common/src/java/org/apache/hadoop/security/authorize/ConfiguredPolicy.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.security.authorize;

 import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Policy;
 import java.security.Principal;
 import java.security.ProtectionDomain;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.Group;
 import org.apache.hadoop.security.User;
 import org.apache.hadoop.security.SecurityUtil.AccessControlList;

 /**
  * A {@link Configuration} based security {@link Policy} for Hadoop.
  *
  * {@link ConfiguredPolicy} works in conjunction with a {@link PolicyProvider}
  * for providing service-level authorization for Hadoop.
  */
 public class ConfiguredPolicy extends Policy implements Configurable {
   public static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
   private static final Log LOG = LogFactory.getLog(ConfiguredPolicy.class);

   private Configuration conf;
   private PolicyProvider policyProvider;
   private volatile Map<Principal, Set<Permission>> permissions;
   private volatile Set<Permission> allowedPermissions;

   public ConfiguredPolicy(Configuration conf, PolicyProvider policyProvider) {
     this.conf = conf;
     this.policyProvider = policyProvider;
     refresh();
   }

   @Override
   public Configuration getConf() {
     return conf;
   }

   @Override
   public void setConf(Configuration conf) {
     this.conf = conf;
     refresh();
   }

   @Override
   public boolean implies(ProtectionDomain domain, Permission permission) {
     // Only make checks for domains having principals
     if(domain.getPrincipals().length == 0) {
       return true;
     }

     return super.implies(domain, permission);
   }

   @Override
   public PermissionCollection getPermissions(ProtectionDomain domain) {
     PermissionCollection permissionCollection = super.getPermissions(domain);
     for (Principal principal : domain.getPrincipals()) {
       Set<Permission> principalPermissions = permissions.get(principal);
       if (principalPermissions != null) {
         for (Permission permission : principalPermissions) {
           permissionCollection.add(permission);
         }
       }

       for (Permission permission : allowedPermissions) {
         permissionCollection.add(permission);
       }
     }
     return permissionCollection;
   }

   @Override
   public void refresh() {
     // Get the system property 'hadoop.policy.file'
     String policyFile =
       System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);

     // Make a copy of the original config, and load the policy file
     Configuration policyConf = new Configuration(conf);
     policyConf.addResource(policyFile);

     Map<Principal, Set<Permission>> newPermissions =
       new HashMap<Principal, Set<Permission>>();
     Set<Permission> newAllowPermissions = new HashSet<Permission>();

     // Parse the config file
     Service[] services = policyProvider.getServices();
     if (services != null) {
       for (Service service : services) {
         AccessControlList acl =
           new AccessControlList(
               policyConf.get(service.getServiceKey(),
                              AccessControlList.WILDCARD_ACL_VALUE)
               );

         if (acl.allAllowed()) {
           newAllowPermissions.add(service.getPermission());
           if (LOG.isDebugEnabled()) {
             LOG.debug("Policy - " + service.getPermission() + " * ");
           }
         } else {
           for (String user : acl.getUsers()) {
             addPermission(newPermissions, new User(user), service.getPermission());
           }

           for (String group : acl.getGroups()) {
             addPermission(newPermissions, new Group(group), service.getPermission());
           }
         }
       }
     }

     // Flip to the newly parsed permissions
     allowedPermissions = newAllowPermissions;
     permissions = newPermissions;
   }

   private void addPermission(Map<Principal, Set<Permission>> permissions,
                              Principal principal, Permission permission) {
     Set<Permission> principalPermissions = permissions.get(principal);
     if (principalPermissions == null) {
       principalPermissions = new HashSet<Permission>();
       permissions.put(principal, principalPermissions);
     }
     principalPermissions.add(permission);
     if (LOG.isDebugEnabled()) {
       LOG.debug("Policy - Adding  " + permission + " to " + principal);
     }
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.security.authorize;

	import java.security.Permission;
	import java.security.PermissionCollection;
	import java.security.Policy;
	import java.security.Principal;
	import java.security.ProtectionDomain;
	import java.util.HashMap;
	import java.util.HashSet;
	import java.util.Map;
	import java.util.Set;

	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.apache.hadoop.conf.Configurable;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.security.Group;
	import org.apache.hadoop.security.User;
	import org.apache.hadoop.security.SecurityUtil.AccessControlList;

	/**
	* A {@link Configuration} based security {@link Policy} for Hadoop.
	*
	* {@link ConfiguredPolicy} works in conjunction with a {@link PolicyProvider}
	* for providing service-level authorization for Hadoop.
	*/
	public class ConfiguredPolicy extends Policy implements Configurable {
	public static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
	private static final Log LOG = LogFactory.getLog(ConfiguredPolicy.class);

	private Configuration conf;
	private PolicyProvider policyProvider;
	private volatile Map<Principal, Set<Permission>> permissions;
	private volatile Set<Permission> allowedPermissions;

	public ConfiguredPolicy(Configuration conf, PolicyProvider policyProvider) {
	this.conf = conf;
	this.policyProvider = policyProvider;
	refresh();
	}

	@Override
	public Configuration getConf() {
	return conf;
	}

	@Override
	public void setConf(Configuration conf) {
	this.conf = conf;
	refresh();
	}

	@Override
	public boolean implies(ProtectionDomain domain, Permission permission) {
	// Only make checks for domains having principals
	if(domain.getPrincipals().length == 0) {
	return true;
	}

	return super.implies(domain, permission);
	}

	@Override
	public PermissionCollection getPermissions(ProtectionDomain domain) {
	PermissionCollection permissionCollection = super.getPermissions(domain);
	for (Principal principal : domain.getPrincipals()) {
	Set<Permission> principalPermissions = permissions.get(principal);
	if (principalPermissions != null) {
	for (Permission permission : principalPermissions) {
	permissionCollection.add(permission);
	}
	}

	for (Permission permission : allowedPermissions) {
	permissionCollection.add(permission);
	}
	}
	return permissionCollection;
	}

	@Override
	public void refresh() {
	// Get the system property 'hadoop.policy.file'
	String policyFile =
	System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);

	// Make a copy of the original config, and load the policy file
	Configuration policyConf = new Configuration(conf);
	policyConf.addResource(policyFile);

	Map<Principal, Set<Permission>> newPermissions =
	new HashMap<Principal, Set<Permission>>();
	Set<Permission> newAllowPermissions = new HashSet<Permission>();

	// Parse the config file
	Service[] services = policyProvider.getServices();
	if (services != null) {
	for (Service service : services) {
	AccessControlList acl =
	new AccessControlList(
	policyConf.get(service.getServiceKey(),
	AccessControlList.WILDCARD_ACL_VALUE)
	);

	if (acl.allAllowed()) {
	newAllowPermissions.add(service.getPermission());
	if (LOG.isDebugEnabled()) {
	LOG.debug("Policy - " + service.getPermission() + " * ");
	}
	} else {
	for (String user : acl.getUsers()) {
	addPermission(newPermissions, new User(user), service.getPermission());
	}

	for (String group : acl.getGroups()) {
	addPermission(newPermissions, new Group(group), service.getPermission());
	}
	}
	}
	}

	// Flip to the newly parsed permissions
	allowedPermissions = newAllowPermissions;
	permissions = newPermissions;
	}

	private void addPermission(Map<Principal, Set<Permission>> permissions,
	Principal principal, Permission permission) {
	Set<Permission> principalPermissions = permissions.get(principal);
	if (principalPermissions == null) {
	principalPermissions = new HashSet<Permission>();
	permissions.put(principal, principalPermissions);
	}
	principalPermissions.add(permission);
	if (LOG.isDebugEnabled()) {
	LOG.debug("Policy - Adding " + permission + " to " + principal);
	}
	}
	}