From f364837694e34da8672d43412409f0d5f739e446 Mon Sep 17 00:00:00 2001 From: Arpit Agarwal Date: Fri, 27 Jun 2014 18:44:31 +0000 Subject: [PATCH] HADOOP-10649: Merging r1606179 from trunk to branch-2. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1606181 13f79535-47bb-0310-9956-ffa450edef68 --- .../hadoop-common/CHANGES.txt | 3 + .../hadoop/fs/CommonConfigurationKeys.java | 3 + .../ServiceAuthorizationManager.java | 6 +- .../src/site/apt/ServiceLevelAuth.apt.vm | 8 ++- .../authorize/TestServiceAuthorization.java | 67 +++++++++++++++++++ 5 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 6e24cfb4b3c..4dfd9772c19 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -117,6 +117,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony via Arpit Agarwal) + HADOOP-10649. Allow overriding the default ACL for service authorization + (Benoy Antony via Arpit Agarwal) + OPTIMIZATIONS BUG FIXES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java index a1932c07c38..3345e3c93d5 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java @@ -131,6 +131,9 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic { * Service Authorization */ public static final String + HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL = + "security.service.authorization.default.acl"; + public static final String HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY = "security.refresh.policy.protocol.acl"; public static final String diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java index 29d4a6ac47b..d12ab79c798 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java @@ -131,6 +131,10 @@ public class ServiceAuthorizationManager { PolicyProvider provider) { final Map, AccessControlList> newAcls = new IdentityHashMap, AccessControlList>(); + + String defaultAcl = conf.get( + CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, + AccessControlList.WILDCARD_ACL_VALUE); // Parse the config file Service[] services = provider.getServices(); @@ -139,7 +143,7 @@ public class ServiceAuthorizationManager { AccessControlList acl = new AccessControlList( conf.get(service.getServiceKey(), - AccessControlList.WILDCARD_ACL_VALUE) + defaultAcl) ); newAcls.put(service.getProtocol(), acl); } diff --git a/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm index 258819e1107..6a11f3f643d 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/ServiceLevelAuth.apt.vm @@ -100,11 +100,15 @@ security.ha.service.protocol.acl | ACL for HAService protocol used by HAAdm Example: <<>>. Add a blank at the beginning of the line if only a list of groups is to - be provided, equivalently a comman-separated list of users followed by + be provided, equivalently a comma-separated list of users followed by a space or nothing implies only a set of given users. A special value of <<<*>>> implies that all users are allowed to access the - service. + service. + + If access control list is not defined for a service, the value of + <<>> is applied. If + <<>> is not defined, <<<*>>> is applied. ** Refreshing Service Level Authorization Configuration diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java new file mode 100644 index 00000000000..f6cf8bce2e9 --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java @@ -0,0 +1,67 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.security.authorize; + +import static org.junit.Assert.assertEquals; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.CommonConfigurationKeys; +import org.apache.hadoop.ipc.TestRPC.TestProtocol; +import org.junit.Test; + +public class TestServiceAuthorization { + + private static final String ACL_CONFIG = "test.protocol.acl"; + private static final String ACL_CONFIG1 = "test.protocol1.acl"; + + public interface TestProtocol1 extends TestProtocol {}; + + private static class TestPolicyProvider extends PolicyProvider { + + @Override + public Service[] getServices() { + return new Service[] { new Service(ACL_CONFIG, TestProtocol.class), + new Service(ACL_CONFIG1, TestProtocol1.class), + }; + } + } + + @Test + public void testDefaultAcl() { + ServiceAuthorizationManager serviceAuthorizationManager = + new ServiceAuthorizationManager(); + Configuration conf = new Configuration (); + //test without setting a default acl + conf.set(ACL_CONFIG, "user1 group1"); + serviceAuthorizationManager.refresh(conf, new TestPolicyProvider()); + AccessControlList acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class); + assertEquals("user1 group1", acl.getAclString()); + acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class); + assertEquals(AccessControlList.WILDCARD_ACL_VALUE, acl.getAclString()); + + //test with a default acl + conf.set( + CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, + "user2 group2"); + serviceAuthorizationManager.refresh(conf, new TestPolicyProvider()); + acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class); + assertEquals("user1 group1", acl.getAclString()); + acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class); + assertEquals("user2 group2", acl.getAclString()); + } +}