From c04751b1b42658b60789209105b784a6f92670f8 Mon Sep 17 00:00:00 2001 From: Todd Lipcon Date: Thu, 6 Jan 2011 18:45:15 +0000 Subject: [PATCH] HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. Contributed by Todd Lipcon git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1056006 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES.txt | 3 + .../content/xdocs/Superusers.xml | 3 + .../hadoop/security/authorize/ProxyUsers.java | 21 ++- .../security/authorize/TestProxyUsers.java | 152 ++++++++++++++++++ 4 files changed, 176 insertions(+), 3 deletions(-) create mode 100644 src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java diff --git a/CHANGES.txt b/CHANGES.txt index f979b929e82..ad393a0482b 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -39,6 +39,9 @@ Trunk (unreleased changes) HADOOP-7078. Improve javadocs for RawComparator interface. (Harsh J Chouraria via todd) + HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. + (todd) + OPTIMIZATIONS BUG FIXES diff --git a/src/docs/src/documentation/content/xdocs/Superusers.xml b/src/docs/src/documentation/content/xdocs/Superusers.xml index 94409c49d8d..b5fe3be4ebe 100644 --- a/src/docs/src/documentation/content/xdocs/Superusers.xml +++ b/src/docs/src/documentation/content/xdocs/Superusers.xml @@ -89,6 +89,9 @@

If these configurations are not present, impersonation will not be allowed and connection will fail.

+

+ If more lax security is preferred, the wildcard value * may be used to allow impersonation from any host or of any user. +

diff --git a/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java b/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java index 2d11afabc68..341285e1a75 100644 --- a/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java +++ b/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java @@ -126,7 +126,9 @@ public class ProxyUsers { Collection allowedUserGroups = proxyGroups.get( getProxySuperuserGroupConfKey(superUser.getShortUserName())); - if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) { + if (isWildcardList(allowedUserGroups)) { + groupAuthorized = true; + } else if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) { for (String group : user.getGroupNames()) { if (allowedUserGroups.contains(group)) { groupAuthorized = true; @@ -142,8 +144,10 @@ public class ProxyUsers { Collection ipList = proxyHosts.get( getProxySuperuserIpConfKey(superUser.getShortUserName())); - - if (ipList != null && !ipList.isEmpty()) { + + if (isWildcardList(ipList)) { + ipAuthorized = true; + } else if (ipList != null && !ipList.isEmpty()) { for (String allowedHost : ipList) { InetAddress hostAddr; try { @@ -162,4 +166,15 @@ public class ProxyUsers { + superUser.getUserName() + " from IP " + remoteAddress); } } + + /** + * Return true if the configuration specifies the special configuration value + * "*", indicating that any group or host list is allowed to use this configuration. + */ + private static boolean isWildcardList(Collection list) { + return (list != null) && + (list.size() == 1) && + (list.contains("*")); + } + } diff --git a/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java b/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java new file mode 100644 index 00000000000..6f346a117c1 --- /dev/null +++ b/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java @@ -0,0 +1,152 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.security.authorize; + +import java.util.Arrays; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.util.StringUtils; +import org.apache.hadoop.security.UserGroupInformation; + +import org.junit.Test; +import static org.junit.Assert.*; + +public class TestProxyUsers { + private static final String REAL_USER_NAME = "proxier"; + private static final String PROXY_USER_NAME = "proxied_user"; + private static final String[] GROUP_NAMES = + new String[] { "foo_group" }; + private static final String[] OTHER_GROUP_NAMES = + new String[] { "bar_group" }; + private static final String PROXY_IP = "1.2.3.4"; + + @Test + public void testProxyUsers() throws Exception { + Configuration conf = new Configuration(); + conf.set( + ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME), + StringUtils.join(",", Arrays.asList(GROUP_NAMES))); + conf.set( + ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME), + PROXY_IP); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + + + // First try proxying a group that's allowed + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // From good IP + assertAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + + // Now try proxying a group that's not allowed + realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); + proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); + + // From good IP + assertNotAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + } + + @Test + public void testWildcardGroup() { + Configuration conf = new Configuration(); + conf.set( + ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME), + "*"); + conf.set( + ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME), + PROXY_IP); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + + // First try proxying a group that's allowed + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // From good IP + assertAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + + // Now try proxying a different group (just to make sure we aren't getting spill over + // from the other test case!) + realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); + proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); + + // From good IP + assertAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + } + + @Test + public void testWildcardIP() { + Configuration conf = new Configuration(); + conf.set( + ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME), + StringUtils.join(",", Arrays.asList(GROUP_NAMES))); + conf.set( + ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME), + "*"); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + + // First try proxying a group that's allowed + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // From either IP should be fine + assertAuthorized(proxyUserUgi, "1.2.3.4"); + assertAuthorized(proxyUserUgi, "1.2.3.5"); + + // Now set up an unallowed group + realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); + proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); + + // Neither IP should be OK + assertNotAuthorized(proxyUserUgi, "1.2.3.4"); + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + } + + private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { + try { + ProxyUsers.authorize(proxyUgi, host, null); + fail("Allowed authorization of " + proxyUgi + " from " + host); + } catch (AuthorizationException e) { + // Expected + } + } + + private void assertAuthorized(UserGroupInformation proxyUgi, String host) { + try { + ProxyUsers.authorize(proxyUgi, host, null); + } catch (AuthorizationException e) { + fail("Did not allowed authorization of " + proxyUgi + " from " + host); + } + } +}