HDFS-8634. OzoneHandler: Add userAuth Interface and Simple userAuth handler. (Contributed by Anu Engineer)
parent
d65b373ec4
commit
2793b4c96f
|
@ -14,3 +14,6 @@
|
|||
|
||||
HDFS-8637. OzoneHandler : Add Error Table. (Anu Engineer via Arpit Agarwal)
|
||||
|
||||
HDFS-8634. OzoneHandler: Add userAuth Interface and Simple userAuth
|
||||
handler. (Anu Engineer via Arpit Agarwal)
|
||||
|
||||
|
|
|
@ -29,7 +29,10 @@ public final class Header {
|
|||
public static final String OZONE_QUOTA_REMOVE = "remove";
|
||||
public static final String OZONE_QUOTA_UNDEFINED = "undefined";
|
||||
|
||||
public static final String OZONE_LIST_QUERY_BUCKET ="bucket";
|
||||
public static final String OZONE_LIST_QUERY_BUCKET = "bucket";
|
||||
|
||||
public static final String OZONE_USER = "x-ozone-user";
|
||||
public static final String OZONE_SIMPLE_AUTHENTICATION_SCHEME = "OZONE";
|
||||
|
||||
private Header() {
|
||||
// Never constructed.
|
||||
|
|
|
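Review bot: The two new constants `OZONE_USER` and `OZONE_SIMPLE_AUTHENTICATION_SCHEME` carry no Javadoc, and nothing here says that both belong to the unauthenticated simple scheme, where the value is whatever the client chose to send. I would add above `OZONE_USER`: `/** Header naming the user a request acts on behalf of (volume creation path); in simple mode the value is client-asserted and never verified. */`, and above the scheme constant: `/** Authorization scheme token of the insecure simple mode; the user name that follows it is not authenticated. */`. Whether the token must be followed by a separator before the user name is not stated anywhere in this file and should be documented next to the constant so every parser treats it the same way.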
@ -0,0 +1,99 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.apache.hadoop.ozone.web.interfaces;
|
||||
|
||||
import org.apache.hadoop.ozone.web.exceptions.OzoneException;
|
||||
import org.apache.hadoop.ozone.web.handlers.UserArgs;
|
||||
|
||||
/**
|
||||
* This interface is used by Ozone to determine user identity.
|
||||
*
|
||||
* Please see concrete implementations for more information
|
||||
*/
|
||||
public interface UserAuth {
|
||||
/**
|
||||
* Returns the user name as a string from the URI and HTTP headers.
|
||||
*
|
||||
* @param userArgs - userArgs
|
||||
*
|
||||
* @return String - User name
|
||||
*
|
||||
* @throws OzoneException
|
||||
*/
|
||||
String getUser(UserArgs userArgs) throws OzoneException;
|
||||
|
||||
/**
|
||||
* Returns all the Groups that user is a member of.
|
||||
*
|
||||
* @param userArgs - userArgs
|
||||
*
|
||||
* @return Array of Groups
|
||||
*
|
||||
* @throws OzoneException
|
||||
*/
|
||||
String[] getGroups(UserArgs userArgs) throws OzoneException;
|
||||
|
||||
/**
|
||||
* Returns true if a user is a Admin.
|
||||
*
|
||||
* @param userArgs - userArgs
|
||||
*
|
||||
* @return true if Admin , false otherwise
|
||||
*
|
||||
* @throws OzoneException -- Allows the underlying system
|
||||
* to throw, that error will get propagated to clients
|
||||
*/
|
||||
boolean isAdmin(UserArgs userArgs) throws OzoneException;
|
||||
|
||||
/**
|
||||
* Returns true if the request is Anonymous.
|
||||
*
|
||||
* @param userArgs - userArgs
|
||||
*
|
||||
* @return true if the request is anonymous, false otherwise.
|
||||
*
|
||||
* @throws OzoneException - Will be propagated back to end user
|
||||
*/
|
||||
boolean isAnonymous(UserArgs userArgs) throws OzoneException;
|
||||
|
||||
/**
|
||||
* Returns true if the name is a recognizable user in the system.
|
||||
*
|
||||
* @param userName - User Name to check
|
||||
* @param userArgs - userArgs
|
||||
*
|
||||
* @return true if the username string is the name of a valid user.
|
||||
*
|
||||
* @throws OzoneException - Will be propagated back to end user
|
||||
*/
|
||||
boolean isUser(String userName, UserArgs userArgs) throws OzoneException;
|
||||
|
||||
/**
|
||||
* Returns the x-ozone-user or the user on behalf of, This is
|
||||
* used in Volume creation path.
|
||||
*
|
||||
* @param userArgs - userArgs
|
||||
*
|
||||
* @return a user name if it has x-ozone-user args in header.
|
||||
*
|
||||
* @throws OzoneException
|
||||
*/
|
||||
String getOzoneUser(UserArgs userArgs) throws OzoneException;
|
||||
|
||||
}
|
|
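Review bot: The contracts of `getUser` and `getGroups` are underspecified in the Javadoc: neither says whether a missing identity is reported as `null`, an empty array, or an exception, which is exactly the case an authorization check has to get right. I would change the `@return` of `getUser` to `@return String - User name, or null when the request carries no identity (anonymous)`, the `@return` of `getGroups` to `@return Array of group names, never null; empty when the user belongs to none`, and add to `isAdmin` and `isUser` that an anonymous request yields false. The bare `@throws OzoneException` on `getUser`, `getGroups` and `getOzoneUser` should get the same one-line description the other methods already have. Pinning this in the interface keeps callers from needing null handling that differs per authentication scheme.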
@ -0,0 +1,158 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.ozone.web.userauth;
|
||||
|
||||
|
||||
import org.apache.hadoop.ozone.web.exceptions.ErrorTable;
|
||||
import org.apache.hadoop.ozone.web.exceptions.OzoneException;
|
||||
import org.apache.hadoop.ozone.web.handlers.UserArgs;
|
||||
import org.apache.hadoop.ozone.web.headers.Header;
|
||||
import org.apache.hadoop.ozone.web.interfaces.UserAuth;
|
||||
import org.apache.hadoop.ozone.web.utils.OzoneConsts;
|
||||
|
||||
import javax.ws.rs.core.HttpHeaders;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Simple is an UserAuth class that is used in the insecure
|
||||
* mode of ozone. This maps more or less to the simple user scheme in
|
||||
* HDFS.
|
||||
*/
|
||||
public class Simple implements UserAuth {
|
||||
/**
|
||||
* Returns the x-ozone-user or the user on behalf of, This is
|
||||
* used in volume creation path.
|
||||
*
|
||||
* @param userArgs - UserArgs
|
||||
*
|
||||
* @throws OzoneException
|
||||
*/
|
||||
@Override
|
||||
public String getOzoneUser(UserArgs userArgs) throws OzoneException {
|
||||
assert userArgs != null : "userArgs cannot be null";
|
||||
|
||||
HttpHeaders headers = userArgs.getHeaders();
|
||||
List<String> users = headers.getRequestHeader(Header.OZONE_USER);
|
||||
|
||||
if ((users == null) || (users.size() == 0)) {
|
||||
return null;
|
||||
}
|
||||
if (users.size() > 1) {
|
||||
throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
|
||||
}
|
||||
return users.get(0).toLowerCase().trim();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the user name as a string from the URI and HTTP headers.
|
||||
*
|
||||
* @param userArgs - user args
|
||||
*
|
||||
* @throws OzoneException -- Allows the underlying system
|
||||
* to throw, that error will get propagated to clients
|
||||
*/
|
||||
@Override
|
||||
public String getUser(UserArgs userArgs) throws OzoneException {
|
||||
assert userArgs != null : "userArgs cannot be null";
|
||||
|
||||
HttpHeaders headers = userArgs.getHeaders();
|
||||
List<String> users = headers.getRequestHeader(HttpHeaders.AUTHORIZATION);
|
||||
if (users == null || users.size() > 1) {
|
||||
throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
|
||||
}
|
||||
|
||||
if (users.size() == 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
String user = users.get(0).trim();
|
||||
if (user.startsWith(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME)) {
|
||||
user = user.replace(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME, "");
|
||||
return user.toLowerCase().trim();
|
||||
} else {
|
||||
throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns true if a user is a Admin - {root and hdfs are treated as admins}.
|
||||
*
|
||||
* @param userArgs - User Args
|
||||
*
|
||||
* @throws OzoneException -- Allows the underlying system
|
||||
* to throw, that error will get propagated to clients
|
||||
*/
|
||||
@Override
|
||||
public boolean isAdmin(UserArgs userArgs) throws OzoneException {
|
||||
assert userArgs != null : "userArgs cannot be null";
|
||||
|
||||
String user = getUser(userArgs);
|
||||
|
||||
return
|
||||
(user.compareToIgnoreCase(OzoneConsts.OZONE_SIMPLE_ROOT_USER) == 0) ||
|
||||
(user.compareToIgnoreCase(OzoneConsts.OZONE_SIMPLE_HDFS_USER) == 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if the request is Anonymous.
|
||||
*
|
||||
* @param userArgs - user Args
|
||||
*
|
||||
* @throws OzoneException -- Allows the underlying system
|
||||
* to throw, that error will get propagated to clients
|
||||
*/
|
||||
@Override
|
||||
public boolean isAnonymous(UserArgs userArgs) throws OzoneException {
|
||||
assert userArgs != null : "userArgs cannot be null";
|
||||
|
||||
return getUser(userArgs) == null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if the name is a recognizable user in the system.
|
||||
*
|
||||
* @param userName - Name of the user
|
||||
* @param userArgs - user Args
|
||||
*
|
||||
* @throws OzoneException -- Allows the underlying system
|
||||
* to throw, that error will get propagated to clients
|
||||
*/
|
||||
@Override
|
||||
public boolean isUser(String userName, UserArgs userArgs)
|
||||
throws OzoneException {
|
||||
// In the simple case, all non-null users names are users :)
|
||||
return userName != null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns all the Groups that user is a member of.
|
||||
*
|
||||
* @param userArgs - User Args
|
||||
*
|
||||
* @return String Array which contains 0 or more group names
|
||||
*
|
||||
* @throws OzoneException
|
||||
*/
|
||||
@Override
|
||||
public String[] getGroups(UserArgs userArgs) throws OzoneException {
|
||||
// Not implemented
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
|
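Review bot: `isAdmin` dereferences the result of `getUser` without a null check, but `getUser` returns null when no Authorization header is present (`users.size() == 0`), so an anonymous request makes `isAdmin` throw a NullPointerException instead of returning false; add `if (user == null) { return false; }` before the comparisons. In `getUser`, `startsWith` followed by `replace` accepts values with no separator such as `OZONEalice` and strips every occurrence of the token from the name, not just the prefix; `user = user.substring(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME.length()).trim();` handles only the prefix. `getGroups` returns null although its own Javadoc promises an array of 0 or more names; `return new String[0];` honours that contract. The class Javadoc should state plainly that in this mode the identity, including the `root`/`hdfs` admin names, is taken from request headers and never verified, so any client can claim admin and the handler must not be exposed outside a trusted network. The `toLowerCase()` calls should pass `Locale.ROOT` so user-name normalization does not depend on the JVM default locale.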
@ -0,0 +1,31 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.apache.hadoop.ozone.web.utils;
|
||||
|
||||
/**
|
||||
* Set of constants used in Ozone implementation.
|
||||
*/
|
||||
public final class OzoneConsts {
|
||||
public static final String OZONE_SIMPLE_ROOT_USER = "root";
|
||||
public static final String OZONE_SIMPLE_HDFS_USER = "hdfs";
|
||||
|
||||
private OzoneConsts() {
|
||||
// Never Constructed
|
||||
}
|
||||
}
|
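Review bot: `OZONE_SIMPLE_ROOT_USER` and `OZONE_SIMPLE_HDFS_USER` are the names that the simple auth handler in this commit treats as administrators, compared case-insensitively against a client-supplied header, and nothing on the constants says so. I would add above them: `/** User names granted admin rights by the simple (insecure) auth handler; the name is taken from the request unverified, so any client able to send one of these is an admin. */`. If other components later read these constants, the comment should also record that the comparison is case-insensitive.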