/**
 * Lazily initialises the {@code groupService} field.
 *
 * <p>The lookup through {@code Groups.getUserToGroupsMappingService(conf)} runs only while the
 * field is still {@code null}. Once it is set, later calls return immediately, so a different
 * {@code conf} passed on a later call has no effect on the field.
 *
 * <p>NOTE(review): no synchronisation is visible in this method; confirm callers are
 * single-threaded or that a duplicate lookup is harmless.
 *
 * @param conf configuration handed to the group-mapping service lookup
 */
private void initGroupService(Configuration conf) {
  if (groupService != null) {
    return;
  }
  groupService = Groups.getUserToGroupsMappingService(conf);
}
/**
 * Authorises an impersonation request by group membership.
 *
 * <p>The proxy user's allowed groups are read from {@code proxyUserGroups}. The request passes
 * when that entry is the {@code WILD_CARD} instance, or when {@code doAsUser} belongs to at
 * least one of the allowed groups. Every other outcome is a denial: no entry, an empty entry,
 * no overlapping group, or a failed group lookup (which is logged and then treated as
 * "not authorised", so the check fails closed).
 *
 * <p>NOTE(review): a new {@code Groups} object is built on every call. If {@code Groups} caches
 * lookups per instance, that cache is not reused between checks. Confirm this is intended.
 *
 * @param proxyUser the authenticated user asking to act on behalf of someone else
 * @param doAsUser the user to be impersonated
 * @throws NotAuthorizedException if the impersonation is not permitted
 */
private static void validateGroup(String proxyUser, String doAsUser)
    throws NotAuthorizedException {
  final Set<String> allowedGroups = proxyUserGroups.get(proxyUser);

  // Compared by reference: only the WILD_CARD instance itself grants blanket access.
  if (allowedGroups == WILD_CARD) {
    return;
  }

  boolean authorized = false;
  if (allowedGroups != null && !allowedGroups.isEmpty()) {
    Groups groupResolver = new Groups(Main.getAppConfigInstance());
    try {
      List<String> memberships = groupResolver.getGroups(doAsUser);
      for (String allowed : allowedGroups) {
        if (memberships.contains(allowed)) {
          authorized = true;
          break;
        }
      }
    } catch (IOException ex) {
      // thrown, for example, if there is no such user on the system
      LOG.warn(
          MessageFormat.format("Unable to get list of groups for doAsUser [{0}].", doAsUser),
          ex);
    }
  }

  if (!authorized) {
    throw new NotAuthorizedException(
        MessageFormat.format(
            "Unauthorized proxyuser [{0}] for doAsUser [{1}], not in proxyuser groups",
            proxyUser, doAsUser));
  }
}
/**
 * Add group to the names of groups allowed for this service.
 *
 * <p>A value that {@code isWildCardACLValue} recognises is rejected, so the wildcard cannot be
 * introduced through this method. When {@code isAllAllowed()} is already true the call does
 * nothing.
 *
 * @param group
 *          The group name
 * @throws IllegalArgumentException if {@code group} is the wildcard ACL value
 */
public void addGroup(String group) {
  if (isWildCardACLValue(group)) {
    throw new IllegalArgumentException("Group " + group + " can not be added");
  }
  if (isAllAllowed()) {
    return;
  }
  // Register the group with the mapping cache before recording it in the ACL itself.
  List<String> singleGroup = new LinkedList<String>();
  singleGroup.add(group);
  groupsMapping.cacheGroupsAdd(singleGroup);
  groups.add(group);
}
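/**
 * Get the group memberships of a given user.
 * If the user's group is not cached, this method may block.
 *
 * <p>Sources are consulted in this order: the static user-to-groups map (when one is set), the
 * negative cache (when enabled), then {@code cache}.
 *
 * @param user User's name
 * @return the group memberships of the user
 * @throws IOException if user does not exist, or if the cache lookup fails for any other reason
 */
public List<String> getGroups(final String user) throws IOException {
  // No need to lookup for groups of static users
  Map<String, List<String>> staticUserToGroupsMap = staticMapRef.get();
  if (staticUserToGroupsMap != null) {
    List<String> staticMapping = staticUserToGroupsMap.get(user);
    if (staticMapping != null) {
      return staticMapping;
    }
  }

  // Check the negative cache first
  if (isNegativeCacheEnabled() && negativeCache.contains(user)) {
    throw noGroupsForUser(user);
  }

  try {
    return cache.get(user);
  } catch (ExecutionException e) {
    Throwable cause = e.getCause();
    if (cause instanceof IOException) {
      throw (IOException) cause;
    }
    // A cause that is missing or not an IOException used to surface as a ClassCastException or
    // NullPointerException from the blind cast. Wrap it so callers that deny access on
    // IOException handle every lookup failure the same way.
    throw new IOException(e);
  }
}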
/**
 * Checks that a cached group lookup is fetched again after the fake clock has moved past the
 * configured cache lifetime.
 */
@Test
public void testCacheEntriesExpire() throws Exception {
  conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS, 1);
  final FakeTimer clock = new FakeTimer();
  final Groups groupsUnderTest = new Groups(conf, clock);
  groupsUnderTest.cacheGroupsAdd(Arrays.asList(myGroups));
  groupsUnderTest.refresh();
  FakeGroupMapping.clearBlackList();

  // We make an entry
  groupsUnderTest.getGroups("me");
  final int requestsBefore = FakeGroupMapping.getRequestCount();

  clock.advance(20 * 1000);

  // Cache entry has expired so it results in a new fetch
  groupsUnderTest.getGroups("me");
  final int requestsAfter = FakeGroupMapping.getRequestCount();
  assertEquals(requestsBefore + 1, requestsAfter);
}
/**
 * Refreshes the shared user-to-groups mapping service.
 *
 * <p>The requesting user's short name is written to the INFO log before the refresh, and an
 * audit event named {@code refreshUserToGroupsMappings} is recorded afterwards.
 *
 * <p>NOTE(review): no privilege check is visible in this method; confirm that the RPC layer or
 * a caller restricts who may trigger a refresh.
 *
 * @throws IOException declared by the protocol method
 */
@Override // RefreshAuthorizationPolicyProtocol
public void refreshUserToGroupsMappings() throws IOException {
  final String requester = getRemoteUser().getShortUserName();
  LOG.info("Refreshing all user-to-groups mappings. Requested by user: " + requester);

  Groups.getUserToGroupsMappingService().refresh();

  namesystem.logAuditEvent(true, "refreshUserToGroupsMappings", null);
}
/**
 * Resolves the groups of {@code user}, preferring {@code userToGroupsMapping}.
 *
 * <p>Any non-null entry in the map wins, including an empty list. The underlying implementation
 * is consulted only when the map has no entry for the user.
 *
 * @param user the user name to resolve
 * @return the mapped groups, or the underlying implementation's answer
 * @throws IOException if the underlying implementation fails
 */
@Override
public List<String> getGroups(String user) throws IOException {
  final List<String> mapped = userToGroupsMapping.get(user);
  return mapped != null ? mapped : underlyingImplementation.getGroups(user);
}
/**
 * Get the groups being used to map user-to-groups.
 *
 * <p>The shared {@code GROUPS} instance is created on the first call only. {@code conf} is
 * ignored once an instance exists, so a later call with a different configuration still returns
 * the instance built from the first one.
 *
 * @param conf configuration used when the shared instance has to be created
 * @return the groups being used to map user-to-groups.
 */
public static synchronized Groups getUserToGroupsMappingService(Configuration conf) {
  if (GROUPS != null) {
    return GROUPS;
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug(" Creating new Groups object");
  }
  GROUPS = new Groups(conf);
  return GROUPS;
}
// Test setup fragment: build a Groups instance directly from the test configuration.
final Groups groups = new Groups(conf);
// Hand the known group names to the instance, then refresh it before the test body runs.
groups.cacheGroupsAdd(Arrays.asList(myGroups));
groups.refresh();
// Reset the fake mapping's blacklist and set its lookup delay to 100
// (milliseconds, going by the setter's name — confirm against FakeGroupMapping).
FakeGroupMapping.clearBlackList();
FakeGroupMapping.setGetGroupsDelayMs(100);
/**
 * Chooses between a fresh {@code Groups} instance and the shared mapping service.
 *
 * <p>The boolean setting {@code USE_NEW_GROUPS} (default {@code false}) decides: when true, a
 * new instance is built from {@code conf}; otherwise the shared service is returned.
 *
 * @param conf configuration to read the switch from and to pass on
 * @return a new or the shared {@code Groups} instance
 */
private static Groups getGroups(Configuration conf) {
  final boolean wantsFreshInstance = conf.getBoolean(USE_NEW_GROUPS, false);
  return wantsFreshInstance
      ? new Groups(conf)
      : Groups.getUserToGroupsMappingService(conf);
}
}
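/**
 * Returns the direct groups of a user as an XML {@code Groups} document.
 *
 * <p>NOTE(review): the {@code userId} path parameter is not part of this method's
 * {@code @Path}; presumably the class-level path declares it. Confirm.
 *
 * <p>NOTE(review): no authorisation check is visible here, so any caller that reaches this
 * endpoint can ask for any user's groups. Confirm that access is restricted elsewhere.
 *
 * @param userId identifier of the user whose direct groups are requested
 * @return a {@code Groups} container filled with the user's direct groups
 * @throws RuntimeException if the user service fails; the original exception is kept as cause
 */
@GET
@Produces(MediaType.TEXT_XML)
@Path("/directgroups")
public Groups getDirectGroupsForUser(@PathParam("userId") String userId) {
  try {
    Groups groups = new Groups();
    groups.getGroup().addAll(service.getDirectGroupsForUser(userId, null, true));
    return groups;
  } catch (UserServiceException e) {
    LOGGER.error(e);
    // Keep the cause so the stack trace survives the rethrow. Whether the message reaches the
    // HTTP client depends on exception mappers that are not shown here.
    throw new RuntimeException(e.getMessage(), e);
  }
}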
/**
 * Refresh all user-to-groups mappings.
 *
 * <p>A failure of the backend refresh is logged at WARN and not rethrown. The positive cache is
 * invalidated afterwards in either case, and the negative cache is cleared when it is enabled.
 */
public void refresh() {
  LOG.info("clearing userToGroupsMap cache");
  try {
    impl.cacheGroupsRefresh();
  } catch (IOException refreshFailure) {
    LOG.warn("Error refreshing groups cache", refreshFailure);
  }

  cache.invalidateAll();

  final boolean negativeCacheInUse = isNegativeCacheEnabled();
  if (negativeCacheInUse) {
    negativeCache.clear();
  }
}
/**
 * Checks that a cached group lookup is fetched again after the fake clock has moved past the
 * configured cache lifetime.
 */
@Test
public void testCacheEntriesExpire() throws Exception {
  conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS, 1);
  final FakeTimer clock = new FakeTimer();
  final Groups groupsUnderTest = new Groups(conf, clock);
  groupsUnderTest.cacheGroupsAdd(Arrays.asList(myGroups));
  groupsUnderTest.refresh();
  FakeGroupMapping.clearBlackList();

  // We make an entry
  groupsUnderTest.getGroups("me");
  final int requestsBefore = FakeGroupMapping.getRequestCount();

  clock.advance(20 * 1000);

  // Cache entry has expired so it results in a new fetch
  groupsUnderTest.getGroups("me");
  final int requestsAfter = FakeGroupMapping.getRequestCount();
  assertEquals(requestsBefore + 1, requestsAfter);
}
/**
 * Refreshes the shared user-to-groups mapping service.
 *
 * <p>The current user's short name is written to the INFO log first. That log line is the only
 * record of who triggered the refresh that is visible in this method.
 *
 * <p>NOTE(review): no privilege check is visible in this method; confirm that a caller or the
 * RPC layer restricts who may trigger a refresh.
 *
 * @throws IOException if the current user cannot be determined
 */
@Override
public void refreshUserToGroupsMappings() throws IOException {
  final String requester = UserGroupInformation.getCurrentUser().getShortUserName();
  LOG.info("Refreshing all user-to-groups mappings. Requested by user: " + requester);

  Groups.getUserToGroupsMappingService().refresh();
}
/**
 * Resolves the groups of {@code user}, preferring {@code userToGroupsMapping}.
 *
 * <p>Any non-null entry in the map wins, including an empty list. The underlying implementation
 * is consulted only when the map has no entry for the user.
 *
 * @param user the user name to resolve
 * @return the mapped groups, or the underlying implementation's answer
 * @throws IOException if the underlying implementation fails
 */
@Override
public List<String> getGroups(String user) throws IOException {
  final List<String> mapped = userToGroupsMapping.get(user);
  return mapped != null ? mapped : underlyingImplementation.getGroups(user);
}
/**
 * Create new groups used to map user-to-groups with loaded configuration.
 *
 * <p>This always builds a new instance and overwrites the shared {@code GROUPS} reference, so
 * whatever the previous instance had cached is no longer reachable through the shared
 * reference.
 *
 * @param conf configuration the new instance is built from
 * @return the groups being used to map user-to-groups.
 */
@Private
public static synchronized Groups getUserToGroupsMappingServiceWithLoadedConfiguration(
    Configuration conf) {
  final Groups rebuilt = new Groups(conf);
  GROUPS = rebuilt;
  return rebuilt;
}
}
// Test setup fragment: build a Groups instance directly from the test configuration.
final Groups groups = new Groups(conf);
// Hand the known group names to the instance, then refresh it before the test body runs.
groups.cacheGroupsAdd(Arrays.asList(myGroups));
groups.refresh();
// Reset the fake mapping's blacklist and set its lookup delay to 100
// (milliseconds, going by the setter's name — confirm against FakeGroupMapping).
FakeGroupMapping.clearBlackList();
FakeGroupMapping.setGetGroupsDelayMs(100);
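/**
 * Get the group memberships of a given user.
 * If the user's group is not cached, this method may block.
 *
 * <p>Sources are consulted in this order: the static user-to-groups map, the negative cache
 * (when enabled), then {@code cache}.
 *
 * @param user User's name
 * @return the group memberships of the user
 * @throws IOException if user does not exist, or if the cache lookup fails for any other reason
 */
public List<String> getGroups(final String user) throws IOException {
  // No need to lookup for groups of static users
  List<String> staticMapping = staticUserToGroupsMap.get(user);
  if (staticMapping != null) {
    return staticMapping;
  }

  // Check the negative cache first
  if (isNegativeCacheEnabled() && negativeCache.contains(user)) {
    throw noGroupsForUser(user);
  }

  try {
    return cache.get(user);
  } catch (ExecutionException e) {
    Throwable cause = e.getCause();
    if (cause instanceof IOException) {
      throw (IOException) cause;
    }
    // A cause that is missing or not an IOException used to surface as a ClassCastException or
    // NullPointerException from the blind cast. Wrap it so callers that deny access on
    // IOException handle every lookup failure the same way.
    throw new IOException(e);
  }
}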
/**
 * Refresh all user-to-groups mappings.
 *
 * <p>A failure of the backend refresh is logged at WARN and not rethrown. The positive cache is
 * invalidated afterwards in either case, and the negative cache is cleared when it is enabled.
 */
public void refresh() {
  LOG.info("clearing userToGroupsMap cache");
  try {
    impl.cacheGroupsRefresh();
  } catch (IOException refreshFailure) {
    LOG.warn("Error refreshing groups cache", refreshFailure);
  }

  cache.invalidateAll();

  final boolean negativeCacheInUse = isNegativeCacheEnabled();
  if (negativeCacheInUse) {
    negativeCache.clear();
  }
}
/**
 * Exercises positive caching with the negative cache switched off: a cached user keeps
 * resolving after being blacklisted in the fake mapping, while a failed lookup is retried
 * once the blacklist is cleared.
 */
@Test
public void testGroupsCaching() throws Exception {
  // Disable negative cache.
  conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 0);
  final Groups groupsUnderTest = new Groups(conf);
  groupsUnderTest.cacheGroupsAdd(Arrays.asList(myGroups));
  groupsUnderTest.refresh();
  FakeGroupMapping.clearBlackList();
  FakeGroupMapping.addToBlackList("user1");

  // regular entry
  assertTrue(groupsUnderTest.getGroups("me").size() == 2);

  // this must be cached. blacklisting should have no effect.
  FakeGroupMapping.addToBlackList("me");
  assertTrue(groupsUnderTest.getGroups("me").size() == 2);

  // ask for a negative entry
  try {
    LOG.error("We are not supposed to get here."
        + groupsUnderTest.getGroups("user1").toString());
    fail();
  } catch (IOException lookupFailure) {
    final boolean expectedFailure = lookupFailure.getMessage().startsWith("No groups found");
    if (!expectedFailure) {
      LOG.error("Got unexpected exception: " + lookupFailure.getMessage());
      fail();
    }
  }

  // this shouldn't be cached. remove from the black list and retry.
  FakeGroupMapping.clearBlackList();
  assertTrue(groupsUnderTest.getGroups("user1").size() == 2);
}