/**
 * Authorize the incoming client connection against the service ACLs.
 *
 * The check is skipped entirely when {@code authorize} is false. Otherwise the
 * service named in the connection header is mapped to its protocol interface
 * and handed to the shared authorization manager. The lookup runs under the
 * {@code authManager} monitor, the same lock a refresh takes, so a policy
 * reload cannot interleave with an in-flight check.
 *
 * @param user client user
 * @param connection incoming connection
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the client isn't authorized to talk the protocol
 */
public void authorize(UserGroupInformation user, ConnectionHeader connection,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    return;
  }
  final Class<?> serviceInterface =
      getServiceInterface(services, connection.getServiceName());
  synchronized (authManager) {
    authManager.authorize(user, serviceInterface, getConf(), addr);
  }
}
/**
 * Reload the authorization policy held by {@code authManager} from the given
 * provider. The reload is done under the {@code authManager} monitor so it
 * cannot interleave with an authorization check that holds the same lock.
 *
 * {@code refresh} is deliberately invoked through the instance; the
 * static-access warning is expected and switching to a static call breaks it.
 */
@Override
public void refreshAuthManager(PolicyProvider pp) {
  synchronized (authManager) {
    authManager.refresh(this.conf, pp);
  }
}
/**
 * Bring the server up: install the token secret manager when one is
 * configured, create and seed the {@link ServiceAuthorizationManager} from
 * {@link HBasePolicyProvider}, then start the scheduler. Idempotent: a second
 * call returns immediately.
 *
 * Statement order is intentional. {@code authorize()} and
 * {@code refreshAuthManager()} synchronize on {@code authManager}, so it is
 * assigned before the scheduler is started.
 */
@Override
public synchronized void start() {
  if (!started) {
    authTokenSecretMgr = createSecretManager();
    if (authTokenSecretMgr != null) {
      setSecretManager(authTokenSecretMgr);
      authTokenSecretMgr.start();
    }
    // Must be non-null before any request can reach authorize().
    this.authManager = new ServiceAuthorizationManager();
    HBasePolicyProvider.init(conf, authManager);
    scheduler.start();
    started = true;
  }
}
/**
 * Host-based ACL check: with {@code HOST_CONFIG} restricted to one address, a
 * principal in the allowed groups is admitted from {@code AUTHORIZED_IP} and
 * rejected from {@code UNAUTHORIZED_IP}.
 */
@Test
public void testMachineList() throws UnknownHostException {
  final UserGroupInformation caller = UserGroupInformation.createUserForTesting(
      "drwho@EXAMPLE.COM", new String[] { "group1", "group2" });
  final ServiceAuthorizationManager manager = new ServiceAuthorizationManager();
  final Configuration conf = new Configuration();
  conf.set(HOST_CONFIG, "1.2.3.4");
  manager.refresh(conf, new TestPolicyProvider());

  // Allowed host: any AuthorizationException is a failure.
  try {
    manager.authorize(caller, TestProtocol.class, conf,
        InetAddress.getByName(AUTHORIZED_IP));
  } catch (AuthorizationException unexpected) {
    fail();
  }

  // Blocked host: the call must throw; falling through is a failure.
  boolean rejected = false;
  try {
    manager.authorize(caller, TestProtocol.class, conf,
        InetAddress.getByName(UNAUTHORIZED_IP));
  } catch (AuthorizationException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail();
  }
}
/**
 * Default-ACL precedence: a protocol's own ACL always wins; a protocol with no
 * ACL of its own is wide open until a default ACL is configured, after which it
 * picks up the default.
 */
@Test
public void testDefaultAcl() {
  final ServiceAuthorizationManager manager = new ServiceAuthorizationManager();
  final Configuration conf = new Configuration();

  // No default ACL: TestProtocol uses its entry, TestProtocol1 is the wildcard.
  conf.set(ACL_CONFIG, "user1 group1");
  manager.refresh(conf, new TestPolicyProvider());
  assertEquals("user1 group1",
      manager.getProtocolsAcls(TestProtocol.class).getAclString());
  assertEquals(AccessControlList.WILDCARD_ACL_VALUE,
      manager.getProtocolsAcls(TestProtocol1.class).getAclString());

  // Default ACL set: TestProtocol keeps its entry, TestProtocol1 inherits the default.
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
      "user2 group2");
  manager.refresh(conf, new TestPolicyProvider());
  assertEquals("user1 group1",
      manager.getProtocolsAcls(TestProtocol.class).getAclString());
  assertEquals("user2 group2",
      manager.getProtocolsAcls(TestProtocol1.class).getAclString());
}
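/**
 * Authorize the incoming client connection.
 *
 * Skipped when {@code authorize} is off. Otherwise the protocol name from the
 * connection header is resolved to its interface class and checked against the
 * service ACLs. A header with no protocol name is rejected up front with an
 * {@link AuthorizationException} (fail closed) rather than being passed as
 * {@code null} into {@code getProtocolClass}; an unknown protocol is rejected
 * the same way.
 *
 * @param user client user
 * @param connection incoming connection
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the client isn't authorized to talk the
 *           protocol, or the protocol name is missing or unknown
 */
@SuppressWarnings("static-access")
public void authorize(UserGroupInformation user, ConnectionHeader connection,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    return;
  }
  final String protocolName = connection.getProtocol();
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocol;
  try {
    protocol = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException cnfe) {
    // NOTE(review): the cause is not chained, as in the original — this
    // exception presumably travels back to the client; confirm before
    // attaching server-side stack traces.
    throw new AuthorizationException("Unknown protocol: " + protocolName);
  }
  // Called through an instance on purpose; see the static-access suppression.
  ServiceAuthorizationManager authManager = new ServiceAuthorizationManager();
  authManager.authorize(user, protocol, getConf(), addr);
}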
/**
 * Reload the service-level ACLs.
 *
 * The policy file name is read from the {@code hadoop.policy.file} system
 * property, falling back to {@code HADOOP_POLICY_FILE}. It is layered onto a
 * copy of {@code conf} (the caller's Configuration is not modified) and the
 * merged result is passed to {@link #refreshWithLoadedConfiguration}.
 *
 * Because the file name comes from a JVM system property, whoever controls the
 * JVM's {@code -D} flags controls which ACL set is loaded; treat that property
 * as part of the trusted configuration surface.
 */
public void refresh(Configuration conf, PolicyProvider provider) {
  final String policyFile =
      System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);
  // Work on a copy so the policy resource never bleeds into the caller's conf.
  final Configuration withPolicy = new Configuration(conf);
  withPolicy.addResource(policyFile);
  refreshWithLoadedConfiguration(withPolicy, provider);
}
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, ""); String defaultServiceHostsKey = getHostKey( CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL); String defaultMachineList = conf.get(defaultServiceHostsKey, defaultBlockedAcl)); newAcls.put(service.getProtocol(), new AccessControlList[] {acl, blockedAcl}); String serviceHostsKey = getHostKey(service.getServiceKey()); MachineList machineList = new MachineList (conf.get(serviceHostsKey, defaultMachineList)); MachineList blockedMachineList = new MachineList(
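/**
 * Assert that, after a refresh, {@code protocol} carries {@code aclString} and
 * every other protocol known to {@code manager} is wide open ({@code "*"}).
 *
 * {@code assertEquals} takes (expected, actual); the arguments were reversed,
 * which made failure messages read backwards.
 *
 * NOTE(review): if {@code protocol} is absent from
 * {@code getProtocolsWithAcls()} this helper passes vacuously — consider
 * asserting its presence in callers that depend on it.
 */
private void verifyServiceACLsRefresh(ServiceAuthorizationManager manager,
    Class<?> protocol, String aclString) {
  for (Class<?> protocolClass : manager.getProtocolsWithAcls()) {
    AccessControlList accessList = manager.getProtocolsAcls(protocolClass);
    String expected = (protocolClass == protocol) ? aclString : "*";
    Assert.assertEquals(expected, accessList.getAclString());
  }
}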
.getServiceAuthorizationManager().getProtocolsWithAcls(); Service[] hdfsServices = new HDFSPolicyProvider().getServices(); for (Service service : hdfsServices) { .getServiceAuthorizationManager().getProtocolsWithAcls(); hdfsServices = new HDFSPolicyProvider().getServices(); for (Service service : hdfsServices) {
/**
 * Verifies host-based filtering: {@code HOST_CONFIG} limits the service to a
 * single address, so the same principal is admitted from {@code AUTHORIZED_IP}
 * and rejected from {@code UNAUTHORIZED_IP}.
 */
@Test
public void testMachineList() throws UnknownHostException {
  final UserGroupInformation caller = UserGroupInformation.createUserForTesting(
      "drwho@EXAMPLE.COM", new String[] { "group1", "group2" });
  final ServiceAuthorizationManager manager = new ServiceAuthorizationManager();
  final Configuration conf = new Configuration();
  conf.set(HOST_CONFIG, "1.2.3.4");
  manager.refresh(conf, new TestPolicyProvider());

  // Allowed host: an AuthorizationException here is a failure.
  try {
    manager.authorize(caller, TestProtocol.class, conf,
        InetAddress.getByName(AUTHORIZED_IP));
  } catch (AuthorizationException unexpected) {
    fail();
  }

  // Blocked host: the call must throw.
  boolean rejected = false;
  try {
    manager.authorize(caller, TestProtocol.class, conf,
        InetAddress.getByName(UNAUTHORIZED_IP));
  } catch (AuthorizationException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail();
  }
}
/**
 * A protocol's explicit ACL is never overridden by the default ACL; a protocol
 * with no explicit ACL is the wildcard until a default is configured and then
 * takes the default.
 */
@Test
public void testDefaultAcl() {
  final ServiceAuthorizationManager manager = new ServiceAuthorizationManager();
  final Configuration conf = new Configuration();

  // Without a default ACL.
  conf.set(ACL_CONFIG, "user1 group1");
  manager.refresh(conf, new TestPolicyProvider());
  assertEquals("user1 group1",
      manager.getProtocolsAcls(TestProtocol.class).getAclString());
  assertEquals(AccessControlList.WILDCARD_ACL_VALUE,
      manager.getProtocolsAcls(TestProtocol1.class).getAclString());

  // With a default ACL.
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
      "user2 group2");
  manager.refresh(conf, new TestPolicyProvider());
  assertEquals("user1 group1",
      manager.getProtocolsAcls(TestProtocol.class).getAclString());
  assertEquals("user2 group2",
      manager.getProtocolsAcls(TestProtocol1.class).getAclString());
}
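/**
 * Authorize the incoming client connection.
 *
 * No-op when {@code authorize} is disabled. Otherwise the protocol name from
 * the header is resolved to its interface class and checked against the
 * service ACLs. A missing protocol name is rejected with an
 * {@link AuthorizationException} before any class lookup (fail closed), and an
 * unknown protocol is rejected the same way.
 *
 * @param user client user
 * @param connection incoming connection
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the client isn't authorized to talk the
 *           protocol, or the protocol name is missing or unknown
 */
@SuppressWarnings("static-access")
public void authorize(UserGroupInformation user, ConnectionHeader connection,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    return;
  }
  final String protocolName = connection.getProtocol();
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocol;
  try {
    protocol = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException cnfe) {
    // NOTE(review): cause intentionally not chained, matching the original;
    // confirm whether this exception reaches the client before changing that.
    throw new AuthorizationException("Unknown protocol: " + protocolName);
  }
  // Instance call is deliberate; see the static-access suppression.
  ServiceAuthorizationManager authManager = new ServiceAuthorizationManager();
  authManager.authorize(user, protocol, getConf(), addr);
}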
/**
 * Refresh the service authorization ACL for the service handled by this server
 * using the specified Configuration as-is. No policy file is layered on here;
 * that is the job of the {@code refresh(...)} path.
 */
@Private
public void refreshServiceAclWithLoadedConfiguration(Configuration conf,
    PolicyProvider provider) {
  final ServiceAuthorizationManager manager = serviceAuthorizationManager;
  manager.refreshWithLoadedConfiguration(conf, provider);
}

/**
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, ""); String defaultServiceHostsKey = getHostKey( CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL); String defaultMachineList = conf.get(defaultServiceHostsKey, defaultBlockedAcl)); newAcls.put(service.getProtocol(), new AccessControlList[] {acl, blockedAcl}); String serviceHostsKey = getHostKey(service.getServiceKey()); MachineList machineList = new MachineList (conf.get(serviceHostsKey, defaultMachineList)); MachineList blockedMachineList = new MachineList(
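/**
 * Check that {@code protocol} ended up with {@code aclString} and that all
 * other protocols reported by {@code manager} are wide open ({@code "*"}).
 *
 * {@code assertEquals(expected, actual)} — the original passed them in the
 * opposite order, so failure output named the wrong value as "expected".
 *
 * NOTE(review): passes vacuously when {@code protocol} is not among
 * {@code getProtocolsWithAcls()}; callers relying on its presence should
 * assert that separately.
 */
private void verifyServiceACLsRefresh(ServiceAuthorizationManager manager,
    Class<?> protocol, String aclString) {
  for (Class<?> protocolClass : manager.getProtocolsWithAcls()) {
    AccessControlList accessList = manager.getProtocolsAcls(protocolClass);
    String expected = (protocolClass == protocol) ? aclString : "*";
    Assert.assertEquals(expected, accessList.getAclString());
  }
}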
new ServiceAuthorizationManager(); Configuration conf = new Configuration (); serviceAuthorizationManager.refresh(conf, new TestPolicyProvider()); try { serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf, InetAddress.getByName("10.222.0.0")); } catch (AuthorizationException e) { serviceAuthorizationManager.refresh(conf, new TestPolicyProvider()); try { serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf, InetAddress.getByName("10.222.0.0")); fail(); serviceAuthorizationManager.refresh(conf, new TestPolicyProvider()); try { serviceAuthorizationManager.authorize(drwho, TestProtocol.class, conf, InetAddress.getByName("10.222.0.0")); } catch (AuthorizationException e) {
/**
 * Refresh the service authorization ACL for the service handled by this server.
 * Delegates to the authorization manager's {@code refresh}, which layers the
 * policy file onto {@code conf} before applying it.
 */
public void refreshServiceAcl(Configuration conf, PolicyProvider provider) {
  final ServiceAuthorizationManager manager = serviceAuthorizationManager;
  manager.refresh(conf, provider);
}
/**
 * Authorize the incoming client connection.
 *
 * No-op unless {@code authorize} is enabled. A missing or unresolvable
 * protocol name is treated as an authorization failure (fail closed), so a
 * malformed request never reaches the ACL check with a null class.
 *
 * @param user client user
 * @param protocolName - the protocol
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the client isn't authorized to talk the protocol
 */
private void authorize(UserGroupInformation user, String protocolName,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    return;
  }
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocol;
  try {
    protocol = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException cfne) {
    throw new AuthorizationException("Unknown protocol: " + protocolName);
  }
  serviceAuthorizationManager.authorize(user, protocol, getConf(), addr);
}
/**
 * Reload the service-level ACLs from the policy file.
 *
 * The file name comes from the {@code hadoop.policy.file} system property
 * (default {@code HADOOP_POLICY_FILE}). It is added as a resource to a copy of
 * {@code conf}, leaving the caller's Configuration untouched, and the result
 * goes to {@link #refreshWithLoadedConfiguration}.
 *
 * Anyone who can set JVM system properties can redirect which ACL file is
 * loaded; that property is part of the trusted configuration surface.
 */
public void refresh(Configuration conf, PolicyProvider provider) {
  final String policyFile =
      System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);
  // Copy first so the policy resource does not leak into the caller's conf.
  final Configuration merged = new Configuration(conf);
  merged.addResource(policyFile);
  refreshWithLoadedConfiguration(merged, provider);
}