| /** |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with this |
| * work for additional information regarding copyright ownership. The ASF |
| * licenses this file to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| * License for the specific language governing permissions and limitations under |
| * the License. |
| */ |
| package org.apache.hadoop.ozone.security.acl; |
| |
| import org.apache.hadoop.classification.InterfaceAudience; |
| import org.apache.hadoop.classification.InterfaceStability; |
| import org.apache.hadoop.ozone.om.BucketManager; |
| import org.apache.hadoop.ozone.om.KeyManager; |
| import org.apache.hadoop.ozone.om.PrefixManager; |
| import org.apache.hadoop.ozone.om.VolumeManager; |
| import org.apache.hadoop.ozone.om.exceptions.OMException; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import java.util.Objects; |
| |
| import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST; |
| |
| /** |
| * Public API for Ozone ACLs. Security providers providing support for Ozone |
| * ACLs should implement this. |
| */ |
| @InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"}) |
| @InterfaceStability.Evolving |
| public class OzoneNativeAuthorizer implements IAccessAuthorizer { |
| |
| private static final Logger LOG = |
| LoggerFactory.getLogger(OzoneNativeAuthorizer.class); |
| private VolumeManager volumeManager; |
| private BucketManager bucketManager; |
| private KeyManager keyManager; |
| private PrefixManager prefixManager; |
| |
| public OzoneNativeAuthorizer() { |
| } |
| |
| public OzoneNativeAuthorizer(VolumeManager volumeManager, |
| BucketManager bucketManager, KeyManager keyManager, |
| PrefixManager prefixManager) { |
| this.volumeManager = volumeManager; |
| this.bucketManager = bucketManager; |
| this.keyManager = keyManager; |
| this.prefixManager = prefixManager; |
| } |
| |
| /** |
| * Check access for given ozoneObject. |
| * |
| * @param ozObject object for which access needs to be checked. |
| * @param context Context object encapsulating all user related information. |
| * @return true if user has access else false. |
| */ |
| public boolean checkAccess(IOzoneObj ozObject, RequestContext context) |
| throws OMException { |
| Objects.requireNonNull(ozObject); |
| Objects.requireNonNull(context); |
| OzoneObjInfo objInfo; |
| |
| if (ozObject instanceof OzoneObjInfo) { |
| objInfo = (OzoneObjInfo) ozObject; |
| } else { |
| throw new OMException("Unexpected input received. OM native acls are " + |
| "configured to work with OzoneObjInfo type only.", INVALID_REQUEST); |
| } |
| |
| switch (objInfo.getResourceType()) { |
| case VOLUME: |
| LOG.trace("Checking access for volume: {}", objInfo); |
| return volumeManager.checkAccess(objInfo, context); |
| case BUCKET: |
| LOG.trace("Checking access for bucket: {}", objInfo); |
| return (bucketManager.checkAccess(objInfo, context) |
| && volumeManager.checkAccess(objInfo, context)); |
| case KEY: |
| LOG.trace("Checking access for Key: {}", objInfo); |
| return (keyManager.checkAccess(objInfo, context) |
| && prefixManager.checkAccess(objInfo, context) |
| && bucketManager.checkAccess(objInfo, context) |
| && volumeManager.checkAccess(objInfo, context)); |
| case PREFIX: |
| LOG.trace("Checking access for Prefix: {]", objInfo); |
| return (prefixManager.checkAccess(objInfo, context) |
| && bucketManager.checkAccess(objInfo, context) |
| && volumeManager.checkAccess(objInfo, context)); |
| default: |
| throw new OMException("Unexpected object type:" + |
| objInfo.getResourceType(), INVALID_REQUEST); |
| } |
| } |
| |
| public void setVolumeManager(VolumeManager volumeManager) { |
| this.volumeManager = volumeManager; |
| } |
| |
| public void setBucketManager(BucketManager bucketManager) { |
| this.bucketManager = bucketManager; |
| } |
| |
| public void setKeyManager(KeyManager keyManager) { |
| this.keyManager = keyManager; |
| } |
| |
| public void setPrefixManager(PrefixManager prefixManager) { |
| this.prefixManager = prefixManager; |
| } |
| } |