Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getGroupNames()

The following examples show how `org.apache.hadoop.security.UserGroupInformation#getGroupNames()` is used in practice, mostly inside authorization checks. Note where the groups come from: for a UGI built with `createRemoteUser(name)` they are resolved by the group mapping service configured for the process (see the `HADOOP_SECURITY_GROUP_MAPPING` / `GroupMappingServiceProvider` setup in the TestRMAdminService examples), whereas `createUserForTesting(name, groups)` takes them explicitly. This is why the access-control code below treats the returned groups as trustworthy rather than as a caller-supplied claim. Each example names the project and source file it was taken from.
Example 1
Source File: TestUser.java (project: hbase, Apache License 2.0)
@Test
public void testCacheGetGroupsRoot() throws Exception {
  // "root" exists on essentially every *NIX system but not on Windows,
  // so there is nothing meaningful to check there.
  if (SystemUtils.IS_OS_WINDOWS) {
    return;
  }

  final Configuration conf = HBaseConfiguration.create();
  final UserProvider provider = UserProvider.instantiate(conf);
  final String rootUserName = "root";

  // Two distinct UGIs for the same user name; the provider's user cache
  // must hand back consistent results for both.
  final UserGroupInformation firstUgi = UserGroupInformation.createRemoteUser(rootUserName);
  final UserGroupInformation secondUgi = UserGroupInformation.createRemoteUser(rootUserName);

  final User firstUser = provider.create(firstUgi);
  final User secondUser = provider.create(secondUgi);

  // Group resolution must not be disturbed by the cache: both Users report
  // the same groups, and the UGI itself resolves at least one group for root.
  assertArrayEquals(firstUser.getGroupNames(), secondUser.getGroupNames());
  final String[] rootGroups = firstUgi.getGroupNames();
  assertTrue(rootGroups.length > 0);
}
 
Example 2
Source File: RangerSystemAccessControl.java (project: ranger, Apache License 2.0)
/** HELPER FUNCTIONS **/

  /**
   * Builds the Ranger access request for a Presto system-access check.
   *
   * The user name always comes from the Presto identity. Where the groups
   * come from depends on {@code useUgi}: when set, a remote-user UGI is
   * created for that name and its groups are taken from Hadoop's configured
   * group mapping (the identity's own group list is ignored); otherwise the
   * groups carried by the Presto identity are used as-is.
   *
   * @param resource   the Presto resource being accessed
   * @param context    security context holding the requesting identity
   * @param accessType the kind of access being requested
   * @return the populated access request; its group set is {@code null} when
   *         no groups could be determined in UGI mode
   */
  private RangerPrestoAccessRequest createAccessRequest(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) {
    final String user = context.getIdentity().getUser();
    Set<String> userGroups;

    if (!useUgi) {
      userGroups = context.getIdentity().getGroups();
    } else {
      userGroups = null;
      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
      if (ugi != null) {
        String[] resolvedGroups = ugi.getGroupNames();
        // Leave the set null (rather than empty) when nothing was resolved;
        // that is what the request object has always been handed.
        if (resolvedGroups != null && resolvedGroups.length > 0) {
          userGroups = new HashSet<>(Arrays.asList(resolvedGroups));
        }
      }
    }

    return new RangerPrestoAccessRequest(resource, user, userGroups, accessType);
  }
 
Example 3
Source File: LocationTestBase.java (project: twill, Apache License 2.0)
@Test
public void testOwnerGroup() throws Exception {
  final LocationFactory factory = locationFactoryCache.getUnchecked("ownergroup");
  final UserGroupInformation testUGI = createTestUGI();

  // Create the location while running as the test user so that it, rather
  // than the process user, becomes the owner.
  final Location location = testUGI.doAs(new PrivilegedExceptionAction<Location>() {
    @Override
    public Location run() throws Exception {
      return factory.create("ogtest");
    }
  });
  location.createNew();
  Assert.assertEquals(testUGI.getUserName(), location.getOwner());

  // Use the user's first resolved group (the test UGI is assumed to have at
  // least one) and verify that setting it round-trips.
  final String firstGroup = testUGI.getGroupNames()[0];
  location.setGroup(firstGroup);
  Assert.assertEquals(firstGroup, location.getGroup());
}
 
Example 4
Source File: MiscUtil.java (project: ranger, Apache License 2.0)
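/**
 * Resolves the groups of the user named in a request.
 *
 * The name is wrapped in a remote-user UGI and the groups are read from
 * {@link UserGroupInformation#getGroupNames()}, i.e. from the group mapping
 * configured for this process; nothing the requester claims is consulted.
 * Any failure during resolution is logged (interval-limited) and treated as
 * "no groups", so a lookup problem can only withhold group-based
 * privileges, never grant them.
 *
 * @param userName the user to look up; may be {@code null}
 * @return the resolved group names, or an empty set when the name is
 *         {@code null}, no groups were found, or the lookup failed
 */
static public Set<String> getGroupsForRequestUser(String userName) {
	if (userName == null) {
		return Collections.emptySet();
	}
	try {
		UserGroupInformation ugi = UserGroupInformation
				.createRemoteUser(userName);
		String[] groups = ugi.getGroupNames();
		if (groups != null && groups.length > 0) {
			Set<String> groupsSet = new java.util.HashSet<String>(groups.length);
			Collections.addAll(groupsSet, groups);
			return groupsSet;
		}
	} catch (Throwable e) {
		// Deliberately broad: a group-mapping failure must not take the
		// caller down. The interval-limited log keeps a flapping backend
		// from flooding the error log.
		logErrorMessageByInterval(logger,
				"Error getting groups for users. userName=" + userName, e);
	}
	return Collections.emptySet();
}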
 
Example 5
Source File: ImpersonationUtil.java (project: Bats, Apache License 2.0)
/**
 * Given admin user/group list, finds whether the given username has admin privileges.
 *
 * The process user is always an admin. Otherwise the user must be listed in
 * {@code adminUsers}, or one of the groups resolved for the user must be
 * listed in {@code adminGroups}. Groups are obtained from a proxy UGI for the
 * name, so membership is presumably resolved on this side rather than taken
 * from anything the caller supplied.
 *
 * @param userName User who is checked for administrative privileges.
 * @param adminUsers Comma separated list of admin usernames,
 * @param adminGroups Comma separated list of admin usergroups
 * @return True if the user has admin privileges. False otherwise.
 */
public static boolean hasAdminPrivileges(final String userName, final String adminUsers, final String adminGroups) {
  // Process user is by default an admin.
  if (getProcessUserName().equals(userName)) {
    return true;
  }

  final Set<String> adminUserNames = Sets.newHashSet(SPLITTER.split(adminUsers));
  if (adminUserNames.contains(userName)) {
    return true;
  }

  final String[] resolvedGroups = createProxyUgi(userName).getGroupNames();
  if (resolvedGroups == null || resolvedGroups.length == 0) {
    return false;
  }

  // Only parsed once we know there are groups to compare against.
  final Set<String> adminGroupNames = Sets.newHashSet(SPLITTER.split(adminGroups));
  for (final String group : resolvedGroups) {
    if (adminGroupNames.contains(group)) {
      return true;
    }
  }
  return false;
}
 
Example 6
Source File: TestQueueManager.java (project: hadoop-gpu, Apache License 2.0)
public void testGroupsEnabledACLForJobSubmission() 
                                  throws IOException, LoginException {
  // Log in as the current OS user and allow submission for one of that
  // user's real groups. The users half of the ACL holds only junk names, so
  // submission must succeed through the group entry alone.
  final UserGroupInformation self = UnixUserGroupInformation.login();
  final String[] ownGroups = self.getGroupNames();
  assertTrue(ownGroups.length > 0);
  final String allowedGroup = ownGroups[ownGroups.length - 1];

  // ACL value syntax: "<users> <groups>", each half comma-separated.
  final String acl = "3698-junk-user1,3698-junk-user2 " + allowedGroup + ",3698-junk-group";
  final JobConf conf = setupConf("mapred.queue.default.acl-submit-job", acl);
  verifyJobSubmission(conf, true);
}
 
Example 7
Source File: TestQueueManager.java (project: RDFS, Apache License 2.0)
public void testGroupsEnabledACLForJobSubmission() 
                                  throws IOException, LoginException {
  // Log in as the current OS user and allow submission for one of that
  // user's real groups. The users half of the ACL holds only junk names, so
  // submission must succeed through the group entry alone.
  final UserGroupInformation self = UnixUserGroupInformation.login();
  final String[] ownGroups = self.getGroupNames();
  assertTrue(ownGroups.length > 0);
  final String allowedGroup = ownGroups[ownGroups.length - 1];

  // ACL value syntax: "<users> <groups>", each half comma-separated.
  final String acl = "3698-junk-user1,3698-junk-user2 " + allowedGroup + ",3698-junk-group";
  final JobConf conf = setupConf("mapred.queue.default.acl-submit-job", acl);
  verifyJobSubmission(conf, true);
}
 
Example 8
Source File: GetGroupsTestBase.java (project: big-c, Apache License 2.0)
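/**
 * Builds the line the tool under test is expected to print for a user: the
 * user name, then {@code " :"}, then each resolved group preceded by a space,
 * terminated by the platform line separator.
 *
 * @param user the UGI whose name and groups are rendered
 * @return the expected output line, line separator included
 */
private static String getExpectedOutput(UserGroupInformation user) {
  // StringBuilder instead of repeated String concatenation inside the loop.
  // append(String) is used for the name so a null name still renders as
  // "null", exactly as concatenation would.
  final StringBuilder expected = new StringBuilder();
  expected.append(user.getUserName()).append(" :");
  for (String group : user.getGroupNames()) {
    expected.append(' ').append(group);
  }
  return expected.append(System.getProperty("line.separator")).toString();
}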
 
Example 9
Source File: AccessControlList.java (project: big-c, Apache License 2.0)
/**
 * Checks if a user represented by the provided {@link UserGroupInformation}
 * is a member of the Access Control List.
 *
 * Membership is granted when the list allows everyone, when the UGI's
 * short user name is listed, or when any of the UGI's resolved groups is
 * listed. Because the user is matched by short name, ACL entries must be
 * written as short names too.
 *
 * @param ugi UserGroupInformation to check if contained in the ACL
 * @return true if ugi is member of the list
 */
public final boolean isUserInList(UserGroupInformation ugi) {
  if (allAllowed) {
    return true;
  }
  if (users.contains(ugi.getShortUserName())) {
    return true;
  }
  // Fall back to group membership: a single listed group is enough.
  for (String group : ugi.getGroupNames()) {
    if (groups.contains(group)) {
      return true;
    }
  }
  return false;
}
 
Example 10
Source File: GetGroupsTestBase.java (project: hadoop, Apache License 2.0)
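/**
 * Builds the line the tool under test is expected to print for a user: the
 * user name, then {@code " :"}, then each resolved group preceded by a space,
 * terminated by the platform line separator.
 *
 * @param user the UGI whose name and groups are rendered
 * @return the expected output line, line separator included
 */
private static String getExpectedOutput(UserGroupInformation user) {
  // StringBuilder instead of repeated String concatenation inside the loop.
  // append(String) is used for the name so a null name still renders as
  // "null", exactly as concatenation would.
  final StringBuilder expected = new StringBuilder();
  expected.append(user.getUserName()).append(" :");
  for (String group : user.getGroupNames()) {
    expected.append(' ').append(group);
  }
  return expected.append(System.getProperty("line.separator")).toString();
}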
 
Example 11
Source File: AccessControlList.java (project: hadoop, Apache License 2.0)
/**
 * Checks if a user represented by the provided {@link UserGroupInformation}
 * is a member of the Access Control List.
 *
 * Membership is granted when the list allows everyone, when the UGI's
 * short user name is listed, or when any of the UGI's resolved groups is
 * listed. Because the user is matched by short name, ACL entries must be
 * written as short names too.
 *
 * @param ugi UserGroupInformation to check if contained in the ACL
 * @return true if ugi is member of the list
 */
public final boolean isUserInList(UserGroupInformation ugi) {
  if (allAllowed) {
    return true;
  }
  if (users.contains(ugi.getShortUserName())) {
    return true;
  }
  // Fall back to group membership: a single listed group is enough.
  for (String group : ugi.getGroupNames()) {
    if (groups.contains(group)) {
      return true;
    }
  }
  return false;
}
 
Example 12
Source File: OmOzoneAclMap.java (project: hadoop-ozone, Apache License 2.0)
/**
 * Helper function to check acl access for OzoneAclType.
 *
 * Picks the ACL entry that applies for the identity type — the user name
 * for USER, each of the UGI's resolved groups for GROUP, and the type name
 * itself for the remaining types (WORLD, ANONYMOUS) — and reports whether
 * the requested ACL bit is set on any matching entry.
 *
 * @param identityType which kind of ACL entry to consult
 * @param acl the permission bit being requested
 * @param ugi the requesting user; supplies the name and groups
 * @return true if a matching entry carries the requested bit
 */
private boolean checkAccessForOzoneAclType(OzoneAclType identityType,
    ACLType acl, UserGroupInformation ugi) {

  if (identityType == OzoneAclType.USER) {
    return OzoneAclUtil.checkIfAclBitIsSet(acl,
        getAcl(identityType, ugi.getUserName()));
  }

  if (identityType == OzoneAclType.GROUP) {
    // Any single group carrying the bit grants access.
    for (String group : ugi.getGroupNames()) {
      if (OzoneAclUtil.checkIfAclBitIsSet(acl, getAcl(identityType, group))) {
        return true;
      }
    }
    return false;
  }

  // For type WORLD and ANONYMOUS the entry is keyed by the type name.
  return OzoneAclUtil.checkIfAclBitIsSet(acl,
      getAcl(identityType, identityType.name()));
}
 
Example 13
Source File: RangerStormAuthorizer.java (project: ranger, Apache License 2.0)
/**
 * permit() method is invoked for each incoming Thrift request.
 *
 * Decision outline: operations listed in {@code noAuthzOperations} are
 * always allowed. Everything else is evaluated by the Ranger plugin using
 * the request principal's short user name, the groups resolved for that
 * name, the client address, the topology name and the operation. The
 * result defaults to deny: a missing plugin, a missing/null principal, a
 * null plugin result or any exception all leave {@code accessAllowed}
 * false (the "Skipping authorization" log wording notwithstanding).
 *
 * @param aRequestContext request context includes info about the caller
 *        (principal, remote address, request id)
 * @param aOperationName operation name
 * @param aTopologyConfigMap configuration of targeted topology
 * @return true if the request is authorized, false if reject
 */

@Override
public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) {
	
	// Fail-closed default: only an explicit allow below flips this.
	boolean accessAllowed = false;
	boolean isAuditEnabled = false;

	String topologyName = null;

	RangerPerfTracer perf = null;

	try {

		if(RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
			perf = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
		}

		topologyName = (aTopologyConfigMap == null ? "" : (String)aTopologyConfigMap.get(Config.TOPOLOGY_NAME));

		if (LOG.isDebugEnabled()) {
			LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
	                + " from: [" + aRequestContext.remoteAddress() + "]"
	                + " user: [" + aRequestContext.principal() + "],"
	                + " op:   [" + aOperationName + "],"
	                + "topology: [" + topologyName + "]");
			
			// NOTE(review): this dumps every topology config entry at DEBUG;
			// confirm topology configs carry no credentials before enabling
			// debug logging on a shared cluster.
			if (aTopologyConfigMap != null) {
				for(Object keyObj : aTopologyConfigMap.keySet()) {
					Object valObj = aTopologyConfigMap.get(keyObj);
					LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]");
				}
			}
			else {
				LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
			}
		}

		if(noAuthzOperations.contains(aOperationName)) {
			accessAllowed = true;
		} else if(plugin == null) {
			// accessAllowed is still false here, so the request is denied
			// rather than skipped, despite the message text.
			LOG.info("Ranger plugin not initialized yet! Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
		} else {
			String userName = null;
			String[] groups = null;

			Principal user = aRequestContext.principal();
		
			if (user != null) {
				userName = user.getName();
				if (userName != null) {
					// The principal name is normalised to Hadoop's short user
					// name and the groups are resolved for that name by the
					// configured group mapping; nothing group-related is taken
					// from the request itself.
					UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
					userName = ugi.getShortUserName();
					groups = ugi.getGroupNames();
					if (LOG.isDebugEnabled()) {
						LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
					}
				}
			}
			
			
			if (userName != null) {
				// Client IP is passed to the policy engine so IP-scoped
				// policies can apply; null when no remote address is known.
				String clientIp =  (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress() );
				RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName);
				RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
				// A null result is treated as deny / not audited.
				accessAllowed = result != null && result.getIsAllowed();
				isAuditEnabled = result != null && result.getIsAudited();
			
				if (LOG.isDebugEnabled()) {
					LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
				}
			}
			else {
				// No usable principal: denied (accessAllowed remains false).
				LOG.info("NULL User found from principal [" + user + "]: Skipping authorization;  allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
			}
		}
	}
	catch(Throwable t) {
		// Any failure in evaluation is logged and results in a deny, since
		// accessAllowed keeps whatever value it had (false unless the
		// operation was in noAuthzOperations).
		LOG.error("RangerStormAuthorizer found this exception", t);
	}
	finally {
		RangerPerfTracer.log(perf);
		if (LOG.isDebugEnabled()) {
			LOG.debug("[req "+ aRequestContext.requestID()+ "] Access "
	                + " from: [" + aRequestContext.remoteAddress() + "]"
	                + " user: [" + aRequestContext.principal() + "],"
	                + " op:   [" + aOperationName + "],"
	                + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled);
		}
	}
	
	return accessAllowed;
}
 
Example 14
Source File: TestRMAdminService.java (project: big-c, Apache License 2.0)
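@Test
public void
    testRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider()
        throws IOException, YarnException {
  configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
      "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");

  // A testing UGI carries its groups explicitly; they are not obtained
  // through the group mapping service and must not show up in the RM's
  // view of the user below.
  String[] defaultTestUserGroups = {"dummy_group1", "dummy_group2"};
  UserGroupInformation ugi = UserGroupInformation.createUserForTesting
      ("dummyUser", defaultTestUserGroups);

  String user = ugi.getUserName();
  // Resolve the array once instead of on every loop iteration.
  String[] initialGroups = ugi.getGroupNames();
  List<String> groupWithInit = new ArrayList<String>(initialGroups.length);
  for (String group : initialGroups) {
    groupWithInit.add(group);
  }

  // upload default configurations, then point the group mapping at the mock
  uploadDefaultConfiguration();
  Configuration conf = new Configuration();
  conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  uploadConfiguration(conf, "core-site.xml");

  try {
    rm = new MockRM(configuration);
    rm.init(configuration);
    rm.start();
  } catch (Exception ex) {
    // Keep the original exception as the cause so a startup failure stays
    // diagnosable instead of being reduced to a bare assertion message.
    throw new AssertionError("Should not get any exceptions", ex);
  }

  // Make sure RM will use the updated GroupMappingServiceProvider
  List<String> groupBefore =
      new ArrayList<String>(Groups.getUserToGroupsMappingService(
          configuration).getGroups(user));
  Assert.assertTrue(groupBefore.contains("test_group_A")
      && groupBefore.contains("test_group_B")
      && groupBefore.contains("test_group_C") && groupBefore.size() == 3);
  // The mapping-derived groups must differ from the UGI's built-in ones.
  Assert.assertTrue(groupWithInit.size() != groupBefore.size());
  Assert.assertFalse(groupWithInit.contains("test_group_A")
      || groupWithInit.contains("test_group_B")
      || groupWithInit.contains("test_group_C"));

  // update the groups
  MockUnixGroupsMapping.updateGroups();

  rm.adminService
      .refreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest
          .newInstance());
  List<String> groupAfter =
      Groups.getUserToGroupsMappingService(configuration).getGroups(user);

  // should get the updated groups
  Assert.assertTrue(groupAfter.contains("test_group_D")
      && groupAfter.contains("test_group_E")
      && groupAfter.contains("test_group_F") && groupAfter.size() == 3);

}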
 
Example 15
Source File: QueueManager.java (project: RDFS, Apache License 2.0)
/**
 * Return true if the given {@link QueueManager.QueueOperation} can be 
 * performed by the specified user on the specified job in the given queue.
 * 
 * When ACLs are disabled everything is allowed. Otherwise access is granted
 * if the operation permits job owners and the job's recorded user equals the
 * caller's user name; or if the queue's ACL for the operation allows all
 * users, lists the caller's user name, or lists any of the caller's groups.
 * A missing ACL entry for the operation denies access.
 * 
 * If the {@link QueueManager.QueueOperation} is not job specific then the 
 * job parameter is ignored.
 *
 * NOTE(review): the owner check compares against the user stored in the
 * job's JobConf; confirm that value is set from the authenticated submitter
 * rather than taken verbatim from client-supplied configuration.
 * 
 * @param queueName Queue on which the operation needs to be performed.
 * @param job The {@link JobInProgress} on which the operation is being
 *            performed. 
 * @param oper The operation to perform
 * @param ugi The user and groups who wish to perform the operation.
 * 
 * @return true if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(String queueName, JobInProgress job, 
                              QueueOperation oper, 
                              UserGroupInformation ugi) {
  if (!aclsEnabled) {
    return true;
  }

  final String aclProperty = toFullPropertyName(queueName, oper.getAclName());
  if (LOG.isDebugEnabled()) {
    LOG.debug("checking access for : " + aclProperty);      
  }

  // Owners may always perform owner-permitted operations on their own job.
  if (oper.isJobOwnerAllowed() && job != null
      && job.getJobConf().getUser().equals(ugi.getUserName())) {
    return true;
  }

  final AccessControlList acl = aclsMap.get(aclProperty);
  if (acl == null) {
    return false;
  }

  if (acl.allAllowed()) {
    return true;
  }
  if (acl.getUsers().contains(ugi.getUserName())) {
    return true;
  }
  // Finally, any one of the caller's groups listed in the ACL suffices.
  final Set<String> allowedGroups = acl.getGroups();
  for (String group : ugi.getGroupNames()) {
    if (allowedGroups.contains(group)) {
      return true;
    }
  }
  return false;
}
 
Example 16
Source File: TestRMAdminService.java (project: hadoop, Apache License 2.0)
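@Test
public void
    testRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider()
        throws IOException, YarnException {
  configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
      "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");

  // A testing UGI carries its groups explicitly; they are not obtained
  // through the group mapping service and must not show up in the RM's
  // view of the user below.
  String[] defaultTestUserGroups = {"dummy_group1", "dummy_group2"};
  UserGroupInformation ugi = UserGroupInformation.createUserForTesting
      ("dummyUser", defaultTestUserGroups);

  String user = ugi.getUserName();
  // Resolve the array once instead of on every loop iteration.
  String[] initialGroups = ugi.getGroupNames();
  List<String> groupWithInit = new ArrayList<String>(initialGroups.length);
  for (String group : initialGroups) {
    groupWithInit.add(group);
  }

  // upload default configurations, then point the group mapping at the mock
  uploadDefaultConfiguration();
  Configuration conf = new Configuration();
  conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  uploadConfiguration(conf, "core-site.xml");

  try {
    rm = new MockRM(configuration);
    rm.init(configuration);
    rm.start();
  } catch (Exception ex) {
    // Keep the original exception as the cause so a startup failure stays
    // diagnosable instead of being reduced to a bare assertion message.
    throw new AssertionError("Should not get any exceptions", ex);
  }

  // Make sure RM will use the updated GroupMappingServiceProvider
  List<String> groupBefore =
      new ArrayList<String>(Groups.getUserToGroupsMappingService(
          configuration).getGroups(user));
  Assert.assertTrue(groupBefore.contains("test_group_A")
      && groupBefore.contains("test_group_B")
      && groupBefore.contains("test_group_C") && groupBefore.size() == 3);
  // The mapping-derived groups must differ from the UGI's built-in ones.
  Assert.assertTrue(groupWithInit.size() != groupBefore.size());
  Assert.assertFalse(groupWithInit.contains("test_group_A")
      || groupWithInit.contains("test_group_B")
      || groupWithInit.contains("test_group_C"));

  // update the groups
  MockUnixGroupsMapping.updateGroups();

  rm.adminService
      .refreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest
          .newInstance());
  List<String> groupAfter =
      Groups.getUserToGroupsMappingService(configuration).getGroups(user);

  // should get the updated groups
  Assert.assertTrue(groupAfter.contains("test_group_D")
      && groupAfter.contains("test_group_E")
      && groupAfter.contains("test_group_F") && groupAfter.size() == 3);

}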
 
Example 17
Source File: QueueManager.java (project: hadoop-gpu, Apache License 2.0)
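/**
 * Return true if the given {@link QueueManager.QueueOperation} can be 
 * performed by the specified user on the specified job in the given queue.
 * 
 * When ACLs are disabled everything is allowed. Otherwise access is granted
 * if the operation permits job owners and the job's recorded user equals the
 * caller's user name; or if the queue's ACL for the operation allows all
 * users, lists the caller's user name, or lists any of the caller's groups.
 * A missing ACL entry for the operation denies access.
 * 
 * If the {@link QueueManager.QueueOperation} is not job specific then the 
 * job parameter is ignored. A {@code null} job is therefore tolerated: the
 * owner shortcut is skipped and the ACL decides (previously this threw a
 * NullPointerException for owner-permitted operations).
 *
 * NOTE(review): the owner check compares against the user stored in the
 * job's JobConf; confirm that value is set from the authenticated submitter
 * rather than taken verbatim from client-supplied configuration.
 * 
 * @param queueName Queue on which the operation needs to be performed.
 * @param job The {@link JobInProgress} on which the operation is being
 *            performed; may be {@code null} for non-job operations.
 * @param oper The operation to perform
 * @param ugi The user and groups who wish to perform the operation.
 * 
 * @return true if the operation is allowed, false otherwise.
 */
public synchronized boolean hasAccess(String queueName, JobInProgress job, 
                              QueueOperation oper, 
                              UserGroupInformation ugi) {
  if (!aclsEnabled) {
    return true;
  }

  final String aclProperty = toFullPropertyName(queueName, oper.getAclName());
  if (LOG.isDebugEnabled()) {
    LOG.debug("checking access for : " + aclProperty);      
  }

  // Owners may always perform owner-permitted operations on their own job.
  // Guard against a null job so non-job operations do not NPE here.
  if (oper.isJobOwnerAllowed() && job != null
      && job.getJobConf().getUser().equals(ugi.getUserName())) {
    return true;
  }

  final AccessControlList acl = aclsMap.get(aclProperty);
  if (acl == null) {
    return false;
  }

  if (acl.allAllowed()) {
    return true;
  }
  if (acl.getUsers().contains(ugi.getUserName())) {
    return true;
  }
  // Finally, any one of the caller's groups listed in the ACL suffices.
  final Set<String> allowedGroups = acl.getGroups();
  for (String group : ugi.getGroupNames()) {
    if (allowedGroups.contains(group)) {
      return true;
    }
  }
  return false;
}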
 
Example 18
Source File: RangerHiveAuthorizer.java (project: ranger, Apache License 2.0)
/**
 * Resolves the group names of a grantor principal.
 *
 * With no principal, or an empty principal name, the current user's UGI is
 * used; otherwise a remote-user UGI is created for the grantor's name and
 * its groups are resolved through Hadoop's configured group mapping.
 *
 * @param grantorPrincipal the grantor; may be {@code null}
 * @return the grantor's groups, or {@code null} when no UGI is available or
 *         it has no groups
 */
private Set<String> getGrantorGroupNames(HivePrincipal grantorPrincipal) {
	String grantorName = null;
	if (grantorPrincipal != null) {
		grantorName = grantorPrincipal.getName();
	}

	UserGroupInformation ugi;
	if (StringUtil.isEmpty(grantorName)) {
		ugi = this.getCurrentUserGroupInfo();
	} else {
		ugi = UserGroupInformation.createRemoteUser(grantorName);
	}
	if (ugi == null) {
		return null;
	}

	String[] groups = ugi.getGroupNames();
	if (groups == null || groups.length == 0) {
		return null;
	}
	return new HashSet<>(Arrays.asList(groups));
}