
Example 1 with MachineList

use of org.apache.hadoop.util.MachineList in project hadoop by apache.

the class DefaultImpersonationProvider method authorize.

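/**
 * Authorizes an impersonation request.
 *
 * <p>If {@code user} carries no real user it is not a proxied call and is
 * accepted without further checks. Otherwise the real (super-)user must both
 * be permitted to impersonate {@code user} by the users/groups ACL loaded in
 * {@link #init} and be connecting from a host on its configured proxy-host
 * list.
 *
 * @param user the (possibly proxied) user to authorize; must not be null
 * @param remoteAddress address of the connecting client, checked against the
 *        real user's proxy-host list
 * @throws AuthorizationException if the impersonation or the source host is
 *         not permitted
 * @throws IllegalArgumentException if {@code user} is null
 */
@Override
public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException {
    if (user == null) {
        throw new IllegalArgumentException("user is null.");
    }
    UserGroupInformation realUser = user.getRealUser();
    if (realUser == null) {
        // Not an impersonation: nothing to check.
        return;
    }
    String superUser = realUser.getShortUserName();
    // Who may this super-user impersonate? (ACL keyed by prefix + short name)
    AccessControlList acl = proxyUserAcl.get(configPrefix + superUser);
    if (acl == null || !acl.isUserAllowed(user)) {
        throw new AuthorizationException("User: " + realUser.getUserName() + " is not allowed to impersonate " + user.getUserName());
    }
    // From which hosts may this super-user impersonate? The local is named
    // allowedHosts rather than MachineList so it does not shadow the type.
    MachineList allowedHosts = proxyHosts.get(getProxySuperuserIpConfKey(superUser));
    if (allowedHosts == null || !allowedHosts.includes(remoteAddress)) {
        throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress);
    }
}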

Example 2 with MachineList

use of org.apache.hadoop.util.MachineList in project hadoop by apache.

the class DefaultImpersonationProvider method init.

/**
 * Loads the proxy-user configuration found under {@code configurationPrefix}.
 *
 * <p>Every key of the form {@code <prefix>[ANY].users} or
 * {@code <prefix>[ANY].groups} contributes to one {@link AccessControlList}
 * per super-user (stored under the key returned by {@code getAclKey}), and
 * every {@code <prefix>[ANY].hosts} key becomes a {@link MachineList} stored
 * under the full configuration key.
 *
 * @param configurationPrefix configuration prefix, with or without a trailing dot
 */
@Override
public void init(String configurationPrefix) {
    boolean hasTrailingDot = configurationPrefix.endsWith(".");
    configPrefix = hasTrailingDot ? configurationPrefix : configurationPrefix + ".";
    // Dots in the prefix must be literal inside the regexes below.
    String literalPrefix = configPrefix.replace(".", "\\.");
    // Matches  <prefix>[ANY].users  and  <prefix>[ANY].groups
    String usersGroupsRegEx = literalPrefix + "[^.]*(" + Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";
    // Matches  <prefix>[ANY].hosts
    String hostsRegEx = literalPrefix + "[^.]*" + Pattern.quote(CONF_HOSTS);

    // Users/groups: one ACL per super-user, built from both keys at once,
    // so a second key for the same super-user is skipped.
    Map<String, String> userGroupKeys = conf.getValByRegex(usersGroupsRegEx);
    for (String key : userGroupKeys.keySet()) {
        String aclKey = getAclKey(key);
        if (proxyUserAcl.containsKey(aclKey)) {
            continue;
        }
        String users = userGroupKeys.get(aclKey + CONF_USERS);
        String groups = userGroupKeys.get(aclKey + CONF_GROUPS);
        proxyUserAcl.put(aclKey, new AccessControlList(users, groups));
    }

    // Hosts: one MachineList per matching key.
    Map<String, String> hostKeys = conf.getValByRegex(hostsRegEx);
    for (Entry<String, String> hostEntry : hostKeys.entrySet()) {
        proxyHosts.put(hostEntry.getKey(), new MachineList(hostEntry.getValue()));
    }
}

Example 3 with MachineList

use of org.apache.hadoop.util.MachineList in project hadoop by apache.

the class ServiceAuthorizationManager method authorize.

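/**
 * Authorize the user to access the protocol being used.
 *
 * <p>Checks are applied in order: the protocol must be known (registered by
 * {@link #refreshWithLoadedConfiguration}); when a Kerberos client principal
 * is configured for the protocol, the caller's user name must equal it; the
 * caller must pass the protocol's allow ACL and not match its blocked ACL;
 * finally the client address, when given, must pass the protocol's allow host
 * list and not match its blocked host list. Every denial is audit-logged
 * before the exception is thrown.
 *
 * @param user user accessing the service
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client; may be null, in which case the host
 *        checks are skipped
 * @throws AuthorizationException on authorization failure
 */
public void authorize(UserGroupInformation user, Class<?> protocol, Configuration conf, InetAddress addr) throws AuthorizationException {
    AccessControlList[] acls = protocolToAcls.get(protocol);
    MachineList[] hosts = protocolToMachineLists.get(protocol);
    if (acls == null || hosts == null) {
        throw new AuthorizationException("Protocol " + protocol + " is not known.");
    }
    // get client principal key to verify (if available)
    KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
    String clientPrincipal = null;
    if (krbInfo != null) {
        String clientKey = krbInfo.clientPrincipal();
        if (clientKey != null && !clientKey.isEmpty()) {
            try {
                clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
            } catch (IOException e) {
                // Failure to resolve the expected principal is a denial, not a bypass.
                throw (AuthorizationException) new AuthorizationException("Can't figure out Kerberos principal name for connection from " + addr + " for user=" + user + " protocol=" + protocol).initCause(e);
            }
        }
    }
    // Principal match (when configured), then allow ACL, then blocked ACL.
    // acls is stored as {allow, blocked}; any other shape is malformed and denied.
    if ((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
        String cause = clientPrincipal != null ? ": this service is only accessible by " + clientPrincipal : ": denied by configured ACL";
        AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + cause);
        throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol + cause);
    }
    if (addr != null) {
        String hostAddress = addr.getHostAddress();
        // hosts is stored as {allow, blocked}, mirroring acls.
        if (hosts.length != 2 || !hosts[0].includes(hostAddress) || hosts[1].includes(hostAddress)) {
            // Include the user so the audit trail records who was refused from this host.
            AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + " from host = " + hostAddress);
            throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + protocol);
        }
    }
    AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol=" + protocol);
}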

Example 4 with MachineList

use of org.apache.hadoop.util.MachineList in project hadoop by apache.

the class ServiceAuthorizationManager method refreshWithLoadedConfiguration.

/**
 * Rebuilds the per-protocol ACL and host-list tables from {@code conf}.
 *
 * <p>For each service published by {@code provider}, an allow/blocked pair of
 * {@link AccessControlList}s and an allow/blocked pair of {@link MachineList}s
 * is read from the configuration, falling back to the configured defaults.
 * The new tables replace the old ones only once parsing has completed.
 *
 * @param conf configuration to read the policy from
 * @param provider supplies the services (and their protocols) to authorize
 */
@Private
public void refreshWithLoadedConfiguration(Configuration conf, PolicyProvider provider) {
    // Defaults applied to any service without an explicit entry.
    String defaultAcl = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, AccessControlList.WILDCARD_ACL_VALUE);
    String defaultBlockedAcl = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, "");
    String defaultServiceHostsKey = getHostKey(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL);
    String defaultMachineList = conf.get(defaultServiceHostsKey, MachineList.WILDCARD_VALUE);
    String defaultBlockedMachineList = conf.get(defaultServiceHostsKey + BLOCKED, "");

    final Map<Class<?>, AccessControlList[]> newAcls = new IdentityHashMap<Class<?>, AccessControlList[]>();
    final Map<Class<?>, MachineList[]> newMachineLists = new IdentityHashMap<Class<?>, MachineList[]>();
    Service[] services = provider.getServices();
    if (services != null) {
        for (Service service : services) {
            String serviceKey = service.getServiceKey();
            Class<?> protocol = service.getProtocol();
            // Both tables hold {allow, blocked} pairs in that order.
            AccessControlList allowAcl = new AccessControlList(conf.get(serviceKey, defaultAcl));
            AccessControlList blockedAcl = new AccessControlList(conf.get(serviceKey + BLOCKED, defaultBlockedAcl));
            newAcls.put(protocol, new AccessControlList[] { allowAcl, blockedAcl });
            String serviceHostsKey = getHostKey(serviceKey);
            MachineList allowHosts = new MachineList(conf.get(serviceHostsKey, defaultMachineList));
            MachineList blockedHosts = new MachineList(conf.get(serviceHostsKey + BLOCKED, defaultBlockedMachineList));
            newMachineLists.put(protocol, new MachineList[] { allowHosts, blockedHosts });
        }
    }
    // Publish the freshly parsed tables.
    protocolToAcls = newAcls;
    protocolToMachineLists = newMachineLists;
}
