HDFS-8634. OzoneHandler: Add userAuth Interface and Simple userAuth handler. (Contributed by Anu Engineer)

This commit is contained in:
Arpit Agarwal 2015-06-23 14:56:32 -07:00
parent 7452cc5d8b
commit d9d9504102
5 changed files with 295 additions and 1 deletions

View File

@ -14,3 +14,6 @@
HDFS-8637. OzoneHandler : Add Error Table. (Anu Engineer via Arpit Agarwal)
HDFS-8634. OzoneHandler: Add userAuth Interface and Simple userAuth
handler. (Anu Engineer via Arpit Agarwal)

View File

@ -29,7 +29,10 @@ public final class Header {
public static final String OZONE_QUOTA_REMOVE = "remove";
public static final String OZONE_QUOTA_UNDEFINED = "undefined";
public static final String OZONE_LIST_QUERY_BUCKET ="bucket";
public static final String OZONE_LIST_QUERY_BUCKET = "bucket";
public static final String OZONE_USER = "x-ozone-user";
public static final String OZONE_SIMPLE_AUTHENTICATION_SCHEME = "OZONE";
private Header() {
// Never constructed.

View File

@ -0,0 +1,99 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.web.interfaces;
import org.apache.hadoop.ozone.web.exceptions.OzoneException;
import org.apache.hadoop.ozone.web.handlers.UserArgs;
/**
* This interface is used by Ozone to determine user identity.
*
* Please see concrete implementations for more information
*/
public interface UserAuth {
/**
* Returns the user name as a string from the URI and HTTP headers.
*
* @param userArgs - userArgs
*
* @return String - User name
*
* @throws OzoneException
*/
String getUser(UserArgs userArgs) throws OzoneException;
/**
* Returns all the Groups that user is a member of.
*
* @param userArgs - userArgs
*
* @return Array of Groups
*
* @throws OzoneException
*/
String[] getGroups(UserArgs userArgs) throws OzoneException;
/**
* Returns true if a user is a Admin.
*
* @param userArgs - userArgs
*
* @return true if Admin , false otherwise
*
* @throws OzoneException -- Allows the underlying system
* to throw, that error will get propagated to clients
*/
boolean isAdmin(UserArgs userArgs) throws OzoneException;
/**
* Returns true if the request is Anonymous.
*
* @param userArgs - userArgs
*
* @return true if the request is anonymous, false otherwise.
*
* @throws OzoneException - Will be propagated back to end user
*/
boolean isAnonymous(UserArgs userArgs) throws OzoneException;
/**
* Returns true if the name is a recognizable user in the system.
*
* @param userName - User Name to check
* @param userArgs - userArgs
*
* @return true if the username string is the name of a valid user.
*
* @throws OzoneException - Will be propagated back to end user
*/
boolean isUser(String userName, UserArgs userArgs) throws OzoneException;
/**
* Returns the x-ozone-user or the user on behalf of, This is
* used in Volume creation path.
*
* @param userArgs - userArgs
*
* @return a user name if it has x-ozone-user args in header.
*
* @throws OzoneException
*/
String getOzoneUser(UserArgs userArgs) throws OzoneException;
}

View File

@ -0,0 +1,158 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.web.userauth;
import org.apache.hadoop.ozone.web.exceptions.ErrorTable;
import org.apache.hadoop.ozone.web.exceptions.OzoneException;
import org.apache.hadoop.ozone.web.handlers.UserArgs;
import org.apache.hadoop.ozone.web.headers.Header;
import org.apache.hadoop.ozone.web.interfaces.UserAuth;
import org.apache.hadoop.ozone.web.utils.OzoneConsts;
import javax.ws.rs.core.HttpHeaders;
import java.util.List;
/**
* Simple is an UserAuth class that is used in the insecure
* mode of ozone. This maps more or less to the simple user scheme in
* HDFS.
*/
public class Simple implements UserAuth {
/**
* Returns the x-ozone-user or the user on behalf of, This is
* used in volume creation path.
*
* @param userArgs - UserArgs
*
* @throws OzoneException
*/
@Override
public String getOzoneUser(UserArgs userArgs) throws OzoneException {
assert userArgs != null : "userArgs cannot be null";
HttpHeaders headers = userArgs.getHeaders();
List<String> users = headers.getRequestHeader(Header.OZONE_USER);
if ((users == null) || (users.size() == 0)) {
return null;
}
if (users.size() > 1) {
throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
}
return users.get(0).toLowerCase().trim();
}
/**
* Returns the user name as a string from the URI and HTTP headers.
*
* @param userArgs - user args
*
* @throws OzoneException -- Allows the underlying system
* to throw, that error will get propagated to clients
*/
@Override
public String getUser(UserArgs userArgs) throws OzoneException {
assert userArgs != null : "userArgs cannot be null";
HttpHeaders headers = userArgs.getHeaders();
List<String> users = headers.getRequestHeader(HttpHeaders.AUTHORIZATION);
if (users == null || users.size() > 1) {
throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
}
if (users.size() == 0) {
return null;
}
String user = users.get(0).trim();
if (user.startsWith(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME)) {
user = user.replace(Header.OZONE_SIMPLE_AUTHENTICATION_SCHEME, "");
return user.toLowerCase().trim();
} else {
throw ErrorTable.newError(ErrorTable.BAD_AUTHORIZATION, userArgs);
}
}
/**
* Returns true if a user is a Admin - {root and hdfs are treated as admins}.
*
* @param userArgs - User Args
*
* @throws OzoneException -- Allows the underlying system
* to throw, that error will get propagated to clients
*/
@Override
public boolean isAdmin(UserArgs userArgs) throws OzoneException {
assert userArgs != null : "userArgs cannot be null";
String user = getUser(userArgs);
return
(user.compareToIgnoreCase(OzoneConsts.OZONE_SIMPLE_ROOT_USER) == 0) ||
(user.compareToIgnoreCase(OzoneConsts.OZONE_SIMPLE_HDFS_USER) == 0);
}
/**
* Returns true if the request is Anonymous.
*
* @param userArgs - user Args
*
* @throws OzoneException -- Allows the underlying system
* to throw, that error will get propagated to clients
*/
@Override
public boolean isAnonymous(UserArgs userArgs) throws OzoneException {
assert userArgs != null : "userArgs cannot be null";
return getUser(userArgs) == null;
}
/**
* Returns true if the name is a recognizable user in the system.
*
* @param userName - Name of the user
* @param userArgs - user Args
*
* @throws OzoneException -- Allows the underlying system
* to throw, that error will get propagated to clients
*/
@Override
public boolean isUser(String userName, UserArgs userArgs)
throws OzoneException {
// In the simple case, all non-null users names are users :)
return userName != null;
}
/**
* Returns all the Groups that user is a member of.
*
* @param userArgs - User Args
*
* @return String Array which contains 0 or more group names
*
* @throws OzoneException
*/
@Override
public String[] getGroups(UserArgs userArgs) throws OzoneException {
// Not implemented
return null;
}
}

View File

@ -0,0 +1,31 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.web.utils;
/**
* Set of constants used in Ozone implementation.
*/
public final class OzoneConsts {
public static final String OZONE_SIMPLE_ROOT_USER = "root";
public static final String OZONE_SIMPLE_HDFS_USER = "hdfs";
private OzoneConsts() {
// Never Constructed
}
}