/**
 * Reloads the proxy-user (impersonation) settings from {@code conf}, reading
 * the properties that live under the default prefix
 * {@code CONF_HADOOP_PROXYUSER}.
 *
 * <p>This overload only supplies the prefix and delegates to the two-argument
 * {@code refreshSuperUserGroupsConfiguration(Configuration, String)}.
 *
 * @param conf configuration to read the proxy-user properties from
 */
public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
  final String defaultPrefix = CONF_HADOOP_PROXYUSER;
  refreshSuperUserGroupsConfiguration(conf, defaultPrefix);
}
/**
 * Reloads the impersonation rules from a freshly constructed
 * {@link Configuration} instead of one supplied by the caller.
 *
 * <p>NOTE(review): a server that installed its rules from a customised
 * Configuration presumably loses them when this overload runs; prefer the
 * overload that takes the Configuration explicitly in that case - confirm.
 */
public static void refreshSuperUserGroupsConfiguration() {
  // Load the server-side configuration.
  final Configuration serverConf = new Configuration();
  refreshSuperUserGroupsConfiguration(serverConf);
}
/**
 * Points Hadoop at the HBase policy file and, when service-level
 * authorization is enabled in {@code conf}, loads the service ACLs and the
 * proxy-user rules.
 *
 * <p>When {@code ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG} is
 * unset or false, neither the policy nor the proxy-user rules are refreshed
 * here.
 *
 * @param conf configuration to read the authorization switch and rules from
 * @param authManager manager whose policy is refreshed with {@link HBasePolicyProvider}
 */
public static void init(Configuration conf, ServiceAuthorizationManager authManager) {
  // Set the service-level authorization security policy file.
  // This is a JVM-wide system property, so it affects every component in the process.
  System.setProperty("hadoop.policy.file", "hbase-policy.xml");

  boolean serviceAuthorizationEnabled =
      conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false);
  if (!serviceAuthorizationEnabled) {
    return;
  }

  authManager.refresh(conf, new HBasePolicyProvider());
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
}
}
/**
 * Authorizes the superuser that is performing a doAs (impersonation) call.
 *
 * <p>If no impersonation provider has been set yet ({@code sip} is null), the
 * rules are first loaded through the no-argument
 * {@code refreshSuperUserGroupsConfiguration()}; the decision itself is
 * delegated to {@code sip.authorize}.
 *
 * @param user ugi of the effective or proxy user which contains a real user
 * @param remoteAddress the ip address of client
 * @throws AuthorizationException propagated from {@code sip.authorize};
 *     presumably raised when the impersonation is not permitted
 */
public static void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException {
  if (sip==null) {
    // In a race situation, it is possible for multiple threads to satisfy this condition.
    // The last assignment will prevail.
    // NOTE(review): this lazy load uses the no-argument refresh, i.e. a default
    // Configuration rather than one chosen by the caller. A server that depends on
    // custom proxy-user rules should refresh explicitly before the first authorize call.
    refreshSuperUserGroupsConfiguration();
  }
  sip.authorize(user, remoteAddress);
}
/**
 * Checks whether {@code user} may make DB notification related calls from
 * {@code ipAddress}.
 *
 * <p>Only superusers defined in the Hadoop proxy-user settings have the
 * permission: the host entries configured for {@code user} are looked up and
 * the caller's address is matched against them with a {@link MachineList}.
 *
 * @param user the short user name
 * @param conf configuration that contains the proxy-user settings; it is read
 *     only when {@code ProxyUsers} has no default impersonation provider yet
 * @param ipAddress address the call came from; {@code null} is matched as the
 *     empty string
 * @return {@code true} if the host list configured for {@code user} includes
 *     the address
 */
public static boolean checkUserHasHostProxyPrivileges(String user, Configuration conf, String ipAddress) {
  DefaultImpersonationProvider provider = ProxyUsers.getDefaultImpersonationProvider();
  if (provider == null) {
    // ProxyUsers only needs initializing the first time, given that the conf will not change on the fly.
    // NOTE(review): the provider is static state shared through ProxyUsers, so if another
    // component initialized it first, the rules in this conf are never consulted - confirm.
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
    provider = ProxyUsers.getDefaultImpersonationProvider();
  }

  Map<String, Collection<String>> hostsByKey = provider.getProxyHosts();
  // NOTE(review): a user without a hosts entry yields null here; confirm that
  // MachineList treats a null collection as "no host allowed" (fail closed).
  Collection<String> allowedHosts = hostsByKey.get(provider.getProxySuperuserIpConfKey(user));

  // NOTE(review): an unknown caller address is matched as the empty string; confirm that
  // MachineList.includes cannot match it against a concrete (non-wildcard) host entry.
  String effectiveIp = (ipAddress != null) ? ipAddress : StringUtils.EMPTY;
  return new MachineList(allowedHosts).includes(effectiveIp);
}
// Reload the proxy-user (impersonation) rules from conf. The call is static, so the
// rules it installs are shared by every caller of ProxyUsers in this JVM.
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
/**
 * Initializes the filter: wires in an externally supplied delegation-token
 * secret manager when one is published in the servlet context, records which
 * RPC auth method the configured handler corresponds to, and loads the
 * proxy-user rules under this filter's own {@code PROXYUSER_PREFIX}.
 *
 * @param filterConfig servlet filter configuration
 * @throws ServletException if initialization fails, e.g. in {@code super.init}
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  super.init(filterConfig);

  AuthenticationHandler handler = getAuthenticationHandler();
  AbstractDelegationTokenSecretManager externalSecretManager =
      (AbstractDelegationTokenSecretManager) filterConfig.getServletContext()
          .getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR);

  // Only a delegation-token handler can accept an external secret manager.
  boolean handlerUsesDelegationTokens = handler instanceof DelegationTokenAuthenticationHandler;
  if (externalSecretManager != null && handlerUsesDelegationTokens) {
    DelegationTokenAuthenticationHandler tokenHandler =
        (DelegationTokenAuthenticationHandler) getAuthenticationHandler();
    tokenHandler.setExternalDelegationTokenSecretManager(externalSecretManager);
  }

  // Pseudo handlers are reported as SIMPLE auth.
  // NOTE(review): with SIMPLE auth the caller identity is presumably not verified, which
  // makes the proxy-user host/group rules loaded below the main control on doAs - confirm.
  boolean simpleAuth = handler instanceof PseudoAuthenticationHandler
      || handler instanceof PseudoDelegationTokenAuthenticationHandler;
  if (simpleAuth) {
    setHandlerAuthMethod(SaslRpcServer.AuthMethod.SIMPLE);
  }

  boolean kerberosAuth = handler instanceof KerberosAuthenticationHandler
      || handler instanceof KerberosDelegationTokenAuthenticationHandler;
  if (kerberosAuth) {
    setHandlerAuthMethod(SaslRpcServer.AuthMethod.KERBEROS);
  }

  // Proxy-user configuration, read under the filter-specific prefix.
  Configuration proxyuserConf = getProxyuserConfiguration(filterConfig);
  ProxyUsers.refreshSuperUserGroupsConfiguration(proxyuserConf, PROXYUSER_PREFIX);
}
/**
 * Builds the servlet state from an existing configuration: captures the
 * current login user, registers the custom filter, creates the connection
 * cache, loads the proxy-user rules when proxying is supported, and starts
 * the JVM pause monitor.
 *
 * @param conf existing configuration
 * @param userProvider the login user provider
 * @throws IOException declared by the constructor; the visible calls that may
 *     raise it are not distinguishable from this excerpt
 */
RESTServlet(final Configuration conf, final UserProvider userProvider) throws IOException {
  this.realUser = userProvider.getCurrent().getUGI();
  this.conf = conf;
  registerCustomFilter(conf);

  final int cleanupInterval = conf.getInt(CLEANUP_INTERVAL, 10 * 1000);
  final int idleLimit = conf.getInt(MAX_IDLETIME, 10 * 60 * 1000);
  connectionCache = new ConnectionCache(conf, userProvider, cleanupInterval, idleLimit);

  // The impersonation rules are loaded only when proxy-user support is on;
  // otherwise ProxyUsers keeps whatever state it already had.
  if (supportsProxyuser()) {
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  }

  metrics = new MetricsREST();
  pauseMonitor = new JvmPauseMonitor(conf, metrics.getSource());
  pauseMonitor.start();
}
/**
 * Verifies that {@code realUser} is allowed to act as {@code proxyUser} when
 * connecting from {@code ipAddress}.
 *
 * <p>A session UGI is built for the real user (as a proxy of the login user
 * when security is enabled, as a plain remote user otherwise). If the two
 * names differ, the proxy-user rules are reloaded from {@code hiveConf} and
 * {@code ProxyUsers.authorize} decides.
 *
 * @param realUser the connecting user
 * @param proxyUser the user to be impersonated
 * @param ipAddress address of the client
 * @param hiveConf configuration holding the proxy-user rules
 * @throws HiveSQLException with SQL state {@code 08S01} when an
 *     {@link IOException} is raised during validation
 */
public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress,
    HiveConf hiveConf) throws HiveSQLException {
  try {
    UserGroupInformation sessionUgi;
    if (!UserGroupInformation.isSecurityEnabled()) {
      sessionUgi = UserGroupInformation.createRemoteUser(realUser);
    } else {
      KerberosNameShim kerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser);
      sessionUgi = UserGroupInformation.createProxyUser(
          kerberosName.getServiceName(), UserGroupInformation.getLoginUser());
    }

    // NOTE(review): names that differ only in letter case are treated as the same user
    // and skip the authorization below; confirm user names are case-insensitive here.
    if (proxyUser.equalsIgnoreCase(realUser)) {
      return;
    }

    // NOTE(review): the rules are reloaded on every impersonated call, and the reload is a
    // static call on ProxyUsers, so concurrent sessions share and replace the same state.
    ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf);
    UserGroupInformation impersonatedUgi =
        UserGroupInformation.createProxyUser(proxyUser, sessionUgi);
    ProxyUsers.authorize(impersonatedUgi, ipAddress, hiveConf);
  } catch (IOException e) {
    throw new HiveSQLException(
        "Failed to validate proxy privilege of " + realUser + " for " + proxyUser, "08S01", e);
  }
}
}
// Reload the proxy-user (impersonation) rules from conf. The call is static, so the
// rules it installs are shared by every caller of ProxyUsers in this JVM.
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
/**
 * Reloads the superuser proxy-group mapping and records the operation in the
 * audit log.
 *
 * <p>The audit event is written only after the reload returns, so a reload
 * that throws leaves no audit record from this method.
 *
 * <p>NOTE(review): no privilege check is visible in this method; presumably
 * the caller is authorized before this point - confirm.
 *
 * @throws IOException declared by the protocol method
 */
@Override // RefreshAuthorizationPolicyProtocol
public void refreshSuperUserGroupsConfiguration() throws IOException {
  final String operation = "refreshSuperUserGroupsConfiguration";
  LOG.info("Refreshing SuperUser proxy group mapping list ");
  ProxyUsers.refreshSuperUserGroupsConfiguration();
  namesystem.logAuditEvent(true, operation, null);
}
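/**
 * Verifies that an authorized proxy user ("proxyserver") that sends a
 * {@code doAs} parameter is resolved to the impersonated user ("enduser").
 *
 * <p>The wildcard {@code groups}/{@code hosts} values are test fixtures that
 * allow "proxyserver" to impersonate anyone from anywhere.
 */
@Test
public void testWithRemoteUserExtractorSuccess() {
  HttpServletRequest request = mock(HttpServletRequest.class);
  when(request.getRemoteUser()).thenReturn("proxyserver");
  when(request.getParameter("doAs")).thenReturn("enduser");
  when(request.getRemoteAddr()).thenReturn("localhost:1234");

  Configuration conf = new Configuration(false);
  conf.set("hadoop.proxyuser.proxyserver.groups", "*");
  conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
  conf.set("phoenix.queryserver.withRemoteUserExtractor", "true");
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  PhoenixRemoteUserExtractor extractor = new PhoenixRemoteUserExtractor(conf);
  try {
    assertEquals("enduser", extractor.extract(request));
  } catch (RemoteUserExtractionException e) {
    // Previously this was only logged, so the test passed even when the
    // extraction was rejected. A failed extraction must fail the test.
    throw new AssertionError(
        "Extraction failed for an authorized proxy user: " + e.getMessage(), e);
  }
}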
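/**
 * Verifies that a request without a {@code doAs} parameter is resolved to the
 * authenticated remote user itself ("proxyserver").
 *
 * <p>The wildcard {@code groups}/{@code hosts} values are test fixtures only.
 */
@Test
public void testNoRemoteUserExtractorParam() {
  HttpServletRequest request = mock(HttpServletRequest.class);
  when(request.getRemoteUser()).thenReturn("proxyserver");
  when(request.getRemoteAddr()).thenReturn("localhost:1234");

  Configuration conf = new Configuration(false);
  conf.set("hadoop.proxyuser.proxyserver.groups", "*");
  conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
  conf.set("phoenix.queryserver.withRemoteUserExtractor", "true");
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  PhoenixRemoteUserExtractor extractor = new PhoenixRemoteUserExtractor(conf);
  try {
    assertEquals("proxyserver", extractor.extract(request));
  } catch (RemoteUserExtractionException e) {
    // Previously this was only logged, so the test passed even when the
    // extraction threw. A failed extraction must fail the test.
    throw new AssertionError(
        "Extraction failed for a request without doAs: " + e.getMessage(), e);
  }
}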
// Reload the proxy-user (impersonation) rules from the configuration returned by getConf().
// The call is static, so the rules it installs are shared by every caller of ProxyUsers in this JVM.
ProxyUsers.refreshSuperUserGroupsConfiguration(getConf());
/**
 * Reloads the proxy-user (impersonation) settings from {@code conf}, reading
 * the properties that live under the default prefix
 * {@code CONF_HADOOP_PROXYUSER}.
 *
 * <p>This overload only supplies the prefix and delegates to the two-argument
 * {@code refreshSuperUserGroupsConfiguration(Configuration, String)}.
 *
 * @param conf configuration to read the proxy-user properties from
 */
public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
  final String defaultPrefix = CONF_HADOOP_PROXYUSER;
  refreshSuperUserGroupsConfiguration(conf, defaultPrefix);
}
/**
 * Reloads the proxy-user (impersonation) settings from {@code conf}, reading
 * the properties that live under the default prefix
 * {@code CONF_HADOOP_PROXYUSER}.
 *
 * <p>This overload only supplies the prefix and delegates to the two-argument
 * {@code refreshSuperUserGroupsConfiguration(Configuration, String)}.
 *
 * @param conf configuration to read the proxy-user properties from
 */
public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
  final String defaultPrefix = CONF_HADOOP_PROXYUSER;
  refreshSuperUserGroupsConfiguration(conf, defaultPrefix);
}
/**
 * Reloads the impersonation rules from a freshly constructed
 * {@link Configuration} instead of one supplied by the caller.
 *
 * <p>NOTE(review): a server that installed its rules from a customised
 * Configuration presumably loses them when this overload runs; prefer the
 * overload that takes the Configuration explicitly in that case - confirm.
 */
public static void refreshSuperUserGroupsConfiguration() {
  // Load the server-side configuration.
  final Configuration serverConf = new Configuration();
  refreshSuperUserGroupsConfiguration(serverConf);
}
// Test fixture: "*" lets the "server" proxy user impersonate from any host.
// A wildcard like this belongs in tests only; deployed rules should name specific hosts.
conf.set("hadoop.proxyuser.server.hosts", "*");
// Reload the proxy-user rules so the setting above is picked up by ProxyUsers.
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
// A test-only UGI named "server" with an empty group list.
UserGroupInformation serverUgi = UserGroupInformation.createUserForTesting("server", new String[0]);
PhoenixDoAsCallback callback = new PhoenixDoAsCallback(serverUgi, conf);
/**
 * Reloads the proxy-user rules for the history server after an ACL check and
 * writes a success record to the audit log.
 *
 * <p>{@code checkAcls} runs before anything is reloaded. The audit record is a
 * success record written after the reload returns, so a reload that throws
 * leaves no audit entry from this method.
 *
 * @throws IOException declared by the protocol method; presumably also how a
 *     failed ACL check is reported - confirm against {@code checkAcls}
 */
@Override
public void refreshSuperUserGroupsConfiguration() throws IOException {
  final String operation = "refreshSuperUserGroupsConfiguration";
  UserGroupInformation caller = checkAcls(operation);

  ProxyUsers.refreshSuperUserGroupsConfiguration(createConf());

  HSAuditLogger.logSuccess(caller.getShortUserName(), operation, HISTORY_ADMIN_SERVER);
}
/**
 * Verifies that refreshing the proxy-user rules with a {@code null} property
 * prefix is rejected with an {@link IllegalArgumentException}.
 */
@Test(expected = IllegalArgumentException.class)
public void testProxyUsersWithNullPrefix() throws Exception {
  // Configuration(false): no default resources are loaded for this fixture.
  Configuration emptyConf = new Configuration(false);
  ProxyUsers.refreshSuperUserGroupsConfiguration(emptyConf, null);
}