  if (services != null) {
    for (Service service : services) {
      final String serviceKey = service.getServiceKey();
      final String hostsKey = getHostKey(serviceKey);
      // Index 0 is the allow list, index 1 the block list, for both pairs.
      parsedAcls.put(service.getProtocol(), new AccessControlList[] {
          new AccessControlList(conf.get(serviceKey, defaultAcl)),
          new AccessControlList(conf.get(serviceKey + BLOCKED, defaultBlockedAcl)) });
      parsedHosts.put(service.getProtocol(), new MachineList[] {
          new MachineList(conf.get(hostsKey, defaultHosts)),
          new MachineList(conf.get(hostsKey + BLOCKED, defaultBlockedHosts)) });
    }
  }
  // Publish the fully built tables only once both are complete, so a concurrent
  // reader never sees a half-populated map. NOTE(review): whether readers are
  // guaranteed to observe the new references promptly depends on the fields'
  // declarations, which are outside this snippet - confirm.
  protocolToAcls = parsedAcls;
  protocolToMachineLists = parsedHosts;
}