org.apache.hadoop.security.authorize.AccessControlList Java Examples
The following examples show how to use
org.apache.hadoop.security.authorize.AccessControlList.
Example #1
Source File: TestKMSACLs.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Verifies how {@code KMSACLs} resolves a configuration in which the same ACL
 * property is written more than once.
 *
 * <p>Every property below is set twice. The assertions expect the value written
 * last to be the one in effect, including the cases where the later value narrows
 * an ACL to the empty string or widens it to the {@code "*"} wildcard.
 */
@Test
public void testKeyAclDuplicateEntries() {
  final Configuration conf = new Configuration(false);

  // Per-key ACLs: the second write to each property replaces the first.
  conf.set(KEY_ACL + "test_key_1.DECRYPT_EEK", "decrypt1");
  conf.set(KEY_ACL + "test_key_1.DECRYPT_EEK", "decrypt2");
  conf.set(KEY_ACL + "test_key_2.ALL", "all2");
  conf.set(KEY_ACL + "test_key_2.ALL", "all1,all3");

  // Default key ACLs: both end up as the empty string.
  conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "default1");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");
  conf.set(DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK", "");

  // Whitelist ACL: ends up as the wildcard.
  conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "whitelist1");
  conf.set(WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK", "*");

  final KMSACLs acls = new KMSACLs(conf);

  final int keyAclCount = acls.keyAcls.size();
  Assert.assertTrue("expected key ACL size is 2 but got " + keyAclCount, keyAclCount == 2);
  assertKeyAcl("test_key_1", acls, KeyOpType.DECRYPT_EEK, "decrypt2");
  assertKeyAcl("test_key_2", acls, KeyOpType.ALL, "all1", "all3");

  // No expected names are passed for the default ACLs.
  assertDefaultKeyAcl(acls, KeyOpType.MANAGEMENT);
  assertDefaultKeyAcl(acls, KeyOpType.DECRYPT_EEK);

  AccessControlList whitelist = acls.whitelistKeyAcls.get(KeyOpType.DECRYPT_EEK);
  Assert.assertNotNull(whitelist);
  Assert.assertTrue(whitelist.isAllAllowed());
}
Example #2
Source File: DeprecatedQueueConfigurationParser.java From hadoop with Apache License 2.0 | 6 votes |
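/**
 * Builds one {@link Queue} for every queue name listed under
 * {@code MAPRED_QUEUE_NAMES_KEY} in the configuration.
 *
 * <p>A queue whose ACLs or state cannot be read is left out of the result instead of
 * failing the whole parse. The failure is logged together with its cause, so a queue
 * that silently disappeared (and with it the ACLs configured for it) can be traced
 * back to the configuration error that caused it.
 *
 * @param conf configuration holding the queue names and the per-queue properties
 * @return the queues that could be initialized, in configuration order
 */
private List<Queue> createQueues(Configuration conf) {
  // NOTE(review): getStrings returns null when the property is unset, which would make
  // the loop below throw; presumably the caller checks for the key first (confirm).
  String[] queueNameValues = conf.getStrings(MAPRED_QUEUE_NAMES_KEY);
  List<Queue> list = new ArrayList<Queue>();
  for (String name : queueNameValues) {
    try {
      Map<String, AccessControlList> acls = getQueueAcls(name, conf);
      QueueState state = getQueueState(name, conf);
      list.add(new Queue(name, acls, state));
    } catch (Throwable t) {
      // Best effort by design: keep going with the remaining queues, but keep the
      // cause in the log rather than dropping it.
      LOG.warn("Not able to initialize queue " + name, t);
    }
  }
  return list;
}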
Example #3
Source File: TestJobAclsManager.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Checks that, with job ACLs enabled, a caller who is neither the job owner nor
 * named in the VIEW_JOB ACL still passes the view check because one of the caller's
 * groups is listed in {@code MRConfig.MR_ADMINS}.
 */
@Test
public void testGroups() {
  final String jobOwner = "testuser";
  final String user = "testuser2";
  final String adminGroup = "adminGroup";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  // The leading space leaves the user part of the admin ACL empty and puts
  // adminGroup in the group part.
  conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);

  UserGroupInformation callerUGI =
      UserGroupInformation.createUserForTesting(user, new String[] {adminGroup});

  // ACLs are enabled here; access is expected only through the admin group.
  AccessControlList viewAcl = jobACLs.get(JobACL.VIEW_JOB);
  boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, viewAcl);
  assertTrue("user in admin group should have access", val);
}
Example #4
Source File: JobStatus.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Serializes this job status to {@code out}.
 *
 * <p>Fields are written in a fixed order with no field tags, so a reader has to
 * consume them in exactly this order. The job ACLs go last, as an entry count
 * followed by (ACL type, ACL) pairs.
 *
 * @param out the stream to write to
 * @throws IOException if writing to {@code out} fails
 */
public synchronized void write(DataOutput out) throws IOException {
  jobid.write(out);
  out.writeFloat(setupProgress);
  out.writeFloat(mapProgress);
  out.writeFloat(reduceProgress);
  out.writeFloat(cleanupProgress);
  WritableUtils.writeEnum(out, runState);
  out.writeLong(startTime);
  Text.writeString(out, user);
  WritableUtils.writeEnum(out, priority);
  Text.writeString(out, schedulingInfo);
  out.writeLong(finishTime);
  out.writeBoolean(isRetired);
  Text.writeString(out, historyFile);
  Text.writeString(out, jobName);
  Text.writeString(out, trackingUrl);
  Text.writeString(out, jobFile);
  out.writeBoolean(isUber);

  // Serialize the job's ACLs: count first, then one (type, ACL) pair per entry.
  out.writeInt(jobACLs.size());
  for (Entry<JobACL, AccessControlList> entry : jobACLs.entrySet()) {
    WritableUtils.writeEnum(out, entry.getKey());
    entry.getValue().write(out);
  }
}
Example #5
Source File: DeprecatedQueueConfigurationParser.java From big-c with Apache License 2.0 | 6 votes |
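/**
 * Creates a {@link Queue} for each name configured under
 * {@code MAPRED_QUEUE_NAMES_KEY}.
 *
 * <p>Initialization is best effort: a queue whose ACLs or state cannot be loaded is
 * skipped and the remaining queues are still returned. The skipped queue is logged
 * with the exception that caused it, because a queue missing from the result also
 * means its configured ACLs never took effect.
 *
 * @param conf configuration to read queue names, ACLs and states from
 * @return the successfully initialized queues
 */
private List<Queue> createQueues(Configuration conf) {
  // NOTE(review): a missing MAPRED_QUEUE_NAMES_KEY makes getStrings return null and
  // the loop throw; presumably callers only get here when the key is set (confirm).
  String[] queueNameValues = conf.getStrings(MAPRED_QUEUE_NAMES_KEY);
  List<Queue> list = new ArrayList<Queue>();
  for (String name : queueNameValues) {
    try {
      Map<String, AccessControlList> acls = getQueueAcls(name, conf);
      QueueState state = getQueueState(name, conf);
      list.add(new Queue(name, acls, state));
    } catch (Throwable t) {
      // Deliberately non-fatal; hand the throwable to the logger so the reason
      // for the skipped queue is not lost.
      LOG.warn("Not able to initialize queue " + name, t);
    }
  }
  return list;
}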
Example #6
Source File: AllocationConfiguration.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Creates an allocation configuration with no per-queue or per-user settings:
 * every map starts empty (including the queue ACL map), the app limits default to
 * {@code Integer.MAX_VALUE} and the AM share default is {@code 0.5f}.
 *
 * @param conf configuration used to build the queue placement policy
 */
public AllocationConfiguration(Configuration conf) {
  // Resource bounds and weights per queue.
  minQueueResources = new HashMap<>();
  maxQueueResources = new HashMap<>();
  queueWeights = new HashMap<>();

  // Application limits and their defaults.
  queueMaxApps = new HashMap<>();
  userMaxApps = new HashMap<>();
  queueMaxAMShares = new HashMap<>();
  userMaxAppsDefault = Integer.MAX_VALUE;
  queueMaxAppsDefault = Integer.MAX_VALUE;
  queueMaxAMShareDefault = 0.5f;

  // No queue has an ACL entry until one is added to this map.
  queueAcls = new HashMap<>();

  // Preemption settings.
  minSharePreemptionTimeouts = new HashMap<>();
  fairSharePreemptionTimeouts = new HashMap<>();
  fairSharePreemptionThresholds = new HashMap<>();

  // Scheduling policies.
  schedulingPolicies = new HashMap<>();
  defaultSchedulingPolicy = SchedulingPolicy.DEFAULT_POLICY;

  reservableQueues = new HashSet<>();

  // One empty name set per queue type; the placement policy is built from these.
  configuredQueues = new HashMap<>();
  for (FSQueueType type : FSQueueType.values()) {
    configuredQueues.put(type, new HashSet<String>());
  }
  placementPolicy = QueuePlacementPolicy.fromConfiguration(conf, configuredQueues);
}
Example #7
Source File: ConfiguredYarnAuthorizer.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Decides whether {@code user} holds {@code accessType} on {@code target}.
 *
 * <p>The ACL registered for the target itself is consulted first. For queues the
 * check then moves up the dotted queue name one segment at a time, so an ACL
 * that admits the user on any ancestor queue also grants access to the child.
 * A target with no ACL for the access type, and no admitting ancestor, is denied.
 *
 * @param accessType the kind of access being requested
 * @param target the entity the access is requested on
 * @param user the caller
 * @return {@code true} if an applicable ACL allows the user
 */
@Override
public boolean checkPermission(AccessType accessType, PrivilegedEntity target,
    UserGroupInformation user) {
  Map<AccessType, AccessControlList> targetAcls = allAcls.get(target);
  AccessControlList acl = (targetAcls == null) ? null : targetAcls.get(accessType);
  boolean allowed = (acl != null) && acl.isUserAllowed(user);

  // Only a denied queue gets a second chance through its parent.
  if (target.getType() != EntityType.QUEUE || allowed) {
    return allowed;
  }

  String queueName = target.getName();
  int lastDot = queueName.lastIndexOf(".");
  if (lastDot < 0) {
    // No parent segment left to consult.
    return allowed;
  }
  PrivilegedEntity parent =
      new PrivilegedEntity(target.getType(), queueName.substring(0, lastDot));
  return checkPermission(accessType, parent, user);
}
Example #8
Source File: TestJobAclsManager.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * With job ACLs switched on, a caller outside the VIEW_JOB ACL must still be let in
 * when one of its groups appears in {@code MRConfig.MR_ADMINS}.
 */
@Test
public void testGroups() {
  final String jobOwner = "testuser";
  final String user = "testuser2";
  final String adminGroup = "adminGroup";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  // Leading space: empty user part, adminGroup in the group part of the ACL.
  conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);

  String[] callerGroups = new String[] {adminGroup};
  UserGroupInformation callerUGI =
      UserGroupInformation.createUserForTesting(user, callerGroups);

  // ACLs are on in this test, so the grant has to come from admin-group membership.
  boolean val = aclsManager.checkAccess(
      callerUGI, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("user in admin group should have access", val);
}
Example #9
Source File: TestJobAclsManager.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * With {@code MRConfig.MR_ACLS_ENABLED} set to false, a caller who is neither the
 * job owner nor in any group must still pass the VIEW_JOB check.
 */
@Test
public void testAclsOff() {
  final String jobOwner = "testuser";
  final String noAdminUser = "testuser2";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, false);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);

  UserGroupInformation callerUGI =
      UserGroupInformation.createUserForTesting(noAdminUser, new String[] {});

  // ACL enforcement is disabled, so the check is expected to admit anyone.
  AccessControlList viewAcl = jobACLs.get(JobACL.VIEW_JOB);
  boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, viewAcl);
  assertTrue("acls off so anyone should have access", val);
}
Example #10
Source File: AdminACLsManager.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Builds the admin ACL manager from configuration.
 *
 * <p>The admin ACL is read from {@code YarnConfiguration.YARN_ADMIN_ACL}, and the
 * user the current process runs as is always added to it, whatever the configured
 * value says. Whether ACLs are enforced at all comes from
 * {@code YarnConfiguration.YARN_ACL_ENABLE}.
 *
 * @param conf configuration for this object to use
 * @throws YarnRuntimeException if the current user cannot be determined
 */
public AdminACLsManager(Configuration conf) {
  String configuredAdmins = conf.get(
      YarnConfiguration.YARN_ADMIN_ACL,
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL);
  this.adminAcl = new AccessControlList(configuredAdmins);

  try {
    owner = UserGroupInformation.getCurrentUser();
    // The daemon's own user is an administrator by construction.
    adminAcl.addUser(owner.getShortUserName());
  } catch (IOException e) {
    LOG.warn("Could not add current user to admin:" + e);
    throw new YarnRuntimeException(e);
  }

  aclsEnabled = conf.getBoolean(
      YarnConfiguration.YARN_ACL_ENABLE,
      YarnConfiguration.DEFAULT_YARN_ACL_ENABLE);
}
Example #11
Source File: WebAppProxy.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Initializes the proxy from configuration: the security mode, the proxy host, the
 * bind address and port, and the admin ACL.
 *
 * @param conf service configuration
 * @throws Exception if the proxy address is not set, the port is not a number, or
 *         the superclass initialization fails
 */
@Override
protected void serviceInit(Configuration conf) throws Exception {
  String auth = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION);
  if (auth == null || "simple".equals(auth)) {
    isSecurityEnabled = false;
  } else if ("kerberos".equals(auth)) {
    isSecurityEnabled = true;
  } else {
    // NOTE(review): isSecurityEnabled is not assigned on this path and keeps whatever
    // value it had before. If that value is false, a mistyped authentication setting
    // starts the proxy with security off and only a warning in the log; confirm
    // whether this should fail instead.
    LOG.warn("Unrecongized attribute value for " +
        CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION +
        " of " + auth);
  }

  // Only the host part of "host:port" is kept.
  String proxy = WebAppUtils.getProxyHostAndPort(conf);
  String[] proxyParts = proxy.split(":");
  proxyHost = proxyParts[0];

  fetcher = new AppReportFetcher(conf);

  // Refuse to start without an explicit bind address.
  bindAddress = conf.get(YarnConfiguration.PROXY_ADDRESS);
  if(bindAddress == null || bindAddress.isEmpty()) {
    throw new YarnRuntimeException(YarnConfiguration.PROXY_ADDRESS +
        " is not set so the proxy will not run.");
  }
  LOG.info("Instantiating Proxy at " + bindAddress);

  // "host:port" is split; any other shape leaves bindAddress as configured and
  // port at 0.
  String[] parts = StringUtils.split(bindAddress, ':');
  port = 0;
  if (parts.length == 2) {
    bindAddress = parts[0];
    port = Integer.parseInt(parts[1]);
  }

  // The proxy's ACL is built from the YARN admin ACL setting.
  acl = new AccessControlList(conf.get(YarnConfiguration.YARN_ADMIN_ACL,
      YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
  super.serviceInit(conf);
}
Example #12
Source File: InfoServer.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Creates a status server on the given port.
 * The jsp scripts are taken from src/hbase-webapps/<code>name</code>.
 *
 * <p>TLS key and trust stores are configured only when the HTTP config reports a
 * secure scheme. SPNEGO authentication and the admin ACL are configured only when
 * {@code HttpServer.HTTP_UI_AUTHENTICATION} is "kerberos" (case-insensitive); in any
 * other case this constructor sets no ACL on the builder.
 *
 * @param name The name of the server
 * @param bindAddress address to bind to
 * @param port The port to use on the server
 * @param findPort whether the server should start at the given port and increment by 1
 *        until it finds a free port.
 * @param c the {@link Configuration} to build the server
 * @throws IOException if getting one of the passwords fails or the server cannot be created
 */
public InfoServer(String name, String bindAddress, int port, boolean findPort,
    final Configuration c) throws IOException {
  HttpConfig httpConfig = new HttpConfig(c);
  HttpServer.Builder builder = new org.apache.hadoop.hbase.http.HttpServer.Builder();

  builder.setName(name)
      .addEndpoint(URI.create(httpConfig.getSchemePrefix() + bindAddress + ":" + port))
      .setAppDir(HBASE_APP_DIR)
      .setFindPort(findPort)
      .setConf(c);

  String logDir = System.getProperty("hbase.log.dir");
  if (logDir != null) {
    builder.setLogDir(logDir);
  }

  if (httpConfig.isSecure()) {
    // Store passwords are resolved through HBaseConfiguration.getPassword.
    builder
        .keyPassword(HBaseConfiguration.getPassword(c, "ssl.server.keystore.keypassword", null))
        .keyStore(
            c.get("ssl.server.keystore.location"),
            HBaseConfiguration.getPassword(c, "ssl.server.keystore.password", null),
            c.get("ssl.server.keystore.type", "jks"))
        .trustStore(
            c.get("ssl.server.truststore.location"),
            HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null),
            c.get("ssl.server.truststore.type", "jks"));
  }

  // Enable SPNEGO authentication
  boolean spnegoRequested =
      "kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null));
  if (spnegoRequested) {
    builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY)
        .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY)
        .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY)
        .setSignatureSecretFileKey(HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY)
        .setSecurityEnabled(true);

    // Set an admin ACL on sensitive webUI endpoints
    builder.setACL(buildAdminAcl(c));
  }

  this.httpServer = builder.build();
}
Example #13
Source File: ApplicationACLsManager.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Registers the ACLs of an application.
 *
 * <p>Each ACL string is parsed into an {@link AccessControlList} and the resulting
 * map is stored under the application id.
 *
 * @param appId the application the ACLs belong to
 * @param acls ACL string per access type
 */
public void addApplication(ApplicationId appId,
    Map<ApplicationAccessType, String> acls) {
  Map<ApplicationAccessType, AccessControlList> parsedAcls =
      new HashMap<ApplicationAccessType, AccessControlList>(acls.size());
  for (Entry<ApplicationAccessType, String> entry : acls.entrySet()) {
    ApplicationAccessType accessType = entry.getKey();
    AccessControlList parsed = new AccessControlList(entry.getValue());
    parsedAcls.put(accessType, parsed);
  }
  this.applicationACLS.put(appId, parsedAcls);
}
Example #14
Source File: RangerYarnAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Evaluates the YARN ACLs held in {@code yarnAcl} for the requested access.
 *
 * <p>Access is granted by the first entry whose ACL for {@code accessType} admits
 * the caller and whose entity is the requested entity or one it is a child of
 * (as decided by {@code isSelfOrChildOf}). The outcome is reported to the audit
 * handler when one is supplied.
 *
 * @param accessType the kind of access being requested
 * @param entity the entity the access is requested on
 * @param ugi the caller
 * @param auditHandler receives the decision; may be {@code null}
 * @return {@code true} if some ACL entry grants the access
 */
public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity,
    UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
  }

  boolean allowed = false;

  for (Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> aclEntry : yarnAcl.entrySet()) {
    Map<AccessType, AccessControlList> permissions = aclEntry.getValue();
    if (permissions == null) {
      continue;
    }
    AccessControlList acl = permissions.get(accessType);
    if (acl == null || !acl.isUserAllowed(ugi)) {
      continue;
    }
    // The ACL admits the caller; it only counts if it covers the requested entity.
    if (isSelfOrChildOf(entity, aclEntry.getKey())) {
      allowed = true;
      break;
    }
  }

  if (auditHandler != null) {
    auditHandler.logYarnAclEvent(allowed);
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + allowed);
  }

  return allowed;
}
Example #15
Source File: KMSACLs.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Checks one key operation against a key's ACL map.
 *
 * @param keyAcl ACL per operation type for the key
 * @param ugi the caller
 * @param opType the operation being attempted
 * @return {@code true} only if an ACL exists for the operation and admits the caller
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  AccessControlList opAcl = keyAcl.get(opType);
  // Default deny: an operation with no ACL configured is never allowed.
  return opAcl != null && opAcl.isUserAllowed(ugi);
}
Example #16
Source File: QueueACLsTestBase.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Starts a mock ResourceManager for the queue ACL tests.
 *
 * <p>The YARN admin ACL is set from an {@link AccessControlList} built from the empty
 * string, so the configuration itself names no administrators.
 *
 * @throws InterruptedException if the wait for the RM to start is interrupted
 * @throws IOException if the RM is not in the STARTED state once the wait ends
 */
@Before
public void setup() throws InterruptedException, IOException {
  conf = createConfiguration();
  rpc = YarnRPC.create(conf);
  rmAddress = conf.getSocketAddr(
    YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS,
    YarnConfiguration.DEFAULT_RM_PORT);

  // Empty admin ACL: no users or groups are listed as administrators.
  AccessControlList adminACL = new AccessControlList("");
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACL.getAclString());

  resourceManager = new MockRM(conf) {
    // Build the client service explicitly from this RM's managers.
    protected ClientRMService createClientRMService() {
      return new ClientRMService(getRMContext(), this.scheduler,
          this.rmAppManager, this.applicationACLsManager,
          this.queueACLsManager, getRMContext().getRMDelegationTokenSecretManager());
    };

    // Overridden with an empty body, so the mock performs no login step.
    @Override
    protected void doSecureLogin() throws IOException {
    }
  };

  // Start the RM on its own thread and poll its state from here.
  new Thread() {
    public void run() {
      resourceManager.start();
    };
  }.start();

  // Poll at most 60 times, 1.5 seconds apart, while the RM is still INITED.
  int waitCount = 0;
  while (resourceManager.getServiceState() == STATE.INITED
      && waitCount++ < 60) {
    LOG.info("Waiting for RM to start...");
    Thread.sleep(1500);
  }
  if (resourceManager.getServiceState() != STATE.STARTED) {
    // RM could have failed.
    throw new IOException(
        "ResourceManager failed to start. Final state is "
            + resourceManager.getServiceState());
  }
}
Example #17
Source File: TestApplicationACLs.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Submits an application whose view ACL holds only {@code FRIENDLY_GROUP} and whose
 * modify ACL holds only {@code FRIEND}, then checks that {@code SUPER_USER}, who is
 * added to neither ACL here, can still fetch its report, list applications and
 * kill it.
 */
private void verifySuperUserAccess() throws Exception {
  AccessControlList viewers = new AccessControlList("");
  viewers.addGroup(FRIENDLY_GROUP);
  AccessControlList modifiers = new AccessControlList("");
  modifiers.addUser(FRIEND);

  ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);

  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol superUserClient = getRMClientForUser(SUPER_USER);

  // View as the superUser
  superUserClient.getApplicationReport(reportRequest);

  // List apps as superUser
  int listedApps = superUserClient
      .getApplications(recordFactory.newRecordInstance(GetApplicationsRequest.class))
      .getApplicationList()
      .size();
  Assert.assertEquals("App view by super-user should list the apps!!", 2, listedApps);

  // Kill app as the superUser
  superUserClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
Example #18
Source File: TestApplicationACLs.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Submits an application whose view ACL holds {@code FRIENDLY_GROUP} and whose modify
 * ACL holds {@code FRIEND}, then checks that {@code FRIEND} can fetch its report,
 * list applications and kill it.
 */
private void verifyFriendAccess() throws Exception {
  AccessControlList viewers = new AccessControlList("");
  viewers.addGroup(FRIENDLY_GROUP);
  AccessControlList modifiers = new AccessControlList("");
  modifiers.addUser(FRIEND);

  ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);

  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);

  // View as the friend
  friendClient.getApplicationReport(reportRequest);

  // List apps as friend
  int listedApps = friendClient
      .getApplications(recordFactory.newRecordInstance(GetApplicationsRequest.class))
      .getApplicationList()
      .size();
  Assert.assertEquals("App view by a friend should list the apps!!", 3, listedApps);

  // Kill app as the friend
  friendClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
Example #19
Source File: RangerYarnAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Replaces the admin ACL held by this authorizer.
 *
 * <p>The supplied ACL is stored as is. {@code ugi} is used only in the debug log
 * lines; this method performs no check on who is making the change.
 *
 * @param acl the new admin ACL
 * @param ugi the caller, logged at debug level
 */
@Override
public void setAdmins(AccessControlList acl, UserGroupInformation ugi) {
  if (LOG.isDebugEnabled()) {
    String args = "(" + acl + ", " + ugi + ")";
    LOG.debug("==> RangerYarnAuthorizer.setAdmins" + args);
  }

  admins = acl;

  if (LOG.isDebugEnabled()) {
    String args = "(" + acl + ", " + ugi + ")";
    LOG.debug("<== RangerYarnAuthorizer.setAdmins" + args);
  }
}
Example #20
Source File: TimelineACLsManager.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Converts a timeline domain into its ACL form and caches it under the domain id.
 *
 * <p>The domain's readers become the VIEW_APP ACL and its writers the MODIFY_APP
 * ACL; the owner is carried alongside both in the returned object.
 *
 * @param domain the domain to cache
 * @return the ACL bundle that was stored in the cache
 */
private AccessControlListExt putDomainIntoCache(TimelineDomain domain) {
  AccessControlList readerAcl =
      new AccessControlList(StringHelper.cjoin(domain.getReaders()));
  AccessControlList writerAcl =
      new AccessControlList(StringHelper.cjoin(domain.getWriters()));

  Map<ApplicationAccessType, AccessControlList> aclsByType =
      new HashMap<ApplicationAccessType, AccessControlList>(2);
  aclsByType.put(ApplicationAccessType.VIEW_APP, readerAcl);
  aclsByType.put(ApplicationAccessType.MODIFY_APP, writerAcl);

  AccessControlListExt cached = new AccessControlListExt(domain.getOwner(), aclsByType);
  aclExts.put(domain.getId(), cached);
  return cached;
}
Example #21
Source File: JobStatus.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Restores this job status from {@code in}.
 *
 * <p>Fields are read in a fixed order with no field tags; the stream must have been
 * produced with the same field order. The job ACLs come last, as an entry count
 * followed by (ACL type, ACL) pairs.
 *
 * @param in the stream to read from
 * @throws IOException if reading from {@code in} fails
 */
public synchronized void readFields(DataInput in) throws IOException {
  this.jobid = new JobID();
  this.jobid.readFields(in);
  this.setupProgress = in.readFloat();
  this.mapProgress = in.readFloat();
  this.reduceProgress = in.readFloat();
  this.cleanupProgress = in.readFloat();
  this.runState = WritableUtils.readEnum(in, State.class);
  this.startTime = in.readLong();
  this.user = StringInterner.weakIntern(Text.readString(in));
  this.priority = WritableUtils.readEnum(in, JobPriority.class);
  this.schedulingInfo = StringInterner.weakIntern(Text.readString(in));
  this.finishTime = in.readLong();
  this.isRetired = in.readBoolean();
  this.historyFile = StringInterner.weakIntern(Text.readString(in));
  this.jobName = StringInterner.weakIntern(Text.readString(in));
  this.trackingUrl = StringInterner.weakIntern(Text.readString(in));
  this.jobFile = StringInterner.weakIntern(Text.readString(in));
  this.isUber = in.readBoolean();

  // De-serialize the job's ACLs
  // NOTE(review): the count is taken from the stream and used as the loop bound
  // without a range check; a negative value skips the loop. jobACLs is not cleared
  // here, so entries already in the map that the stream does not mention stay in
  // place; confirm that is intended when an instance is reused.
  int numACLs = in.readInt();
  for (int i = 0; i < numACLs; i++) {
    JobACL aclType = WritableUtils.readEnum(in, JobACL.class);
    // Placeholder ACL; its contents are then loaded from the stream.
    AccessControlList acl = new AccessControlList(" ");
    acl.readFields(in);
    this.jobACLs.put(aclType, acl);
  }
}
Example #22
Source File: TestHsWebServicesAcls.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Wraps a mock job with a fixed ACL set for the web-services ACL tests.
 *
 * <p>Only a VIEW_JOB ACL is registered, and it names {@code FRIENDLY_USER}.
 *
 * @param mockJob the job to delegate to
 * @param conf configuration used to build the {@link JobACLsManager}
 */
public MockJobForAcls(Job mockJob, Configuration conf) {
  this.mockJob = mockJob;
  this.conf = conf;

  Map<JobACL, AccessControlList> viewOnlyAcls = new HashMap<JobACL, AccessControlList>();
  viewOnlyAcls.put(JobACL.VIEW_JOB, new AccessControlList(FRIENDLY_USER));
  this.jobAcls = viewOnlyAcls;

  this.aclsMgr = new JobACLsManager(conf);
}
Example #23
Source File: DeprecatedQueueConfigurationParser.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Parses the ACLs of one queue from the configuration.
 *
 * <p>One ACL is built per {@link QueueACL} operation, keyed by the full property
 * name. An operation whose property is absent falls back to {@code "*"}, so a
 * queue with no ACL configured for an operation gets the wildcard ACL for it.
 *
 * @param name the queue name
 * @param conf configuration to read the ACL properties from
 * @return ACL per full property name
 */
private Map<String, AccessControlList> getQueueAcls(String name, Configuration conf) {
  HashMap<String, AccessControlList> aclsByProperty =
      new HashMap<String, AccessControlList>();
  for (QueueACL operation : QueueACL.values()) {
    String propertyName = toFullPropertyName(name, operation.getAclName());
    String aclSpec = conf.get(propertyName, "*");
    aclsByProperty.put(propertyName, new AccessControlList(aclSpec));
  }
  return aclsByProperty;
}
Example #24
Source File: TestApplicationACLs.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Submits an application whose view ACL holds {@code FRIENDLY_GROUP} and whose modify
 * ACL holds {@code FRIEND}, then checks that {@code QUEUE_ADMIN_USER}, who is added
 * to neither ACL here, can fetch its report, list applications and kill it.
 */
private void verifyAdministerQueueUserAccess() throws Exception {
  isQueueUser = true;

  AccessControlList viewers = new AccessControlList("");
  viewers.addGroup(FRIENDLY_GROUP);
  AccessControlList modifiers = new AccessControlList("");
  modifiers.addUser(FRIEND);

  ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);

  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol queueAdminClient = getRMClientForUser(QUEUE_ADMIN_USER);

  // View as the queue admin
  queueAdminClient.getApplicationReport(reportRequest);

  // List apps as the queue admin
  int listedApps = queueAdminClient
      .getApplications(recordFactory.newRecordInstance(GetApplicationsRequest.class))
      .getApplicationList()
      .size();
  Assert.assertEquals("App view by queue-admin-user should list the apps!!", 5, listedApps);

  // Kill app as the queue admin
  queueAdminClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
Example #25
Source File: KMSACLs.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Decides whether a user may perform a KMS operation.
 *
 * <p>The user must be admitted by the ACL for the operation and must not appear in
 * the blacklist configured for it. An operation with no blacklist is decided by
 * its ACL alone.
 *
 * @param type KMS Operation
 * @param ugi UserGroupInformation of user
 * @return true if the user has access
 */
public boolean hasAccess(Type type, UserGroupInformation ugi) {
  if (!acls.get(type).isUserAllowed(ugi)) {
    return false;
  }
  // Admitted by the ACL; the blacklist can still take the access away.
  AccessControlList blacklist = blacklistedAcls.get(type);
  return blacklist == null || !blacklist.isUserInList(ugi);
}
Example #26
Source File: QueueManager.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Return true if the given user is part of the ACL for the given
 * {@link QueueACL} name for the given queue.
 * <p>
 * Unknown queues and queues that have children are always refused. When ACLs are
 * disabled every remaining request is allowed. Otherwise the operation is allowed
 * only if an ACL exists for it on the queue and that ACL admits the user, either
 * directly or through one of the user's groups.
 *
 * @param queueName Queue on which the operation needs to be performed.
 * @param qACL The queue ACL name to be checked
 * @param ugi The user and groups who wish to perform the operation.
 * @return true if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(String queueName, QueueACL qACL,
    UserGroupInformation ugi) {
  Queue queue = leafQueues.get(queueName);
  if (queue == null) {
    LOG.info("Queue " + queueName + " is not present");
    return false;
  }

  boolean hasChildren = queue.getChildren() != null && !queue.getChildren().isEmpty();
  if (hasChildren) {
    LOG.info("Cannot submit job to parent queue " + queue.getName());
    return false;
  }

  if (!areAclsEnabled()) {
    return true;
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking access for the acl "
        + toFullPropertyName(queueName, qACL.getAclName())
        + " for user " + ugi.getShortUserName());
  }

  String aclProperty = toFullPropertyName(queueName, qACL.getAclName());
  AccessControlList acl = queue.getAcls().get(aclProperty);

  // A missing ACL denies; otherwise the ACL decides.
  return acl != null && acl.isUserAllowed(ugi);
}
Example #27
Source File: InfoServer.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Builds the ACL that restricts who may issue commands to the UI endpoints meant
 * only for administrators.
 *
 * <p>The ACL is built from the configured admin users and admin groups. When
 * neither property is set, the result is the {@code "*"} wildcard ACL, which admits
 * every user; the admin endpoints are restricted only once at least one of the two
 * properties is configured.
 *
 * @param conf configuration holding the admin users and groups properties
 * @return the admin ACL
 */
AccessControlList buildAdminAcl(Configuration conf) {
  final String adminUsers =
      conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
  final String adminGroups =
      conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null);

  final boolean nothingConfigured = adminUsers == null && adminGroups == null;
  // Backwards compatibility - if the user doesn't have anything set, allow all users in.
  return nothingConfigured
      ? new AccessControlList("*", null)
      : new AccessControlList(adminUsers, adminGroups);
}
Example #28
Source File: JobSubmittedEvent.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Create an event to record job submission.
 *
 * <p>The job ACLs are stored in the event as strings: ACL name mapped to the ACL
 * string of the corresponding {@link AccessControlList}. The queue name and the
 * workflow fields are copied only when they are non-null.
 *
 * @param id The job Id of the job
 * @param jobName Name of the job
 * @param userName Name of the user who submitted the job
 * @param submitTime Time of submission
 * @param jobConfPath Path of the Job Configuration file
 * @param jobACLs The configured acls for the job.
 * @param jobQueueName The job-queue to which this job was submitted to
 * @param workflowId The Id of the workflow
 * @param workflowName The name of the workflow
 * @param workflowNodeName The node name of the workflow
 * @param workflowAdjacencies The adjacencies of the workflow
 * @param workflowTags Comma-separated tags for the workflow
 */
public JobSubmittedEvent(JobID id, String jobName, String userName,
    long submitTime, String jobConfPath,
    Map<JobACL, AccessControlList> jobACLs, String jobQueueName,
    String workflowId, String workflowName, String workflowNodeName,
    String workflowAdjacencies, String workflowTags) {
  // Mandatory fields.
  datum.jobid = new Utf8(id.toString());
  datum.jobName = new Utf8(jobName);
  datum.userName = new Utf8(userName);
  datum.submitTime = submitTime;
  datum.jobConfPath = new Utf8(jobConfPath);

  // ACLs are recorded by name and ACL string.
  Map<CharSequence, CharSequence> aclStrings = new HashMap<CharSequence, CharSequence>();
  for (Entry<JobACL, AccessControlList> aclEntry : jobACLs.entrySet()) {
    Utf8 aclName = new Utf8(aclEntry.getKey().getAclName());
    Utf8 aclValue = new Utf8(aclEntry.getValue().getAclString());
    aclStrings.put(aclName, aclValue);
  }
  datum.acls = aclStrings;

  // Optional fields: left untouched when the argument is null.
  if (jobQueueName != null) {
    datum.jobQueueName = new Utf8(jobQueueName);
  }
  if (workflowId != null) {
    datum.workflowId = new Utf8(workflowId);
  }
  if (workflowName != null) {
    datum.workflowName = new Utf8(workflowName);
  }
  if (workflowNodeName != null) {
    datum.workflowNodeName = new Utf8(workflowNodeName);
  }
  if (workflowAdjacencies != null) {
    datum.workflowAdjacencies = new Utf8(workflowAdjacencies);
  }
  if (workflowTags != null) {
    datum.workflowTags = new Utf8(workflowTags);
  }
}
Example #29
Source File: TestApplicationACLs.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Submits an application carrying the given view and modify ACLs and waits until the
 * ResourceManager reports it as ACCEPTED.
 *
 * @param viewACL ACL sent as the application's VIEW_APP ACL
 * @param modifyACL ACL sent as the application's MODIFY_APP ACL
 * @return the id of the submitted application
 */
@SuppressWarnings("deprecation")
private ApplicationId submitAppAndGetAppId(AccessControlList viewACL,
    AccessControlList modifyACL) throws Exception {
  SubmitApplicationRequest submitRequest =
      recordFactory.newRecordInstance(SubmitApplicationRequest.class);
  ApplicationSubmissionContext context =
      recordFactory.newRecordInstance(ApplicationSubmissionContext.class);

  ApplicationId applicationId = rmClient
      .getNewApplication(recordFactory.newRecordInstance(GetNewApplicationRequest.class))
      .getApplicationId();
  context.setApplicationId(applicationId);

  // The ACLs travel as strings on the AM container launch context.
  Map<ApplicationAccessType, String> aclStrings =
      new HashMap<ApplicationAccessType, String>();
  aclStrings.put(ApplicationAccessType.VIEW_APP, viewACL.getAclString());
  aclStrings.put(ApplicationAccessType.MODIFY_APP, modifyACL.getAclString());

  ContainerLaunchContext amContainer =
      recordFactory.newRecordInstance(ContainerLaunchContext.class);
  context.setResource(BuilderUtils.newResource(1024, 1));
  amContainer.setApplicationACLs(aclStrings);
  context.setAMContainerSpec(amContainer);

  submitRequest.setApplicationSubmissionContext(context);
  rmClient.submitApplication(submitRequest);
  resourceManager.waitForState(applicationId, RMAppState.ACCEPTED);
  return applicationId;
}
Example #30
Source File: TestJobAclsManager.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * With ACLs enabled, an empty VIEW_JOB ACL and no cluster admins configured, an
 * unrelated user must be refused both view and modify access, while the job owner
 * must be granted both.
 */
@Test
public void testClusterNoAdmins() {
  final String jobOwner = "testuser";
  final String noAdminUser = "testuser2";

  Configuration conf = new Configuration();
  conf.set(JobACL.VIEW_JOB.getAclName(), "");
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);

  JobACLsManager aclsManager = new JobACLsManager(conf);
  final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);

  // random user should not have access
  UserGroupInformation stranger =
      UserGroupInformation.createUserForTesting(noAdminUser, new String[] {});
  boolean strangerCanView = aclsManager.checkAccess(
      stranger, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
  assertFalse("random user should not have view access", strangerCanView);
  boolean strangerCanModify = aclsManager.checkAccess(
      stranger, JobACL.MODIFY_JOB, jobOwner, jobACLs.get(JobACL.MODIFY_JOB));
  assertFalse("random user should not have modify access", strangerCanModify);

  // Owner should have access
  UserGroupInformation owner =
      UserGroupInformation.createUserForTesting(jobOwner, new String[] {});
  boolean ownerCanView = aclsManager.checkAccess(
      owner, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
  assertTrue("owner should have view access", ownerCanView);
  boolean ownerCanModify = aclsManager.checkAccess(
      owner, JobACL.MODIFY_JOB, jobOwner, jobACLs.get(JobACL.MODIFY_JOB));
  assertTrue("owner should have modify access", ownerCanModify);
}