| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package backtype.storm.security.auth.authorizer; |
| |
| import java.util.Arrays; |
| import java.util.Map; |
| import java.util.Set; |
| import java.util.HashSet; |
| import java.util.Collection; |
| import java.io.IOException; |
| |
| import backtype.storm.Config; |
| import backtype.storm.security.auth.IAuthorizer; |
| import backtype.storm.security.auth.ReqContext; |
| import backtype.storm.security.auth.AuthUtils; |
| import backtype.storm.security.auth.IPrincipalToLocal; |
| import backtype.storm.security.auth.IGroupMappingServiceProvider; |
| |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| /** |
| * An authorization implementation that simply checks if a user is allowed to perform specific |
| * operations. |
| */ |
| public class SimpleACLAuthorizer implements IAuthorizer { |
| private static final Logger LOG = LoggerFactory.getLogger(SimpleACLAuthorizer.class); |
| |
| protected Set<String> _userCommands = new HashSet<String>(Arrays.asList("submitTopology", "fileUpload", "getNimbusConf", "getClusterInfo")); |
| protected Set<String> _supervisorCommands = new HashSet<String>(Arrays.asList("fileDownload")); |
| protected Set<String> _topoCommands = new HashSet<String>(Arrays.asList("killTopology","rebalance","activate","deactivate","getTopologyConf","getTopology","getUserTopology","getTopologyInfo","uploadNewCredentials")); |
| |
| protected Set<String> _admins; |
| protected Set<String> _supervisors; |
| protected Set<String> _nimbusUsers; |
| protected Set<String> _nimbusGroups; |
| protected IPrincipalToLocal _ptol; |
| protected IGroupMappingServiceProvider _groupMappingProvider; |
| /** |
| * Invoked once immediately after construction |
| * @param conf Storm configuration |
| */ |
| @Override |
| public void prepare(Map conf) { |
| _admins = new HashSet<String>(); |
| _supervisors = new HashSet<String>(); |
| _nimbusUsers = new HashSet<String>(); |
| _nimbusGroups = new HashSet<String>(); |
| |
| if (conf.containsKey(Config.NIMBUS_ADMINS)) { |
| _admins.addAll((Collection<String>)conf.get(Config.NIMBUS_ADMINS)); |
| } |
| if (conf.containsKey(Config.NIMBUS_SUPERVISOR_USERS)) { |
| _supervisors.addAll((Collection<String>)conf.get(Config.NIMBUS_SUPERVISOR_USERS)); |
| } |
| if (conf.containsKey(Config.NIMBUS_USERS)) { |
| _nimbusUsers.addAll((Collection<String>)conf.get(Config.NIMBUS_USERS)); |
| } |
| |
| if (conf.containsKey(Config.NIMBUS_GROUPS)) { |
| _nimbusGroups.addAll((Collection<String>)conf.get(Config.NIMBUS_GROUPS)); |
| } |
| |
| _ptol = AuthUtils.GetPrincipalToLocalPlugin(conf); |
| _groupMappingProvider = AuthUtils.GetGroupMappingServiceProviderPlugin(conf); |
| } |
| |
| /** |
| * permit() method is invoked for each incoming Thrift request |
| * @param context request context includes info about |
| * @param operation operation name |
| * @param topology_conf configuration of targeted topology |
| * @return true if the request is authorized, false if reject |
| */ |
| @Override |
| public boolean permit(ReqContext context, String operation, Map topology_conf) { |
| LOG.info("[req " + context.requestID() + "] Access " |
| + " from: " + (context.remoteAddress() == null ? "null" : context.remoteAddress().toString()) |
| + (context.principal() == null ? "" : (" principal:" + context.principal())) |
| + " op:" + operation |
| + (topology_conf == null ? "" : (" topoology:" + topology_conf.get(Config.TOPOLOGY_NAME)))); |
| |
| String principal = context.principal().getName(); |
| String user = _ptol.toLocal(context.principal()); |
| Set<String> userGroups = new HashSet<String>(); |
| |
| if (_groupMappingProvider != null) { |
| try { |
| userGroups = _groupMappingProvider.getGroups(user); |
| } catch(IOException e) { |
| LOG.warn("Error while trying to fetch user groups",e); |
| } |
| } |
| |
| if (_admins.contains(principal) || _admins.contains(user)) { |
| return true; |
| } |
| |
| if (_supervisors.contains(principal) || _supervisors.contains(user)) { |
| return _supervisorCommands.contains(operation); |
| } |
| |
| if (_userCommands.contains(operation)) { |
| return _nimbusUsers.size() == 0 || _nimbusUsers.contains(user) || checkUserGroupAllowed(userGroups, _nimbusGroups); |
| } |
| |
| if (_topoCommands.contains(operation)) { |
| Set topoUsers = new HashSet<String>(); |
| if (topology_conf.containsKey(Config.TOPOLOGY_USERS)) { |
| topoUsers.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_USERS)); |
| } |
| |
| if (topoUsers.contains(principal) || topoUsers.contains(user)) { |
| return true; |
| } |
| |
| Set<String> topoGroups = new HashSet<String>(); |
| if (topology_conf.containsKey(Config.TOPOLOGY_GROUPS) && topology_conf.get(Config.TOPOLOGY_GROUPS) != null) { |
| topoGroups.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS)); |
| } |
| |
| if (checkUserGroupAllowed(userGroups, topoGroups)) return true; |
| } |
| return false; |
| } |
| |
| private Boolean checkUserGroupAllowed(Set<String> userGroups, Set<String> configuredGroups) { |
| if(userGroups.size() > 0 && configuredGroups.size() > 0) { |
| for (String tgroup : configuredGroups) { |
| if(userGroups.contains(tgroup)) |
| return true; |
| } |
| } |
| return false; |
| } |
| } |