Java Code Examples for org.apache.hadoop.security.authorize.AccessControlList#isUserAllowed()
The following examples show how to use
org.apache.hadoop.security.authorize.AccessControlList#isUserAllowed() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: ConfiguredYarnAuthorizer.java From hadoop with Apache License 2.0 | 6 votes |
@Override public boolean checkPermission(AccessType accessType, PrivilegedEntity target, UserGroupInformation user) { boolean ret = false; Map<AccessType, AccessControlList> acls = allAcls.get(target); if (acls != null) { AccessControlList list = acls.get(accessType); if (list != null) { ret = list.isUserAllowed(user); } } // recursively look up the queue to see if parent queue has the permission. if (target.getType() == EntityType.QUEUE && !ret) { String queueName = target.getName(); if (!queueName.contains(".")) { return ret; } String parentQueueName = queueName.substring(0, queueName.lastIndexOf(".")); return checkPermission(accessType, new PrivilegedEntity(target.getType(), parentQueueName), user); } return ret; }
Example 2
Source File: RangerYarnAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
@Override public boolean isAdmin(UserGroupInformation ugi) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerYarnAuthorizer.isAdmin(" + ugi + ")"); } boolean ret = false; AccessControlList admins = this.admins; if(admins != null) { ret = admins.isUserAllowed(ugi); } if(LOG.isDebugEnabled()) { LOG.debug("<== RangerYarnAuthorizer.isAdmin(" + ugi + "): " + ret); } return ret; }
Example 3
Source File: JobACLsManager.java From hadoop with Apache License 2.0 | 6 votes |
/** * If authorization is enabled, checks whether the user (in the callerUGI) * is authorized to perform the operation specified by 'jobOperation' on * the job by checking if the user is jobOwner or part of job ACL for the * specific job operation. * <ul> * <li>The owner of the job can do any operation on the job</li> * <li>For all other users/groups job-acls are checked</li> * </ul> * @param callerUGI * @param jobOperation * @param jobOwner * @param jobACL */ public boolean checkAccess(UserGroupInformation callerUGI, JobACL jobOperation, String jobOwner, AccessControlList jobACL) { if (LOG.isDebugEnabled()) { LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: " + jobOperation.toString() + " user: " + callerUGI.getShortUserName()); } String user = callerUGI.getShortUserName(); if (!areACLsEnabled()) { return true; } // Allow Job-owner for any operation on the job if (isMRAdmin(callerUGI) || user.equals(jobOwner) || jobACL.isUserAllowed(callerUGI)) { return true; } return false; }
Example 4
Source File: JobACLsManager.java From big-c with Apache License 2.0 | 6 votes |
/** * If authorization is enabled, checks whether the user (in the callerUGI) * is authorized to perform the operation specified by 'jobOperation' on * the job by checking if the user is jobOwner or part of job ACL for the * specific job operation. * <ul> * <li>The owner of the job can do any operation on the job</li> * <li>For all other users/groups job-acls are checked</li> * </ul> * @param callerUGI * @param jobOperation * @param jobOwner * @param jobACL */ public boolean checkAccess(UserGroupInformation callerUGI, JobACL jobOperation, String jobOwner, AccessControlList jobACL) { if (LOG.isDebugEnabled()) { LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: " + jobOperation.toString() + " user: " + callerUGI.getShortUserName()); } String user = callerUGI.getShortUserName(); if (!areACLsEnabled()) { return true; } // Allow Job-owner for any operation on the job if (isMRAdmin(callerUGI) || user.equals(jobOwner) || jobACL.isUserAllowed(callerUGI)) { return true; } return false; }
Example 5
Source File: ConfiguredYarnAuthorizer.java From big-c with Apache License 2.0 | 6 votes |
@Override public boolean checkPermission(AccessType accessType, PrivilegedEntity target, UserGroupInformation user) { boolean ret = false; Map<AccessType, AccessControlList> acls = allAcls.get(target); if (acls != null) { AccessControlList list = acls.get(accessType); if (list != null) { ret = list.isUserAllowed(user); } } // recursively look up the queue to see if parent queue has the permission. if (target.getType() == EntityType.QUEUE && !ret) { String queueName = target.getName(); if (!queueName.contains(".")) { return ret; } String parentQueueName = queueName.substring(0, queueName.lastIndexOf(".")); return checkPermission(accessType, new PrivilegedEntity(target.getType(), parentQueueName), user); } return ret; }
Example 6
Source File: QueueManager.java From big-c with Apache License 2.0 | 5 votes |
/** * Return true if the given user is part of the ACL for the given * {@link QueueACL} name for the given queue. * <p> * An operation is allowed if all users are provided access for this * operation, or if either the user or any of the groups specified is * provided access. * * @param queueName Queue on which the operation needs to be performed. * @param qACL The queue ACL name to be checked * @param ugi The user and groups who wish to perform the operation. * @return true if the operation is allowed, false otherwise. */ public synchronized boolean hasAccess( String queueName, QueueACL qACL, UserGroupInformation ugi) { Queue q = leafQueues.get(queueName); if (q == null) { LOG.info("Queue " + queueName + " is not present"); return false; } if(q.getChildren() != null && !q.getChildren().isEmpty()) { LOG.info("Cannot submit job to parent queue " + q.getName()); return false; } if (!areAclsEnabled()) { return true; } if (LOG.isDebugEnabled()) { LOG.debug("Checking access for the acl " + toFullPropertyName(queueName, qACL.getAclName()) + " for user " + ugi.getShortUserName()); } AccessControlList acl = q.getAcls().get( toFullPropertyName(queueName, qACL.getAclName())); if (acl == null) { return false; } // Check if user is part of the ACL return acl.isUserAllowed(ugi); }
Example 7
Source File: RangerYarnAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")"); } boolean ret = false; for(Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> e : yarnAcl.entrySet()) { PrivilegedEntity aclEntity = e.getKey(); Map<AccessType, AccessControlList> entityPermissions = e.getValue(); AccessControlList acl = entityPermissions == null ? null : entityPermissions.get(accessType); if(acl != null && acl.isUserAllowed(ugi) && isSelfOrChildOf(entity, aclEntity)) { ret = true; break; } } if(auditHandler != null) { auditHandler.logYarnAclEvent(ret); } if(LOG.isDebugEnabled()) { LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret); } return ret; }
Example 8
Source File: KMSACLs.java From ranger with Apache License 2.0 | 5 votes |
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,UserGroupInformation ugi, KeyOpType opType) { AccessControlList acl = keyAcl.get(opType); if (acl == null) { // If no acl is specified for this operation, // deny access LOG.debug("No ACL available for key, denying access for {}", opType); return false; } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking user [{}] for: {}: {}" + ugi.getShortUserName(), opType.toString(), acl.getAclString()); } return acl.isUserAllowed(ugi); } }
Example 9
Source File: KMSACLs.java From big-c with Apache License 2.0 | 5 votes |
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl, UserGroupInformation ugi, KeyOpType opType) { AccessControlList acl = keyAcl.get(opType); if (acl == null) { // If no acl is specified for this operation, // deny access return false; } else { return acl.isUserAllowed(ugi); } }
Example 10
Source File: HttpServer2.java From hadoop-ozone with Apache License 2.0 | 5 votes |
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess( ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
Example 11
Source File: KMSACLs.java From hadoop with Apache License 2.0 | 5 votes |
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl, UserGroupInformation ugi, KeyOpType opType) { AccessControlList acl = keyAcl.get(opType); if (acl == null) { // If no acl is specified for this operation, // deny access return false; } else { return acl.isUserAllowed(ugi); } }
Example 12
Source File: QueueManager.java From hadoop with Apache License 2.0 | 5 votes |
/** * Return true if the given user is part of the ACL for the given * {@link QueueACL} name for the given queue. * <p> * An operation is allowed if all users are provided access for this * operation, or if either the user or any of the groups specified is * provided access. * * @param queueName Queue on which the operation needs to be performed. * @param qACL The queue ACL name to be checked * @param ugi The user and groups who wish to perform the operation. * @return true if the operation is allowed, false otherwise. */ public synchronized boolean hasAccess( String queueName, QueueACL qACL, UserGroupInformation ugi) { Queue q = leafQueues.get(queueName); if (q == null) { LOG.info("Queue " + queueName + " is not present"); return false; } if(q.getChildren() != null && !q.getChildren().isEmpty()) { LOG.info("Cannot submit job to parent queue " + q.getName()); return false; } if (!areAclsEnabled()) { return true; } if (LOG.isDebugEnabled()) { LOG.debug("Checking access for the acl " + toFullPropertyName(queueName, qACL.getAclName()) + " for user " + ugi.getShortUserName()); } AccessControlList acl = q.getAcls().get( toFullPropertyName(queueName, qACL.getAclName())); if (acl == null) { return false; } // Check if user is part of the ACL return acl.isUserAllowed(ugi); }
Example 13
Source File: ApplicationACLsManager.java From big-c with Apache License 2.0 | 4 votes |
/** * If authorization is enabled, checks whether the user (in the callerUGI) is * authorized to perform the access specified by 'applicationAccessType' on * the application by checking if the user is applicationOwner or part of * application ACL for the specific access-type. * <ul> * <li>The owner of the application can have all access-types on the * application</li> * <li>For all other users/groups application-acls are checked</li> * </ul> * * @param callerUGI * @param applicationAccessType * @param applicationOwner * @param applicationId */ public boolean checkAccess(UserGroupInformation callerUGI, ApplicationAccessType applicationAccessType, String applicationOwner, ApplicationId applicationId) { if (LOG.isDebugEnabled()) { LOG.debug("Verifying access-type " + applicationAccessType + " for " + callerUGI + " on application " + applicationId + " owned by " + applicationOwner); } String user = callerUGI.getShortUserName(); if (!areACLsEnabled()) { return true; } AccessControlList applicationACL = DEFAULT_YARN_APP_ACL; Map<ApplicationAccessType, AccessControlList> acls = this.applicationACLS .get(applicationId); if (acls == null) { if (LOG.isDebugEnabled()) { LOG.debug("ACL not found for application " + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]"); } } else { AccessControlList applicationACLInMap = acls.get(applicationAccessType); if (applicationACLInMap != null) { applicationACL = applicationACLInMap; } else if (LOG.isDebugEnabled()) { LOG.debug("ACL not found for access-type " + applicationAccessType + " for application " + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]"); } } // Allow application-owner for any type of access on the application if (this.adminAclsManager.isAdmin(callerUGI) || user.equals(applicationOwner) || applicationACL.isUserAllowed(callerUGI)) { return true; } return false; }
Example 14
Source File: ApplicationACLsManager.java From hadoop with Apache License 2.0 | 4 votes |
/** * If authorization is enabled, checks whether the user (in the callerUGI) is * authorized to perform the access specified by 'applicationAccessType' on * the application by checking if the user is applicationOwner or part of * application ACL for the specific access-type. * <ul> * <li>The owner of the application can have all access-types on the * application</li> * <li>For all other users/groups application-acls are checked</li> * </ul> * * @param callerUGI * @param applicationAccessType * @param applicationOwner * @param applicationId */ public boolean checkAccess(UserGroupInformation callerUGI, ApplicationAccessType applicationAccessType, String applicationOwner, ApplicationId applicationId) { if (LOG.isDebugEnabled()) { LOG.debug("Verifying access-type " + applicationAccessType + " for " + callerUGI + " on application " + applicationId + " owned by " + applicationOwner); } String user = callerUGI.getShortUserName(); if (!areACLsEnabled()) { return true; } AccessControlList applicationACL = DEFAULT_YARN_APP_ACL; Map<ApplicationAccessType, AccessControlList> acls = this.applicationACLS .get(applicationId); if (acls == null) { if (LOG.isDebugEnabled()) { LOG.debug("ACL not found for application " + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]"); } } else { AccessControlList applicationACLInMap = acls.get(applicationAccessType); if (applicationACLInMap != null) { applicationACL = applicationACLInMap; } else if (LOG.isDebugEnabled()) { LOG.debug("ACL not found for access-type " + applicationAccessType + " for application " + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]"); } } // Allow application-owner for any type of access on the application if (this.adminAclsManager.isAdmin(callerUGI) || user.equals(applicationOwner) || applicationACL.isUserAllowed(callerUGI)) { return true; } return false; }
Example 15
Source File: HttpServer.java From hbase with Apache License 2.0 | 4 votes |
public static boolean userHasAdministratorAccess(AccessControlList acl, String remoteUser) { UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return acl != null && acl.isUserAllowed(remoteUserUGI); }
Example 16
Source File: HttpServer2.java From knox with Apache License 2.0 | 3 votes |
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
Example 17
Source File: HttpServer2.java From big-c with Apache License 2.0 | 3 votes |
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
Example 18
Source File: HttpServer2.java From knox with Apache License 2.0 | 3 votes |
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
Example 19
Source File: HttpServer2.java From lucene-solr with Apache License 2.0 | 3 votes |
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
Example 20
Source File: HttpServer.java From hadoop with Apache License 2.0 | 3 votes |
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }