HADOOP-10649. Allow overriding the default ACL for service authorization (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1606179 13f79535-47bb-0310-9956-ffa450edef68

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -483,6 +483,9 @@ Release 2.5.0 - UNRELEASED
     HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony
     via Arpit Agarwal)
 
+    HADOOP-10649. Allow overriding the default ACL for service authorization
+    (Benoy Antony via Arpit Agarwal)
+
   OPTIMIZATIONS
 
   BUG FIXES 

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java

@@ -131,6 +131,9 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
    * Service Authorization
    */
   public static final String 
+  HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL = 
+      "security.service.authorization.default.acl";
+  public static final String 
   HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY = 
       "security.refresh.policy.protocol.acl";
   public static final String 

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

@@ -132,6 +132,10 @@ public class ServiceAuthorizationManager {
     final Map<Class<?>, AccessControlList> newAcls =
         new IdentityHashMap<Class<?>, AccessControlList>();
     
+    String defaultAcl = conf.get(
+        CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
+        AccessControlList.WILDCARD_ACL_VALUE);
+
     // Parse the config file
     Service[] services = provider.getServices();
     if (services != null) {
@@ -139,7 +143,7 @@ public class ServiceAuthorizationManager {
         AccessControlList acl =
             new AccessControlList(
                 conf.get(service.getServiceKey(),
-                    AccessControlList.WILDCARD_ACL_VALUE)
+                    defaultAcl)
             );
         newAcls.put(service.getProtocol(), acl);
       }

hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm

@@ -100,12 +100,16 @@ security.ha.service.protocol.acl      | ACL for HAService protocol used by HAAdm
    Example: <<<user1,user2 group1,group2>>>.
 
    Add a blank at the beginning of the line if only a list of groups is to
-   be provided, equivalently a comman-separated list of users followed by
+   be provided, equivalently a comma-separated list of users followed by
    a space or nothing implies only a set of given users.
 
    A special value of <<<*>>> implies that all users are allowed to access the
    service. 
    
+   If access control list is not defined for a service, the value of
+   <<<security.service.authorization.default.acl>>> is applied. If 
+   <<<security.service.authorization.default.acl>>> is not defined, <<<*>>>  is applied.
+
 ** Refreshing Service Level Authorization Configuration
 
    The service-level authorization configuration for the NameNode and

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java

@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authorize;
+
+import static org.junit.Assert.assertEquals;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.ipc.TestRPC.TestProtocol;
+import org.junit.Test;
+
+public class TestServiceAuthorization {
+
+  private static final String ACL_CONFIG = "test.protocol.acl";
+  private static final String ACL_CONFIG1 = "test.protocol1.acl";
+
+  public interface TestProtocol1 extends TestProtocol {};
+
+  private static class TestPolicyProvider extends PolicyProvider {
+
+    @Override
+    public Service[] getServices() {
+      return new Service[] { new Service(ACL_CONFIG, TestProtocol.class), 
+          new Service(ACL_CONFIG1, TestProtocol1.class),
+      };
+    }
+  }
+
+  @Test
+  public void testDefaultAcl() {
+    ServiceAuthorizationManager serviceAuthorizationManager = 
+        new ServiceAuthorizationManager();
+    Configuration conf = new Configuration ();
+    //test without setting a default acl
+    conf.set(ACL_CONFIG, "user1 group1");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    AccessControlList acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
+    assertEquals("user1 group1", acl.getAclString());
+    acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
+    assertEquals(AccessControlList.WILDCARD_ACL_VALUE, acl.getAclString());
+
+    //test with a default acl
+    conf.set(
+        CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, 
+        "user2 group2");
+    serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+    acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
+    assertEquals("user1 group1", acl.getAclString());
+    acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
+    assertEquals("user2 group2", acl.getAclString());
+  }
+}