HADOOP-10649. Allow overriding the default ACL for service authorization (Contributed by Benoy Antony)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1606179 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Arpit Agarwal 2014-06-27 18:43:42 +00:00
parent f911f5495b
commit bbbbd270c7
5 changed files with 84 additions and 3 deletions

View File

@ -483,6 +483,9 @@ Release 2.5.0 - UNRELEASED
HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony
via Arpit Agarwal) via Arpit Agarwal)
HADOOP-10649. Allow overriding the default ACL for service authorization
(Benoy Antony via Arpit Agarwal)
OPTIMIZATIONS OPTIMIZATIONS
BUG FIXES BUG FIXES

View File

@ -131,6 +131,9 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
* Service Authorization * Service Authorization
*/ */
public static final String public static final String
HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL =
"security.service.authorization.default.acl";
public static final String
HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY = HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY =
"security.refresh.policy.protocol.acl"; "security.refresh.policy.protocol.acl";
public static final String public static final String

View File

@ -132,6 +132,10 @@ public class ServiceAuthorizationManager {
final Map<Class<?>, AccessControlList> newAcls = final Map<Class<?>, AccessControlList> newAcls =
new IdentityHashMap<Class<?>, AccessControlList>(); new IdentityHashMap<Class<?>, AccessControlList>();
String defaultAcl = conf.get(
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
AccessControlList.WILDCARD_ACL_VALUE);
// Parse the config file // Parse the config file
Service[] services = provider.getServices(); Service[] services = provider.getServices();
if (services != null) { if (services != null) {
@ -139,7 +143,7 @@ public class ServiceAuthorizationManager {
AccessControlList acl = AccessControlList acl =
new AccessControlList( new AccessControlList(
conf.get(service.getServiceKey(), conf.get(service.getServiceKey(),
AccessControlList.WILDCARD_ACL_VALUE) defaultAcl)
); );
newAcls.put(service.getProtocol(), acl); newAcls.put(service.getProtocol(), acl);
} }

View File

@ -100,12 +100,16 @@ security.ha.service.protocol.acl | ACL for HAService protocol used by HAAdm
Example: <<<user1,user2 group1,group2>>>. Example: <<<user1,user2 group1,group2>>>.
Add a blank at the beginning of the line if only a list of groups is to Add a blank at the beginning of the line if only a list of groups is to
be provided, equivalently a comman-separated list of users followed by be provided, equivalently a comma-separated list of users followed by
a space or nothing implies only a set of given users. a space or nothing implies only a set of given users.
A special value of <<<*>>> implies that all users are allowed to access the A special value of <<<*>>> implies that all users are allowed to access the
service. service.
If access control list is not defined for a service, the value of
<<<security.service.authorization.default.acl>>> is applied. If
<<<security.service.authorization.default.acl>>> is not defined, <<<*>>> is applied.
** Refreshing Service Level Authorization Configuration ** Refreshing Service Level Authorization Configuration
The service-level authorization configuration for the NameNode and The service-level authorization configuration for the NameNode and

View File

@ -0,0 +1,67 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.security.authorize;
import static org.junit.Assert.assertEquals;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.ipc.TestRPC.TestProtocol;
import org.junit.Test;
public class TestServiceAuthorization {
private static final String ACL_CONFIG = "test.protocol.acl";
private static final String ACL_CONFIG1 = "test.protocol1.acl";
public interface TestProtocol1 extends TestProtocol {};
private static class TestPolicyProvider extends PolicyProvider {
@Override
public Service[] getServices() {
return new Service[] { new Service(ACL_CONFIG, TestProtocol.class),
new Service(ACL_CONFIG1, TestProtocol1.class),
};
}
}
@Test
public void testDefaultAcl() {
ServiceAuthorizationManager serviceAuthorizationManager =
new ServiceAuthorizationManager();
Configuration conf = new Configuration ();
//test without setting a default acl
conf.set(ACL_CONFIG, "user1 group1");
serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
AccessControlList acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
assertEquals("user1 group1", acl.getAclString());
acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
assertEquals(AccessControlList.WILDCARD_ACL_VALUE, acl.getAclString());
//test with a default acl
conf.set(
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
"user2 group2");
serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
assertEquals("user1 group1", acl.getAclString());
acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
assertEquals("user2 group2", acl.getAclString());
}
}