List of usage examples for org.apache.hadoop.security UserGroupInformation getGroupNames
public String[] getGroupNames()
From source file:com.cloudera.impala.util.FsPermissionChecker.java
License:Apache License
/**
 * Snapshots the identity of the current Hadoop user: its short user name and its group names.
 *
 * <p>The values are read once here; nothing in this constructor refreshes them later, so
 * permission decisions built on {@code user_} and {@code groups_} reflect the identity at
 * construction time.
 *
 * @throws IOException propagated from the {@link UserGroupInformation} lookup
 */
private FsPermissionChecker() throws IOException {
  final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  // NOTE(review): an empty array here may mean the group lookup failed rather than that the
  // user has no groups -- confirm how the Hadoop version in use reports lookup failures,
  // because every later group-based check depends on this snapshot.
  final String[] groupNames = currentUser.getGroupNames();
  groups_.addAll(Arrays.asList(groupNames));
  user_ = currentUser.getShortUserName();
}
From source file:de.tiqsolutions.hdfs.HadoopFileSystem.java
License:Apache License
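/**
 * Checks the requested access modes against the permission bits of {@code path}.
 *
 * <p>The caller is classified once as owner, group member or "other", and only the bits of
 * that single class are consulted (an owner is never evaluated against group or other bits).
 * Only these three permission classes are examined here; extended ACL entries, if the file
 * system has any, are not considered by this method.
 *
 * @param path  path to check; must be a {@code HadoopFileSystemPath}
 * @param modes access modes to verify; {@code null} or empty only verifies that the file exists
 * @throws NoSuchFileException   if the file does not exist
 * @throws AccessDeniedException if a requested mode is not granted to the caller's class
 * @throws IOException           on any other I/O failure
 */
void checkAccess(Path path, AccessMode... modes) throws IOException {
    try {
        // Resolve the status first so that a missing file is reported even when no modes
        // were requested.
        FileStatus fileStatus = getFileContext().getFileStatus(((HadoopFileSystemPath) path).getPath());
        if (modes == null || modes.length == 0) {
            return;
        }

        UserGroupInformation ugi = getFileContext().getUgi();
        String owner = fileStatus.getOwner();
        String group = fileStatus.getGroup();

        // Compare against the short user name: HDFS reports file owners as short names, so a
        // full Kerberos principal (user@REALM) would never match and the owner would wrongly
        // be evaluated against the group/other bits.
        boolean isOwner = owner.equals(ugi.getShortUserName());
        boolean inGroup = false;
        if (!isOwner) {
            // Group membership only matters when the caller is not the owner.
            for (String candidate : ugi.getGroupNames()) {
                if (group.equals(candidate)) {
                    inGroup = true;
                    break;
                }
            }
        }

        PosixFileAttributeView view = provider().getFileAttributeView(path, PosixFileAttributeView.class);
        PosixFileAttributes attributes = view.readAttributes();
        Set<PosixFilePermission> permissions = attributes.permissions();

        for (AccessMode accessMode : modes) {
            PosixFilePermission required;
            switch (accessMode) {
            case READ:
                required = isOwner ? PosixFilePermission.OWNER_READ
                        : (inGroup ? PosixFilePermission.GROUP_READ : PosixFilePermission.OTHERS_READ);
                break;
            case WRITE:
                required = isOwner ? PosixFilePermission.OWNER_WRITE
                        : (inGroup ? PosixFilePermission.GROUP_WRITE : PosixFilePermission.OTHERS_WRITE);
                break;
            case EXECUTE:
                required = isOwner ? PosixFilePermission.OWNER_EXECUTE
                        : (inGroup ? PosixFilePermission.GROUP_EXECUTE : PosixFilePermission.OTHERS_EXECUTE);
                break;
            default:
                // No other AccessMode is checked, matching the original switch.
                continue;
            }
            if (!permissions.contains(required)) {
                throw new AccessDeniedException(path.toString());
            }
        }
    } catch (FileNotFoundException e) {
        // NoSuchFileException has no cause-taking constructor; attach the cause explicitly.
        NoSuchFileException missing = new NoSuchFileException(path.toString());
        missing.initCause(e);
        throw missing;
    }
}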
From source file:org.apache.accumulo.server.util.ChangeSecret.java
License:Apache License
/**
 * Verifies that the current Hadoop user may perform {@code mode} on the file described by
 * {@code stat}, using only the owner/group/other permission bits.
 *
 * <p>Exactly one permission class applies: owner if the short user name equals the file owner,
 * otherwise group if the user's groups contain the file group, otherwise other. A denial in the
 * applicable class is final; the remaining classes are not consulted.
 *
 * @param stat status of the file to check
 * @param mode action the caller wants to perform
 * @throws Exception with a "Permission denied" message when the applicable class does not
 *                   imply {@code mode}, or when the current user cannot be resolved
 */
private static void checkHdfsAccessPermissions(FileStatus stat, FsAction mode) throws Exception {
    final FsPermission perm = stat.getPermission();
    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    final String user = ugi.getShortUserName();
    // NOTE(review): an empty group list may indicate a failed group lookup rather than a user
    // without groups -- confirm for the Hadoop version in use; the check then falls through
    // to the "other" bits.
    final List<String> groups = Arrays.asList(ugi.getGroupNames());

    // Select the single permission class that applies to this user.
    final FsAction granted;
    if (user.equals(stat.getOwner())) {
        granted = perm.getUserAction();
    } else if (groups.contains(stat.getGroup())) {
        granted = perm.getGroupAction();
    } else {
        granted = perm.getOtherAction();
    }

    if (granted.implies(mode)) {
        return;
    }
    throw new Exception(String.format("Permission denied: user=%s, path=\"%s\":%s:%s:%s%s", user,
            stat.getPath(), stat.getOwner(), stat.getGroup(), stat.isDirectory() ? "d" : "-", perm));
}
From source file:org.apache.ambari.view.filebrowser.HdfsApi.java
License:Apache License
/**
 * Reports whether {@code ugi} may perform {@code mode} on the file described by {@code stat},
 * based solely on the owner/group/other permission bits.
 *
 * <p>The user is placed in exactly one class (owner, then group, then other) and only that
 * class's action is tested; a denial there is not rescued by a more permissive class.
 *
 * @param stat status of the file to check
 * @param mode action to test
 * @param ugi  identity whose short user name and group names are compared with the file's
 *             owner and group
 * @return {@code true} if the applicable permission class implies {@code mode}
 */
public static boolean checkAccessPermissions(FileStatus stat, FsAction mode, UserGroupInformation ugi) {
    final FsPermission perm = stat.getPermission();
    final String user = ugi.getShortUserName();
    // NOTE(review): if the group lookup fails and yields an empty array (confirm for the Hadoop
    // version in use), a non-owner is evaluated against the "other" bits.
    final List<String> groups = Arrays.asList(ugi.getGroupNames());

    final FsAction granted;
    if (user.equals(stat.getOwner())) {
        granted = perm.getUserAction();
    } else if (groups.contains(stat.getGroup())) {
        granted = perm.getGroupAction();
    } else {
        granted = perm.getOtherAction();
    }
    return granted.implies(mode);
}
From source file:org.apache.atlas.web.security.AtlasAbstractAuthenticationProvider.java
License:Apache License
/**
 * Builds the granted authorities for {@code userName} from that user's Hadoop group names.
 *
 * <p>Each group name becomes one {@code SimpleGrantedAuthority}. Groups are first taken from a
 * remote-user {@link UserGroupInformation}; if that yields none, the {@code Groups} mapping
 * built from a default {@code Configuration} is queried instead.
 *
 * <p>This method performs no authentication of {@code userName}; it only resolves groups for
 * the name it is given. If the fallback lookup fails, the error is logged and the (empty) list
 * is returned, so the caller sees a user without authorities.
 *
 * @param userName name of the user whose groups are resolved
 * @return mutable list of authorities, possibly empty, never {@code null}
 */
public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

    UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(userName);
    if (remoteUser != null) {
        String[] ugiGroups = remoteUser.getGroupNames();
        if (ugiGroups != null) {
            for (int i = 0; i < ugiGroups.length; i++) {
                authorities.add(new SimpleGrantedAuthority(ugiGroups[i]));
            }
        }
    }

    if (!authorities.isEmpty()) {
        return authorities;
    }

    // No groups from the UGI: fall back to the configured (e.g. LDAP-based) group mapping.
    try {
        Groups groupMapping = new Groups(new Configuration());
        List<String> mappedGroups = groupMapping.getGroups(userName);
        if (mappedGroups != null) {
            for (String mappedGroup : mappedGroups) {
                authorities.add(new SimpleGrantedAuthority(mappedGroup));
            }
        }
    } catch (java.io.IOException e) {
        // Deliberate best effort: a failed lookup leaves the user with no authorities.
        LOG.error("Exception while fetching groups ", e);
    }
    return authorities;
}
From source file:org.apache.drill.exec.resourcemgr.config.selectors.AclSelector.java
License:Apache License
/**
 * Decides whether a query is selected by this ACL selector of a resource pool.
 *
 * <p>The query user's groups are resolved through a proxy UGI and the decision is delegated to
 * {@code checkQueryUserGroups}. As documented for this selector, the rules are evaluated in
 * order, and a user or group configured in both the allowed (+ve) and the disallowed (-ve)
 * list is treated as disallowed:
 * <ol>
 *   <li>query user is in the -ve users list: not selected</li>
 *   <li>query user is in the +ve users list: selected</li>
 *   <li>{@code *} is in the -ve users list: not selected</li>
 *   <li>{@code *} is in the +ve users list: selected</li>
 *   <li>neither the user nor {@code *} is in any users list: continue with the user's groups</li>
 *   <li>any group of the query user is in the -ve groups list: not selected</li>
 *   <li>any group of the query user is in the +ve groups list: selected</li>
 *   <li>{@code *} is in the -ve groups list: not selected</li>
 *   <li>{@code *} is in the +ve groups list: selected</li>
 *   <li>otherwise the user and its groups appear in no list: not selected</li>
 * </ol>
 *
 * @param queryContext QueryContext supplying the query user name
 * @return true if the query is selected by this selector, false otherwise
 */
@Override
public boolean isQuerySelected(QueryContext queryContext) {
  final String userName = queryContext.getQueryUserName();
  final UserGroupInformation userUgi = ImpersonationUtil.createProxyUgi(userName);
  // NOTE(review): if group resolution fails and yields no groups (confirm for the Hadoop
  // version in use), only the user rules and the "*" group rules can match.
  final String[] groupNames = userUgi.getGroupNames();
  final Set<String> userGroups = Sets.newHashSet(groupNames);
  return checkQueryUserGroups(userName, userGroups);
}
From source file:org.apache.drill.exec.rpc.user.InboundImpersonationManager.java
License:Apache License
/**
 * Checks whether the proxy user is authorized by any policy to impersonate the target user.
 *
 * <p>A policy authorizes the impersonation when the proxy side matches (proxy user listed, or
 * one of the proxy user's groups listed) and the target side matches (target user listed,
 * one of the target user's groups listed, or the wildcard {@code STAR} present in the target
 * users or target groups). The wildcard is honoured on the target side only; the proxy side
 * needs an explicit user or group match.
 *
 * @param proxyName  proxy user name
 * @param targetName target user name
 * @param policies   impersonation policies
 * @return true iff at least one policy authorizes the proxy user to impersonate the target user
 */
private static boolean hasImpersonationPrivileges(final String proxyName, final String targetName,
    final List<ImpersonationPolicy> policies) {
  final UserGroupInformation proxyUgi = ImpersonationUtil.createProxyUgi(proxyName);
  final Set<String> groupsOfProxy = Sets.newHashSet(proxyUgi.getGroupNames());
  final UserGroupInformation targetUgi = ImpersonationUtil.createProxyUgi(targetName);
  final Set<String> groupsOfTarget = Sets.newHashSet(targetUgi.getGroupNames());

  for (final ImpersonationPolicy policy : policies) {
    // Proxy side: explicit user entry or a shared group.
    final boolean proxyQualifies = policy.proxy_principals.users.contains(proxyName)
        || !Sets.intersection(policy.proxy_principals.groups, groupsOfProxy).isEmpty();
    if (!proxyQualifies) {
      continue;
    }

    // Target side: explicit user, wildcard user, shared group, or wildcard group.
    final boolean targetQualifies = policy.target_principals.users.contains(targetName)
        || policy.target_principals.users.contains(STAR)
        || !Sets.intersection(policy.target_principals.groups, groupsOfTarget).isEmpty()
        || policy.target_principals.groups.contains(STAR);
    if (targetQualifies) {
      return true;
    }
  }

  // No policy matched: deny by default.
  return false;
}
From source file:org.apache.drill.exec.util.ImpersonationUtil.java
License:Apache License
/**
 * Determines whether a user has administrative privileges, given the configured admin users
 * and admin groups.
 *
 * <p>The process user is always treated as an admin, independent of the two lists. Otherwise
 * the user must be named in {@code adminUsers} or belong to a group named in
 * {@code adminGroups}. Names are compared by exact string equality.
 *
 * @param userName    user who is checked for administrative privileges
 * @param adminUsers  comma separated list of admin user names
 * @param adminGroups comma separated list of admin user groups
 * @return true if {@code userName} is the process user, is listed in {@code adminUsers}, or
 *         belongs to a group listed in {@code adminGroups}; false otherwise
 */
public static boolean hasAdminPrivileges(final String userName, final String adminUsers,
    final String adminGroups) {
  // The process user is an admin by default.
  final boolean isProcessUser = getProcessUserName().equals(userName);
  if (isProcessUser) {
    return true;
  }

  final Set<String> configuredAdmins = Sets.newHashSet(SPLITTER.split(adminUsers));
  if (configuredAdmins.contains(userName)) {
    return true;
  }

  final UserGroupInformation userUgi = createProxyUgi(userName);
  final String[] groupsOfUser = userUgi.getGroupNames();
  // No resolvable groups means no group-based admin grant (denied).
  if (groupsOfUser == null || groupsOfUser.length == 0) {
    return false;
  }

  final Set<String> configuredAdminGroups = Sets.newHashSet(SPLITTER.split(adminGroups));
  boolean inAdminGroup = false;
  for (int i = 0; i < groupsOfUser.length && !inAdminGroup; i++) {
    inAdminGroup = configuredAdminGroups.contains(groupsOfUser[i]);
  }
  return inAdminGroup;
}
From source file:org.apache.falcon.entity.parser.EntityParser.java
License:Apache License
/**
 * Validates the owner and group of an entity ACL.
 *
 * <p>The owner's groups are fetched through a proxy user created on top of the login user,
 * and the ACL group must be one of them. As a consequence, an ACL cannot name a group that
 * its owner does not belong to.
 *
 * @param acl entity ACL
 * @throws ValidationException if resolving the owner fails with an {@link IOException}; the
 *                             message names the owner and the group, the original exception is
 *                             not attached as the cause
 */
protected void validateACLOwnerAndGroup(AccessControlList acl) throws ValidationException {
    final String owner = acl.getOwner();
    final String group = acl.getGroup();

    try {
        final UserGroupInformation ownerUgi = UserGroupInformation.createProxyUser(owner,
                UserGroupInformation.getLoginUser());
        final String[] ownerGroupNames = ownerUgi.getGroupNames();
        final Set<String> ownerGroups = new HashSet<String>(Arrays.asList(ownerGroupNames));

        final boolean ownerIsMember = ownerGroups.contains(group);
        if (!ownerIsMember) {
            // NOTE(review): if AuthorizationException is an IOException subtype (as Hadoop's
            // is), it is caught by the handler below and reported as a ValidationException --
            // confirm against the import in the enclosing file.
            throw new AuthorizationException("Invalid group: " + group + " for user: " + owner);
        }
    } catch (IOException e) {
        throw new ValidationException(
                "Invalid acl owner " + owner + ", does not exist or does not belong to group: " + group);
    }
}
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/**
 * Returns the group names of the given UGI as a new, mutable set.
 *
 * @param proxyUgi identity whose group names are read
 * @return a fresh {@link HashSet} holding the names returned by
 *         {@code proxyUgi.getGroupNames()}; duplicates collapse
 */
protected Set<String> getGroupNames(UserGroupInformation proxyUgi) {
    final String[] names = proxyUgi.getGroupNames();
    // NOTE(review): an empty result may mean the group lookup failed rather than that the
    // user has no groups -- confirm for the Hadoop version in use before treating it as
    // "no memberships" in an authorization decision.
    final Set<String> groupSet = new HashSet<String>(Arrays.asList(names));
    return groupSet;
}