HADOOP-10649. Allow overriding the default ACL for service authorization (Contributed by Benoy Antony)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1606179 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
f911f5495b
commit
bbbbd270c7
|
@ -483,6 +483,9 @@ Release 2.5.0 - UNRELEASED
|
||||||
HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony
|
HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony
|
||||||
via Arpit Agarwal)
|
via Arpit Agarwal)
|
||||||
|
|
||||||
|
HADOOP-10649. Allow overriding the default ACL for service authorization
|
||||||
|
(Benoy Antony via Arpit Agarwal)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
|
|
@ -131,6 +131,9 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
|
||||||
* Service Authorization
|
* Service Authorization
|
||||||
*/
|
*/
|
||||||
public static final String
|
public static final String
|
||||||
|
HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL =
|
||||||
|
"security.service.authorization.default.acl";
|
||||||
|
public static final String
|
||||||
HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY =
|
HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY =
|
||||||
"security.refresh.policy.protocol.acl";
|
"security.refresh.policy.protocol.acl";
|
||||||
public static final String
|
public static final String
|
||||||
|
|
|
@ -131,6 +131,10 @@ public class ServiceAuthorizationManager {
|
||||||
PolicyProvider provider) {
|
PolicyProvider provider) {
|
||||||
final Map<Class<?>, AccessControlList> newAcls =
|
final Map<Class<?>, AccessControlList> newAcls =
|
||||||
new IdentityHashMap<Class<?>, AccessControlList>();
|
new IdentityHashMap<Class<?>, AccessControlList>();
|
||||||
|
|
||||||
|
String defaultAcl = conf.get(
|
||||||
|
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
|
||||||
|
AccessControlList.WILDCARD_ACL_VALUE);
|
||||||
|
|
||||||
// Parse the config file
|
// Parse the config file
|
||||||
Service[] services = provider.getServices();
|
Service[] services = provider.getServices();
|
||||||
|
@ -139,7 +143,7 @@ public class ServiceAuthorizationManager {
|
||||||
AccessControlList acl =
|
AccessControlList acl =
|
||||||
new AccessControlList(
|
new AccessControlList(
|
||||||
conf.get(service.getServiceKey(),
|
conf.get(service.getServiceKey(),
|
||||||
AccessControlList.WILDCARD_ACL_VALUE)
|
defaultAcl)
|
||||||
);
|
);
|
||||||
newAcls.put(service.getProtocol(), acl);
|
newAcls.put(service.getProtocol(), acl);
|
||||||
}
|
}
|
||||||
|
|
|
@ -100,11 +100,15 @@ security.ha.service.protocol.acl | ACL for HAService protocol used by HAAdm
|
||||||
Example: <<<user1,user2 group1,group2>>>.
|
Example: <<<user1,user2 group1,group2>>>.
|
||||||
|
|
||||||
Add a blank at the beginning of the line if only a list of groups is to
|
Add a blank at the beginning of the line if only a list of groups is to
|
||||||
be provided, equivalently a comman-separated list of users followed by
|
be provided, equivalently a comma-separated list of users followed by
|
||||||
a space or nothing implies only a set of given users.
|
a space or nothing implies only a set of given users.
|
||||||
|
|
||||||
A special value of <<<*>>> implies that all users are allowed to access the
|
A special value of <<<*>>> implies that all users are allowed to access the
|
||||||
service.
|
service.
|
||||||
|
|
||||||
|
If access control list is not defined for a service, the value of
|
||||||
|
<<<security.service.authorization.default.acl>>> is applied. If
|
||||||
|
<<<security.service.authorization.default.acl>>> is not defined, <<<*>>> is applied.
|
||||||
|
|
||||||
** Refreshing Service Level Authorization Configuration
|
** Refreshing Service Level Authorization Configuration
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.security.authorize;
|
||||||
|
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||||
|
import org.apache.hadoop.ipc.TestRPC.TestProtocol;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class TestServiceAuthorization {
|
||||||
|
|
||||||
|
private static final String ACL_CONFIG = "test.protocol.acl";
|
||||||
|
private static final String ACL_CONFIG1 = "test.protocol1.acl";
|
||||||
|
|
||||||
|
public interface TestProtocol1 extends TestProtocol {};
|
||||||
|
|
||||||
|
private static class TestPolicyProvider extends PolicyProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Service[] getServices() {
|
||||||
|
return new Service[] { new Service(ACL_CONFIG, TestProtocol.class),
|
||||||
|
new Service(ACL_CONFIG1, TestProtocol1.class),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultAcl() {
|
||||||
|
ServiceAuthorizationManager serviceAuthorizationManager =
|
||||||
|
new ServiceAuthorizationManager();
|
||||||
|
Configuration conf = new Configuration ();
|
||||||
|
//test without setting a default acl
|
||||||
|
conf.set(ACL_CONFIG, "user1 group1");
|
||||||
|
serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
|
||||||
|
AccessControlList acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
|
||||||
|
assertEquals("user1 group1", acl.getAclString());
|
||||||
|
acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
|
||||||
|
assertEquals(AccessControlList.WILDCARD_ACL_VALUE, acl.getAclString());
|
||||||
|
|
||||||
|
//test with a default acl
|
||||||
|
conf.set(
|
||||||
|
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
|
||||||
|
"user2 group2");
|
||||||
|
serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
|
||||||
|
acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
|
||||||
|
assertEquals("user1 group1", acl.getAclString());
|
||||||
|
acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
|
||||||
|
assertEquals("user2 group2", acl.getAclString());
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue