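/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 * <p>
 * The ACL lookup is done first: when no admin ACL is registered in the
 * context the answer is {@code false} (as documented) without ever building
 * a UGI for {@code remoteUser}.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
    String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  if (adminsAcl == null) {
    // No ACL configured for this context: nothing can grant access.
    return false;
  }
  UserGroupInformation remoteUserUGI =
      UserGroupInformation.createRemoteUser(remoteUser);
  return adminsAcl.isUserAllowed(remoteUserUGI);
}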
/**
 * Looks up the admin {@link AccessControlList} stored in the servlet context
 * under {@code ADMINS_ACL} and tests whether {@code remoteUser} is allowed
 * by it.
 *
 * @param servletContext the context holding the admin ACL attribute.
 * @param remoteUser name of the remote user to test.
 * @return {@code true} when an ACL is present and it allows the user;
 *         {@code false} when no ACL attribute is set or the user is denied.
 */
static boolean userHasAdministratorAccess(ServletContext servletContext,
    String remoteUser) {
  Object aclAttribute = servletContext.getAttribute(ADMINS_ACL);
  AccessControlList admins = (AccessControlList) aclAttribute;
  UserGroupInformation caller =
      UserGroupInformation.createRemoteUser(remoteUser);
  if (admins == null) {
    return false;
  }
  return admins.isUserAllowed(caller);
}
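/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 * <p>
 * The ACL lookup is done first: when no admin ACL is registered in the
 * context the answer is {@code false} (as documented) without ever building
 * a UGI for {@code remoteUser}.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
    String remoteUser) {
  AccessControlList adminsAcl =
      (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  if (adminsAcl == null) {
    // No ACL configured for this context: nothing can grant access.
    return false;
  }
  UserGroupInformation remoteUserUGI =
      UserGroupInformation.createRemoteUser(remoteUser);
  return adminsAcl.isUserAllowed(remoteUserUGI);
}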
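/**
 * Authorizes {@code user} to be impersonated by its real user from
 * {@code remoteAddress}.
 * <p>
 * A plain (non-proxy) user passes immediately. For a proxy user both checks
 * must succeed: the real user's proxy-user ACL must allow {@code user}, and
 * the real user's configured host list must include {@code remoteAddress}.
 *
 * @param user the (possibly proxied) user being authorized; must not be null.
 * @param remoteAddress address of the connecting client.
 * @throws AuthorizationException if the real user may not impersonate
 *         {@code user}, or the connection does not come from an allowed host.
 * @throws IllegalArgumentException if {@code user} is null.
 */
@Override
public void authorize(UserGroupInformation user, String remoteAddress)
    throws AuthorizationException {
  if (user == null) {
    throw new IllegalArgumentException("user is null.");
  }
  UserGroupInformation realUser = user.getRealUser();
  if (realUser == null) {
    // Not a proxy user: there is nothing to authorize here.
    return;
  }
  // Check 1: is the real user allowed to impersonate this user at all?
  AccessControlList acl =
      proxyUserAcl.get(configPrefix + realUser.getShortUserName());
  if (acl == null || !acl.isUserAllowed(user)) {
    throw new AuthorizationException("User: " + realUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
  // Check 2: is the real user allowed to proxy from this address?
  // NOTE(review): a null remoteAddress is handed straight to
  // MachineList.includes — confirm it is not treated as allowed.
  // (Local renamed from "MachineList", which shadowed the type name.)
  MachineList allowedHosts = proxyHosts.get(
      getProxySuperuserIpConfKey(realUser.getShortUserName()));
  if (allowedHosts == null || !allowedHosts.includes(remoteAddress)) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + realUser.getUserName() + " from IP " + remoteAddress);
  }
}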
/**
 * Instrumentation access is allowed by default and denied once both
 * {@code HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN} and
 * {@code HADOOP_SECURITY_AUTHORIZATION} are enabled and the admin ACL
 * rejects the caller.
 */
@Test
public void testRequiresAuthorizationAccess() throws Exception {
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);
  ServletContext ctx = Mockito.mock(ServletContext.class);
  Configuration conf = new Configuration();
  Mockito.when(ctx.getAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE))
      .thenReturn(conf);

  // requires admin access to instrumentation, FALSE by default
  Assert.assertTrue(
      HttpServer.isInstrumentationAccessAllowed(ctx, req, resp));

  // requires admin access to instrumentation, TRUE
  conf.setBoolean(
      CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
  AccessControlList denyAll = Mockito.mock(AccessControlList.class);
  Mockito.when(denyAll.isUserAllowed(Mockito.<UserGroupInformation>any()))
      .thenReturn(false);
  Mockito.when(ctx.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(denyAll);
  Assert.assertFalse(
      HttpServer.isInstrumentationAccessAllowed(ctx, req, resp));
}
acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { String cause = clientPrincipal != null ? ": this service is only accessible by " + clientPrincipal :
Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false); Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls); Assert.assertFalse(HttpServer.hasAdministratorAccess(context, request, response)); Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(true); Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls); Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
/**
 * Enforces admin access on the ZKFC RPC endpoint: the caller must be allowed
 * by {@code adminAcl} or have the same short user name as the user the ZKFC
 * itself is logged in as. Denied callers are logged at WARN and rejected.
 *
 * @throws AccessControlException if the caller is neither listed in
 *         {@code DFSConfigKeys.DFS_ADMIN} nor the ZKFC login user.
 * @throws IOException if the current or login user cannot be determined.
 */
@Override
protected void checkRpcAdminAccess() throws IOException,
    AccessControlException {
  UserGroupInformation caller = UserGroupInformation.getCurrentUser();
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  // Short-circuit: the ACL is consulted first, the self-check only if needed.
  boolean permitted = adminAcl.isUserAllowed(caller)
      || caller.getShortUserName().equals(loginUser.getShortUserName());
  if (!permitted) {
    String msg = "Disallowed RPC access from " + caller + " at "
        + Server.getRemoteAddress() + ". Not listed in "
        + DFSConfigKeys.DFS_ADMIN;
    LOG.warn(msg);
    throw new AccessControlException(msg);
  }
  LOG.info("Allowed RPC access from " + caller + " at "
      + Server.getRemoteAddress());
}
/**
 * Tells whether {@code callerUGI} is an administrator, i.e. is allowed by
 * the administrators' access control list.
 *
 * @param callerUGI user/group to check
 * @return {@code true} if the UserGroupInformation specified is a member of
 *         the access control list for administrators
 */
public boolean isAdmin(UserGroupInformation callerUGI) {
  boolean allowedByAdminAcl = adminAcl.isUserAllowed(callerUGI);
  return allowedByAdminAcl;
}
}
/**
 * Tells whether {@code callerUGI} is an administrator, i.e. is allowed by
 * the administrators' access control list.
 *
 * @param callerUGI user/group to check
 * @return {@code true} if the UserGroupInformation specified is a member of
 *         the access control list for administrators
 */
public boolean isAdmin(UserGroupInformation callerUGI) {
  boolean allowedByAdminAcl = adminAcl.isUserAllowed(callerUGI);
  return allowedByAdminAcl;
}
}
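/**
 * Is the calling user an admin for the mapreduce cluster
 * i.e. member of mapreduce.cluster.administrators
 *
 * @param callerUGI the user to check against the admin ACL
 * @return true, if user is an admin
 */
boolean isMRAdmin(UserGroupInformation callerUGI) {
  // The ACL's answer is the result; no need for an explicit if/return pair.
  return adminAcl.isUserAllowed(callerUGI);
}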
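/**
 * Is the calling user an admin for the mapreduce cluster
 * i.e. member of mapreduce.cluster.administrators
 *
 * @param callerUGI the user to check against the admin ACL
 * @return true, if user is an admin
 */
boolean isMRAdmin(UserGroupInformation callerUGI) {
  // The ACL's answer is the result; no need for an explicit if/return pair.
  return adminAcl.isUserAllowed(callerUGI);
}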
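/**
 * Is the calling user an admin for the mapreduce cluster ?
 * i.e. either cluster owner or cluster administrator
 *
 * @param callerUGI the user to check against the admin ACL
 * @return true, if user is an admin
 */
boolean isMRAdmin(UserGroupInformation callerUGI) {
  // The ACL's answer is the result; no need for an explicit if/return pair.
  return adminAcl.isUserAllowed(callerUGI);
}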
/**
 * Checks whether {@code user} holds {@code acl} on {@code queueName} or on
 * any ancestor queue (a dot-separated prefix of the name): access granted
 * at a parent queue is inherited by its descendants.
 *
 * @param queueName dot-separated queue name
 * @param acl the queue ACL type to check
 * @param user the user to check
 * @return {@code true} if the queue or one of its ancestors allows the user
 */
public boolean hasAccess(String queueName, QueueACL acl,
    UserGroupInformation user) {
  // Walk from the full name up to the top-level prefix, one '.' at a time.
  for (int end = queueName.length(); end != -1;
      end = queueName.lastIndexOf('.', end - 1)) {
    String ancestor = queueName.substring(0, end);
    if (getQueueAcl(ancestor, acl).isUserAllowed(user)) {
      return true;
    }
  }
  return false;
}
/**
 * Checks whether {@code user} holds {@code acl} on {@code queueName} or on
 * any ancestor queue (a dot-separated prefix of the name): access granted
 * at a parent queue is inherited by its descendants.
 *
 * @param queueName dot-separated queue name
 * @param acl the queue ACL type to check
 * @param user the user to check
 * @return {@code true} if the queue or one of its ancestors allows the user
 */
public boolean hasAccess(String queueName, QueueACL acl,
    UserGroupInformation user) {
  // Walk from the full name up to the top-level prefix, one '.' at a time.
  for (int end = queueName.length(); end != -1;
      end = queueName.lastIndexOf('.', end - 1)) {
    String ancestor = queueName.substring(0, end);
    if (getQueueAcl(ancestor, acl).isUserAllowed(user)) {
      return true;
    }
  }
  return false;
}
/**
 * Asserts that {@code acl} grants access to {@code ugi}.
 *
 * @param ugi the user expected to be allowed
 * @param acl the access control list under test
 */
private void assertUserAllowed(UserGroupInformation ugi,
    AccessControlList acl) {
  String failure = "User " + ugi + " is not granted the access-control!!";
  boolean allowed = acl.isUserAllowed(ugi);
  assertTrue(failure, allowed);
}
/**
 * Asserts that {@code acl} grants access to {@code ugi}.
 *
 * @param ugi the user expected to be allowed
 * @param acl the access control list under test
 */
private void assertUserAllowed(UserGroupInformation ugi,
    AccessControlList acl) {
  String failure = "User " + ugi + " is not granted the access-control!!";
  boolean allowed = acl.isUserAllowed(ugi);
  assertTrue(failure, allowed);
}
/**
 * Asserts that {@code acl} denies access to {@code ugi}.
 *
 * @param ugi the user expected to be denied
 * @param acl the access control list under test
 */
private void assertUserNotAllowed(UserGroupInformation ugi,
    AccessControlList acl) {
  String failure =
      "User " + ugi + " is incorrectly granted the access-control!!";
  boolean allowed = acl.isUserAllowed(ugi);
  assertFalse(failure, allowed);
}
}
/**
 * Asserts that {@code acl} denies access to {@code ugi}.
 *
 * @param ugi the user expected to be denied
 * @param acl the access control list under test
 */
private void assertUserNotAllowed(UserGroupInformation ugi,
    AccessControlList acl) {
  String failure =
      "User " + ugi + " is incorrectly granted the access-control!!";
  boolean allowed = acl.isUserAllowed(ugi);
  assertFalse(failure, allowed);
}
}
/**
 * Asserts that {@code acl} grants access to {@code ugi}.
 *
 * @param ugi the user expected to be allowed
 * @param acl the access control list under test
 */
private void assertUserAllowed(UserGroupInformation ugi,
    AccessControlList acl) {
  String failure = "User " + ugi + " is not granted the access-control!!";
  boolean allowed = acl.isUserAllowed(ugi);
  assertTrue(failure, allowed);
}