List of usage examples for org.apache.hadoop.security UserGroupInformation getShortUserName
public String getShortUserName()
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
/**
 * Verifies a DAG-scoped {@code ACLManager} that is layered on top of an AM-scoped one.
 *
 * <p>As the assertions below show, names before the first space of an ACL string are matched as
 * users and names after it as groups; empty entries and surrounding whitespace are tolerated.
 * The DAG-level checks also succeed for every principal admitted by the AM-level lists, so the
 * DAG lists widen access rather than replace it.
 */
@Test(timeout = 5000)
public void checkDAGACLs() throws IOException {
  String[] grp1And2 = new String[] { "grp1", "grp2" };
  String[] grp3And4 = new String[] { "grp3", "grp4" };
  String[] grp5And6 = new String[] { "grp5", "grp6" };

  // currentUser owns the AM; it belongs to no group.
  UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups);
  UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", grp1And2);
  UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", grp3And4);
  UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups);
  UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
  UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", grp5And6);
  UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);

  Configuration conf = new Configuration(false);
  // AM view ACL   -> users: user1, user4; groups: grp3, grp4 (note the empty entry and padding).
  conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, "user1,user4,, grp3,grp4 ");
  // AM modify ACL -> users: user3; groups: grp6, grp7.
  conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, "user3 grp6,grp7");
  // DAG view ACL   -> users: user6; groups: grp5.
  conf.set(TezConstants.TEZ_DAG_VIEW_ACLS, "user6, grp5 ");
  // DAG modify ACL -> users: user6, user5; no groups.
  conf.set(TezConstants.TEZ_DAG_MODIFY_ACLS, "user6,user5 ");

  // dagUser owns the DAG but appears in none of the lists above.
  UserGroupInformation dagUser = UserGroupInformation.createUserForTesting("dagUser", noGroups);

  ACLManager amAclManager = new ACLManager(currentUser.getShortUserName(), conf);
  ACLManager aclManager = new ACLManager(amAclManager, dagUser.getShortUserName(), conf);

  // AM view: AM owner, listed users, and members of grp3/grp4 only. The DAG owner and the
  // DAG-level entries must NOT leak into the AM scope.
  Assert.assertTrue(aclManager.checkAMViewAccess(currentUser));
  Assert.assertFalse(aclManager.checkAMViewAccess(dagUser));
  Assert.assertTrue(aclManager.checkAMViewAccess(user1));
  Assert.assertTrue(aclManager.checkAMViewAccess(user2));
  Assert.assertFalse(aclManager.checkAMViewAccess(user3));
  Assert.assertTrue(aclManager.checkAMViewAccess(user4));
  Assert.assertFalse(aclManager.checkAMViewAccess(user5));
  Assert.assertFalse(aclManager.checkAMViewAccess(user6));

  // AM modify: AM owner, user3, and user5 through grp6. View permission does not imply modify.
  Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
  Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser));
  Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
  Assert.assertFalse(aclManager.checkAMModifyAccess(user2));
  Assert.assertTrue(aclManager.checkAMModifyAccess(user3));
  Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
  Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
  Assert.assertFalse(aclManager.checkAMModifyAccess(user6));

  // DAG view: everyone with AM view, plus the DAG owner, user6 and grp5 members (user5).
  Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
  Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser));
  Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
  Assert.assertTrue(aclManager.checkDAGViewAccess(user2));
  Assert.assertFalse(aclManager.checkDAGViewAccess(user3));
  Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
  Assert.assertTrue(aclManager.checkDAGViewAccess(user5));
  Assert.assertTrue(aclManager.checkDAGViewAccess(user6));

  // DAG modify: everyone with AM modify, plus the DAG owner, user5 and user6.
  Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser));
  Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
  Assert.assertFalse(aclManager.checkDAGModifyAccess(user2));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(user3));
  Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(user6));
}
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
/**
 * Verifies that a whitespace-padded {@code "*"} in the AM view and modify ACLs admits every
 * user, including one that is neither the owner nor listed anywhere.
 *
 * <p>The DAG-level checks on the same AM-scoped manager are asserted to pass as well, so a
 * wildcard at AM level opens both scopes for both permissions.
 */
@Test(timeout = 5000)
public void testWildCardCheck() {
  Configuration conf = new Configuration(false);
  // The padding around '*' is deliberate: the wildcard must still be recognised.
  conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, " * ");
  conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, " * ");

  UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
  UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);

  // a1 is the AM owner; u1 is an unrelated user with no group membership.
  ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);

  Assert.assertTrue(aclManager.checkAMViewAccess(a1));
  Assert.assertTrue(aclManager.checkAMViewAccess(u1));

  Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
  Assert.assertTrue(aclManager.checkAMModifyAccess(u1));

  Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
  Assert.assertTrue(aclManager.checkDAGViewAccess(u1));

  Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));
}
From source file:org.apache.tez.common.security.TestACLManager.java
License:Apache License
/**
 * Verifies that switching {@code TEZ_AM_ACLS_ENABLED} off makes every access check pass.
 *
 * <p>The view and modify lists name only {@code a2} and {@code u2}, yet {@code a1} and
 * {@code u1} are admitted everywhere: with ACLs disabled the configured lists are not
 * enforced. The same holds for a DAG-scoped manager derived from the AM-scoped one with a
 * {@code null} configuration.
 */
@Test(timeout = 5000)
public void testACLsDisabled() {
  Configuration conf = new Configuration(false);
  conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);
  // Neither test principal below appears in these lists; they must be ignored entirely.
  conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, "a2,u2 ");
  conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, "a2,u2 ");

  UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
  UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);

  // AM-scoped manager owned by a1.
  ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);

  Assert.assertTrue(aclManager.checkAMViewAccess(a1));
  Assert.assertTrue(aclManager.checkAMViewAccess(u1));
  Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
  Assert.assertTrue(aclManager.checkAMModifyAccess(u1));
  Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
  Assert.assertTrue(aclManager.checkDAGViewAccess(u1));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
  Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));

  // DAG-scoped manager built from the AM one; no DAG configuration is supplied.
  ACLManager dagAclManager = new ACLManager(aclManager, "dagUser", null);

  Assert.assertTrue(dagAclManager.checkAMViewAccess(a1));
  Assert.assertTrue(dagAclManager.checkAMViewAccess(u1));
  Assert.assertTrue(dagAclManager.checkAMModifyAccess(a1));
  Assert.assertTrue(dagAclManager.checkAMModifyAccess(u1));
  Assert.assertTrue(dagAclManager.checkDAGViewAccess(a1));
  Assert.assertTrue(dagAclManager.checkDAGViewAccess(u1));
  Assert.assertTrue(dagAclManager.checkDAGModifyAccess(a1));
  Assert.assertTrue(dagAclManager.checkDAGModifyAccess(u1));
}
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
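/**
 * Get the most recent WebPageSnapshotModel from HBase, reading it as a proxy user for
 * {@code user}.
 *
 * @param url The URL to get the snapshotted page from HBase
 * @param user The user name to impersonate for the read; it is also passed to
 *          {@code normalizeUrl} and {@code webPageSnapshotModels}
 * @return The WebPageSnapshotModel, or null if there are no fetches for this
 *         URL
 * @throws IOException declared by the signature (the login-user lookup can raise it)
 */
private WebPageSnapshotModel getMostRecentWebPageSnapshot(String url, final String user) throws IOException {
  final String normalizedUrl = normalizeUrl(url, user);

  // The read below runs as `user`, proxied through the service's own login identity.
  // NOTE(review): this method takes `user` as given and performs no authentication itself, so
  // callers must pass an identity that was already authenticated; the cluster's proxy-user
  // (impersonation) settings should also limit whom the login user may act for.
  UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());

  // Routine event: logged at INFO so it does not pollute error-level monitoring and alerting.
  LOG.info("Created proxy user " + ugi.getShortUserName() + " ugi: " + ugi);

  return ugi.doAs(new PrivilegedAction<WebPageSnapshotModel>() {
    @Override
    public WebPageSnapshotModel run() {
      DatasetReader<WebPageSnapshotModel> reader = null;
      try {
        // we don't know the exact timestamp in the key, but we know since keys
        // are in timestamp descending order that the first row for an URL will be
        // the most recent.
        reader = webPageSnapshotModels(user).from("url", normalizedUrl).from("fetchedAtRevTs", 0L)
            .to("url", normalizedUrl).to("fetchedAtRevTs", Long.MAX_VALUE).newReader();
        return reader.hasNext() ? reader.next() : null;
      } finally {
        // Always release the reader, including when building or reading it throws.
        if (reader != null) {
          reader.close();
        }
      }
    }
  });
}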
From source file:skewtune.mapreduce.STJobTracker.java
License:Apache License
/**
 * Is the calling user a super user? Or part of the supergroup?
 *
 * <p>The user comparison is made on short user names only, and group membership is an exact
 * string match against the caller's group names.
 * NOTE(review): a short name carries no realm or authentication method, so this check is only
 * as strong as the mapping that produces short names - confirm that distinct principals cannot
 * map to the super user's short name in this deployment.
 *
 * @param callerUGI the identity of the caller being checked
 * @param superUser the identity regarded as the super user
 * @param superGroup the name of the super group
 * @return true, if it is a super user
 */
static boolean isSuperUserOrSuperGroup(UserGroupInformation callerUGI, UserGroupInformation superUser,
    String superGroup) {
  final String superName = superUser.getShortUserName();
  if (superName.equals(callerUGI.getShortUserName())) {
    return true;
  }

  // Not the super user itself: fall back to membership of the super group.
  for (String group : callerUGI.getGroupNames()) {
    if (group.equals(superGroup)) {
      return true;
    }
  }
  return false;
}
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
/**
 * Accepts a job submission from the remote RPC caller and queues it.
 *
 * <p>The submitting identity is taken from {@code Server.getRemoteUser()}, not from the job
 * payload. A submission is rejected (and counted in {@code rejectedJobs}) when the global or
 * per-user queue limit is exceeded, when the job script cannot be stored, or when handing the
 * job to YARN does not return the new job id. On the two late failures the job entry and the
 * per-user counter are rolled back.
 *
 * <p>NOTE(review): the limit checks and the insertion are separate steps here; whether
 * concurrent submissions can overshoot the limits depends on synchronisation that is not
 * visible in this method.
 *
 * @param job the job description to queue
 * @param scriptSource the job script, handed to {@code storeJobScript}
 * @return the newly assigned job id, or -1 if the submission was rejected
 * @throws IOException declared by the signature
 */
@Override
public int submitJob(final PBSJob job, byte[] scriptSource) throws IOException {
  UserGroupInformation caller = Server.getRemoteUser();
  LOG.info(caller + " submitted a job!");
  final String requestorUserName = caller.getShortUserName();

  // ProBoS queue limits: both bound how much queued state any caller can make the server hold.
  final int maxUserQueueable = pConf.getInt(PConfiguration.KEY_JOB_MAX_USER_QUEUE, 5000);
  final int maxQueueable = pConf.getInt(PConfiguration.KEY_JOB_MAX_QUEUE, 10000);

  if (jobArray.size() > maxQueueable) {
    rejectedJobs.inc();
    return -1;
  }
  if (user2QueuedCount.get(requestorUserName) > maxUserQueueable) {
    rejectedJobs.inc();
    return -1;
  }

  // Register the job and charge it to the submitting user before any external work is done.
  final int newId = nextJobId.incrementAndGet();
  JobInformation ji = new JobInformation(newId, job);
  jobArray.put(newId, ji);
  ji.jobId = newId;
  ji.modify();
  user2QueuedCount.adjustOrPutValue(requestorUserName, 1, 1);

  if (!storeJobScript(ji, requestorUserName, scriptSource)) {
    // Script could not be stored: undo the registration and the per-user charge.
    jobArray.remove(newId);
    user2QueuedCount.adjustOrPutValue(requestorUserName, -1, 0);
    rejectedJobs.inc();
    return -1;
  }

  if (job.getUserHold()) {
    // A user-held job stays queued and is not handed to YARN yet.
    jobHolds.put(newId, new JobHold(HoldType.USER, requestorUserName));
    return newId;
  }

  // yarnJob returns the job id on success
  if (yarnJob(ji, requestorUserName) != newId) {
    jobArray.remove(newId);
    user2QueuedCount.adjustOrPutValue(requestorUserName, -1, 0);
    rejectedJobs.inc();
    return -1;
  }
  return newId;
}
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
/**
 * Rejects the remote RPC caller unless its short user name matches the job owner's.
 *
 * <p>A {@code null} job is accepted without any check: there is nothing to protect.
 * NOTE(review): despite the method name, no root / super-user exemption is visible in this
 * method; only the owner comparison is performed.
 *
 * @param ji the job being accessed, or {@code null}
 * @throws SecurityException if the caller's short user name differs from the job owner's
 * @throws Exception declared by the signature
 */
protected void checkOwnerOrRoot(JobInformation ji) throws Exception {
  if (ji == null) {
    return; // you can do what you want if there is no job to act upon it
  }

  UserGroupInformation caller = Server.getRemoteUser();

  // Only short user names are compared. The full identities legitimately differ, e.g.
  //   caller: craigm@AD.DCS.GLA.AC.UK (auth:KERBEROS)
  //   owner:  craigm (auth:PROXY) via probos/salt@DCS.GLA.AC.UK (auth:KERBEROS)
  // NOTE(review): this relies on the principal-to-short-name mapping being unambiguous, i.e.
  // two distinct principals must not map to the same short name.
  boolean sameUser = ji.proxyUser.getShortUserName().equals(caller.getShortUserName());
  if (sameUser) {
    return;
  }

  // The client sees a generic message; both identities go to the server log for audit.
  SecurityException se = new SecurityException("No permission to access this information");
  LOG.warn(caller.toString() + " denied access, job owner was " + ji.proxyUser.toString(), se);
  throw se;
}