| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.falcon.security; |
| |
| import org.apache.falcon.FalconException; |
| import org.apache.falcon.entity.EntityNotRegisteredException; |
| import org.apache.falcon.entity.EntityUtil; |
| import org.apache.falcon.entity.v0.Entity; |
| import org.apache.falcon.entity.v0.EntityType; |
| import org.apache.falcon.util.Servlets; |
| import org.apache.hadoop.security.UserGroupInformation; |
| import org.apache.hadoop.security.authorize.AuthorizationException; |
| import org.codehaus.jettison.json.JSONException; |
| import org.codehaus.jettison.json.JSONObject; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import javax.servlet.Filter; |
| import javax.servlet.FilterChain; |
| import javax.servlet.FilterConfig; |
| import javax.servlet.ServletException; |
| import javax.servlet.ServletRequest; |
| import javax.servlet.ServletResponse; |
| import javax.servlet.http.HttpServletRequest; |
| import javax.servlet.http.HttpServletResponse; |
| import javax.ws.rs.HttpMethod; |
| import javax.ws.rs.core.MediaType; |
| import java.io.IOException; |
| |
| /** |
| * This enforces authorization as part of the filter before processing the request. |
| */ |
| public class FalconAuthorizationFilter implements Filter { |
| |
| private static final Logger LOG = LoggerFactory.getLogger(FalconAuthorizationFilter.class); |
| private static final String DO_AS_PARAM = "doAs"; |
| |
| private boolean isAuthorizationEnabled; |
| private AuthorizationProvider authorizationProvider; |
| |
| @Override |
| public void init(FilterConfig filterConfig) throws ServletException { |
| try { |
| isAuthorizationEnabled = SecurityUtil.isAuthorizationEnabled(); |
| if (isAuthorizationEnabled) { |
| LOG.info("Falcon is running with authorization enabled"); |
| } |
| |
| authorizationProvider = SecurityUtil.getAuthorizationProvider(); |
| } catch (FalconException e) { |
| throw new ServletException(e); |
| } |
| } |
| |
| @Override |
| public void doFilter(ServletRequest request, |
| ServletResponse response, |
| FilterChain filterChain) throws IOException, ServletException { |
| if (isAuthorizationEnabled) { |
| HttpServletRequest httpRequest = (HttpServletRequest) request; |
| RequestParts requestParts = getUserRequest(httpRequest); |
| LOG.info("Authorizing user={} against request={}", CurrentUser.getUser(), requestParts); |
| |
| try { |
| final UserGroupInformation authenticatedUGI = CurrentUser.getAuthenticatedUGI(); |
| authorizationProvider.authorizeResource(requestParts.getResource(), |
| requestParts.getAction(), requestParts.getEntityType(), |
| requestParts.getEntityName(), authenticatedUGI); |
| String doAsUser = request.getParameter(DO_AS_PARAM); |
| tryProxy(authenticatedUGI, |
| requestParts.getEntityType(), requestParts.getEntityName(), doAsUser); |
| LOG.info("Authorization succeeded for user={}, proxy={}", |
| authenticatedUGI.getShortUserName(), CurrentUser.getUser()); |
| } catch (AuthorizationException e) { |
| sendError((HttpServletResponse) response, |
| HttpServletResponse.SC_FORBIDDEN, e.getMessage()); |
| return; // do not continue processing |
| } catch (EntityNotRegisteredException e) { |
| if (!httpRequest.getMethod().equals(HttpMethod.DELETE)) { |
| sendError((HttpServletResponse) response, |
| HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); |
| return; // do not continue processing |
| } // else Falcon deletes a non-existing entity and returns success (idempotent operation). |
| } catch (IllegalArgumentException e) { |
| sendError((HttpServletResponse) response, |
| HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); |
| return; // do not continue processing |
| } |
| } |
| |
| // continue processing if there was no authorization error |
| filterChain.doFilter(request, response); |
| } |
| |
| @Override |
| public void destroy() { |
| authorizationProvider = null; |
| } |
| |
| /** |
| * Returns the resource and action for the given request. |
| * |
| * @param httpRequest an HTTP servlet request |
| * @return the parts of a path |
| */ |
| private static RequestParts getUserRequest(HttpServletRequest httpRequest) { |
| String pathInfo = httpRequest.getPathInfo(); |
| final String[] pathSplits = pathInfo.substring(1).split("/"); |
| |
| final String resource = pathSplits[0]; |
| final String action = pathSplits[1]; |
| if (resource.equalsIgnoreCase("entities") || resource.equalsIgnoreCase("instance")) { |
| final String entityType = pathSplits.length > 2 ? pathSplits[2] : null; |
| final String entityName = pathSplits.length > 3 ? pathSplits[3] : null; |
| return new RequestParts(resource, action, entityName, entityType); |
| } else { |
| return new RequestParts(resource, action, null, null); |
| } |
| } |
| |
| private void tryProxy(UserGroupInformation authenticatedUGI, |
| String entityType, String entityName, |
| final String doAsUser) throws IOException { |
| if (entityType == null || entityName == null) { |
| return; |
| } |
| |
| try { |
| EntityType type = EntityType.getEnum(entityType); |
| Entity entity = EntityUtil.getEntity(type, entityName); |
| SecurityUtil.tryProxy(entity, doAsUser); |
| } catch (FalconException ignore) { |
| // do nothing |
| } |
| } |
| |
| private void sendError(HttpServletResponse httpResponse, |
| int errorCode, String errorMessage) throws IOException { |
| LOG.error("Authorization failed : {}/{}", errorCode, errorMessage); |
| if (!httpResponse.isCommitted()) { // handle authorization error |
| httpResponse.setStatus(errorCode); |
| httpResponse.setContentType(MediaType.APPLICATION_JSON); |
| httpResponse.getOutputStream().print(getJsonResponse(errorCode, errorMessage)); |
| } |
| } |
| |
| private String getJsonResponse(int errorCode, String errorMessage) throws IOException { |
| try { |
| JSONObject response = new JSONObject(); |
| response.put("errorCode", errorCode); |
| response.put("errorMessage", errorMessage); |
| response.put(Servlets.REQUEST_ID, Thread.currentThread().getName()); |
| return response.toString(); |
| } catch (JSONException e) { |
| throw new IOException(e); |
| } |
| } |
| |
| private static class RequestParts { |
| private final String resource; |
| private final String action; |
| private final String entityName; |
| private final String entityType; |
| |
| public RequestParts(String resource, String action, |
| String entityName, String entityType) { |
| this.resource = resource; |
| this.action = action; |
| this.entityName = entityName; |
| this.entityType = entityType; |
| } |
| |
| public String getResource() { |
| return resource; |
| } |
| |
| public String getAction() { |
| return action; |
| } |
| |
| public String getEntityName() { |
| return entityName; |
| } |
| |
| public String getEntityType() { |
| return entityType; |
| } |
| |
| @Override |
| public String toString() { |
| StringBuilder sb = new StringBuilder(); |
| sb.append("RequestParts{") |
| .append("resource='").append(resource).append("'") |
| .append(", action='").append(action).append("'"); |
| if (entityName != null) { |
| sb.append(", entityName='").append(entityName).append("'"); |
| } |
| if (entityType != null) { |
| sb.append(", entityType='").append(entityType).append("'"); |
| } |
| sb.append("}"); |
| return sb.toString(); |
| } |
| } |
| } |
