@Override public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException { if (user == null) { throw new IllegalArgumentException("user is null."); } UserGroupInformation realUser = user.getRealUser(); if (realUser == null) { return; } AccessControlList acl = proxyUserAcl.get(configPrefix + realUser.getShortUserName()); if (acl == null || !acl.isUserAllowed(user)) { throw new AuthorizationException("User: " + realUser.getUserName() + " is not allowed to impersonate " + user.getUserName()); } MachineList MachineList = proxyHosts.get( getProxySuperuserIpConfKey(realUser.getShortUserName())); if(MachineList == null || !MachineList.includes(remoteAddress)) { throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress); } }
/** * Authorize the incoming client connection. * * @param user client user * @param protocolName - the protocol * @param addr InetAddress of incoming connection * @throws AuthorizationException when the client isn't authorized to talk the protocol */ private void authorize(UserGroupInformation user, String protocolName, InetAddress addr) throws AuthorizationException { if (authorize) { if (protocolName == null) { throw new AuthorizationException("Null protocol not authorized"); } Class<?> protocol = null; try { protocol = getProtocolClass(protocolName, getConf()); } catch (ClassNotFoundException cfne) { throw new AuthorizationException("Unknown protocol: " + protocolName); } serviceAuthorizationManager.authorize(user, protocol, getConf(), addr); } }
MachineList[] hosts = protocolToMachineLists.get(protocol); if (acls == null || hosts == null) { throw new AuthorizationException("Protocol " + protocol + " is not known."); conf.get(clientKey), addr); } catch (IOException e) { throw (AuthorizationException) new AuthorizationException( "Can't figure out Kerberos principal name for connection from " + addr + " for user=" + user + " protocol=" + protocol) AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + cause); throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol + cause); AUDITLOG.warn(AUTHZ_FAILED_FOR + " for protocol=" + protocol + " from host = " + hostAddress); throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + protocol) ;
@Override // RefreshAuthorizationPolicyProtocol public void refreshServiceAcl() throws IOException { checkNNStartup(); if (!serviceAuthEnabled) { throw new AuthorizationException("Service Level Authorization not enabled!"); } this.clientRpcServer.refreshServiceAcl(new Configuration(), new HDFSPolicyProvider()); if (this.serviceRpcServer != null) { this.serviceRpcServer.refreshServiceAcl(new Configuration(), new HDFSPolicyProvider()); } namesystem.logAuditEvent(true, "refreshServiceAcl", null); }
public long renewDelegationToken(String tokenStrForm) throws IOException { if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) { throw new AuthorizationException( "Delegation Token can be issued only with kerberos authentication. " + "Current AuthenticationMethod: " + authenticationMethod.get() ); } return secretManager.renewDelegationToken(tokenStrForm); }
public long renewDelegationToken(String tokenStrForm) throws IOException { if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) { throw new AuthorizationException( "Delegation Token can be issued only with kerberos authentication. " + "Current AuthenticationMethod: " + authenticationMethod.get() ); } return secretManager.renewDelegationToken(tokenStrForm); }
@Override public long renewDelegationToken(String tokenStrForm) throws IOException { if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) { throw new AuthorizationException( "Delegation Token can be issued only with kerberos authentication. " + "Current AuthenticationMethod: " + authenticationMethod.get() ); } return secretManager.renewDelegationToken(tokenStrForm); }
@Override public long renewDelegationToken(String tokenStrForm) throws IOException { if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) { throw new AuthorizationException( "Delegation Token can be issued only with kerberos authentication. " + "Current AuthenticationMethod: " + authenticationMethod.get() ); } return secretManager.renewDelegationToken(tokenStrForm); }
@Override public Void run() throws Exception { try { for(Permission permission : permissions) { AccessController.checkPermission(permission); } } catch (AccessControlException ace) { LOG.info("Authorization failed for " + UserGroupInformation.getCurrentUGI(), ace); throw new AuthorizationException(ace); } return null; } }
private void checkAccess(String aclName, UserGroupInformation ugi, KeyOpType opType) throws AuthorizationException { Preconditions.checkNotNull(aclName, "Key ACL name cannot be null"); Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null"); if (acls.isACLPresent(aclName, opType) && (acls.hasAccessToKey(aclName, ugi, opType) || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL))) { return; } else { throw new AuthorizationException(String.format("User [%s] is not" + " authorized to perform [%s] on key with ACL name [%s]!!", ugi.getShortUserName(), opType, aclName)); } }
@Override public void refreshServiceAcl() throws IOException { if (!serviceAuthEnabled) { throw new AuthorizationException("Service Level Authorization not enabled!"); } SecurityUtil.getPolicy().refresh(); }
public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException { try { if (!user.getRealUser().getShortUserName().equals(UserGroupInformation.getCurrentUser().getShortUserName())) { throw new AuthorizationException(); } } catch (IOException ioe) { throw new AuthorizationException(ioe); } } }
public void assertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMSOp operation, String key) throws AccessControlException { if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) { KMSWebApp.getUnauthorizedCallsMeter().mark(); KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key); throw new AuthorizationException(String.format( (key != null) ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY, ugi.getShortUserName(), operation, key)); } }
@Override public void refreshServiceAcl() throws IOException { if (!conf.getBoolean( ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) { throw new AuthorizationException("Service Level Authorization not enabled!"); } SecurityUtil.getPolicy().refresh(); }
@Override // RefreshAuthorizationPolicyProtocol public void refreshServiceAcl() throws IOException { checkNNStartup(); if (!serviceAuthEnabled) { throw new AuthorizationException("Service Level Authorization not enabled!"); } this.clientRpcServer.refreshServiceAcl(new Configuration(), new HDFSPolicyProvider()); if (this.serviceRpcServer != null) { this.serviceRpcServer.refreshServiceAcl(new Configuration(), new HDFSPolicyProvider()); } }
@Override // RefreshAuthorizationPolicyProtocol public void refreshServiceAcl() throws IOException { checkNNStartup(); if (!serviceAuthEnabled) { throw new AuthorizationException("Service Level Authorization not enabled!"); } this.clientRpcServer.refreshServiceAcl(new Configuration(), new HDFSPolicyProvider()); if (this.serviceRpcServer != null) { this.serviceRpcServer.refreshServiceAcl(new Configuration(), new HDFSPolicyProvider()); } }
@Override public void refreshServiceAcl() throws IOException { if (!conf.getBoolean( CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) { throw new AuthorizationException("Service Level Authorization not enabled!"); } this.interTrackerServer.refreshServiceAcl(conf, new MapReducePolicyProvider()); }
/** * Authorize a user (superuser) to impersonate another user (user1) if the * superuser belongs to the group "sudo_user1" . */ public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException{ UserGroupInformation superUser = user.getRealUser(); String sudoGroupName = "sudo_" + user.getShortUserName(); if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)){ throw new AuthorizationException("User: " + superUser.getUserName() + " is not allowed to impersonate " + user.getUserName()); } }
/** * Authorize a user (superuser) to impersonate another user (user1) if the * superuser belongs to the group "sudo_user1" . */ public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException{ UserGroupInformation superUser = user.getRealUser(); String sudoGroupName = "sudo_" + user.getShortUserName(); if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)){ throw new AuthorizationException("User: " + superUser.getUserName() + " is not allowed to impersonate " + user.getUserName()); } }
@Override public void authorize(Subject user, ConnectionHeader connection) throws AuthorizationException { if (authorize) { Class<?> protocol = null; try { protocol = getProtocolClass(connection.getProtocol(), getConf()); } catch (ClassNotFoundException cfne) { throw new AuthorizationException("Unknown protocol: " + connection.getProtocol()); } ServiceAuthorizationManager.authorize(user, protocol); } } }