src/core/org/apache/hadoop/security/authorize/AccessControlList.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.security.authorize;

 import java.util.Iterator;

 import java.io.DataInput;
 import java.io.DataOutput;
 import java.io.IOException;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.Arrays;
 import java.util.List;
 import java.util.LinkedList;
 import java.util.ListIterator;

 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.io.Writable;
 import org.apache.hadoop.io.WritableFactories;
 import org.apache.hadoop.io.WritableFactory;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.conf.Configuration;

 /**
  * Class representing a configured access control list.
  */
 public class AccessControlList implements Writable {

   static {                                      // register a ctor
     WritableFactories.setFactory
       (AccessControlList.class,
        new WritableFactory() {
          public Writable newInstance() { return new AccessControlList(); }
        });
   }

   // Indicates an ACL string that represents access to all users
   public static final String WILDCARD_ACL_VALUE = "*";
   private static final int INITIAL_CAPACITY = 256;

   // Set of users who are granted access.
   private Set<String> users;
   // Set of groups which are granted access
   private Set<String> groups;
   // Whether all users are granted access.
   private boolean allAllowed;

   /**
    * This constructor exists primarily for AccessControlList to be Writable.
    */
   public AccessControlList() {
   }

   /**
    * Construct a new ACL from a String representation of the same.
    *
    * The String is a a comma separated list of users and groups.
    * The user list comes first and is separated by a space followed
    * by the group list. For e.g. "user1,user2 group1,group2"
    *
    * @param aclString String representation of the ACL
    */
   public AccessControlList(String aclString) {
     buildACL(aclString);
   }

   // build ACL from the given string
   private void buildACL(String aclString) {
     users = new TreeSet<String>();
     groups = new TreeSet<String>();
     if (aclString.contains(WILDCARD_ACL_VALUE) &&
         aclString.trim().equals(WILDCARD_ACL_VALUE)) {
       allAllowed = true;
     } else {
       allAllowed = false;
       String[] userGroupStrings = aclString.split(" ", 2);
       Configuration conf = new Configuration();
       Groups groupsMapping = Groups.getUserToGroupsMappingService(conf);

       if (userGroupStrings.length >= 1) {
         List<String> usersList = new LinkedList<String>(
           Arrays.asList(userGroupStrings[0].split(",")));
         cleanupList(usersList);
         addToSet(users, usersList);
       }

       if (userGroupStrings.length == 2) {
         List<String> groupsList = new LinkedList<String>(
           Arrays.asList(userGroupStrings[1].split(",")));
         cleanupList(groupsList);
         addToSet(groups, groupsList);
         groupsMapping.cacheGroupsAdd(groupsList);
       }
     }
   }

   public boolean isAllAllowed() {
     return allAllowed;
   }

   public void addUser(String user) {
     users.add(user);
   }

   /**
    * Get the names of users allowed for this service.
    * @return the set of user names. the set must not be modified.
    */
   Set<String> getUsers() {
     return users;
   }

   /**
    * Get the names of user groups allowed for this service.
    * @return the set of group names. the set must not be modified.
    */
   Set<String> getGroups() {
     return groups;
   }

   public boolean isUserAllowed(UserGroupInformation ugi) {
     if (allAllowed || users.contains(ugi.getShortUserName())) {
       return true;
     } else {
       for(String group: ugi.getGroupNames()) {
         if (groups.contains(group)) {
           return true;
         }
       }
     }
     return false;
   }

   private static final void cleanupList(List<String> list) {
     ListIterator<String> i = list.listIterator();
     while(i.hasNext()) {
       String s = i.next();
       if(s.length() == 0) {
         i.remove();
       } else {
         s = s.trim();
         i.set(s);
       }
     }
   }

   private static final void addToSet(Set<String> set, List<String> list) {
     for(String s : list) {
       set.add(s);
     }
   }

   @Override
   public String toString() {
     String str = null;

     if (allAllowed) {
       str = "All users are allowed";
     }
     else if (users.isEmpty() && groups.isEmpty()) {
       str = "No users are allowed";
     }
     else {
       String usersStr = null;
       String groupsStr = null;
       if (!users.isEmpty()) {
         usersStr = users.toString();
       }
       if (!groups.isEmpty()) {
         groupsStr = groups.toString();
       }

       if (!users.isEmpty() && !groups.isEmpty()) {
         str = "Users " + usersStr + " and members of the groups "
             + groupsStr + " are allowed";
       }
       else if (!users.isEmpty()) {
         str = "Users " + usersStr + " are allowed";
       }
       else {// users is empty array and groups is nonempty
         str = "Members of the groups "
             + groupsStr + " are allowed";
       }
     }

     return str;
   }

   // Serializes the AccessControlList object
   public void write(DataOutput out) throws IOException {
     Text.writeString(out, getACLString());
   }

   // Deserialize
   public void readFields(DataInput in) throws IOException {
     String aclString = Text.readString(in);
     buildACL(aclString);
   }

   /** Returns the String representation of this ACL. Unlike toString() method's
    *  return value, this String can be directly given to the constructor of
    *  AccessControlList to build AccessControlList object.
    *  This is the method used by the serialization method write().
    */
   public String getACLString() {
     StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
     if (allAllowed) {
       sb.append('*');
     }
     else {
       sb.append(getUsersString());
       sb.append(" ");
       sb.append(getGroupsString());
     }
     return sb.toString();
   }

   // Returns comma-separated concatenated single String of the set 'users'
   private String getUsersString() {
     return getString(users);
   }

   // Returns comma-separated concatenated single String of the set 'groups'
   private String getGroupsString() {
     return getString(groups);
   }

   // Returns comma-separated concatenated single String of all strings of
   // the given set
   private String getString(Set<String> strings) {
     StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
     boolean first = true;
     for(String str: strings) {
       if (!first) {
         sb.append(",");
       } else {
         first = false;
       }
       sb.append(str);
     }
     return sb.toString();
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.security.authorize;

	import java.util.Iterator;

	import java.io.DataInput;
	import java.io.DataOutput;
	import java.io.IOException;
	import java.util.Set;
	import java.util.TreeSet;
	import java.util.Arrays;
	import java.util.List;
	import java.util.LinkedList;
	import java.util.ListIterator;

	import org.apache.hadoop.io.Text;
	import org.apache.hadoop.io.Writable;
	import org.apache.hadoop.io.WritableFactories;
	import org.apache.hadoop.io.WritableFactory;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.security.Groups;
	import org.apache.hadoop.conf.Configuration;

	/**
	* Class representing a configured access control list.
	*/
	public class AccessControlList implements Writable {

	static { // register a ctor
	WritableFactories.setFactory
	(AccessControlList.class,
	new WritableFactory() {
	public Writable newInstance() { return new AccessControlList(); }
	});
	}

	// Indicates an ACL string that represents access to all users
	public static final String WILDCARD_ACL_VALUE = "*";
	private static final int INITIAL_CAPACITY = 256;

	// Set of users who are granted access.
	private Set<String> users;
	// Set of groups which are granted access
	private Set<String> groups;
	// Whether all users are granted access.
	private boolean allAllowed;

	/**
	* This constructor exists primarily for AccessControlList to be Writable.
	*/
	public AccessControlList() {
	}

	/**
	* Construct a new ACL from a String representation of the same.
	*
	* The String is a a comma separated list of users and groups.
	* The user list comes first and is separated by a space followed
	* by the group list. For e.g. "user1,user2 group1,group2"
	*
	* @param aclString String representation of the ACL
	*/
	public AccessControlList(String aclString) {
	buildACL(aclString);
	}

	// build ACL from the given string
	private void buildACL(String aclString) {
	users = new TreeSet<String>();
	groups = new TreeSet<String>();
	if (aclString.contains(WILDCARD_ACL_VALUE) &&
	aclString.trim().equals(WILDCARD_ACL_VALUE)) {
	allAllowed = true;
	} else {
	allAllowed = false;
	String[] userGroupStrings = aclString.split(" ", 2);
	Configuration conf = new Configuration();
	Groups groupsMapping = Groups.getUserToGroupsMappingService(conf);

	if (userGroupStrings.length >= 1) {
	List<String> usersList = new LinkedList<String>(
	Arrays.asList(userGroupStrings[0].split(",")));
	cleanupList(usersList);
	addToSet(users, usersList);
	}

	if (userGroupStrings.length == 2) {
	List<String> groupsList = new LinkedList<String>(
	Arrays.asList(userGroupStrings[1].split(",")));
	cleanupList(groupsList);
	addToSet(groups, groupsList);
	groupsMapping.cacheGroupsAdd(groupsList);
	}
	}
	}

	public boolean isAllAllowed() {
	return allAllowed;
	}

	public void addUser(String user) {
	users.add(user);
	}

	/**
	* Get the names of users allowed for this service.
	* @return the set of user names. the set must not be modified.
	*/
	Set<String> getUsers() {
	return users;
	}

	/**
	* Get the names of user groups allowed for this service.
	* @return the set of group names. the set must not be modified.
	*/
	Set<String> getGroups() {
	return groups;
	}

	public boolean isUserAllowed(UserGroupInformation ugi) {
	if (allAllowed \|\| users.contains(ugi.getShortUserName())) {
	return true;
	} else {
	for(String group: ugi.getGroupNames()) {
	if (groups.contains(group)) {
	return true;
	}
	}
	}
	return false;
	}

	private static final void cleanupList(List<String> list) {
	ListIterator<String> i = list.listIterator();
	while(i.hasNext()) {
	String s = i.next();
	if(s.length() == 0) {
	i.remove();
	} else {
	s = s.trim();
	i.set(s);
	}
	}
	}

	private static final void addToSet(Set<String> set, List<String> list) {
	for(String s : list) {
	set.add(s);
	}
	}

	@Override
	public String toString() {
	String str = null;

	if (allAllowed) {
	str = "All users are allowed";
	}
	else if (users.isEmpty() && groups.isEmpty()) {
	str = "No users are allowed";
	}
	else {
	String usersStr = null;
	String groupsStr = null;
	if (!users.isEmpty()) {
	usersStr = users.toString();
	}
	if (!groups.isEmpty()) {
	groupsStr = groups.toString();
	}

	if (!users.isEmpty() && !groups.isEmpty()) {
	str = "Users " + usersStr + " and members of the groups "
	+ groupsStr + " are allowed";
	}
	else if (!users.isEmpty()) {
	str = "Users " + usersStr + " are allowed";
	}
	else {// users is empty array and groups is nonempty
	str = "Members of the groups "
	+ groupsStr + " are allowed";
	}
	}

	return str;
	}

	// Serializes the AccessControlList object
	public void write(DataOutput out) throws IOException {
	Text.writeString(out, getACLString());
	}

	// Deserialize
	public void readFields(DataInput in) throws IOException {
	String aclString = Text.readString(in);
	buildACL(aclString);
	}

	/** Returns the String representation of this ACL. Unlike toString() method's
	* return value, this String can be directly given to the constructor of
	* AccessControlList to build AccessControlList object.
	* This is the method used by the serialization method write().
	*/
	public String getACLString() {
	StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
	if (allAllowed) {
	sb.append('*');
	}
	else {
	sb.append(getUsersString());
	sb.append(" ");
	sb.append(getGroupsString());
	}
	return sb.toString();
	}

	// Returns comma-separated concatenated single String of the set 'users'
	private String getUsersString() {
	return getString(users);
	}

	// Returns comma-separated concatenated single String of the set 'groups'
	private String getGroupsString() {
	return getString(groups);
	}

	// Returns comma-separated concatenated single String of all strings of
	// the given set
	private String getString(Set<String> strings) {
	StringBuilder sb = new StringBuilder(INITIAL_CAPACITY);
	boolean first = true;
	for(String str: strings) {
	if (!first) {
	sb.append(",");
	} else {
	first = false;
	}
	sb.append(str);
	}
	return sb.toString();
	}
	}