HDFS-8634. OzoneHandler: Add userAuth Interface and Simple userAuth handler. (Contributed by Anu Engineer)

hadoop-hdfs-project/hadoop-hdfs/CHANGES-HDFS-7240.txt

@@ -14,3 +14,6 @@
 
     HDFS-8637. OzoneHandler : Add Error Table. (Anu Engineer via Arpit Agarwal)
 
+    HDFS-8634. OzoneHandler: Add userAuth Interface and Simple userAuth
+    handler. (Anu Engineer via Arpit Agarwal)
+

hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/headers/Header.java

@@ -29,7 +29,10 @@ public final class Header {
   public static final String OZONE_QUOTA_REMOVE = "remove";
   public static final String OZONE_QUOTA_UNDEFINED = "undefined";
 
-  public static final String OZONE_LIST_QUERY_BUCKET ="bucket";
+  public static final String OZONE_LIST_QUERY_BUCKET = "bucket";
+
+  public static final String OZONE_USER = "x-ozone-user";
+  public static final String OZONE_SIMPLE_AUTHENTICATION_SCHEME = "OZONE";
 
   private Header() {
     // Never constructed.

hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/interfaces/UserAuth.java

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.web.interfaces;
+
+import org.apache.hadoop.ozone.web.exceptions.OzoneException;
+import org.apache.hadoop.ozone.web.handlers.UserArgs;
+
+/**
+ * This interface is used by Ozone to determine user identity.
+ *
+ * Please see concrete implementations for more information
+ */
+public interface UserAuth {
+  /**
+   * Returns the user name as a string from the URI and HTTP headers.
+   *
+   * @param userArgs - userArgs
+   *
+   * @return String - User name
+   *
+   * @throws OzoneException
+   */
+  String getUser(UserArgs userArgs) throws OzoneException;
+
+  /**
+   * Returns all the Groups that user is a member of.
+   *
+   * @param userArgs - userArgs
+   *
+   * @return Array of Groups
+   *
+   * @throws OzoneException
+   */
+  String[] getGroups(UserArgs userArgs) throws OzoneException;
+
+  /**
+   * Returns true if a user is a Admin.
+   *
+   * @param userArgs - userArgs
+   *
+   * @return true if Admin , false otherwise
+   *
+   * @throws OzoneException -- Allows the underlying system
+   * to throw, that error will get propagated to clients
+   */
+  boolean isAdmin(UserArgs userArgs) throws OzoneException;
+
+  /**
+   * Returns true if the request is Anonymous.
+   *
+   * @param userArgs - userArgs
+   *
+   * @return true if the request is anonymous, false otherwise.
+   *
+   * @throws OzoneException - Will be propagated back to end user
+   */
+  boolean isAnonymous(UserArgs userArgs) throws OzoneException;
+
+  /**
+   * Returns true if the name is a recognizable user in the system.
+   *
+   * @param userName - User Name to check
+   * @param userArgs - userArgs
+   *
+   * @return true if the username string is the name of a valid user.
+   *
+   * @throws OzoneException - Will be propagated back to end user
+   */
+  boolean isUser(String userName, UserArgs userArgs) throws OzoneException;
+
+  /**
+   * Returns the x-ozone-user or the user on behalf of, This is
+   * used in Volume creation path.
+   *
+   * @param userArgs - userArgs
+   *
+   * @return a user name if it has x-ozone-user args in header.
+   *
+   * @throws OzoneException
+   */
+  String getOzoneUser(UserArgs userArgs) throws OzoneException;
+
+}

hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/userauth/Simple.java

@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.hadoop.ozone.web.userauth;
+
+
+import org.apache.hadoop.ozone.web.exceptions.ErrorTable;
+import org.apache.hadoop.ozone.web.exceptions.OzoneException;
+import org.apache.hadoop.ozone.web.handlers.UserArgs;
+import org.apache.hadoop.ozone.web.headers.Header;
+import org.apache.hadoop.ozone.web.interfaces.UserAuth;
+import org.apache.hadoop.ozone.web.utils.OzoneConsts;
+
+import javax.ws.rs.core.HttpHeaders;
+import java.util.List;
+
+/**
+ * Simple is an UserAuth class that is used in the insecure
+ * mode of ozone. This maps more or less to the simple user scheme in
+ * HDFS.
+ */
+public class Simple implements UserAuth {
+  /**
+   * Returns the x-ozone-user or the user on behalf of, This is
+   * used in volume creation path.
+   *
+   * @param userArgs - UserArgs
+   *
+   * @throws OzoneException
+   */
+  @Override
+  public String getOzoneUser(UserArgs userArgs) throws OzoneException {
+    assert userArgs != null : "userArgs cannot be null";
+
+    HttpHeaders headers = userArgs.getHeaders();
+    List<String> users = headers.getRequestHeader(Header.OZONE_USER);
+
+    if ((users == null) || (users.size() == 0)) {
+      return null;
+    }
+    if (users.size() > 1) {
+      throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
+    }
+    return users.get(0).toLowerCase().trim();
+  }
+
+  /**
+   * Returns the user name as a string from the URI and HTTP headers.
+   *
+   * @param userArgs - user args
+   *
+   * @throws OzoneException -- Allows the underlying system
+   * to throw, that error will get propagated to clients
+   */
+  @Override
+  public String getUser(UserArgs userArgs) throws OzoneException {
+    assert userArgs != null : "userArgs cannot be null";
+
+    HttpHeaders headers = userArgs.getHeaders();
+    List<String> users = headers.getRequestHeader(HttpHeaders.AUTHORIZATION);
+    if (users == null || users.size() > 1) {
+      throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
+    }
+
+    if (users.size() == 0) {
+      return null;
+    }
+
+    String user = users.get(0).trim();
+    if (user.startsWith(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME)) {
+      user = user.replace(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME, "");
+      return user.toLowerCase().trim();
+    } else {
+      throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
+    }
+  }
+
+
+  /**
+   * Returns true if a user is a Admin - {root and hdfs are treated as admins}.
+   *
+   * @param userArgs - User Args
+   *
+   * @throws OzoneException -- Allows the underlying system
+   * to throw, that error will get propagated to clients
+   */
+  @Override
+  public boolean isAdmin(UserArgs userArgs) throws OzoneException {
+    assert userArgs != null : "userArgs cannot be null";
+
+    String user = getUser(userArgs);
+
+    return
+        (user.compareToIgnoreCase(OzoneConsts.OZONE_SIMPLE_ROOT_USER) == 0) ||
+            (user.compareToIgnoreCase(OzoneConsts.OZONE_SIMPLE_HDFS_USER) == 0);
+  }
+
+  /**
+   * Returns true if the request is Anonymous.
+   *
+   * @param userArgs - user Args
+   *
+   * @throws OzoneException -- Allows the underlying system
+   * to throw, that error will get propagated to clients
+   */
+  @Override
+  public boolean isAnonymous(UserArgs userArgs) throws OzoneException {
+    assert userArgs != null : "userArgs cannot be null";
+
+    return getUser(userArgs) == null;
+  }
+
+  /**
+   * Returns true if the name is a recognizable user in the system.
+   *
+   * @param userName - Name of the user
+   * @param userArgs - user Args
+   *
+   * @throws OzoneException -- Allows the underlying system
+   * to throw, that error will get propagated to clients
+   */
+  @Override
+  public boolean isUser(String userName, UserArgs userArgs)
+      throws OzoneException {
+    // In the simple case, all non-null users names are users :)
+    return userName != null;
+  }
+
+  /**
+   * Returns all the Groups that user is a member of.
+   *
+   * @param userArgs - User Args
+   *
+   * @return String Array which contains 0 or more group names
+   *
+   * @throws OzoneException
+   */
+  @Override
+  public String[] getGroups(UserArgs userArgs) throws OzoneException {
+    // Not implemented
+    return null;
+  }
+
+}

hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/utils/OzoneConsts.java

@@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.web.utils;
+
+/**
+ * Set of constants used in Ozone implementation.
+ */
+public final class OzoneConsts {
+  public static final String OZONE_SIMPLE_ROOT_USER = "root";
+  public static final String OZONE_SIMPLE_HDFS_USER = "hdfs";
+
+  private OzoneConsts() {
+    // Never Constructed
+  }
+}