/** * Creates {@link ChannelAuthenticator} instance. * * @param subject javax subject to use for authentication * @param conf Alluxio configuration */ public ChannelAuthenticator(Subject subject, AlluxioConfiguration conf) { mUseSubject = true; mChannelId = UUID.randomUUID(); mParentSubject = subject; mAuthType = conf.getEnum(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.class); mSecurityEnabled = SecurityUtils.isSecurityEnabled(conf); mGrpcAuthTimeoutMs = conf.getMs(PropertyKey.MASTER_GRPC_CHANNEL_AUTH_TIMEOUT); }
/** * Creates context with given option data. * * @param optionsBuilder the options builder */ protected CreatePathContext(T optionsBuilder) { super(optionsBuilder); mMountPoint = false; mOperationTimeMs = System.currentTimeMillis(); mAcl = Collections.emptyList(); mMetadataLoad = false; mGroup = ""; mOwner = ""; if (SecurityUtils.isAuthenticationEnabled(ServerConfiguration.global())) { mOwner = SecurityUtils.getOwnerFromGrpcClient(ServerConfiguration.global()); mGroup = SecurityUtils.getGroupFromGrpcClient(ServerConfiguration.global()); } // Initialize mPersisted based on proto write type. WritePType writeType = WritePType.NONE; if (optionsBuilder instanceof CreateFilePOptions.Builder) { writeType = ((CreateFilePOptions.Builder) optionsBuilder).getWriteType(); } else if (optionsBuilder instanceof CreateDirectoryPOptions.Builder) { writeType = ((CreateDirectoryPOptions.Builder) optionsBuilder).getWriteType(); } mPersisted = WriteType.fromProto(writeType).isThrough(); }
private CreateUfsFileOptions(AlluxioConfiguration alluxioConf) { mOwner = SecurityUtils.getOwnerFromLoginModule(alluxioConf); mGroup = SecurityUtils.getGroupFromLoginModule(alluxioConf); mMode = ModeUtils.applyFileUMask(Mode.defaults(), alluxioConf .get(PropertyKey.SECURITY_AUTHORIZATION_PERMISSION_UMASK)); // TODO(chaomin): set permission based on the alluxio file. Not needed for now since the // file is always created with default permission. } }
/** * Checks if security is enabled. * * @param conf Alluxio configuration * @return true if security is enabled, false otherwise */ public static boolean isSecurityEnabled(AlluxioConfiguration conf) { return isAuthenticationEnabled(conf) && isAuthorizationEnabled(conf); }
try (JournalContext context = createJournalContext()) { mInodeTree.initializeRoot( SecurityUtils.getOwnerFromLoginModule(ServerConfiguration.global()), SecurityUtils.getGroupFromLoginModule(ServerConfiguration.global()), ModeUtils.applyDirectoryUMask(Mode.createFullAccess(), ServerConfiguration.get(PropertyKey.SECURITY_AUTHORIZATION_PERMISSION_UMASK)), String serverOwner = SecurityUtils.getOwnerFromLoginModule(ServerConfiguration.global()); if (SecurityUtils.isSecurityEnabled(ServerConfiguration.global()) && !root.getOwner().isEmpty() && !root.getOwner().equals(serverOwner)) {
private AlluxioURI createTestFile() throws Exception { AlluxioURI path = new AlluxioURI("/" + CommonUtils.randomAlphaNumString(10)); String owner = SecurityUtils.getOwnerFromGrpcClient(ServerConfiguration.global()); String group = SecurityUtils.getGroupFromGrpcClient(ServerConfiguration.global()); mFileSystemMaster.createFile(path, CreateFileContext .defaults( CreateFilePOptions.newBuilder().setMode(Mode.createFullAccess().toProto())) .setOwner(owner).setGroup(group)); mFileSystemMaster.completeFile(path, CompleteFileContext.defaults()); return path; }
/** * Gets the {@link User} from the {@link ThreadLocal} variable. * * @param conf Alluxio configuration * @return the client user, null if the user is not present */ // TODO(peis): Fail early if the user is not able to be set to avoid returning null. public static User get(AlluxioConfiguration conf) throws IOException { if (!SecurityUtils.isAuthenticationEnabled(conf)) { throw new IOException(ExceptionMessage.AUTHENTICATION_IS_NOT_ENABLED.getMessage()); } return sUserThreadLocal.get(); }
/** * Constructs an instance of {@link CreateFileOptions} from {@link CreateFileTOptions}. The option * of permission is constructed with the username obtained from thrift transport. * * @param options the {@link CreateFileTOptions} to use */ public CreateFileOptions(CreateFileTOptions options) { this(); if (options != null) { if (options.isSetCommonOptions()) { mCommonOptions = new CommonOptions(options.getCommonOptions()); } mBlockSizeBytes = options.getBlockSizeBytes(); mPersisted = options.isPersisted(); mRecursive = options.isRecursive(); mTtl = options.getTtl(); mTtlAction = TtlAction.fromThrift(options.getTtlAction()); if (SecurityUtils.isAuthenticationEnabled()) { mOwner = SecurityUtils.getOwnerFromThriftClient(); mGroup = SecurityUtils.getGroupFromThriftClient(); } if (options.isSetMode()) { mMode = new Mode(options.getMode()); } else { mMode.applyFileUMask(); } } }
/** * Tests the {@link SecurityUtils#getOwnerFromGrpcClient()} ()} method. */ @Test public void getOwnerFromGrpcClient() throws Exception { // When security is not enabled, user and group are not set mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.NOSASL.getAuthName()); Assert.assertEquals("", SecurityUtils.getOwnerFromGrpcClient(mConfiguration)); mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.SIMPLE.getAuthName()); mConfiguration.set(PropertyKey.SECURITY_GROUP_MAPPING_CLASS, IdentityUserGroupsMapping.class.getName()); AuthenticatedClientUser.set("test_client_user"); Assert.assertEquals("test_client_user", SecurityUtils.getOwnerFromGrpcClient(mConfiguration)); }
/** * Tests the {@link SecurityUtils#getGroupFromGrpcClient()} ()} method. */ @Test public void getGroupFromGrpcClient() throws Exception { // When security is not enabled, user and group are not set mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.NOSASL.getAuthName()); Assert.assertEquals("", SecurityUtils.getGroupFromGrpcClient(mConfiguration)); mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.SIMPLE.getAuthName()); mConfiguration.set(PropertyKey.SECURITY_GROUP_MAPPING_CLASS, IdentityUserGroupsMapping.class.getName()); AuthenticatedClientUser.set("test_client_user"); Assert.assertEquals("test_client_user", SecurityUtils.getGroupFromGrpcClient(mConfiguration)); }
/** * Tests the {@link SecurityUtils#getOwnerFromLoginModule()} method. */ @Test public void getOwnerFromLoginModule() throws Exception { // When security is not enabled, user and group are not set mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.NOSASL.getAuthName()); Assert.assertEquals("", SecurityUtils.getOwnerFromLoginModule(mConfiguration)); // When authentication is enabled, user and group are inferred from login module mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.SIMPLE.getAuthName()); mConfiguration.set(PropertyKey.SECURITY_LOGIN_USERNAME, "test_login_user"); mConfiguration.set(PropertyKey.SECURITY_GROUP_MAPPING_CLASS, IdentityUserGroupsMapping.class.getName()); Assert.assertEquals("test_login_user", SecurityUtils.getOwnerFromLoginModule(mConfiguration)); }
/** * Tests the {@link SecurityUtils#getGroupFromLoginModule()} method. */ @Test public void getGroupFromLoginModuleError() throws Exception { // When security is not enabled, user and group are not set mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.NOSASL.getAuthName()); Assert.assertEquals("", SecurityUtils.getGroupFromLoginModule(mConfiguration)); // When authentication is enabled, user and group are inferred from login module mConfiguration.set(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.SIMPLE.getAuthName()); mConfiguration.set(PropertyKey.SECURITY_LOGIN_USERNAME, "test_login_user"); mConfiguration.set(PropertyKey.SECURITY_GROUP_MAPPING_CLASS, IdentityUserGroupsMapping.class.getName()); LoginUserTestUtils.resetLoginUser(); Assert.assertEquals("test_login_user", SecurityUtils.getGroupFromLoginModule(mConfiguration)); } }
if (root == null) { try (JournalContext context = createJournalContext()) { mInodeTree.initializeRoot(SecurityUtils.getOwnerFromLoginModule(), SecurityUtils.getGroupFromLoginModule(), Mode.createFullAccess().applyDirectoryUMask(), context); context.append(mInodeTree.getRoot().toJournalEntry()); String serverOwner = SecurityUtils.getOwnerFromLoginModule(); if (SecurityUtils.isSecurityEnabled() && !root.getOwner().isEmpty() && !root.getOwner().equals(serverOwner)) {
private void verifyCreateFile(TestUser user, String path, boolean recursive) throws Exception { try (Closeable r = new AuthenticatedUserRule(user.getUser(), ServerConfiguration.global()).toResource()) { CreateFileContext context = CreateFileContext .defaults( CreateFilePOptions.newBuilder().setRecursive(recursive)) .setOwner(SecurityUtils.getOwnerFromGrpcClient(ServerConfiguration.global())) .setGroup(SecurityUtils.getGroupFromGrpcClient(ServerConfiguration.global())) .setPersisted(true); long fileId = mFileSystemMaster.createFile(new AlluxioURI(path), context); FileInfo fileInfo = mFileSystemMaster.getFileInfo(fileId); String[] pathComponents = path.split("/"); assertEquals(pathComponents[pathComponents.length - 1], fileInfo.getName()); assertEquals(user.getUser(), fileInfo.getOwner()); } }
private GrpcServerBuilder(NettyServerBuilder nettyServerBuilder, AlluxioConfiguration conf) { mConfiguration = conf; mServices = new HashSet<>(); mNettyServerBuilder = nettyServerBuilder; if (SecurityUtils.isAuthenticationEnabled(conf)) { LoggerFactory.getLogger(GrpcServerBuilder.class).warn("Authentication ENABLED"); mAuthenticationServer = new DefaultAuthenticationServer(conf); addService(new GrpcService(mAuthenticationServer).disableAuthentication()); } }
/** * Constructs an instance of {@link CreateDirectoryOptions} from {@link CreateDirectoryTOptions}. * The option of permission is constructed with the username obtained from thrift * transport. * * @param options the {@link CreateDirectoryTOptions} to use */ public CreateDirectoryOptions(CreateDirectoryTOptions options) { this(); if (options != null) { if (options.isSetCommonOptions()) { mCommonOptions = new CommonOptions(options.getCommonOptions()); } mAllowExists = options.isAllowExists(); mPersisted = options.isPersisted(); mRecursive = options.isRecursive(); mTtl = options.getTtl(); mTtlAction = TtlAction.fromThrift(options.getTtlAction()); if (SecurityUtils.isAuthenticationEnabled()) { mOwner = SecurityUtils.getOwnerFromThriftClient(); mGroup = SecurityUtils.getGroupFromThriftClient(); } if (options.isSetMode()) { mMode = new Mode(options.getMode()); } else { mMode.applyDirectoryUMask(); } } }
/** * Checks if security is enabled. * * @return true if security is enabled, false otherwise */ public static boolean isSecurityEnabled() { return isAuthenticationEnabled() && isAuthorizationEnabled(); }
@Override public List<ServerInterceptor> getInterceptors() { if (!SecurityUtils.isSecurityEnabled(mConfiguration)) { return Collections.emptyList(); } List<ServerInterceptor> interceptorsList = new ArrayList<>(2); AuthType authType = mConfiguration.getEnum(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.class); checkSupported(authType); switch (authType) { case SIMPLE: case CUSTOM: interceptorsList.add(new AuthenticatedUserInjector(this)); break; default: throw new RuntimeException("Unsupported authentication type:" + authType); } return interceptorsList; }
private CompleteUfsFileOptions(AlluxioConfiguration alluxioConf) { mOwner = SecurityUtils.getOwnerFromLoginModule(alluxioConf); mGroup = SecurityUtils.getGroupFromLoginModule(alluxioConf); mMode = ModeUtils.applyFileUMask(Mode.defaults(), alluxioConf.get(PropertyKey.SECURITY_AUTHORIZATION_PERMISSION_UMASK)); // TODO(chaomin): set permission based on the alluxio file. Not needed for now since the // file is always created with default permission. } }
private void verifyCreateDirectory(TestUser user, String path, boolean recursive) throws Exception { try (Closeable r = new AuthenticatedUserRule(user.getUser(), ServerConfiguration.global()).toResource()) { CreateDirectoryContext context = CreateDirectoryContext .defaults(CreateDirectoryPOptions.newBuilder().setRecursive(recursive)) .setOwner(SecurityUtils.getOwnerFromGrpcClient(ServerConfiguration.global())) .setGroup(SecurityUtils.getGroupFromGrpcClient(ServerConfiguration.global())); mFileSystemMaster.createDirectory(new AlluxioURI(path), context); FileInfo fileInfo = mFileSystemMaster.getFileInfo(mFileSystemMaster.getFileId(new AlluxioURI(path))); String[] pathComponents = path.split("/"); assertEquals(pathComponents[pathComponents.length - 1], fileInfo.getName()); assertEquals(true, fileInfo.isFolder()); assertEquals(user.getUser(), fileInfo.getOwner()); } }