/**
 * Resolves the name of the effective user from the UGI returned by {@code getUGI()}.
 *
 * <p>The value is {@code getUserName()}, not {@code getShortUserName()}.
 * NOTE(review): callers that compare this value against short names elsewhere should confirm
 * both sides use the same form.
 *
 * @return the user name set in hadoop.job.ugi param or the current user from System
 * @throws IOException if the underlying Hadoop call throws LoginException; the
 *     LoginException is kept as the cause
 */
public static String getUser() throws IOException {
  final UserGroupInformation current;
  try {
    current = getUGI();
  } catch (LoginException le) {
    // Wrap rather than drop: the cause tells the caller why the identity lookup failed.
    throw new IOException(le);
  }
  return current.getUserName();
}
/**
 * Check the permissions on a file for the current user.
 *
 * <p>Delegates to the four-argument overload, passing the UGI returned by
 * {@code SecurityUtils.getUGI()} as the identity to check.
 *
 * <p>NOTE(review): the decision is made from the {@code stat} snapshot supplied by the caller,
 * so it reflects the file's state at the time that status was read. Presumably the filesystem
 * itself remains the enforcement point for the later access; confirm callers do not rely on
 * this check alone.
 *
 * @param fs Filesystem the file is contained in
 * @param stat Stat info for the file
 * @param action action to be performed
 * @throws IOException If thrown by Hadoop
 * @throws AccessControlException if the file cannot be accessed
 * @throws LoginException if thrown while resolving the current user's UGI
 */
public static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action)
    throws IOException, LoginException {
  // Resolve the identity once, then hand it to the overload that does the actual check.
  UserGroupInformation currentUser = SecurityUtils.getUGI();
  checkFileAccess(fs, stat, action, currentUser);
}
/**
 * Writes one audit record with the calling user, the client address and the command.
 *
 * <p>A {@code null} command is ignored. If the caller's UGI cannot be resolved, the failure is
 * rethrown as a {@link RuntimeException}, so no record is written without an identity.
 *
 * <p>NOTE(review): {@code cmd} is logged verbatim. If callers can place caller-supplied text
 * (for example object names) in it, embedded line breaks could split one audit record into
 * several; confirm that callers or the logging layout neutralise CR/LF.
 *
 * @param cmd description of the operation being audited; {@code null} means nothing to log
 */
private static void logAuditEvent(String cmd) {
  if (cmd == null) {
    return;
  }

  final UserGroupInformation caller;
  try {
    caller = SecurityUtils.getUGI();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }

  // Fall back to a fixed marker so the record keeps its shape when no address is known.
  final String reportedAddress = getIPAddress();
  final String address = (reportedAddress != null) ? reportedAddress : "unknown-ip-addr";

  auditLog.info("ugi={} ip={} cmd={} ", caller.getUserName(), address, cmd);
}
/**
 * Builds a mocked UGI whose short user name is {@code "nosuchuser"} but whose group list is
 * copied from the UGI returned by {@code SecurityUtils.getUGI()}.
 *
 * <p>Presumably used to exercise checks that must succeed or fail on group membership alone.
 *
 * @return the mocked UGI
 * @throws LoginException if the real UGI cannot be obtained
 * @throws IOException declared for callers; not thrown by the visible statements themselves
 */
private UserGroupInformation ugiInvalidUserValidGroups() throws LoginException, IOException {
  UserGroupInformation unknownUser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(unknownUser.getShortUserName()).thenReturn("nosuchuser");

  // Only the groups are real; the user name above deliberately matches nobody.
  Mockito.when(unknownUser.getGroupNames())
      .thenReturn(SecurityUtils.getUGI().getGroupNames());

  return unknownUser;
}
/**
 * Rejects the call unless the current user holds host proxy privileges for the client address.
 *
 * <p>The check is skipped entirely when the metastore is not remote (embedded mode) or when
 * {@code ConfVars.EVENT_DB_NOTIFICATION_API_AUTH} is disabled, so with either condition every
 * caller is let through.
 *
 * <p>NOTE(review): the value of {@code getIPAddress()} is passed to the privilege check
 * unchanged; confirm how {@code checkUserHasHostProxyPrivileges} treats a {@code null}
 * address and that it denies rather than allows in that case.
 *
 * @throws MetaException if the user is not allowed to perform this API call
 * @throws Exception if the user name cannot be obtained (logged, then rethrown unchanged)
 */
private void authorizeProxyPrivilege() throws Exception {
  // Skip the auth in embedded mode or if the auth is disabled
  if (!isMetaStoreRemote()) {
    return;
  }
  if (!MetastoreConf.getBoolVar(conf, ConfVars.EVENT_DB_NOTIFICATION_API_AUTH)) {
    return;
  }

  final String user;
  try {
    user = SecurityUtils.getUGI().getShortUserName();
  } catch (Exception ex) {
    // Without a user name there is nothing to authorize against, so fail the call.
    LOG.error("Cannot obtain username", ex);
    throw ex;
  }

  boolean permitted =
      MetaStoreServerUtils.checkUserHasHostProxyPrivileges(user, conf, getIPAddress());
  if (!permitted) {
    throw new MetaException("User " + user + " is not allowed to perform this API call");
  }
}
/**
 * Checks that READ, WRITE and EXECUTE are all granted on a file with no permission bits set
 * once the current user's primary group is configured as {@code dfs.permissions.supergroup}.
 *
 * <p>The setting is changed on the configuration object returned by {@code fs.getConf()} and
 * put back in the {@code finally} block.
 * NOTE(review): presumably this configuration is shared with other tests, which is why it is
 * restored; confirm.
 */
@Test
public void rootReadWriteExecute() throws IOException, LoginException {
  final String superGroupKey = "dfs.permissions.supergroup";

  UserGroupInformation currentUser = SecurityUtils.getUGI();
  FileSystem fileSystem = FileSystem.get(new Configuration());
  String previousSuperGroup = fileSystem.getConf().get(superGroupKey);
  try {
    fileSystem.getConf().set(superGroupKey, currentUser.getPrimaryGroupName());

    // Nobody is granted anything by the permission bits; only supergroup membership can pass.
    Path lockedDown =
        createFile(fileSystem, new FsPermission(FsAction.NONE, FsAction.NONE, FsAction.NONE));

    FsAction[] requestedActions = {FsAction.READ, FsAction.WRITE, FsAction.EXECUTE};
    for (FsAction requested : requestedActions) {
      HdfsUtils.checkFileAccess(
          fileSystem, fileSystem.getFileStatus(lockedDown), requested, currentUser);
    }
  } finally {
    // NOTE(review): if the property was unset beforehand, previousSuperGroup is null here;
    // confirm that set() accepts a null value, otherwise the restore itself would fail.
    fileSystem.getConf().set(superGroupKey, previousSuperGroup);
  }
}
/**
 * Expects a WRITE check to be denied with {@code AccessControlException} when the first
 * permission class is NONE and the other two are ALL.
 *
 * <p>Presumably {@code createFile} leaves the current user as the file's owner, so the test
 * shows that the owner's bits decide the outcome even though group and other would allow it.
 */
@Test(expected = AccessControlException.class)
public void userNoWrite() throws IOException, LoginException {
  FileSystem fileSystem = FileSystem.get(makeConf());
  FsPermission ownerDenied = new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.ALL);
  Path target = createFile(fileSystem, ownerDenied);

  UserGroupInformation currentUser = SecurityUtils.getUGI();

  // Must throw: the expected exception on the annotation is the assertion.
  HdfsUtils.checkFileAccess(
      fileSystem, fileSystem.getFileStatus(target), FsAction.WRITE, currentUser);
}
/**
 * Expects an EXECUTE check to be denied with {@code AccessControlException} when the first
 * permission class is NONE and the other two are ALL.
 *
 * <p>Presumably {@code createFile} leaves the current user as the file's owner, so the test
 * shows that the owner's bits decide the outcome even though group and other would allow it.
 */
@Test(expected = AccessControlException.class)
public void userNoExecute() throws IOException, LoginException {
  FileSystem fileSystem = FileSystem.get(makeConf());
  FsPermission ownerDenied = new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.ALL);
  Path target = createFile(fileSystem, ownerDenied);

  UserGroupInformation currentUser = SecurityUtils.getUGI();

  // Must throw: the expected exception on the annotation is the assertion.
  HdfsUtils.checkFileAccess(
      fileSystem, fileSystem.getFileStatus(target), FsAction.EXECUTE, currentUser);
}
/**
 * Expects a READ check to be denied with {@code AccessControlException} when the first
 * permission class is NONE and the other two are ALL.
 *
 * <p>Presumably {@code createFile} leaves the current user as the file's owner, so the test
 * shows that the owner's bits decide the outcome even though group and other would allow it.
 */
@Test(expected = AccessControlException.class)
public void userNoRead() throws IOException, LoginException {
  FileSystem fileSystem = FileSystem.get(makeConf());
  FsPermission ownerDenied = new FsPermission(FsAction.NONE, FsAction.ALL, FsAction.ALL);
  Path target = createFile(fileSystem, ownerDenied);

  UserGroupInformation currentUser = SecurityUtils.getUGI();

  // Must throw: the expected exception on the annotation is the assertion.
  HdfsUtils.checkFileAccess(
      fileSystem, fileSystem.getFileStatus(target), FsAction.READ, currentUser);
}
/**
 * Checks that READ, WRITE and EXECUTE all pass for the current user on a file whose first
 * permission class is ALL and whose other two classes are NONE.
 *
 * <p>Presumably {@code createFile} leaves the current user as the file's owner, so access is
 * granted through the owner bits alone.
 */
@Test
public void userReadWriteExecute() throws IOException, LoginException {
  FileSystem fileSystem = FileSystem.get(makeConf());
  FsPermission ownerOnly = new FsPermission(FsAction.ALL, FsAction.NONE, FsAction.NONE);
  Path target = createFile(fileSystem, ownerOnly);

  UserGroupInformation currentUser = SecurityUtils.getUGI();

  // Any denial surfaces as an exception and fails the test.
  FsAction[] requestedActions = {FsAction.READ, FsAction.WRITE, FsAction.EXECUTE};
  for (FsAction requested : requestedActions) {
    HdfsUtils.checkFileAccess(
        fileSystem, fileSystem.getFileStatus(target), requested, currentUser);
  }
}
UserGroupInformation ugi = SecurityUtils.getUGI(); client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames())); } catch (LoginException e) {
UserGroupInformation ugi = SecurityUtils.getUGI(); client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames())); } catch (LoginException e) {
UserGroupInformation ugi = SecurityUtils.getUGI(); client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames())); } catch (LoginException e) {
/**
 * Looks up the effective user via {@code getUGI()} and returns its user name.
 *
 * <p>The value is {@code getUserName()}, not {@code getShortUserName()}.
 * NOTE(review): when this name is compared with names produced elsewhere, confirm both sides
 * use the same form.
 *
 * @return the user name set in hadoop.job.ugi param or the current user from System
 * @throws IOException if the underlying Hadoop call throws LoginException; the
 *     LoginException is attached as the cause
 */
public static String getUser() throws IOException {
  final UserGroupInformation resolved;
  try {
    resolved = getUGI();
  } catch (LoginException le) {
    // Translate to the declared exception type without losing the original failure.
    throw new IOException(le);
  }
  return resolved.getUserName();
}
/**
 * Emits a single audit record naming the calling user, the client address and the command.
 *
 * <p>Nothing is logged for a {@code null} command. A failure to resolve the caller's UGI is
 * rethrown as a {@link RuntimeException}, so a record is never written without an identity.
 *
 * <p>NOTE(review): {@code cmd} reaches the log unmodified. If any caller builds it from
 * caller-supplied text, embedded line breaks could break one record into several; confirm
 * that CR/LF is neutralised by the callers or by the logging layout.
 *
 * @param cmd description of the operation being audited; {@code null} means nothing to log
 */
private static void logAuditEvent(String cmd) {
  if (cmd == null) {
    return;
  }

  final UserGroupInformation caller;
  try {
    caller = SecurityUtils.getUGI();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }

  // Keep the record well-formed when the client address is not available.
  String address = getIPAddress();
  if (address == null) {
    address = "unknown-ip-addr";
  }

  final String userName = caller.getUserName();
  auditLog.info("ugi={} ip={} cmd={} ", userName, address, cmd);
}
/**
 * Rejects the call unless the current user holds host proxy privileges for the client address.
 *
 * <p>No check is made when the metastore is not remote (embedded mode) or when
 * {@code ConfVars.EVENT_DB_NOTIFICATION_API_AUTH} is disabled; in both cases every caller is
 * let through.
 *
 * <p>NOTE(review): the value of {@code getIPAddress()} is handed to the privilege check as
 * is; confirm how {@code checkUserHasHostProxyPrivileges} treats a {@code null} address and
 * that it denies rather than allows in that case.
 *
 * @throws MetaException if the user is not allowed to perform this API call
 * @throws Exception if the user name cannot be obtained (logged, then rethrown unchanged)
 */
private void authorizeProxyPrivilege() throws Exception {
  // Skip the auth in embedded mode or if the auth is disabled
  if (!isMetaStoreRemote()) {
    return;
  }
  if (!MetastoreConf.getBoolVar(conf, ConfVars.EVENT_DB_NOTIFICATION_API_AUTH)) {
    return;
  }

  final String user;
  try {
    user = SecurityUtils.getUGI().getShortUserName();
  } catch (Exception ex) {
    // No user name means no authorization decision can be made, so the call fails.
    LOG.error("Cannot obtain username", ex);
    throw ex;
  }

  boolean permitted = MetaStoreUtils.checkUserHasHostProxyPrivileges(user, conf, getIPAddress());
  if (!permitted) {
    throw new MetaException("User " + user + " is not allowed to perform this API call");
  }
}