List of usage examples for org.apache.hadoop.security UserGroupInformation getShortUserName
public String getShortUserName()
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/**
 * Checks if the authenticated user should proxy the entity ACL owner.
 *
 * <p>A super user always proxies. Any other caller proxies only when it is
 * <em>not</em> already the ACL owner but is a member of the entity's ACL group;
 * the owner itself never needs to be proxied.
 *
 * @param authenticatedUGI proxy ugi for the authenticated user.
 * @param aclOwner entity ACL Owner.
 * @param aclGroup entity ACL group.
 * @return {@code true} if the caller should act on behalf of the ACL owner.
 * @throws IOException propagated from the super-user / group membership checks.
 * @throws IllegalArgumentException if any argument is null or empty.
 */
@Override
public boolean shouldProxy(UserGroupInformation authenticatedUGI, final String aclOwner,
                           final String aclGroup) throws IOException {
    Validate.notNull(authenticatedUGI, "User cannot be empty or null");
    Validate.notEmpty(aclOwner, "User cannot be empty or null");
    Validate.notEmpty(aclGroup, "Group cannot be empty or null");

    // Super users bypass the ownership check entirely.
    if (isSuperUser(authenticatedUGI)) {
        return true;
    }

    // The owner acts as itself; only a non-owner group member is proxied.
    final String callerName = authenticatedUGI.getShortUserName();
    if (isUserACLOwner(callerName, aclOwner)) {
        return false;
    }
    return isUserInGroup(aclGroup, authenticatedUGI);
}
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
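/**
 * Determines if the authenticated user is authorized to execute the action on the entity.
 * Throws an exception if not authorized.
 *
 * <p>Super users are allowed unconditionally. Every other caller is checked against the
 * entity's ACL owner and group through {@link #checkUser}. An entity that carries no ACL
 * is denied for non-super users (fail closed) instead of failing with a
 * {@link NullPointerException} on {@code acl.getOwner()}.
 *
 * <p>Note: Hadoop's {@code AuthorizationException} is an {@link IOException} subtype, so a
 * denial raised inside the {@code try} is re-wrapped by the {@code catch} below; the
 * original message survives as the cause. Left as-is to keep client-visible messages stable.
 *
 * @param entityName entity in question, applicable for entities and instance resource
 * @param entityType entity in question, applicable for entities and instance resource
 * @param acl entity ACL; may be null, in which case non-super users are denied
 * @param action action being authorized on resource and entity if applicable
 * @param authenticatedUGI proxy ugi for the authenticated user
 * @throws org.apache.hadoop.security.authorize.AuthorizationException if the user is not
 *         the owner or a group member, the entity has no ACL, or the checks fail with an
 *         {@link IOException}
 */
@Override
public void authorizeEntity(String entityName, String entityType, AccessControlList acl,
                            String action, UserGroupInformation authenticatedUGI)
    throws AuthorizationException {
    try {
        final String authenticatedUser = authenticatedUGI.getShortUserName();
        // Fixed label: "type{}" -> "type={}" so the log line is parseable like its siblings.
        LOG.info("Authorizing authenticatedUser={}, action={}, entity={}, type={}",
                authenticatedUser, action, entityName, entityType);

        if (isSuperUser(authenticatedUGI)) {
            return;
        }

        // Fail closed: without an ACL there is no owner or group to match against.
        if (acl == null) {
            final String message = "Permission denied: authenticatedUser=" + authenticatedUser
                    + ", entity=" + entityName + " has no ACL, action=" + action;
            LOG.error(message);
            throw new AuthorizationException(message);
        }

        checkUser(entityName, acl.getOwner(), acl.getGroup(), action, authenticatedUGI);
    } catch (IOException e) {
        throw new AuthorizationException(e);
    }
}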
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/**
 * Validate if the entity owner is the logged-in authenticated user.
 *
 * <p>Access is granted when the authenticated user is the ACL owner or belongs to the
 * ACL group. Otherwise the denial is logged and raised; the message names whichever
 * check failed (owner mismatch first, group membership if the user is the owner).
 *
 * @param entityName entity name.
 * @param aclOwner entity ACL Owner.
 * @param aclGroup entity ACL group.
 * @param action action being authorized on resource and entity if applicable.
 * @param authenticatedUGI proxy ugi for the authenticated user.
 * @throws AuthorizationException if the user is neither the ACL owner nor in the ACL group.
 */
protected void checkUser(String entityName, String aclOwner, String aclGroup, String action,
                         UserGroupInformation authenticatedUGI) throws AuthorizationException {
    final String authenticatedUser = authenticatedUGI.getShortUserName();

    final boolean allowed = isUserACLOwner(authenticatedUser, aclOwner)
            || isUserInGroup(aclGroup, authenticatedUGI);
    if (allowed) {
        return;
    }

    // Explain which condition failed: a non-owner is reported against the owner,
    // the owner (who still got here) is reported against the group.
    final String reason = authenticatedUser.equals(aclOwner)
            ? " not in group=" + aclGroup
            : " not entity owner=" + aclOwner;
    final String message = "Permission denied: authenticatedUser=" + authenticatedUser + reason
            + ", entity=" + entityName + ", action=" + action;

    LOG.error(message);
    throw new AuthorizationException(message);
}
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/**
 * Check if the user has admin privileges.
 *
 * <p>Admin access is granted when the short user name is listed in {@code adminUsers}
 * or the user belongs to one of the admin groups (see {@link #isUserInAdminGroups}).
 *
 * @param authenticatedUGI proxy ugi for the authenticated user.
 * @param action admin action on the resource.
 * @throws AuthorizationException if the user does not have admin privileges.
 */
protected void authorizeAdminResource(UserGroupInformation authenticatedUGI, String action)
    throws AuthorizationException {
    final String user = authenticatedUGI.getShortUserName();
    LOG.debug("Authorizing user={} for admin, action={}", user, action);

    final boolean isAdmin = adminUsers.contains(user) || isUserInAdminGroups(authenticatedUGI);
    if (!isAdmin) {
        LOG.error("Permission denied: user {} does not have admin privilege for action={}",
                user, action);
        throw new AuthorizationException("Permission denied: user=" + user
                + " does not have admin privilege for action=" + action);
    }
}
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/**
 * Authorizes an entity or instance resource action.
 *
 * <p>When an entity name is supplied the entity is resolved and its own ACL is checked
 * through {@link #authorizeEntity}. When it is absent the decision is deferred to the
 * API layer and only logged here.
 *
 * @param authenticatedUGI proxy ugi for the authenticated user.
 * @param entityName entity name; null for non-lifecycle actions.
 * @param entityType entity type; must not be empty.
 * @param action action being authorized on the resource.
 * @throws AuthorizationException if the user may not perform the action on the entity.
 * @throws EntityNotRegisteredException presumably raised by {@code getEntity} when the
 *         named entity is unknown — confirm against that helper.
 * @throws IllegalArgumentException if {@code entityType} is null or empty.
 */
protected void authorizeEntityResource(UserGroupInformation authenticatedUGI, String entityName,
                                       String entityType, String action)
    throws AuthorizationException, EntityNotRegisteredException {
    Validate.notEmpty(entityType, "Entity type cannot be empty or null");
    LOG.debug("Authorizing authenticatedUser={} against entity/instance action={}, "
            + "entity name={}, entity type={}",
            authenticatedUGI.getShortUserName(), action, entityName, entityType);

    if (entityName == null) {
        // non lifecycle actions, lifecycle actions with null entity will validate later
        LOG.info("Authorization for action={} will be done in the API", action);
        return;
    }

    // lifecycle actions: check the caller against the registered entity's ACL
    final Entity entity = getEntity(entityName, entityType);
    authorizeEntity(entity.getName(), entity.getEntityType().name(), entity.getACL(), action,
            authenticatedUGI);
}
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/**
 * Authorizes a metadata resource action.
 *
 * <p>Currently permits every caller: the method only logs and never throws, so any
 * authenticated user may perform any metadata action until the read-only check is added.
 *
 * @param authenticatedUGI proxy ugi for the authenticated user.
 * @param action metadata action being requested.
 * @throws AuthorizationException never at present; declared for the pending implementation.
 */
protected void authorizeMetadataResource(UserGroupInformation authenticatedUGI, String action)
    throws AuthorizationException {
    final String user = authenticatedUGI.getShortUserName();
    LOG.debug("User {} authorized for action {} ", user, action);
    // todo - read-only for all metadata but needs to be implemented
}
From source file:org.apache.falcon.security.FalconAuthorizationFilter.java
License:Apache License
/**
 * Authorizes the current request before handing it down the filter chain.
 *
 * <p>With authorization disabled the request passes straight through. Otherwise the
 * resource/action parsed from the request is checked against the authenticated UGI,
 * an optional {@code DO_AS_PARAM} proxy user is validated, and failures are translated
 * to HTTP status codes: authorization failure → 403; unknown entity → 400 except for
 * DELETE, which Falcon treats as idempotent and lets through; bad arguments → 400.
 * On any error the chain is not continued.
 *
 * @param request incoming request; cast to {@link HttpServletRequest} when enabled.
 * @param response outgoing response; cast to {@link HttpServletResponse} on error.
 * @param filterChain the remaining filter chain.
 * @throws IOException propagated from the chain or from error reporting.
 * @throws ServletException propagated from the chain.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
    throws IOException, ServletException {
    if (!isAuthorizationEnabled) {
        filterChain.doFilter(request, response);
        return;
    }

    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final RequestParts requestParts = getUserRequest(httpRequest);
    LOG.info("Authorizing user={} against request={}", CurrentUser.getUser(), requestParts);

    try {
        final UserGroupInformation authenticatedUGI = CurrentUser.getAuthenticatedUGI();
        authorizationProvider.authorizeResource(requestParts.getResource(),
                requestParts.getAction(), requestParts.getEntityType(),
                requestParts.getEntityName(), authenticatedUGI);

        // Caller-supplied proxy user; tryProxy decides whether it is permitted.
        final String doAsUser = request.getParameter(DO_AS_PARAM);
        tryProxy(authenticatedUGI, requestParts.getEntityType(), requestParts.getEntityName(),
                doAsUser);
        LOG.info("Authorization succeeded for user={}, proxy={}",
                authenticatedUGI.getShortUserName(), CurrentUser.getUser());
    } catch (AuthorizationException e) {
        sendError((HttpServletResponse) response, HttpServletResponse.SC_FORBIDDEN,
                e.getMessage());
        return; // do not continue processing
    } catch (EntityNotRegisteredException e) {
        final boolean isDelete = httpRequest.getMethod().equals(HttpMethod.DELETE);
        if (!isDelete) {
            sendError((HttpServletResponse) response, HttpServletResponse.SC_BAD_REQUEST,
                    e.getMessage());
            return; // do not continue processing
        }
        // DELETE of a non-existing entity is idempotent in Falcon and returns success.
    } catch (IllegalArgumentException e) {
        sendError((HttpServletResponse) response, HttpServletResponse.SC_BAD_REQUEST,
                e.getMessage());
        return; // do not continue processing
    }

    // no authorization error: continue processing
    filterChain.doFilter(request, response);
}
From source file:org.apache.flink.mesos.runtime.clusterframework.MesosApplicationMasterRunner.java
License:Apache License
/**
 * The instance entry point for the Mesos AppMaster. Obtains user group
 * information and calls the main work method {@link #runPrivileged()} as a
 * privileged action.
 *
 * <p>Every failure, including one while resolving the current user, is logged
 * and mapped to {@code INIT_ERROR_EXIT_CODE} rather than propagated.
 *
 * @param args The command line arguments.
 * @return The process exit code.
 */
protected int run(String[] args) {
    try {
        LOG.debug("All environment variables: {}", ENV);

        final UserGroupInformation currentUser;
        try {
            currentUser = UserGroupInformation.getCurrentUser();
        } catch (Throwable t) {
            // Re-wrap so the outer handler logs a descriptive message with the cause attached.
            throw new Exception("Cannot access UserGroupInformation information for current user", t);
        }
        LOG.info("Running Flink as user {}", currentUser.getShortUserName());

        // run the actual work in a secured privileged action
        final PrivilegedAction<Integer> privilegedWork = new PrivilegedAction<Integer>() {
            @Override
            public Integer run() {
                return runPrivileged();
            }
        };
        return currentUser.doAs(privilegedWork);
    } catch (Throwable t) {
        // make sure that everything whatever ends up in the log
        LOG.error("Mesos AppMaster initialization failed", t);
        return INIT_ERROR_EXIT_CODE;
    }
}
From source file:org.apache.flink.yarn.AbstractYarnFlinkApplicationMasterRunner.java
License:Apache License
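/**
 * The instance entry point for the YARN application master. Obtains user group
 * information and calls the main work method
 * {@link #runApplicationMaster(org.apache.flink.configuration.Configuration)} as a
 * privileged action.
 *
 * <p>Fix: the missing-user-name precondition used an SLF4J-style {@code {}} placeholder,
 * which {@code Preconditions.checkArgument} does not expand, so the failing variable name
 * never appeared in the message. It now uses {@code %s} like the other preconditions here.
 *
 * <p>Keytab/principal from the environment are written into the Flink configuration; a
 * readable krb5 file in the working directory additionally forces Hadoop to kerberos
 * authentication and authorization (used by the secure integration test).
 *
 * @param args The command line arguments.
 * @return The process exit code; {@code INIT_ERROR_EXIT_CODE} on any initialization failure.
 */
protected int run(String[] args) {
    try {
        LOG.debug("All environment variables: {}", ENV);

        final String yarnClientUsername = ENV.get(YarnConfigKeys.ENV_HADOOP_USER_NAME);
        Preconditions.checkArgument(yarnClientUsername != null,
            "YARN client user name environment variable %s not set",
            YarnConfigKeys.ENV_HADOOP_USER_NAME);

        final String currDir = ENV.get(Environment.PWD.key());
        Preconditions.checkArgument(currDir != null,
            "Current working directory variable (%s) not set", Environment.PWD.key());
        LOG.debug("Current working directory: {}", currDir);

        final String remoteKeytabPath = ENV.get(YarnConfigKeys.KEYTAB_PATH);
        LOG.debug("Remote keytab path obtained {}", remoteKeytabPath);

        final String remoteKeytabPrincipal = ENV.get(YarnConfigKeys.KEYTAB_PRINCIPAL);
        LOG.info("Remote keytab principal obtained {}", remoteKeytabPrincipal);

        // The keytab shipped with the container is expected under the working directory.
        String keytabPath = null;
        if (remoteKeytabPath != null) {
            File f = new File(currDir, Utils.KEYTAB_FILE_NAME);
            keytabPath = f.getAbsolutePath();
            LOG.debug("Keytab path: {}", keytabPath);
        }

        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        LOG.info("YARN daemon is running as: {} Yarn client user obtainer: {}",
            currentUser.getShortUserName(), yarnClientUsername);

        // Flink configuration
        final Map<String, String> dynamicProperties = FlinkYarnSessionCli
            .getDynamicProperties(ENV.get(YarnConfigKeys.ENV_DYNAMIC_PROPERTIES));
        LOG.debug("YARN dynamic properties: {}", dynamicProperties);

        final Configuration flinkConfig = createConfiguration(currDir, dynamicProperties);
        if (keytabPath != null && remoteKeytabPrincipal != null) {
            flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
            flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
        }

        // To support the YARN secure integration test scenario: a readable krb5 conf in the
        // working directory switches Hadoop to kerberos authentication + authorization.
        org.apache.hadoop.conf.Configuration hadoopConfiguration = null;
        File krb5Conf = new File(currDir, Utils.KRB5_FILE_NAME);
        if (krb5Conf.exists() && krb5Conf.canRead()) {
            String krb5Path = krb5Conf.getAbsolutePath();
            LOG.info("KRB5 Conf: {}", krb5Path);
            hadoopConfiguration = new org.apache.hadoop.conf.Configuration();
            hadoopConfiguration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
            hadoopConfiguration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
        }

        SecurityUtils.SecurityConfiguration sc;
        if (hadoopConfiguration != null) {
            sc = new SecurityUtils.SecurityConfiguration(flinkConfig, hadoopConfiguration);
        } else {
            sc = new SecurityUtils.SecurityConfiguration(flinkConfig);
        }
        SecurityUtils.install(sc);

        // Note that we use the "appMasterHostname" given by YARN here, to make sure
        // we use the hostnames given by YARN consistently throughout akka.
        // for akka "localhost" and "localhost.localdomain" are different actors.
        this.appMasterHostname = ENV.get(Environment.NM_HOST.key());
        Preconditions.checkArgument(appMasterHostname != null,
            "ApplicationMaster hostname variable %s not set", Environment.NM_HOST.key());
        LOG.info("YARN assigned hostname for application master: {}", appMasterHostname);

        return SecurityUtils.getInstalledContext().runSecured(new Callable<Integer>() {
            @Override
            public Integer call() throws Exception {
                return runApplicationMaster(flinkConfig);
            }
        });
    } catch (Throwable t) {
        // make sure that everything whatever ends up in the log
        LOG.error("YARN Application Master initialization failed", t);
        return INIT_ERROR_EXIT_CODE;
    }
}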
From source file:org.apache.flink.yarn.entrypoint.YarnEntrypointUtils.java
License:Apache License
/**
 * Logs which user the YARN daemon runs as and which client user submitted the job.
 *
 * @param env the environment to read the client user name from — presumably the
 *            container's {@code System.getenv()}; confirm with callers.
 * @param log the logger to write the single info line to.
 * @throws IOException if the current Hadoop user cannot be resolved.
 * @throws IllegalArgumentException if the client user name variable is not set.
 */
public static void logYarnEnvironmentInformation(Map<String, String> env, Logger log)
        throws IOException {
    final String clientUser = env.get(YarnConfigKeys.ENV_HADOOP_USER_NAME);
    Preconditions.checkArgument(clientUser != null,
        "YARN client user name environment variable %s not set",
        YarnConfigKeys.ENV_HADOOP_USER_NAME);

    final UserGroupInformation daemonUser = UserGroupInformation.getCurrentUser();
    log.info("YARN daemon is running as: {} Yarn client user obtainer: {}",
        daemonUser.getShortUserName(), clientUser);
}