/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.yarn.security;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience.Private;
import org.apache.hadoop.classification.InterfaceStability.Unstable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import com.google.common.annotations.VisibleForTesting;
import java.util.List;
/**
* An implementation of this class provides authorization-related
* information and enforces permission checks. It is expected that all of the
* methods defined here are non-blocking calls and do not involve expensive
* computation, as these methods could be invoked in RPC.
*/
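@Private
@Unstable
public abstract class YarnAuthorizationProvider {

  private static final Log LOG =
      LogFactory.getLog(YarnAuthorizationProvider.class);

  // Process-wide singleton. Every read and write of this field happens while
  // holding the YarnAuthorizationProvider.class monitor.
  private static YarnAuthorizationProvider authorizer = null;

  /**
   * Return the process-wide authorization provider, creating it on first use.
   *
   * <p>The implementation class is read from
   * {@link YarnConfiguration#YARN_AUTHORIZATION_PROVIDER}; when that key is
   * unset, {@link ConfiguredYarnAuthorizer} is used. The class is instantiated
   * reflectively, so the integrity of this configuration value decides which
   * code makes authorization decisions for the process.
   *
   * <p>Only the first successful call consults {@code conf}. Later calls
   * return the cached instance and ignore their argument until
   * {@link #destroy()} is called.
   *
   * <p>The instance is published only after {@link #init(Configuration)}
   * returns normally. If construction or initialization throws, nothing is
   * cached and the next call retries, so callers never receive a provider
   * whose initialization failed.
   *
   * @param conf configuration used to select and initialize the provider
   * @return the shared provider instance
   * @throws ClassCastException if the configured class is not a
   *         {@link YarnAuthorizationProvider}
   */
  public static YarnAuthorizationProvider getInstance(Configuration conf) {
    synchronized (YarnAuthorizationProvider.class) {
      if (authorizer == null) {
        Class<?> authorizerClass =
            conf.getClass(YarnConfiguration.YARN_AUTHORIZATION_PROVIDER,
                ConfiguredYarnAuthorizer.class);
        // Build and initialize into a local first: assigning the static field
        // before init() would leave a half-initialized provider cached if
        // init() threw, and every later caller would get it back.
        YarnAuthorizationProvider candidate =
            (YarnAuthorizationProvider) ReflectionUtils.newInstance(
                authorizerClass, conf);
        candidate.init(conf);
        authorizer = candidate;
        LOG.info(authorizerClass.getName() + " is instantiated.");
      }
      // Return while still holding the lock so a concurrent destroy() cannot
      // null the field between the check above and the read here.
      return authorizer;
    }
  }

  /**
   * Destroy the {@link YarnAuthorizationProvider} instance.
   * This method is called only in Tests.
   *
   * <p>After this call the next {@link #getInstance(Configuration)} builds a
   * new provider from whatever configuration it is given.
   */
  @VisibleForTesting
  public static void destroy() {
    synchronized (YarnAuthorizationProvider.class) {
      if (authorizer != null) {
        if (LOG.isDebugEnabled()) {
          LOG.debug(authorizer.getClass().getName() + " is destroyed.");
        }
        authorizer = null;
      }
    }
  }

  /**
   * Initialize the provider based on configurations. Invoked on daemon
   * startup; {@link #getInstance(Configuration)} calls it once, directly
   * after constructing the instance and before the instance is made visible
   * to other callers.
   *
   * @param conf configuration the provider is initialized from
   */
  public abstract void init(Configuration conf);

  /**
   * Check if user has the permission to access the target object.
   *
   * <p>NOTE(review): the result when the request cannot be evaluated is up to
   * the implementation; returning {@code false} in that case keeps the check
   * fail-closed. Confirm per provider.
   *
   * @param accessRequest
   *          the request object which contains all the access context info.
   * @return true if user can access the object, otherwise false.
   */
  public abstract boolean checkPermission(AccessRequest accessRequest);

  /**
   * Set permissions for the target object.
   *
   * <p>NOTE(review): this contract does not say whether {@code ugi} is checked
   * for the right to change permissions; verify in each implementation and
   * at the call sites.
   *
   * @param permissions
   *          A list of permissions on the target object.
   * @param ugi User who sets the permissions.
   */
  public abstract void setPermission(List<Permission> permissions,
      UserGroupInformation ugi);

  /**
   * Set a list of users/groups who have admin access.
   *
   * <p>NOTE(review): as with {@link #setPermission}, whether {@code ugi} must
   * already be an admin is not stated here; verify in each implementation.
   *
   * @param acls users/groups who have admin access
   * @param ugi User who sets the admin acls.
   */
  public abstract void setAdmins(AccessControlList acls,
      UserGroupInformation ugi);

  /**
   * Check if the user is an admin.
   *
   * @param ugi the user to be determined if it is an admin
   * @return true if the given user is an admin
   */
  public abstract boolean isAdmin(UserGroupInformation ugi);
}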