List of usage examples for org.apache.hadoop.security UserGroupInformation getShortUserName
public String getShortUserName()
From source file:org.apache.tajo.master.QueryMaster.java
License:Apache License
/** * It initializes the final output and staging directory and sets * them to variables.//from www .j a v a 2 s . c o m */ private void initStagingDir() throws IOException { QueryConf conf = getContext().getConf(); String realUser; String currentUser; UserGroupInformation ugi; ugi = UserGroupInformation.getLoginUser(); realUser = ugi.getShortUserName(); currentUser = UserGroupInformation.getCurrentUser().getShortUserName(); String givenOutputTableName = conf.getOutputTable(); Path stagingDir; // If final output directory is not given by an user, // we use the query id as a output directory. if (givenOutputTableName.equals("")) { this.isCreateTableStmt = false; FileSystem defaultFS = FileSystem.get(conf); Path homeDirectory = defaultFS.getHomeDirectory(); if (!defaultFS.exists(homeDirectory)) { defaultFS.mkdirs(homeDirectory, new FsPermission(USER_DIR_PERMISSION)); } Path userQueryDir = new Path(homeDirectory, TajoConstants.USER_QUERYDIR_PREFIX); if (defaultFS.exists(userQueryDir)) { FileStatus fsStatus = defaultFS.getFileStatus(userQueryDir); String owner = fsStatus.getOwner(); if (!(owner.equals(currentUser) || owner.equals(realUser))) { throw new IOException("The ownership on the user's query " + "directory " + userQueryDir + " is not as expected. " + "It is owned by " + owner + ". The directory must " + "be owned by the submitter " + currentUser + " or " + "by " + realUser); } if (!fsStatus.getPermission().equals(USER_DIR_PERMISSION)) { LOG.info("Permissions on staging directory " + userQueryDir + " are " + "incorrect: " + fsStatus.getPermission() + ". Fixing permissions " + "to correct value " + USER_DIR_PERMISSION); defaultFS.setPermission(userQueryDir, new FsPermission(USER_DIR_PERMISSION)); } } else { defaultFS.mkdirs(userQueryDir, new FsPermission(USER_DIR_PERMISSION)); } stagingDir = StorageUtil.concatPath(userQueryDir, queryId.toString()); if (defaultFS.exists(stagingDir)) { throw new IOException("The staging directory " + stagingDir + "already exists. The directory must be unique to each query"); } else { defaultFS.mkdirs(stagingDir, new FsPermission(USER_DIR_PERMISSION)); } // Set the query id to the output table name conf.setOutputTable(queryId.toString()); } else { this.isCreateTableStmt = true; Path warehouseDir = new Path(conf.getVar(TajoConf.ConfVars.ROOT_DIR), TajoConstants.WAREHOUSE_DIR); stagingDir = new Path(warehouseDir, conf.getOutputTable()); FileSystem fs = warehouseDir.getFileSystem(conf); if (fs.exists(stagingDir)) { throw new IOException("The staging directory " + stagingDir + " already exists. The directory must be unique to each query"); } else { // TODO - should have appropriate permission fs.mkdirs(stagingDir, new FsPermission(USER_DIR_PERMISSION)); } } conf.setOutputPath(stagingDir); outputPath = stagingDir; LOG.info("Initialized Query Staging Dir: " + outputPath); }
From source file:org.apache.tajo.master.rule.FileSystemRule.java
License:Apache License
private void canAccessToPath(FileStatus fsStatus, FsAction action) throws Exception { FsPermission permission = fsStatus.getPermission(); UserGroupInformation userGroupInformation = UserGroupInformation.getCurrentUser(); String userName = userGroupInformation.getShortUserName(); List<String> groupList = Arrays.asList(userGroupInformation.getGroupNames()); if (userName.equals(fsStatus.getOwner())) { if (permission.getUserAction().implies(action)) { return; }//w ww . j a va2s. co m } else if (groupList.contains(fsStatus.getGroup())) { if (permission.getGroupAction().implies(action)) { return; } } else { if (permission.getOtherAction().implies(action)) { return; } } throw new AccessControlException( String.format("Permission denied: user=%s, path=\"%s\":%s:%s:%s%s", userName, fsStatus.getPath(), fsStatus.getOwner(), fsStatus.getGroup(), fsStatus.isDirectory() ? "d" : "-", permission)); }
From source file:org.apache.tajo.storage.FileTablespace.java
License:Apache License
public URI prepareStagingSpace(TajoConf conf, String queryId, OverridableConf context, TableMeta meta) throws IOException { String realUser;/*w ww. j av a2 s .c o m*/ String currentUser; UserGroupInformation ugi; ugi = UserGroupInformation.getLoginUser(); realUser = ugi.getShortUserName(); currentUser = UserGroupInformation.getCurrentUser().getShortUserName(); Path stagingDir = new Path(getStagingUri(context, queryId, meta)); //////////////////////////////////////////// // Create Output Directory //////////////////////////////////////////// if (fs.exists(stagingDir)) { throw new IOException("The staging directory '" + stagingDir + "' already exists"); } fs.mkdirs(stagingDir, new FsPermission(STAGING_DIR_PERMISSION)); FileStatus fsStatus = fs.getFileStatus(stagingDir); String owner = fsStatus.getOwner(); if (!owner.isEmpty() && !(owner.equals(currentUser) || owner.equals(realUser))) { throw new IOException("The ownership on the user's query " + "directory " + stagingDir + " is not as expected. " + "It is owned by " + owner + ". The directory must " + "be owned by the submitter " + currentUser + " or " + "by " + realUser); } if (!fsStatus.getPermission().equals(STAGING_DIR_PERMISSION)) { LOG.info("Permissions on staging directory " + stagingDir + " are " + "incorrect: " + fsStatus.getPermission() + ". Fixing permissions " + "to correct value " + STAGING_DIR_PERMISSION); fs.setPermission(stagingDir, new FsPermission(STAGING_DIR_PERMISSION)); } Path stagingResultDir = new Path(stagingDir, TajoConstants.RESULT_DIR_NAME); fs.mkdirs(stagingResultDir); return stagingDir.toUri(); }
From source file:org.apache.tajo.worker.TaskRunnerTest.java
License:Apache License
public void testInit() throws Exception { ProtoAsyncRpcClient mockClient = mock(ProtoAsyncRpcClient.class); mockClient.close();/*from ww w .ja v a2 s . c om*/ MasterWorkerProtocolService.Interface mockMaster = mock(MasterWorkerProtocolService.Interface.class); ApplicationAttemptId appAttemptId = BuilderUtils.newApplicationAttemptId(q1.getApplicationId(), q1.getAttemptId()); ContainerId cId = BuilderUtils.newContainerId(appAttemptId, 1); NodeId nodeId = RecordFactoryProvider.getRecordFactory(null).newRecordInstance(NodeId.class); nodeId.setHost("host1"); nodeId.setPort(9001); UserGroupInformation mockTaskOwner = mock(UserGroupInformation.class); when(mockTaskOwner.getShortUserName()).thenReturn("hyunsik"); TaskRunner runner = new TaskRunner(sq1, nodeId, mockTaskOwner, mockMaster, cId); QueryConf conf = new QueryConf(); conf.setOutputPath(new Path("/tmp/" + q1)); runner.init(conf); runner.start(); runner.stop(); }
From source file:org.apache.tez.client.TezClientUtils.java
License:Apache License
/** * Verify or create the Staging area directory on the configured Filesystem * @param stagingArea Staging area directory path * @return the FileSytem for the staging area directory * @throws IOException//from w w w . ja va 2 s . c o m */ public static FileSystem ensureStagingDirExists(Configuration conf, Path stagingArea) throws IOException { FileSystem fs = stagingArea.getFileSystem(conf); String realUser; String currentUser; UserGroupInformation ugi = UserGroupInformation.getLoginUser(); realUser = ugi.getShortUserName(); currentUser = UserGroupInformation.getCurrentUser().getShortUserName(); if (fs.exists(stagingArea)) { FileStatus fsStatus = fs.getFileStatus(stagingArea); String owner = fsStatus.getOwner(); if (!(owner.equals(currentUser) || owner.equals(realUser))) { throw new IOException("The ownership on the staging directory " + stagingArea + " is not as expected. " + "It is owned by " + owner + ". The directory must " + "be owned by the submitter " + currentUser + " or " + "by " + realUser); } if (!fsStatus.getPermission().equals(TezCommonUtils.TEZ_AM_DIR_PERMISSION)) { LOG.info("Permissions on staging directory " + stagingArea + " are " + "incorrect: " + fsStatus.getPermission() + ". Fixing permissions " + "to correct value " + TezCommonUtils.TEZ_AM_DIR_PERMISSION); fs.setPermission(stagingArea, TezCommonUtils.TEZ_AM_DIR_PERMISSION); } } else { TezCommonUtils.mkDirForAM(fs, stagingArea); } return fs; }
From source file:org.apache.tez.common.security.ACLManager.java
License:Apache License
@VisibleForTesting boolean checkAccess(UserGroupInformation ugi, ACLType aclType) { if (!aclsEnabled) { return true; }/* w w w .jav a2 s.co m*/ String user = ugi.getShortUserName(); if (amUser.equals(user)) { return true; } if (EnumSet.of(ACLType.DAG_MODIFY_ACL, ACLType.DAG_VIEW_ACL).contains(aclType)) { if (dagUser != null && dagUser.equals(user)) { return true; } } if (users != null && !users.isEmpty()) { Set<String> set = users.get(aclType); if (set != null) { if (set.contains(WILDCARD_ACL_VALUE)) { return true; } if (set.contains(user)) { return true; } } } Collection<String> userGroups = Arrays.asList(ugi.getGroupNames()); if (userGroups != null && !userGroups.isEmpty() && groups != null && !groups.isEmpty()) { Set<String> set = groups.get(aclType); if (set != null) { for (String userGrp : userGroups) { if (set.contains(userGrp)) { return true; } } } } return false; }
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
@Test(timeout = 5000) public void testCurrentUserACLChecks() { UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); UserGroupInformation dagUser = UserGroupInformation.createUserForTesting("dagUser", noGroups); UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", noGroups); ACLManager aclManager = new ACLManager(currentUser.getShortUserName()); UserGroupInformation user = user1;/*from w ww . j ava 2 s . c o m*/ Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); user = currentUser; Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); aclManager = new ACLManager(currentUser.getShortUserName(), new Configuration(false)); user = user1; Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); user = currentUser; Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); ACLManager dagAclManager = new ACLManager(aclManager, dagUser.getShortUserName(), new Configuration(false)); user = dagUser; Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL)); Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL)); user = user1; Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL)); Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL)); }
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
@Test(timeout = 5000) public void testOtherUserACLChecks() throws IOException { String[] groups1 = new String[] { "grp1", "grp2" }; String[] groups2 = new String[] { "grp3", "grp4" }; String[] groups3 = new String[] { "grp5", "grp6" }; UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4, grp3, grp4. String viewACLs = user1.getShortUserName() + "," + user4.getShortUserName() + " " + "grp3,grp4 "; // Modify ACLs: user3, grp6, grp7 String modifyACLs = user3.getShortUserName() + " " + "grp6,grp7"; conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf); Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL)); Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL)); Assert.assertTrue(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL)); }
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
@Test(timeout = 5000) public void testNoGroupsACLChecks() throws IOException { String[] groups1 = new String[] { "grp1", "grp2" }; String[] groups2 = new String[] { "grp3", "grp4" }; String[] groups3 = new String[] { "grp5", "grp6" }; UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4 String viewACLs = user1.getShortUserName() + "," + user4.getShortUserName() + " "; // Modify ACLs: user3 String modifyACLs = user3.getShortUserName() + " "; conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf); Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL)); Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL)); Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL)); Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL)); Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL)); }
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
@Test(timeout = 5000) public void checkAMACLs() throws IOException { String[] groups1 = new String[] { "grp1", "grp2" }; String[] groups2 = new String[] { "grp3", "grp4" }; String[] groups3 = new String[] { "grp5", "grp6" }; UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4, grp3, grp4. String viewACLs = "user1,user4,, grp3,grp4 "; // Modify ACLs: user3, grp6, grp7 String modifyACLs = "user3 grp6,grp7"; conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf); Assert.assertTrue(aclManager.checkAMViewAccess(currentUser)); Assert.assertTrue(aclManager.checkAMViewAccess(user1)); Assert.assertTrue(aclManager.checkAMViewAccess(user2)); Assert.assertFalse(aclManager.checkAMViewAccess(user3)); Assert.assertTrue(aclManager.checkAMViewAccess(user4)); Assert.assertFalse(aclManager.checkAMViewAccess(user5)); Assert.assertFalse(aclManager.checkAMViewAccess(user6)); Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser)); Assert.assertFalse(aclManager.checkAMModifyAccess(user1)); Assert.assertFalse(aclManager.checkAMModifyAccess(user2)); Assert.assertTrue(aclManager.checkAMModifyAccess(user3)); Assert.assertFalse(aclManager.checkAMModifyAccess(user4)); Assert.assertTrue(aclManager.checkAMModifyAccess(user5)); Assert.assertFalse(aclManager.checkAMModifyAccess(user6)); Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser)); Assert.assertTrue(aclManager.checkDAGViewAccess(user1)); Assert.assertTrue(aclManager.checkDAGViewAccess(user2)); Assert.assertFalse(aclManager.checkDAGViewAccess(user3)); Assert.assertTrue(aclManager.checkDAGViewAccess(user4)); Assert.assertFalse(aclManager.checkDAGViewAccess(user5)); Assert.assertFalse(aclManager.checkDAGViewAccess(user6)); Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser)); Assert.assertFalse(aclManager.checkDAGModifyAccess(user1)); Assert.assertFalse(aclManager.checkDAGModifyAccess(user2)); Assert.assertTrue(aclManager.checkDAGModifyAccess(user3)); Assert.assertFalse(aclManager.checkDAGModifyAccess(user4)); Assert.assertTrue(aclManager.checkDAGModifyAccess(user5)); Assert.assertFalse(aclManager.checkDAGModifyAccess(user6)); }