| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.hadoop.security.authorize; |
| |
| import java.security.Permission; |
| import java.security.PermissionCollection; |
| import java.security.Policy; |
| import java.security.Principal; |
| import java.security.ProtectionDomain; |
| import java.util.HashMap; |
| import java.util.HashSet; |
| import java.util.Map; |
| import java.util.Set; |
| |
| import org.apache.commons.logging.Log; |
| import org.apache.commons.logging.LogFactory; |
| import org.apache.hadoop.conf.Configurable; |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.security.Group; |
| import org.apache.hadoop.security.User; |
| import org.apache.hadoop.security.SecurityUtil.AccessControlList; |
| |
| /** |
| * A {@link Configuration} based security {@link Policy} for Hadoop. |
| * |
| * {@link ConfiguredPolicy} works in conjunction with a {@link PolicyProvider} |
| * for providing service-level authorization for Hadoop. |
| */ |
| public class ConfiguredPolicy extends Policy implements Configurable { |
| public static final String HADOOP_POLICY_FILE = "hadoop-policy.xml"; |
| private static final Log LOG = LogFactory.getLog(ConfiguredPolicy.class); |
| |
| private Configuration conf; |
| private PolicyProvider policyProvider; |
| private volatile Map<Principal, Set<Permission>> permissions; |
| private volatile Set<Permission> allowedPermissions; |
| |
| public ConfiguredPolicy(Configuration conf, PolicyProvider policyProvider) { |
| this.conf = conf; |
| this.policyProvider = policyProvider; |
| refresh(); |
| } |
| |
| @Override |
| public Configuration getConf() { |
| return conf; |
| } |
| |
| @Override |
| public void setConf(Configuration conf) { |
| this.conf = conf; |
| refresh(); |
| } |
| |
| @Override |
| public boolean implies(ProtectionDomain domain, Permission permission) { |
| // Only make checks for domains having principals |
| if(domain.getPrincipals().length == 0) { |
| return true; |
| } |
| |
| return super.implies(domain, permission); |
| } |
| |
| @Override |
| public PermissionCollection getPermissions(ProtectionDomain domain) { |
| PermissionCollection permissionCollection = super.getPermissions(domain); |
| for (Principal principal : domain.getPrincipals()) { |
| Set<Permission> principalPermissions = permissions.get(principal); |
| if (principalPermissions != null) { |
| for (Permission permission : principalPermissions) { |
| permissionCollection.add(permission); |
| } |
| } |
| |
| for (Permission permission : allowedPermissions) { |
| permissionCollection.add(permission); |
| } |
| } |
| return permissionCollection; |
| } |
| |
| @Override |
| public void refresh() { |
| // Get the system property 'hadoop.policy.file' |
| String policyFile = |
| System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE); |
| |
| // Make a copy of the original config, and load the policy file |
| Configuration policyConf = new Configuration(conf); |
| policyConf.addResource(policyFile); |
| |
| Map<Principal, Set<Permission>> newPermissions = |
| new HashMap<Principal, Set<Permission>>(); |
| Set<Permission> newAllowPermissions = new HashSet<Permission>(); |
| |
| // Parse the config file |
| Service[] services = policyProvider.getServices(); |
| if (services != null) { |
| for (Service service : services) { |
| AccessControlList acl = |
| new AccessControlList( |
| policyConf.get(service.getServiceKey(), |
| AccessControlList.WILDCARD_ACL_VALUE) |
| ); |
| |
| if (acl.allAllowed()) { |
| newAllowPermissions.add(service.getPermission()); |
| if (LOG.isDebugEnabled()) { |
| LOG.debug("Policy - " + service.getPermission() + " * "); |
| } |
| } else { |
| for (String user : acl.getUsers()) { |
| addPermission(newPermissions, new User(user), service.getPermission()); |
| } |
| |
| for (String group : acl.getGroups()) { |
| addPermission(newPermissions, new Group(group), service.getPermission()); |
| } |
| } |
| } |
| } |
| |
| // Flip to the newly parsed permissions |
| allowedPermissions = newAllowPermissions; |
| permissions = newPermissions; |
| } |
| |
| private void addPermission(Map<Principal, Set<Permission>> permissions, |
| Principal principal, Permission permission) { |
| Set<Permission> principalPermissions = permissions.get(principal); |
| if (principalPermissions == null) { |
| principalPermissions = new HashSet<Permission>(); |
| permissions.put(principal, principalPermissions); |
| } |
| principalPermissions.add(permission); |
| if (LOG.isDebugEnabled()) { |
| LOG.debug("Policy - Adding " + permission + " to " + principal); |
| } |
| } |
| } |