hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/acl/OzoneNativeAuthorizer.java - ozone - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with this
  * work for additional information regarding copyright ownership.  The ASF
  * licenses this file to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  * License for the specific language governing permissions and limitations under
  * the License.
  */
 package org.apache.hadoop.ozone.security.acl;

 import org.apache.hadoop.hdds.annotation.InterfaceAudience;
 import org.apache.hadoop.hdds.annotation.InterfaceStability;
 import org.apache.hadoop.ozone.OzoneConsts;
 import org.apache.hadoop.ozone.om.BucketManager;
 import org.apache.hadoop.ozone.om.KeyManager;
 import org.apache.hadoop.ozone.om.PrefixManager;
 import org.apache.hadoop.ozone.om.VolumeManager;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.util.Collection;
 import java.util.Collections;
 import java.util.Objects;

 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD;
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;

 /**
  * Public API for Ozone ACLs. Security providers providing support for Ozone
  * ACLs should implement this.
  */
 @InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})
 @InterfaceStability.Evolving
 public class OzoneNativeAuthorizer implements IAccessAuthorizer {

   private static final Logger LOG =
       LoggerFactory.getLogger(OzoneNativeAuthorizer.class);
   private VolumeManager volumeManager;
   private BucketManager bucketManager;
   private KeyManager keyManager;
   private PrefixManager prefixManager;
   private Collection<String> ozAdmins;

   public OzoneNativeAuthorizer() {
   }

   public OzoneNativeAuthorizer(VolumeManager volumeManager,
       BucketManager bucketManager, KeyManager keyManager,
       PrefixManager prefixManager, Collection<String> ozoneAdmins) {
     this.volumeManager = volumeManager;
     this.bucketManager = bucketManager;
     this.keyManager = keyManager;
     this.prefixManager = prefixManager;
     this.ozAdmins = ozoneAdmins;
   }

   /**
    * Check access for given ozoneObject.
    *
    * @param ozObject object for which access needs to be checked.
    * @param context Context object encapsulating all user related information.
    * @return true if user has access else false.
    */
   public boolean checkAccess(IOzoneObj ozObject, RequestContext context)
       throws OMException {
     Objects.requireNonNull(ozObject);
     Objects.requireNonNull(context);
     OzoneObjInfo objInfo;
     RequestContext parentContext;
     boolean isACLTypeCreate = (context.getAclRights() == ACLType.CREATE);
     boolean isACLTypeDelete = (context.getAclRights() == ACLType.DELETE);

     if (ozObject instanceof OzoneObjInfo) {
       objInfo = (OzoneObjInfo) ozObject;
     } else {
       throw new OMException("Unexpected input received. OM native acls are " +
           "configured to work with OzoneObjInfo type only.", INVALID_REQUEST);
     }

     // by pass all checks for admin
     boolean isAdmin = isAdmin(context.getClientUgi());
     if (isAdmin) {
       return true;
     }

     boolean isListAllVolume = ((context.getAclRights() == ACLType.LIST) &&
         objInfo.getVolumeName().equals(OzoneConsts.OZONE_ROOT));

     // For CREATE and DELETE acl requests, the parents need to be checked
     // for WRITE acl. If Key create request is received, then we need to
     // check if user has WRITE acl set on Bucket and Volume. In all other cases
     // the parents also need to be checked for the same acl type.
     if (isACLTypeCreate || isACLTypeDelete) {
       parentContext = RequestContext.newBuilder()
         .setClientUgi(context.getClientUgi())
         .setIp(context.getIp())
         .setAclType(context.getAclType())
         .setAclRights(ACLType.WRITE)
         .build();
     } else {
       parentContext = context;
     }

     switch (objInfo.getResourceType()) {
     case VOLUME:
       LOG.trace("Checking access for volume: {}", objInfo);
       if (isACLTypeCreate || isListAllVolume) {
         // only admin is allowed to create volume and list all volumes
         return false;
       }
       return volumeManager.checkAccess(objInfo, context);
     case BUCKET:
       LOG.trace("Checking access for bucket: {}", objInfo);
       // Skip bucket access check for CREATE acl since
       // bucket will not exist at the time of creation
       boolean bucketAccess = isACLTypeCreate
           || bucketManager.checkAccess(objInfo, context);
       return (bucketAccess
           && volumeManager.checkAccess(objInfo, parentContext));
     case KEY:
       LOG.trace("Checking access for Key: {}", objInfo);
       // Skip key access check for CREATE acl since
       // key will not exist at the time of creation
       boolean keyAccess = isACLTypeCreate
           || keyManager.checkAccess(objInfo, context);
       return (keyAccess
           && prefixManager.checkAccess(objInfo, parentContext)
           && bucketManager.checkAccess(objInfo, parentContext)
           && volumeManager.checkAccess(objInfo, parentContext));
     case PREFIX:
       LOG.trace("Checking access for Prefix: {}", objInfo);
       // Skip prefix access check for CREATE acl since
       // prefix will not exist at the time of creation
       boolean prefixAccess = isACLTypeCreate
           || prefixManager.checkAccess(objInfo, context);
       return (prefixAccess
           && bucketManager.checkAccess(objInfo, parentContext)
           && volumeManager.checkAccess(objInfo, parentContext));
     default:
       throw new OMException("Unexpected object type:" +
           objInfo.getResourceType(), INVALID_REQUEST);
     }
   }

   public void setVolumeManager(VolumeManager volumeManager) {
     this.volumeManager = volumeManager;
   }

   public void setBucketManager(BucketManager bucketManager) {
     this.bucketManager = bucketManager;
   }

   public void setKeyManager(KeyManager keyManager) {
     this.keyManager = keyManager;
   }

   public void setPrefixManager(PrefixManager prefixManager) {
     this.prefixManager = prefixManager;
   }

   public void setOzoneAdmins(Collection<String> ozoneAdmins) {
     this.ozAdmins = ozoneAdmins;
   }

   public Collection<String> getOzoneAdmins() {
     return Collections.unmodifiableCollection(this.ozAdmins);
   }

   private boolean isAdmin(UserGroupInformation callerUgi) {
     if (ozAdmins == null) {
       return false;
     }

     if (ozAdmins.contains(callerUgi.getShortUserName()) ||
         ozAdmins.contains(callerUgi.getUserName()) ||
         ozAdmins.contains(OZONE_ADMINISTRATORS_WILDCARD)) {
       return true;
     }

     return false;
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with this
	* work for additional information regarding copyright ownership. The ASF
	* licenses this file to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	* License for the specific language governing permissions and limitations under
	* the License.
	*/
	package org.apache.hadoop.ozone.security.acl;

	import org.apache.hadoop.hdds.annotation.InterfaceAudience;
	import org.apache.hadoop.hdds.annotation.InterfaceStability;
	import org.apache.hadoop.ozone.OzoneConsts;
	import org.apache.hadoop.ozone.om.BucketManager;
	import org.apache.hadoop.ozone.om.KeyManager;
	import org.apache.hadoop.ozone.om.PrefixManager;
	import org.apache.hadoop.ozone.om.VolumeManager;
	import org.apache.hadoop.ozone.om.exceptions.OMException;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.util.Collection;
	import java.util.Collections;
	import java.util.Objects;

	import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS_WILDCARD;
	import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;

	/**
	* Public API for Ozone ACLs. Security providers providing support for Ozone
	* ACLs should implement this.
	*/
	@InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})
	@InterfaceStability.Evolving
	public class OzoneNativeAuthorizer implements IAccessAuthorizer {

	private static final Logger LOG =
	LoggerFactory.getLogger(OzoneNativeAuthorizer.class);
	private VolumeManager volumeManager;
	private BucketManager bucketManager;
	private KeyManager keyManager;
	private PrefixManager prefixManager;
	private Collection<String> ozAdmins;

	public OzoneNativeAuthorizer() {
	}

	public OzoneNativeAuthorizer(VolumeManager volumeManager,
	BucketManager bucketManager, KeyManager keyManager,
	PrefixManager prefixManager, Collection<String> ozoneAdmins) {
	this.volumeManager = volumeManager;
	this.bucketManager = bucketManager;
	this.keyManager = keyManager;
	this.prefixManager = prefixManager;
	this.ozAdmins = ozoneAdmins;
	}

	/**
	* Check access for given ozoneObject.
	*
	* @param ozObject object for which access needs to be checked.
	* @param context Context object encapsulating all user related information.
	* @return true if user has access else false.
	*/
	public boolean checkAccess(IOzoneObj ozObject, RequestContext context)
	throws OMException {
	Objects.requireNonNull(ozObject);
	Objects.requireNonNull(context);
	OzoneObjInfo objInfo;
	RequestContext parentContext;
	boolean isACLTypeCreate = (context.getAclRights() == ACLType.CREATE);
	boolean isACLTypeDelete = (context.getAclRights() == ACLType.DELETE);

	if (ozObject instanceof OzoneObjInfo) {
	objInfo = (OzoneObjInfo) ozObject;
	} else {
	throw new OMException("Unexpected input received. OM native acls are " +
	"configured to work with OzoneObjInfo type only.", INVALID_REQUEST);
	}

	// by pass all checks for admin
	boolean isAdmin = isAdmin(context.getClientUgi());
	if (isAdmin) {
	return true;
	}

	boolean isListAllVolume = ((context.getAclRights() == ACLType.LIST) &&
	objInfo.getVolumeName().equals(OzoneConsts.OZONE_ROOT));

	// For CREATE and DELETE acl requests, the parents need to be checked
	// for WRITE acl. If Key create request is received, then we need to
	// check if user has WRITE acl set on Bucket and Volume. In all other cases
	// the parents also need to be checked for the same acl type.
	if (isACLTypeCreate \|\| isACLTypeDelete) {
	parentContext = RequestContext.newBuilder()
	.setClientUgi(context.getClientUgi())
	.setIp(context.getIp())
	.setAclType(context.getAclType())
	.setAclRights(ACLType.WRITE)
	.build();
	} else {
	parentContext = context;
	}

	switch (objInfo.getResourceType()) {
	case VOLUME:
	LOG.trace("Checking access for volume: {}", objInfo);
	if (isACLTypeCreate \|\| isListAllVolume) {
	// only admin is allowed to create volume and list all volumes
	return false;
	}
	return volumeManager.checkAccess(objInfo, context);
	case BUCKET:
	LOG.trace("Checking access for bucket: {}", objInfo);
	// Skip bucket access check for CREATE acl since
	// bucket will not exist at the time of creation
	boolean bucketAccess = isACLTypeCreate
	\|\| bucketManager.checkAccess(objInfo, context);
	return (bucketAccess
	&& volumeManager.checkAccess(objInfo, parentContext));
	case KEY:
	LOG.trace("Checking access for Key: {}", objInfo);
	// Skip key access check for CREATE acl since
	// key will not exist at the time of creation
	boolean keyAccess = isACLTypeCreate
	\|\| keyManager.checkAccess(objInfo, context);
	return (keyAccess
	&& prefixManager.checkAccess(objInfo, parentContext)
	&& bucketManager.checkAccess(objInfo, parentContext)
	&& volumeManager.checkAccess(objInfo, parentContext));
	case PREFIX:
	LOG.trace("Checking access for Prefix: {}", objInfo);
	// Skip prefix access check for CREATE acl since
	// prefix will not exist at the time of creation
	boolean prefixAccess = isACLTypeCreate
	\|\| prefixManager.checkAccess(objInfo, context);
	return (prefixAccess
	&& bucketManager.checkAccess(objInfo, parentContext)
	&& volumeManager.checkAccess(objInfo, parentContext));
	default:
	throw new OMException("Unexpected object type:" +
	objInfo.getResourceType(), INVALID_REQUEST);
	}
	}

	public void setVolumeManager(VolumeManager volumeManager) {
	this.volumeManager = volumeManager;
	}

	public void setBucketManager(BucketManager bucketManager) {
	this.bucketManager = bucketManager;
	}

	public void setKeyManager(KeyManager keyManager) {
	this.keyManager = keyManager;
	}

	public void setPrefixManager(PrefixManager prefixManager) {
	this.prefixManager = prefixManager;
	}

	public void setOzoneAdmins(Collection<String> ozoneAdmins) {
	this.ozAdmins = ozoneAdmins;
	}

	public Collection<String> getOzoneAdmins() {
	return Collections.unmodifiableCollection(this.ozAdmins);
	}

	private boolean isAdmin(UserGroupInformation callerUgi) {
	if (ozAdmins == null) {
	return false;
	}

	if (ozAdmins.contains(callerUgi.getShortUserName()) \|\|
	ozAdmins.contains(callerUgi.getUserName()) \|\|
	ozAdmins.contains(OZONE_ADMINISTRATORS_WILDCARD)) {
	return true;
	}

	return false;
	}
	}