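/**
 * Decides whether the real (proxy) user behind {@code user} may impersonate
 * it from the given remote address.
 *
 * <p>When {@code user} has no real user, no impersonation is involved and the
 * method returns without further checks. Otherwise two checks must both
 * pass: the ACL registered for the real user must allow {@code user}, and
 * the host list registered for the real user must include
 * {@code remoteAddress}. A missing ACL or host list counts as a denial.
 *
 * @param user the effective user whose real user, if any, is the impersonator
 * @param remoteAddress address checked against the real user's host list
 * @throws IllegalArgumentException if {@code user} is null
 * @throws AuthorizationException if the ACL or the host list rejects the
 *         request
 */
@Override
public void authorize(UserGroupInformation user, String remoteAddress)
    throws AuthorizationException {
  // Fail with an explicit argument error rather than an incidental
  // NullPointerException from user.getRealUser() below.
  if (user == null) {
    throw new IllegalArgumentException("user is null.");
  }

  UserGroupInformation realUser = user.getRealUser();
  if (realUser == null) {
    // Not a proxy request, so there is nothing to authorize here.
    return;
  }

  // No ACL entry for the real user means impersonation is denied.
  AccessControlList acl =
      proxyUserAcl.get(configPrefix + realUser.getShortUserName());
  if (acl == null || !acl.isUserAllowed(user)) {
    throw new AuthorizationException("User: " + realUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  // The local was previously named "MachineList", shadowing its own type.
  // NOTE(review): remoteAddress is passed through unchecked; confirm how
  // MachineList.includes treats a null address.
  MachineList machineList = proxyHosts.get(
      getProxySuperuserIpConfKey(realUser.getShortUserName()));
  if (machineList == null || !machineList.includes(remoteAddress)) {
    throw new AuthorizationException(
        "Unauthorized connection for super-user: " + realUser.getUserName()
            + " from IP " + remoteAddress);
  }
}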
/**
 * Verifies that an impersonation request is permitted.
 *
 * <p>A request with no real user is not an impersonation and is accepted
 * without further checks. For a proxy request, the proxy's ACL must allow
 * the effective user and the proxy's host list must include the remote
 * address; an absent ACL or host list is treated as a refusal.
 *
 * @param user the effective user being acted as
 * @param remoteAddress address checked against the proxy's host list
 * @throws IllegalArgumentException if {@code user} is null
 * @throws AuthorizationException if either check refuses the request
 */
@Override
public void authorize(UserGroupInformation user, String remoteAddress)
    throws AuthorizationException {
  if (user == null) {
    throw new IllegalArgumentException("user is null.");
  }

  final UserGroupInformation proxy = user.getRealUser();
  if (proxy == null) {
    // Direct (non-proxied) access: nothing to check.
    return;
  }

  // Check 1: is the proxy allowed to act as this user?
  final AccessControlList impersonationAcl =
      proxyUserAcl.get(configPrefix + proxy.getShortUserName());
  final boolean mayImpersonate =
      impersonationAcl != null && impersonationAcl.isUserAllowed(user);
  if (!mayImpersonate) {
    throw new AuthorizationException("User: " + proxy.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  // Check 2: is the proxy connecting from one of its permitted hosts?
  final MachineList permittedHosts =
      proxyHosts.get(getProxySuperuserIpConfKey(proxy.getShortUserName()));
  final boolean hostPermitted =
      permittedHosts != null && permittedHosts.includes(remoteAddress);
  if (!hostPermitted) {
    throw new AuthorizationException(
        "Unauthorized connection for super-user: " + proxy.getUserName()
            + " from IP " + remoteAddress);
  }
}
/**
 * Builds a new map from each proxy-host key to the collection reported by
 * its {@code MachineList}. Intended for tests only.
 *
 * <p>The returned map is a fresh {@code HashMap}; the values are whatever
 * {@code MachineList.getCollection()} returns.
 * NOTE(review): confirm whether those collections are copies or live views
 * before letting callers modify them.
 *
 * @return map of proxy-host key to that entry's host collection
 */
@VisibleForTesting
public Map<String, Collection<String>> getProxyHosts() {
  final Map<String, Collection<String>> hostsByKey =
      new HashMap<String, Collection<String>>();
  for (Map.Entry<String, MachineList> entry : proxyHosts.entrySet()) {
    final String key = entry.getKey();
    final Collection<String> hosts = entry.getValue().getCollection();
    hostsByKey.put(key, hosts);
  }
  return hostsByKey;
}
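/**
 * Authorize the user to access the protocol being used.
 *
 * <p>The checks run in this order, and every failure is written to the audit
 * log before the exception is thrown:
 * <ol>
 *   <li>the protocol must have both an ACL pair and a host-list pair
 *       registered;</li>
 *   <li>if the protocol declares a client Kerberos principal key, the
 *       resolved principal must equal the user's name;</li>
 *   <li>the user must be allowed by the first ACL and not matched by the
 *       second (blocked) ACL;</li>
 *   <li>when {@code addr} is non-null, its address must be in the first host
 *       list and not in the second (blocked) host list.</li>
 * </ol>
 *
 * @param user user accessing the service
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client; when null the host check is skipped
 * @throws AuthorizationException on authorization failure
 */
public void authorize(UserGroupInformation user,
                      Class<?> protocol,
                      Configuration conf,
                      InetAddress addr) throws AuthorizationException {
  AccessControlList[] acls = protocolToAcls.get(protocol);
  MachineList[] hosts = protocolToMachineLists.get(protocol);
  if (acls == null || hosts == null) {
    // Unregistered protocols are refused rather than allowed by default.
    throw new AuthorizationException("Protocol " + protocol
        + " is not known.");
  }

  // get client principal key to verify (if available)
  KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
  String clientPrincipal = null;
  if (krbInfo != null) {
    String clientKey = krbInfo.clientPrincipal();
    if (clientKey != null && !clientKey.isEmpty()) {
      try {
        clientPrincipal = SecurityUtil.getServerPrincipal(
            conf.get(clientKey), addr);
      } catch (IOException e) {
        // Failure to resolve the expected principal denies the request.
        throw (AuthorizationException) new AuthorizationException(
            "Can't figure out Kerberos principal name for connection from "
                + addr + " for user=" + user + " protocol=" + protocol)
            .initCause(e);
      }
    }
  }

  // Track the principal check separately so the denial reason names the
  // check that actually failed. Previously a user whose principal matched
  // but who was refused by the ACL was reported as a principal restriction.
  boolean principalMismatch = clientPrincipal != null
      && !clientPrincipal.equals(user.getUserName());
  // acls[0] is the allow list and acls[1] the blocked list; any other array
  // length is treated as a denial.
  if (principalMismatch
      || acls.length != 2
      || !acls[0].isUserAllowed(user)
      || acls[1].isUserAllowed(user)) {
    String cause = principalMismatch
        ? ": this service is only accessible by " + clientPrincipal
        : ": denied by configured ACL";
    AUDITLOG.warn(AUTHZ_FAILED_FOR + user
        + " for protocol=" + protocol + cause);
    throw new AuthorizationException("User " + user
        + " is not authorized for protocol " + protocol + cause);
  }

  // NOTE(review): a null addr bypasses the host allow/block lists entirely.
  // Confirm that callers pass null only when no remote address exists.
  if (addr != null) {
    String hostAddress = addr.getHostAddress();
    if (hosts.length != 2
        || !hosts[0].includes(hostAddress)
        || hosts[1].includes(hostAddress)) {
      // Include the user so a host-based denial can be attributed in the
      // audit trail, matching the other audit records in this method.
      AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
          + " from host = " + hostAddress);
      throw new AuthorizationException("Host " + hostAddress
          + " is not authorized for protocol " + protocol);
    }
  }
  AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol=" + protocol);
}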
/**
 * Rebuilds the per-protocol ACL and host-list tables from an already loaded
 * configuration and replaces the current tables with them.
 *
 * <p>For every service from the provider, four values are read: the allow
 * ACL, the blocked ACL (service key + {@code BLOCKED}), the allowed host list
 * and the blocked host list (host key + {@code BLOCKED}). A value missing
 * for a service falls back to the configured default. If that is missing
 * too, the allow side falls back to the {@code WILDCARD} constants and the
 * blocked side to the empty string.
 * NOTE(review): the wildcard presumably means "allow everyone", so a service
 * with no explicit entry stays open unless the default ACL key is set.
 * Verify this against the deployment's policy.
 *
 * @param conf configuration holding the ACL and host-list values
 * @param provider source of the services whose policies are loaded
 */
@Private
public void refreshWithLoadedConfiguration(Configuration conf,
    PolicyProvider provider) {
  final Map<Class<?>, AccessControlList[]> aclsByProtocol =
      new IdentityHashMap<Class<?>, AccessControlList[]>();
  final Map<Class<?>, MachineList[]> hostsByProtocol =
      new IdentityHashMap<Class<?>, MachineList[]>();

  // Defaults applied when a service has no specific entry.
  final String fallbackAcl = conf.get(
      CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
      AccessControlList.WILDCARD_ACL_VALUE);
  final String fallbackBlockedAcl = conf.get(
      CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
      "");
  final String fallbackHostsKey = getHostKey(
      CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL);
  final String fallbackHosts =
      conf.get(fallbackHostsKey, MachineList.WILDCARD_VALUE);
  final String fallbackBlockedHosts =
      conf.get(fallbackHostsKey + BLOCKED, "");

  // Parse the config file
  final Service[] services = provider.getServices();
  if (services != null) {
    for (Service service : services) {
      final String serviceKey = service.getServiceKey();
      final Class<?> protocol = service.getProtocol();

      // Index 0 holds the allow entry and index 1 the blocked entry.
      final AccessControlList allowAcl =
          new AccessControlList(conf.get(serviceKey, fallbackAcl));
      final AccessControlList denyAcl = new AccessControlList(
          conf.get(serviceKey + BLOCKED, fallbackBlockedAcl));
      aclsByProtocol.put(protocol,
          new AccessControlList[] {allowAcl, denyAcl});

      final String hostsKey = getHostKey(serviceKey);
      final MachineList allowHosts =
          new MachineList(conf.get(hostsKey, fallbackHosts));
      final MachineList denyHosts = new MachineList(
          conf.get(hostsKey + BLOCKED, fallbackBlockedHosts));
      hostsByProtocol.put(protocol,
          new MachineList[] {allowHosts, denyHosts});
    }
  }

  // Flip to the newly parsed permissions
  // NOTE(review): the two tables are published by separate assignments, so a
  // concurrent authorize() call could pair new ACLs with old host lists.
  // Confirm how these fields are declared and synchronized.
  protocolToAcls = aclsByProtocol;
  protocolToMachineLists = hostsByProtocol;
}
/**
 * Test-only accessor for the first host list registered for a protocol,
 * which is the list a client address must be included in.
 *
 * @param className protocol class used as the lookup key
 * @return the element at index 0 of the protocol's host-list pair
 * @throws NullPointerException if no host lists are registered for
 *         {@code className}
 */
@VisibleForTesting
public MachineList getProtocolsMachineList(Class<?> className) {
  final MachineList[] hostLists = protocolToMachineLists.get(className);
  return hostLists[0];
}
/**
 * Test-only accessor for the second host list registered for a protocol,
 * which is the blocked list a client address must not appear in.
 *
 * @param className protocol class used as the lookup key
 * @return the element at index 1 of the protocol's host-list pair
 * @throws NullPointerException if no host lists are registered for
 *         {@code className}
 */
@VisibleForTesting
public MachineList getProtocolsBlockedMachineList(Class<?> className) {
  final MachineList[] hostLists = protocolToMachineLists.get(className);
  return hostLists[1];
}
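/**
 * Authorize the user to access the protocol being used.
 *
 * <p>A request is accepted only if the protocol is registered, the user's
 * name equals the protocol's expected client Kerberos principal (when one
 * is declared), the user passes the allow ACL and is absent from the blocked
 * ACL, and, when {@code addr} is non-null, the client address passes the
 * allowed host list and is absent from the blocked host list. Each denial is
 * written to the audit log before the exception is thrown.
 *
 * @param user user accessing the service
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client; when null the host check is skipped
 * @throws AuthorizationException on authorization failure
 */
public void authorize(UserGroupInformation user,
                      Class<?> protocol,
                      Configuration conf,
                      InetAddress addr) throws AuthorizationException {
  AccessControlList[] acls = protocolToAcls.get(protocol);
  MachineList[] hosts = protocolToMachineLists.get(protocol);
  if (acls == null || hosts == null) {
    // A protocol with no registered policy is refused.
    throw new AuthorizationException("Protocol " + protocol
        + " is not known.");
  }

  // get client principal key to verify (if available)
  KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
  String clientPrincipal = null;
  if (krbInfo != null) {
    String clientKey = krbInfo.clientPrincipal();
    if (clientKey != null && !clientKey.isEmpty()) {
      try {
        clientPrincipal = SecurityUtil.getServerPrincipal(
            conf.get(clientKey), addr);
      } catch (IOException e) {
        throw (AuthorizationException) new AuthorizationException(
            "Can't figure out Kerberos principal name for connection from "
                + addr + " for user=" + user + " protocol=" + protocol)
            .initCause(e);
      }
    }
  }

  boolean principalMismatch = clientPrincipal != null
      && !clientPrincipal.equals(user.getUserName());
  // acls[0] must allow the user and acls[1] (blocked) must not match; an
  // array of any other length is treated as a denial.
  if (principalMismatch
      || acls.length != 2
      || !acls[0].isUserAllowed(user)
      || acls[1].isUserAllowed(user)) {
    // Report the check that actually failed. The old text always appended
    // "expected client Kerberos principal is <value>", which read "null" for
    // protocols with no principal requirement and blamed the principal even
    // when the ACL was the reason for the denial.
    String cause = principalMismatch
        ? ": this service is only accessible by " + clientPrincipal
        : ": denied by configured ACL";
    AUDITLOG.warn(AUTHZ_FAILED_FOR + user
        + " for protocol=" + protocol + cause);
    throw new AuthorizationException("User " + user
        + " is not authorized for protocol " + protocol + cause);
  }

  // NOTE(review): with addr == null the host allow/block lists are never
  // consulted. Confirm that callers pass null only for local requests.
  if (addr != null) {
    String hostAddress = addr.getHostAddress();
    if (hosts.length != 2
        || !hosts[0].includes(hostAddress)
        || hosts[1].includes(hostAddress)) {
      // The audit record now names the user; it previously named none,
      // leaving host-based denials unattributable.
      AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
          + " from host = " + hostAddress);
      throw new AuthorizationException("Host " + hostAddress
          + " is not authorized for protocol " + protocol);
    }
  }
  AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol=" + protocol);
}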