common/src/main/java/org/apache/falcon/security/SecurityUtil.java - falcon - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.falcon.security;

 import org.apache.commons.lang3.StringUtils;
 import org.apache.falcon.FalconException;
 import org.apache.falcon.entity.v0.Entity;
 import org.apache.falcon.util.ReflectionUtils;
 import org.apache.falcon.util.StartupProperties;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;

 /**
  * Security Util - bunch of security related helper methods.
  */
 public final class SecurityUtil {

     /**
      * Constant for the configuration property that indicates the prefix.
      */
     private static final String CONFIG_PREFIX = "falcon.authentication.";

     /**
      * Constant for the configuration property that indicates the authentication type.
      */
     public static final String AUTHENTICATION_TYPE = CONFIG_PREFIX + "type";

     /**
      * Constant for the configuration property that indicates the Name node principal.
      */
     public static final String NN_PRINCIPAL = "dfs.namenode.kerberos.principal";

     /**
      * Constant for the configuration property that indicates the
      * Resource Manager principal.   This is useful when the remote cluster realm
      * (with cross domain trust) or the auth to local rule definition results in a
      * different RM principal than in Falcon server cluster.
      */
     public static final String RM_PRINCIPAL = "yarn.resourcemanager.principal";
     /**
      * Constant for the configuration property that indicates the Name node principal.
      * This is used to talk to Hive Meta Store during parsing and validations only.
      */
     public static final String HIVE_METASTORE_KERBEROS_PRINCIPAL = "hive.metastore.kerberos.principal";

     public static final String METASTORE_USE_THRIFT_SASL = "hive.metastore.sasl.enabled";

     public static final String METASTORE_PRINCIPAL = "hcat.metastore.principal";

     private static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);

     private SecurityUtil() {
     }

     public static String getAuthenticationType() {
         return StartupProperties.get().getProperty(
                 AUTHENTICATION_TYPE, PseudoAuthenticationHandler.TYPE);
     }

     /**
      * Checks if kerberos authentication is enabled in the configuration.
      *
      * @return true if falcon.authentication.type is kerberos, false otherwise
      */
     public static boolean isSecurityEnabled() {
         String authenticationType = StartupProperties.get().getProperty(
                 AUTHENTICATION_TYPE, PseudoAuthenticationHandler.TYPE);

         final boolean useKerberos;
         if (authenticationType == null || PseudoAuthenticationHandler.TYPE.equals(authenticationType)) {
             useKerberos = false;
         } else if (KerberosAuthenticationHandler.TYPE.equals(authenticationType)) {
             useKerberos = true;
         } else {
             throw new IllegalArgumentException("Invalid attribute value for "
                     + AUTHENTICATION_TYPE + " of " + authenticationType);
         }

         return useKerberos;
     }

     public static String getLocalHostName() throws UnknownHostException {
         return InetAddress.getLocalHost().getCanonicalHostName();
     }

     /**
      * Checks if authorization is enabled in the configuration.
      *
      * @return true if falcon.security.authorization.enabled is enabled, false otherwise
      */
     public static boolean isAuthorizationEnabled() {
         return Boolean.valueOf(StartupProperties.get().getProperty(
                 "falcon.security.authorization.enabled", "false"));
     }

     /**
      * Checks if CSRF filter is enabled in the configuration.
      *
      * @return true if falcon.security.csrf.enabled is enabled, false otherwise
      */
     public static boolean isCSRFFilterEnabled() {
         return Boolean.valueOf(StartupProperties.get().getProperty(
                 "falcon.security.csrf.enabled", "false"));
     }

     public static AuthorizationProvider getAuthorizationProvider() throws FalconException {
         String providerClassName = StartupProperties.get().getProperty(
                 "falcon.security.authorization.provider",
                 "org.apache.falcon.security.DefaultAuthorizationProvider");
         return ReflectionUtils.getInstanceByClassName(providerClassName);
     }

     public static void tryProxy(Entity entity, final String doAsUser) throws IOException, FalconException {
         if (entity != null && entity.getACL() != null && SecurityUtil.isAuthorizationEnabled()) {
             final String aclOwner = entity.getACL().getOwner();
             final String aclGroup = entity.getACL().getGroup();

             if (StringUtils.isNotEmpty(doAsUser)) {
                 if (!doAsUser.equalsIgnoreCase(aclOwner)) {
                     LOG.warn("doAs user {} not same as acl owner {}. Ignoring acl owner.", doAsUser, aclOwner);
                     throw new FalconException("doAs user and ACL owner mismatch. doAs user " + doAsUser
                             +  " should be same as ACL owner " + aclOwner);
                 }
                 return;
             }
             if (SecurityUtil.getAuthorizationProvider().shouldProxy(
                     CurrentUser.getAuthenticatedUGI(), aclOwner, aclGroup)) {
                 CurrentUser.proxy(aclOwner, aclGroup);
             }
         }
     }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.falcon.security;

	import org.apache.commons.lang3.StringUtils;
	import org.apache.falcon.FalconException;
	import org.apache.falcon.entity.v0.Entity;
	import org.apache.falcon.util.ReflectionUtils;
	import org.apache.falcon.util.StartupProperties;
	import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
	import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.io.IOException;
	import java.net.InetAddress;
	import java.net.UnknownHostException;

	/**
	* Security Util - bunch of security related helper methods.
	*/
	public final class SecurityUtil {

	/**
	* Constant for the configuration property that indicates the prefix.
	*/
	private static final String CONFIG_PREFIX = "falcon.authentication.";

	/**
	* Constant for the configuration property that indicates the authentication type.
	*/
	public static final String AUTHENTICATION_TYPE = CONFIG_PREFIX + "type";

	/**
	* Constant for the configuration property that indicates the Name node principal.
	*/
	public static final String NN_PRINCIPAL = "dfs.namenode.kerberos.principal";

	/**
	* Constant for the configuration property that indicates the
	* Resource Manager principal. This is useful when the remote cluster realm
	* (with cross domain trust) or the auth to local rule definition results in a
	* different RM principal than in Falcon server cluster.
	*/
	public static final String RM_PRINCIPAL = "yarn.resourcemanager.principal";
	/**
	* Constant for the configuration property that indicates the Name node principal.
	* This is used to talk to Hive Meta Store during parsing and validations only.
	*/
	public static final String HIVE_METASTORE_KERBEROS_PRINCIPAL = "hive.metastore.kerberos.principal";

	public static final String METASTORE_USE_THRIFT_SASL = "hive.metastore.sasl.enabled";

	public static final String METASTORE_PRINCIPAL = "hcat.metastore.principal";

	private static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);

	private SecurityUtil() {
	}

	public static String getAuthenticationType() {
	return StartupProperties.get().getProperty(
	AUTHENTICATION_TYPE, PseudoAuthenticationHandler.TYPE);
	}

	/**
	* Checks if kerberos authentication is enabled in the configuration.
	*
	* @return true if falcon.authentication.type is kerberos, false otherwise
	*/
	public static boolean isSecurityEnabled() {
	String authenticationType = StartupProperties.get().getProperty(
	AUTHENTICATION_TYPE, PseudoAuthenticationHandler.TYPE);

	final boolean useKerberos;
	if (authenticationType == null \|\| PseudoAuthenticationHandler.TYPE.equals(authenticationType)) {
	useKerberos = false;
	} else if (KerberosAuthenticationHandler.TYPE.equals(authenticationType)) {
	useKerberos = true;
	} else {
	throw new IllegalArgumentException("Invalid attribute value for "
	+ AUTHENTICATION_TYPE + " of " + authenticationType);
	}

	return useKerberos;
	}

	public static String getLocalHostName() throws UnknownHostException {
	return InetAddress.getLocalHost().getCanonicalHostName();
	}

	/**
	* Checks if authorization is enabled in the configuration.
	*
	* @return true if falcon.security.authorization.enabled is enabled, false otherwise
	*/
	public static boolean isAuthorizationEnabled() {
	return Boolean.valueOf(StartupProperties.get().getProperty(
	"falcon.security.authorization.enabled", "false"));
	}

	/**
	* Checks if CSRF filter is enabled in the configuration.
	*
	* @return true if falcon.security.csrf.enabled is enabled, false otherwise
	*/
	public static boolean isCSRFFilterEnabled() {
	return Boolean.valueOf(StartupProperties.get().getProperty(
	"falcon.security.csrf.enabled", "false"));
	}

	public static AuthorizationProvider getAuthorizationProvider() throws FalconException {
	String providerClassName = StartupProperties.get().getProperty(
	"falcon.security.authorization.provider",
	"org.apache.falcon.security.DefaultAuthorizationProvider");
	return ReflectionUtils.getInstanceByClassName(providerClassName);
	}

	public static void tryProxy(Entity entity, final String doAsUser) throws IOException, FalconException {
	if (entity != null && entity.getACL() != null && SecurityUtil.isAuthorizationEnabled()) {
	final String aclOwner = entity.getACL().getOwner();
	final String aclGroup = entity.getACL().getGroup();

	if (StringUtils.isNotEmpty(doAsUser)) {
	if (!doAsUser.equalsIgnoreCase(aclOwner)) {
	LOG.warn("doAs user {} not same as acl owner {}. Ignoring acl owner.", doAsUser, aclOwner);
	throw new FalconException("doAs user and ACL owner mismatch. doAs user " + doAsUser
	+ " should be same as ACL owner " + aclOwner);
	}
	return;
	}
	if (SecurityUtil.getAuthorizationProvider().shouldProxy(
	CurrentUser.getAuthenticatedUGI(), aclOwner, aclGroup)) {
	CurrentUser.proxy(aclOwner, aclGroup);
	}
	}
	}

	}