/** * This function is kept to provide backward compatibility. * @param user * @param remoteAddress * @param conf * @throws AuthorizationException * @deprecated use {@link #authorize(UserGroupInformation, String) instead. */ @Deprecated public static void authorize(UserGroupInformation user, String remoteAddress, Configuration conf) throws AuthorizationException { authorize(user,remoteAddress); }
public String getDelegationToken(final String owner, final String renewer, String remoteAddr) throws IOException, InterruptedException { /* * If the user asking the token is same as the 'owner' then don't do * any proxy authorization checks. For cases like oozie, where it gets * a delegation token for another user, we need to make sure oozie is * authorized to get a delegation token. */ // Do all checks on short names UserGroupInformation currUser = UserGroupInformation.getCurrentUser(); UserGroupInformation ownerUgi = UserGroupInformation.createRemoteUser(owner); if (!ownerUgi.getShortUserName().equals(currUser.getShortUserName())) { // in the case of proxy users, the getCurrentUser will return the // real user (for e.g. oozie) due to the doAs that happened just before the // server started executing the method getDelegationToken in the MetaStore ownerUgi = UserGroupInformation.createProxyUser(owner, UserGroupInformation.getCurrentUser()); ProxyUsers.authorize(ownerUgi, remoteAddr, null); } //if impersonation is turned on this called using the HiveSessionImplWithUGI //using sessionProxy. so the currentUser will be the impersonated user here eg. oozie //we cannot create a proxy user which represents Oozie's client user here since //we cannot authenticate it using Kerberos/Digest. We trust the user which opened //session using Kerberos in this case. //if impersonation is turned off, the current user is Hive which can open //kerberos connections to HMS if required. return secretManager.getDelegationToken(owner, renewer); }
ProxyUsers.authorize(ugi, request.getRemoteAddr()); } catch (AuthorizationException e) { throw new ServletException(e);
/** * Authorize proxy users to access this server * @throws RpcServerException - user is not allowed to proxy */ private void authorizeConnection() throws RpcServerException { try { // If auth method is TOKEN, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.TOKEN)) { ProxyUsers.authorize(user, this.getHostAddress()); } authorize(user, protocolName, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + connectionContext); } rpcMetrics.incrAuthorizationSuccesses(); } catch (AuthorizationException ae) { LOG.info("Connection from " + this + " for protocol " + connectionContext.getProtocol() + " is unauthorized for user " + user); rpcMetrics.incrAuthorizationFailures(); throw new FatalRpcServerException( RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae); } }
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi); try { ProxyUsers.authorize(ugi, request.getRemoteAddr()); } catch (AuthorizationException ex) { HttpExceptionUtils.createServletExceptionResponse(response,
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } catch(AuthorizationException e) { throw new ServletException(e.getMessage());
doAsUser, requestUgi); try { ProxyUsers.authorize(requestUgi, request.getRemoteAddr()); } catch (AuthorizationException ex) { HttpExceptionUtils.createServletExceptionResponse(response,
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (ugi != null && ugi.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(ugi, this.getHostAddress(), this.rpcServer.conf); } this.rpcServer.authorize(ugi, connectionHeader, getHostInetAddress()); this.rpcServer.metrics.authorizationSuccess(); } catch (AuthorizationException ae) { if (RpcServer.LOG.isDebugEnabled()) { RpcServer.LOG.debug("Connection authorization failed: " + ae.getMessage(), ae); } this.rpcServer.metrics.authorizationFailure(); doRespond(getErrorResponse(ae.getMessage(), new AccessDeniedException(ae))); return false; } return true; }
public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress, HiveConf hiveConf) throws HiveSQLException { try { UserGroupInformation sessionUgi; if (UserGroupInformation.isSecurityEnabled()) { KerberosNameShim kerbName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser); sessionUgi = UserGroupInformation.createProxyUser( kerbName.getServiceName(), UserGroupInformation.getLoginUser()); } else { sessionUgi = UserGroupInformation.createRemoteUser(realUser); } if (!proxyUser.equalsIgnoreCase(realUser)) { ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf); ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, sessionUgi), ipAddress, hiveConf); } } catch (IOException e) { throw new HiveSQLException( "Failed to validate proxy privilege of " + realUser + " for " + proxyUser, "08S01", e); } } }
@Override public String extract(HttpServletRequest request) throws RemoteUserExtractionException { if (request.getParameter(userExtractParam) != null) { String extractedUser = paramRemoteUserExtractor.extract(request); UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser()); UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi); // Check if this user is allowed to be impersonated. // Will throw AuthorizationException if the impersonation as this user is not allowed try { ProxyUsers.authorize(proxyUser, request.getRemoteAddr()); return extractedUser; } catch (AuthorizationException e) { throw new RemoteUserExtractionException(e.getMessage(), e); } } else { if (LOG.isDebugEnabled()) { LOG.debug("The parameter (" + userExtractParam + ") used to extract the remote user doesn't exist in the request."); } return requestRemoteUserExtractor.extract(request); } } }
ProxyUsers.authorize(ugi, getRemoteAddr(request));
/** * This function is kept to provide backward compatibility. * @param user * @param remoteAddress * @param conf * @throws AuthorizationException * @deprecated use {@link #authorize(UserGroupInformation, String) instead. */ @Deprecated public static void authorize(UserGroupInformation user, String remoteAddress, Configuration conf) throws AuthorizationException { authorize(user,remoteAddress); }
/** * This function is kept to provide backward compatibility. * @param user * @param remoteAddress * @param conf * @throws AuthorizationException * @deprecated use {@link #authorize(UserGroupInformation, String) instead. */ @Deprecated public static void authorize(UserGroupInformation user, String remoteAddress, Configuration conf) throws AuthorizationException { authorize(user,remoteAddress); }
/** * This function is kept to provide backward compatibility. * @param user * @param remoteAddress * @param conf * @throws AuthorizationException * @deprecated use {@link #authorize(UserGroupInformation, String) instead. */ @Deprecated public static void authorize(UserGroupInformation user, String remoteAddress, Configuration conf) throws AuthorizationException { authorize(user,remoteAddress); }
@Override public void authorizeProxyAccess(String proxyUser, UserGroupInformation realUserUgi, String ipAddress, Configuration conf) throws IOException { ProxyUsers.refreshSuperUserGroupsConfiguration(conf); ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, realUserUgi), ipAddress, conf); }
@Override public void authorizeProxyAccess(String proxyUser, UserGroupInformation realUserUgi, String ipAddress, Configuration conf) throws IOException { ProxyUsers.refreshSuperUserGroupsConfiguration(conf); ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, realUserUgi), ipAddress, conf); }
private void assertAuthorized(UserGroupInformation proxyUgi, String host) { try { ProxyUsers.authorize(proxyUgi, host); } catch (AuthorizationException e) { fail("Did not allow authorization of " + proxyUgi + " from " + host); } }
private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { try { ProxyUsers.authorize(proxyUgi, host); fail("Allowed authorization of " + proxyUgi + " from " + host); } catch (AuthorizationException e) { // Expected } }
private void assertAuthorized(UserGroupInformation proxyUgi, String host) { try { ProxyUsers.authorize(proxyUgi, host); } catch (AuthorizationException e) { fail("Did not allow authorization of " + proxyUgi + " from " + host); } }
private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { try { ProxyUsers.authorize(proxyUgi, host); fail("Allowed authorization of " + proxyUgi + " from " + host); } catch (AuthorizationException e) { // Expected } }