Refine search
public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress, HiveConf hiveConf) throws HiveSQLException { try { UserGroupInformation sessionUgi; if (UserGroupInformation.isSecurityEnabled()) { KerberosNameShim kerbName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser); sessionUgi = UserGroupInformation.createProxyUser( kerbName.getServiceName(), UserGroupInformation.getLoginUser()); } else { sessionUgi = UserGroupInformation.createRemoteUser(realUser); } if (!proxyUser.equalsIgnoreCase(realUser)) { ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf); ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, sessionUgi), ipAddress, hiveConf); } } catch (IOException e) { throw new HiveSQLException( "Failed to validate proxy privilege of " + realUser + " for " + proxyUser, "08S01", e); } } }
/** * Verify if the user is allowed to make DB notification related calls. * Only the superusers defined in the Hadoop proxy user settings have the permission. * * @param user the short user name * @param conf that contains the proxy user settings * @return if the user has the permission */ public static boolean checkUserHasHostProxyPrivileges(String user, Configuration conf, String ipAddress) { DefaultImpersonationProvider sip = ProxyUsers.getDefaultImpersonationProvider(); // Just need to initialize the ProxyUsers for the first time, given that the conf will not change on the fly if (sip == null) { ProxyUsers.refreshSuperUserGroupsConfiguration(conf); sip = ProxyUsers.getDefaultImpersonationProvider(); } Map<String, Collection<String>> proxyHosts = sip.getProxyHosts(); Collection<String> hostEntries = proxyHosts.get(sip.getProxySuperuserIpConfKey(user)); MachineList machineList = new MachineList(hostEntries); ipAddress = (ipAddress == null) ? StringUtils.EMPTY : ipAddress; return machineList.includes(ipAddress); }
/** * Refreshes configuration using the specified Proxy user prefix for * properties. * * @param conf configuration * @param proxyUserPrefix proxy user configuration prefix */ public static void refreshSuperUserGroupsConfiguration(Configuration conf, String proxyUserPrefix) { Preconditions.checkArgument(proxyUserPrefix != null && !proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty"); // sip is volatile. Any assignment to it as well as the object's state // will be visible to all the other threads. ImpersonationProvider ip = getInstance(conf); ip.init(proxyUserPrefix); sip = ip; ProxyServers.refresh(conf); }
public String getDelegationToken(final String owner, final String renewer, String remoteAddr) throws IOException, InterruptedException { /* * If the user asking the token is same as the 'owner' then don't do * any proxy authorization checks. For cases like oozie, where it gets * a delegation token for another user, we need to make sure oozie is * authorized to get a delegation token. */ // Do all checks on short names UserGroupInformation currUser = UserGroupInformation.getCurrentUser(); UserGroupInformation ownerUgi = UserGroupInformation.createRemoteUser(owner); if (!ownerUgi.getShortUserName().equals(currUser.getShortUserName())) { // in the case of proxy users, the getCurrentUser will return the // real user (for e.g. oozie) due to the doAs that happened just before the // server started executing the method getDelegationToken in the MetaStore ownerUgi = UserGroupInformation.createProxyUser(owner, UserGroupInformation.getCurrentUser()); ProxyUsers.authorize(ownerUgi, remoteAddr, null); } //if impersonation is turned on this called using the HiveSessionImplWithUGI //using sessionProxy. so the currentUser will be the impersonated user here eg. oozie //we cannot create a proxy user which represents Oozie's client user here since //we cannot authenticate it using Kerberos/Digest. We trust the user which opened //session using Kerberos in this case. //if impersonation is turned off, the current user is Hive which can open //kerberos connections to HMS if required. return secretManager.getDelegationToken(owner, renewer); }
.getAclString().trim(); Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," + UserGroupInformation.getCurrentUser().getShortUserName()); ProxyUsers.refreshSuperUserGroupsConfiguration(configuration); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").contains("test_groups")); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").contains("test_hosts")); List<String> groupAfter = Groups.getUserToGroupsMappingService(configuration).getGroups( UserGroupInformation.getCurrentUser().getUserName()); Assert.assertTrue(groupAfter.contains("test_group_D") && groupAfter.contains("test_group_E")
final String remoteUser; if (UserGroupInformation.isSecurityEnabled()) { remoteUser = request.getRemoteUser(); final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME); checkUsername(ugi.getShortUserName(), usernameFromQuery); checkUsername(ugi.getShortUserName(), doAsUserFromQuery); } else if (remoteUser == null) { throw new IOException( ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi); ProxyUsers.authorize(ugi, getRemoteAddr(request));
conf.set("hadoop.proxyuser." + Utils.getUGI().getShortUserName() + ".hosts", "*"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@Test public void testNoHostsForUsers() throws Exception { Configuration conf = new Configuration(false); conf.set("y." + REAL_USER_NAME + ".users", StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y"); UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // IP doesn't matter assertNotAuthorized(proxyUserUgi, "1.2.3.4"); }
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser()); ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi); ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } catch(AuthorizationException e) { throw new ServletException(e.getMessage());
@Test public void testProxyUserConfiguration() throws Exception { MockRM rm = null; try { rm = new MockRM(conf); rm.start(); // wait for web server starting Thread.sleep(10000); UserGroupInformation proxyUser = UserGroupInformation.createProxyUser( BAR_USER.getShortUserName(), FOO_USER); try { ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser, ipAddress); } catch (AuthorizationException e) { // Exception is not expected Assert.fail(); } } finally { if (rm != null) { rm.stop(); rm.close(); } } }
public static void loadTest(String ipString, int testRange) { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(GROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), ipString ); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); long startTime = System.nanoTime(); SecureRandom sr = new SecureRandom(); for (int i=1; i < 1000000; i++){ try { ProxyUsers.authorize(proxyUserUgi, "1.2.3."+ sr.nextInt(testRange)); } catch (AuthorizationException e) { } } long stopTime = System.nanoTime(); long elapsedTime = stopTime - startTime; System.out.println(elapsedTime/1000000 + " ms"); }
/** * Authorize proxy users to access this server * @throws RpcServerException - user is not allowed to proxy */ private void authorizeConnection() throws RpcServerException { try { // If auth method is TOKEN, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.TOKEN)) { ProxyUsers.authorize(user, this.getHostAddress()); } authorize(user, protocolName, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + connectionContext); } rpcMetrics.incrAuthorizationSuccesses(); } catch (AuthorizationException ae) { LOG.info("Connection from " + this + " for protocol " + connectionContext.getProtocol() + " is unauthorized for user " + user); rpcMetrics.incrAuthorizationFailures(); throw new FatalRpcServerException( RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae); } }
/** * Refreshes configuration using the default Proxy user prefix for properties. * @param conf configuration */ public static void refreshSuperUserGroupsConfiguration(Configuration conf) { refreshSuperUserGroupsConfiguration(conf, CONF_HADOOP_PROXYUSER); }
@Override public void authorizeProxyAccess(String proxyUser, UserGroupInformation realUserUgi, String ipAddress, Configuration conf) throws IOException { ProxyUsers.refreshSuperUserGroupsConfiguration(conf); ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, realUserUgi), ipAddress, conf); }
@Test public void testProxyUsersWithProviderOverride() throws Exception { Configuration conf = new Configuration(); conf.set( CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS, "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a group that's not allowed realUserUgi = UserGroupInformation .createUserForTesting(REAL_USER_NAME, GROUP_NAMES); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
conf.set("hadoop.proxyuser.server.hosts", "*"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); UserGroupInformation serverUgi = UserGroupInformation.createUserForTesting("server", new String[0]); PhoenixDoAsCallback callback = new PhoenixDoAsCallback(serverUgi, conf); assertNotEquals(user1.hashCode(), user2.hashCode()); assertEquals("These should be the same (cached) instance", user1.hashCode(), user1Reference.hashCode()); assertEquals("These should be the same (cached) instance", user1, user1Reference);
/** * This function is kept to provide backward compatibility. * @param user * @param remoteAddress * @param conf * @throws AuthorizationException * @deprecated use {@link #authorize(UserGroupInformation, String) instead. */ @Deprecated public static void authorize(UserGroupInformation user, String remoteAddress, Configuration conf) throws AuthorizationException { authorize(user,remoteAddress); }
Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").contains("test_groups")); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").contains("test_hosts")); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").contains("test_groups_1")); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").contains("test_hosts_1"));
effectiveUser = serviceUGI.getShortUserName(); UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(effectiveUser); UserGroupInformation ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, remoteUser); ProxyUsers.authorize(ugi, request.getRemoteAddr()); } catch (AuthorizationException e) { throw new ServletException(e);
.getAclString().trim(); Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," + UserGroupInformation.getCurrentUser().getShortUserName()); ProxyUsers.refreshSuperUserGroupsConfiguration(configuration); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").contains("test_groups")); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyHosts() .get("hadoop.proxyuser.test.hosts").contains("test_hosts")); UserGroupInformation.getCurrentUser().getUserName()); Assert.assertTrue(groupAfter.contains("test_group_D") && groupAfter.contains("test_group_E")