hdfs/src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/LdapIpDirFilter.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.hdfsproxy;

 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.util.ArrayList;
 import java.util.Hashtable;
 import java.util.regex.Pattern;

 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.BasicAttribute;
 import javax.naming.directory.BasicAttributes;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.InitialLdapContext;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.UserGroupInformation;

 import org.apache.hadoop.hdfs.HdfsConfiguration;

 public class LdapIpDirFilter implements Filter {
   public static final Log LOG = LogFactory.getLog(LdapIpDirFilter.class);

   private static String baseName;
   private static String hdfsIpSchemaStr;
   private static String hdfsIpSchemaStrPrefix;
   private static String hdfsUidSchemaStr;
   private static String hdfsPathSchemaStr;

   private InitialLdapContext lctx;

   private class LdapRoleEntry {
     String userId;
     ArrayList<Path> paths;

     void init(String userId, ArrayList<Path> paths) {
       this.userId = userId;
       this.paths = paths;
     }

     boolean contains(Path path) {
       return paths != null && paths.contains(path);
     }

     @Override
     public String toString() {
       return "LdapRoleEntry{" +
           ", userId='" + userId + '\'' +
           ", paths=" + paths +
           '}';
     }
   }

   public void initialize(String bName, InitialLdapContext ctx) {
     // hook to cooperate unit test
     baseName = bName;
     hdfsIpSchemaStr = "uniqueMember";
     hdfsIpSchemaStrPrefix = "cn=";
     hdfsUidSchemaStr = "uid";
     hdfsPathSchemaStr = "documentLocation";
     lctx = ctx;
   }

   /** {@inheritDoc} */
   public void init(FilterConfig filterConfig) throws ServletException {
     ServletContext context = filterConfig.getServletContext();
     Configuration conf = new HdfsConfiguration(false);
     conf.addResource("hdfsproxy-default.xml");
     conf.addResource("hdfsproxy-site.xml");
     // extract namenode from source conf.
     String nn = ProxyUtil.getNamenode(conf);
     InetSocketAddress nAddr = NetUtils.createSocketAddr(nn);
     context.setAttribute("name.node.address", nAddr);
     context.setAttribute("name.conf", conf);

     // for storing hostname <--> cluster mapping to decide which source cluster
     // to forward
     context.setAttribute("org.apache.hadoop.hdfsproxy.conf", conf);

     if (lctx == null) {
       Hashtable<String, String> env = new Hashtable<String, String>();
       env.put(InitialLdapContext.INITIAL_CONTEXT_FACTORY, conf.get(
           "hdfsproxy.ldap.initial.context.factory",
           "com.sun.jndi.ldap.LdapCtxFactory"));
       env.put(InitialLdapContext.PROVIDER_URL, conf
           .get("hdfsproxy.ldap.provider.url"));

       try {
         lctx = new InitialLdapContext(env, null);
       } catch (NamingException ne) {
         throw new ServletException("NamingException in initializing ldap"
             + ne.toString());
       }

       baseName = conf.get("hdfsproxy.ldap.role.base");
       hdfsIpSchemaStr = conf.get("hdfsproxy.ldap.ip.schema.string",
           "uniqueMember");
       hdfsIpSchemaStrPrefix = conf.get(
           "hdfsproxy.ldap.ip.schema.string.prefix", "cn=");
       hdfsUidSchemaStr = conf.get("hdfsproxy.ldap.uid.schema.string", "uid");
       hdfsPathSchemaStr = conf.get("hdfsproxy.ldap.hdfs.path.schema.string",
           "documentLocation");
     }
     LOG.info("LdapIpDirFilter initialization successful");
   }

   /** {@inheritDoc} */
   public void destroy() {
   }

   /** {@inheritDoc} */
   public void doFilter(ServletRequest request, ServletResponse response,
       FilterChain chain) throws IOException, ServletException {

     String prevThreadName = Thread.currentThread().getName();

     try {
       HttpServletRequest rqst = (HttpServletRequest) request;
       HttpServletResponse rsp = (HttpServletResponse) response;

       String contextPath = rqst.getContextPath();
       Thread.currentThread().setName(contextPath);

       if (LOG.isDebugEnabled()) {
         StringBuilder b = new StringBuilder("Request from ").append(
             rqst.getRemoteHost()).append("/").append(rqst.getRemoteAddr())
             .append(":").append(rqst.getRemotePort());
         b.append("\n The Scheme is " + rqst.getScheme());
         b.append("\n The Path Info is " + rqst.getPathInfo());
         b.append("\n The Translated Path Info is " + rqst.getPathTranslated());
         b.append("\n The Context Path is " + rqst.getContextPath());
         b.append("\n The Query String is " + rqst.getQueryString());
         b.append("\n The Request URI is " + rqst.getRequestURI());
         b.append("\n The Request URL is " + rqst.getRequestURL());
         b.append("\n The Servlet Path is " + rqst.getServletPath());
         LOG.debug(b.toString());
       }
       LdapRoleEntry ldapent = new LdapRoleEntry();
       // check ip address
       String userIp = rqst.getRemoteAddr();
       try {
         boolean isAuthorized = getLdapRoleEntryFromUserIp(userIp, ldapent);
         if (!isAuthorized) {
           rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "IP " + userIp
               + " is not authorized to access");
           return;
         }
       } catch (NamingException ne) {
         throw new IOException("NamingException while searching ldap"
             + ne.toString());
       }

       // since we cannot pass ugi object cross context as they are from
       // different
       // classloaders in different war file, we have to use String attribute.
       rqst.setAttribute("org.apache.hadoop.hdfsproxy.authorized.userID",
         ldapent.userId);
       rqst.setAttribute("org.apache.hadoop.hdfsproxy.authorized.paths",
         ldapent.paths);
       LOG.info("User: " + ldapent.userId + ", Request: " + rqst.getPathInfo() +
               " From: " + rqst.getRemoteAddr());
       chain.doFilter(request, response);
     } finally {
       Thread.currentThread().setName(prevThreadName);
     }
   }

   /**
    * check if client's ip is listed in the Ldap Roles if yes, return true and
    * update ldapent. if not, return false
    * */
   @SuppressWarnings("unchecked")
   private boolean getLdapRoleEntryFromUserIp(String userIp,
       LdapRoleEntry ldapent) throws NamingException {
     String ipMember = hdfsIpSchemaStrPrefix + userIp;
     Attributes matchAttrs = new BasicAttributes(true);
     matchAttrs.put(new BasicAttribute(hdfsIpSchemaStr, ipMember));
     matchAttrs.put(new BasicAttribute(hdfsUidSchemaStr));
     matchAttrs.put(new BasicAttribute(hdfsPathSchemaStr));

     String[] attrIDs = { hdfsUidSchemaStr, hdfsPathSchemaStr };

     NamingEnumeration<SearchResult> results = lctx.search(baseName, matchAttrs,
         attrIDs);
     if (results.hasMore()) {
       String userId = null;
       ArrayList<Path> paths = new ArrayList<Path>();
       SearchResult sr = results.next();
       Attributes attrs = sr.getAttributes();
       for (NamingEnumeration ne = attrs.getAll(); ne.hasMore();) {
         Attribute attr = (Attribute) ne.next();
         if (hdfsUidSchemaStr.equalsIgnoreCase(attr.getID())) {
           userId = (String) attr.get();
         } else if (hdfsPathSchemaStr.equalsIgnoreCase(attr.getID())) {
           for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
             String pathStr = (String) e.next();
             paths.add(new Path(pathStr));
           }
         }
       }
       ldapent.init(userId, paths);
       if (LOG.isDebugEnabled()) LOG.debug(ldapent);
       return true;
     }
     LOG.info("Ip address " + userIp
         + " is not authorized to access the proxy server");
     return false;
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.hdfsproxy;

	import java.io.IOException;
	import java.net.InetSocketAddress;
	import java.util.ArrayList;
	import java.util.Hashtable;
	import java.util.regex.Pattern;

	import javax.naming.NamingEnumeration;
	import javax.naming.NamingException;
	import javax.naming.directory.Attribute;
	import javax.naming.directory.Attributes;
	import javax.naming.directory.BasicAttribute;
	import javax.naming.directory.BasicAttributes;
	import javax.naming.directory.SearchResult;
	import javax.naming.ldap.InitialLdapContext;
	import javax.servlet.Filter;
	import javax.servlet.FilterChain;
	import javax.servlet.FilterConfig;
	import javax.servlet.ServletContext;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.fs.Path;
	import org.apache.hadoop.net.NetUtils;
	import org.apache.hadoop.security.UserGroupInformation;

	import org.apache.hadoop.hdfs.HdfsConfiguration;

	public class LdapIpDirFilter implements Filter {
	public static final Log LOG = LogFactory.getLog(LdapIpDirFilter.class);

	private static String baseName;
	private static String hdfsIpSchemaStr;
	private static String hdfsIpSchemaStrPrefix;
	private static String hdfsUidSchemaStr;
	private static String hdfsPathSchemaStr;

	private InitialLdapContext lctx;

	private class LdapRoleEntry {
	String userId;
	ArrayList<Path> paths;

	void init(String userId, ArrayList<Path> paths) {
	this.userId = userId;
	this.paths = paths;
	}

	boolean contains(Path path) {
	return paths != null && paths.contains(path);
	}

	@Override
	public String toString() {
	return "LdapRoleEntry{" +
	", userId='" + userId + '\'' +
	", paths=" + paths +
	'}';
	}
	}

	public void initialize(String bName, InitialLdapContext ctx) {
	// hook to cooperate unit test
	baseName = bName;
	hdfsIpSchemaStr = "uniqueMember";
	hdfsIpSchemaStrPrefix = "cn=";
	hdfsUidSchemaStr = "uid";
	hdfsPathSchemaStr = "documentLocation";
	lctx = ctx;
	}

	/** {@inheritDoc} */
	public void init(FilterConfig filterConfig) throws ServletException {
	ServletContext context = filterConfig.getServletContext();
	Configuration conf = new HdfsConfiguration(false);
	conf.addResource("hdfsproxy-default.xml");
	conf.addResource("hdfsproxy-site.xml");
	// extract namenode from source conf.
	String nn = ProxyUtil.getNamenode(conf);
	InetSocketAddress nAddr = NetUtils.createSocketAddr(nn);
	context.setAttribute("name.node.address", nAddr);
	context.setAttribute("name.conf", conf);

	// for storing hostname <--> cluster mapping to decide which source cluster
	// to forward
	context.setAttribute("org.apache.hadoop.hdfsproxy.conf", conf);

	if (lctx == null) {
	Hashtable<String, String> env = new Hashtable<String, String>();
	env.put(InitialLdapContext.INITIAL_CONTEXT_FACTORY, conf.get(
	"hdfsproxy.ldap.initial.context.factory",
	"com.sun.jndi.ldap.LdapCtxFactory"));
	env.put(InitialLdapContext.PROVIDER_URL, conf
	.get("hdfsproxy.ldap.provider.url"));

	try {
	lctx = new InitialLdapContext(env, null);
	} catch (NamingException ne) {
	throw new ServletException("NamingException in initializing ldap"
	+ ne.toString());
	}

	baseName = conf.get("hdfsproxy.ldap.role.base");
	hdfsIpSchemaStr = conf.get("hdfsproxy.ldap.ip.schema.string",
	"uniqueMember");
	hdfsIpSchemaStrPrefix = conf.get(
	"hdfsproxy.ldap.ip.schema.string.prefix", "cn=");
	hdfsUidSchemaStr = conf.get("hdfsproxy.ldap.uid.schema.string", "uid");
	hdfsPathSchemaStr = conf.get("hdfsproxy.ldap.hdfs.path.schema.string",
	"documentLocation");
	}
	LOG.info("LdapIpDirFilter initialization successful");
	}

	/** {@inheritDoc} */
	public void destroy() {
	}

	/** {@inheritDoc} */
	public void doFilter(ServletRequest request, ServletResponse response,
	FilterChain chain) throws IOException, ServletException {

	String prevThreadName = Thread.currentThread().getName();

	try {
	HttpServletRequest rqst = (HttpServletRequest) request;
	HttpServletResponse rsp = (HttpServletResponse) response;

	String contextPath = rqst.getContextPath();
	Thread.currentThread().setName(contextPath);

	if (LOG.isDebugEnabled()) {
	StringBuilder b = new StringBuilder("Request from ").append(
	rqst.getRemoteHost()).append("/").append(rqst.getRemoteAddr())
	.append(":").append(rqst.getRemotePort());
	b.append("\n The Scheme is " + rqst.getScheme());
	b.append("\n The Path Info is " + rqst.getPathInfo());
	b.append("\n The Translated Path Info is " + rqst.getPathTranslated());
	b.append("\n The Context Path is " + rqst.getContextPath());
	b.append("\n The Query String is " + rqst.getQueryString());
	b.append("\n The Request URI is " + rqst.getRequestURI());
	b.append("\n The Request URL is " + rqst.getRequestURL());
	b.append("\n The Servlet Path is " + rqst.getServletPath());
	LOG.debug(b.toString());
	}
	LdapRoleEntry ldapent = new LdapRoleEntry();
	// check ip address
	String userIp = rqst.getRemoteAddr();
	try {
	boolean isAuthorized = getLdapRoleEntryFromUserIp(userIp, ldapent);
	if (!isAuthorized) {
	rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "IP " + userIp
	+ " is not authorized to access");
	return;
	}
	} catch (NamingException ne) {
	throw new IOException("NamingException while searching ldap"
	+ ne.toString());
	}

	// since we cannot pass ugi object cross context as they are from
	// different
	// classloaders in different war file, we have to use String attribute.
	rqst.setAttribute("org.apache.hadoop.hdfsproxy.authorized.userID",
	ldapent.userId);
	rqst.setAttribute("org.apache.hadoop.hdfsproxy.authorized.paths",
	ldapent.paths);
	LOG.info("User: " + ldapent.userId + ", Request: " + rqst.getPathInfo() +
	" From: " + rqst.getRemoteAddr());
	chain.doFilter(request, response);
	} finally {
	Thread.currentThread().setName(prevThreadName);
	}
	}

	/**
	* check if client's ip is listed in the Ldap Roles if yes, return true and
	* update ldapent. if not, return false
	* */
	@SuppressWarnings("unchecked")
	private boolean getLdapRoleEntryFromUserIp(String userIp,
	LdapRoleEntry ldapent) throws NamingException {
	String ipMember = hdfsIpSchemaStrPrefix + userIp;
	Attributes matchAttrs = new BasicAttributes(true);
	matchAttrs.put(new BasicAttribute(hdfsIpSchemaStr, ipMember));
	matchAttrs.put(new BasicAttribute(hdfsUidSchemaStr));
	matchAttrs.put(new BasicAttribute(hdfsPathSchemaStr));

	String[] attrIDs = { hdfsUidSchemaStr, hdfsPathSchemaStr };

	NamingEnumeration<SearchResult> results = lctx.search(baseName, matchAttrs,
	attrIDs);
	if (results.hasMore()) {
	String userId = null;
	ArrayList<Path> paths = new ArrayList<Path>();
	SearchResult sr = results.next();
	Attributes attrs = sr.getAttributes();
	for (NamingEnumeration ne = attrs.getAll(); ne.hasMore();) {
	Attribute attr = (Attribute) ne.next();
	if (hdfsUidSchemaStr.equalsIgnoreCase(attr.getID())) {
	userId = (String) attr.get();
	} else if (hdfsPathSchemaStr.equalsIgnoreCase(attr.getID())) {
	for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
	String pathStr = (String) e.next();
	paths.add(new Path(pathStr));
	}
	}
	}
	ldapent.init(userId, paths);
	if (LOG.isDebugEnabled()) LOG.debug(ldapent);
	return true;
	}
	LOG.info("Ip address " + userIp
	+ " is not authorized to access the proxy server");
	return false;
	}
	}