hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.hadoop.security.authorize;

 import com.google.common.base.Preconditions;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.ReflectionUtils;

 import com.google.common.annotations.VisibleForTesting;

 @InterfaceStability.Unstable
 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive"})
 public class ProxyUsers {

   public static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser";

   private static volatile ImpersonationProvider sip ;

   /**
    * Returns an instance of ImpersonationProvider.
    * Looks up the configuration to see if there is custom class specified.
    * @param conf
    * @return ImpersonationProvider
    */
   private static ImpersonationProvider getInstance(Configuration conf) {
     Class<? extends ImpersonationProvider> clazz =
         conf.getClass(
             CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
             DefaultImpersonationProvider.class, ImpersonationProvider.class);
     return ReflectionUtils.newInstance(clazz, conf);
   }

   /**
    * refresh Impersonation rules
    */
   public static void refreshSuperUserGroupsConfiguration() {
     //load server side configuration;
     refreshSuperUserGroupsConfiguration(new Configuration());
   }

   /**
    * Refreshes configuration using the specified Proxy user prefix for
    * properties.
    *
    * @param conf configuration
    * @param proxyUserPrefix proxy user configuration prefix
    */
   public static void refreshSuperUserGroupsConfiguration(Configuration conf,
       String proxyUserPrefix) {
     Preconditions.checkArgument(proxyUserPrefix != null &&
         !proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty");
     // sip is volatile. Any assignment to it as well as the object's state
     // will be visible to all the other threads.
     ImpersonationProvider ip = getInstance(conf);
     ip.init(proxyUserPrefix);
     sip = ip;
     ProxyServers.refresh(conf);
   }

   /**
    * Refreshes configuration using the default Proxy user prefix for properties.
    * @param conf configuration
    */
   public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
     refreshSuperUserGroupsConfiguration(conf, CONF_HADOOP_PROXYUSER);
   }

   /**
    * Authorize the superuser which is doing doAs
    *
    * @param user ugi of the effective or proxy user which contains a real user
    * @param remoteAddress the ip address of client
    * @throws AuthorizationException
    */
   public static void authorize(UserGroupInformation user,
       String remoteAddress) throws AuthorizationException {
     if (sip==null) {
       // In a race situation, It is possible for multiple threads to satisfy this condition.
       // The last assignment will prevail.
       refreshSuperUserGroupsConfiguration();
     }
     sip.authorize(user, remoteAddress);
   }

   /**
    * This function is kept to provide backward compatibility.
    * @param user
    * @param remoteAddress
    * @param conf
    * @throws AuthorizationException
    * @deprecated use {@link #authorize(UserGroupInformation, String) instead.
    */
   @Deprecated
   public static void authorize(UserGroupInformation user,
       String remoteAddress, Configuration conf) throws AuthorizationException {
     authorize(user,remoteAddress);
   }

   @VisibleForTesting
   public static DefaultImpersonationProvider getDefaultImpersonationProvider() {
     return ((DefaultImpersonationProvider)sip);
   }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.security.authorize;

	import com.google.common.base.Preconditions;
	import org.apache.hadoop.classification.InterfaceAudience;
	import org.apache.hadoop.classification.InterfaceStability;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.util.ReflectionUtils;

	import com.google.common.annotations.VisibleForTesting;

	@InterfaceStability.Unstable
	@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive"})
	public class ProxyUsers {

	public static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser";

	private static volatile ImpersonationProvider sip ;

	/**
	* Returns an instance of ImpersonationProvider.
	* Looks up the configuration to see if there is custom class specified.
	* @param conf
	* @return ImpersonationProvider
	*/
	private static ImpersonationProvider getInstance(Configuration conf) {
	Class<? extends ImpersonationProvider> clazz =
	conf.getClass(
	CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
	DefaultImpersonationProvider.class, ImpersonationProvider.class);
	return ReflectionUtils.newInstance(clazz, conf);
	}

	/**
	* refresh Impersonation rules
	*/
	public static void refreshSuperUserGroupsConfiguration() {
	//load server side configuration;
	refreshSuperUserGroupsConfiguration(new Configuration());
	}

	/**
	* Refreshes configuration using the specified Proxy user prefix for
	* properties.
	*
	* @param conf configuration
	* @param proxyUserPrefix proxy user configuration prefix
	*/
	public static void refreshSuperUserGroupsConfiguration(Configuration conf,
	String proxyUserPrefix) {
	Preconditions.checkArgument(proxyUserPrefix != null &&
	!proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty");
	// sip is volatile. Any assignment to it as well as the object's state
	// will be visible to all the other threads.
	ImpersonationProvider ip = getInstance(conf);
	ip.init(proxyUserPrefix);
	sip = ip;
	ProxyServers.refresh(conf);
	}

	/**
	* Refreshes configuration using the default Proxy user prefix for properties.
	* @param conf configuration
	*/
	public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
	refreshSuperUserGroupsConfiguration(conf, CONF_HADOOP_PROXYUSER);
	}

	/**
	* Authorize the superuser which is doing doAs
	*
	* @param user ugi of the effective or proxy user which contains a real user
	* @param remoteAddress the ip address of client
	* @throws AuthorizationException
	*/
	public static void authorize(UserGroupInformation user,
	String remoteAddress) throws AuthorizationException {
	if (sip==null) {
	// In a race situation, It is possible for multiple threads to satisfy this condition.
	// The last assignment will prevail.
	refreshSuperUserGroupsConfiguration();
	}
	sip.authorize(user, remoteAddress);
	}

	/**
	* This function is kept to provide backward compatibility.
	* @param user
	* @param remoteAddress
	* @param conf
	* @throws AuthorizationException
	* @deprecated use {@link #authorize(UserGroupInformation, String) instead.
	*/
	@Deprecated
	public static void authorize(UserGroupInformation user,
	String remoteAddress, Configuration conf) throws AuthorizationException {
	authorize(user,remoteAddress);
	}

	@VisibleForTesting
	public static DefaultImpersonationProvider getDefaultImpersonationProvider() {
	return ((DefaultImpersonationProvider)sip);
	}

	}