storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java - storm - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package backtype.storm.security.auth.authorizer;

 import java.util.Arrays;
 import java.util.Map;
 import java.util.Set;
 import java.util.HashSet;
 import java.util.Collection;
 import java.io.IOException;

 import backtype.storm.Config;
 import backtype.storm.security.auth.IAuthorizer;
 import backtype.storm.security.auth.ReqContext;
 import backtype.storm.security.auth.AuthUtils;
 import backtype.storm.security.auth.IPrincipalToLocal;
 import backtype.storm.security.auth.IGroupMappingServiceProvider;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 /**
  * An authorization implementation that simply checks if a user is allowed to perform specific
  * operations.
  */
 public class SimpleACLAuthorizer implements IAuthorizer {
     private static final Logger LOG = LoggerFactory.getLogger(SimpleACLAuthorizer.class);

     protected Set<String> _userCommands = new HashSet<String>(Arrays.asList("submitTopology", "fileUpload", "getNimbusConf", "getClusterInfo"));
     protected Set<String> _supervisorCommands = new HashSet<String>(Arrays.asList("fileDownload"));
     protected Set<String> _topoCommands = new HashSet<String>(Arrays.asList("killTopology","rebalance","activate","deactivate","getTopologyConf","getTopology","getUserTopology","getTopologyInfo","uploadNewCredentials"));

     protected Set<String> _admins;
     protected Set<String> _supervisors;
     protected Set<String> _nimbusUsers;
     protected Set<String> _nimbusGroups;
     protected IPrincipalToLocal _ptol;
     protected IGroupMappingServiceProvider _groupMappingProvider;
     /**
      * Invoked once immediately after construction
      * @param conf Storm configuration
      */
     @Override
     public void prepare(Map conf) {
         _admins = new HashSet<String>();
         _supervisors = new HashSet<String>();
         _nimbusUsers = new HashSet<String>();
         _nimbusGroups = new HashSet<String>();

         if (conf.containsKey(Config.NIMBUS_ADMINS)) {
             _admins.addAll((Collection<String>)conf.get(Config.NIMBUS_ADMINS));
         }
         if (conf.containsKey(Config.NIMBUS_SUPERVISOR_USERS)) {
             _supervisors.addAll((Collection<String>)conf.get(Config.NIMBUS_SUPERVISOR_USERS));
         }
         if (conf.containsKey(Config.NIMBUS_USERS)) {
             _nimbusUsers.addAll((Collection<String>)conf.get(Config.NIMBUS_USERS));
         }

         if (conf.containsKey(Config.NIMBUS_GROUPS)) {
             _nimbusGroups.addAll((Collection<String>)conf.get(Config.NIMBUS_GROUPS));
         }

         _ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
         _groupMappingProvider = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
     }

     /**
      * permit() method is invoked for each incoming Thrift request
      * @param context request context includes info about
      * @param operation operation name
      * @param topology_conf configuration of targeted topology
      * @return true if the request is authorized, false if reject
      */
     @Override
     public boolean permit(ReqContext context, String operation, Map topology_conf) {
         LOG.info("[req " + context.requestID() + "] Access "
                 + " from: " + (context.remoteAddress() == null ? "null" : context.remoteAddress().toString())
                 + (context.principal() == null ? "" : (" principal:" + context.principal()))
                 + " op:" + operation
                 + (topology_conf == null ? "" : (" topoology:" + topology_conf.get(Config.TOPOLOGY_NAME))));

         String principal = context.principal().getName();
         String user = _ptol.toLocal(context.principal());
         Set<String> userGroups = new HashSet<String>();

         if (_groupMappingProvider != null) {
             try {
                 userGroups = _groupMappingProvider.getGroups(user);
             } catch(IOException e) {
                 LOG.warn("Error while trying to fetch user groups",e);
             }
         }

         if (_admins.contains(principal) || _admins.contains(user)) {
             return true;
         }

         if (_supervisors.contains(principal) || _supervisors.contains(user)) {
             return _supervisorCommands.contains(operation);
         }

         if (_userCommands.contains(operation)) {
             return _nimbusUsers.size() == 0 || _nimbusUsers.contains(user) || checkUserGroupAllowed(userGroups, _nimbusGroups);
         }

         if (_topoCommands.contains(operation)) {
             Set topoUsers = new HashSet<String>();
             if (topology_conf.containsKey(Config.TOPOLOGY_USERS)) {
                 topoUsers.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_USERS));
             }

             if (topoUsers.contains(principal) || topoUsers.contains(user)) {
                 return true;
             }

             Set<String> topoGroups = new HashSet<String>();
             if (topology_conf.containsKey(Config.TOPOLOGY_GROUPS) && topology_conf.get(Config.TOPOLOGY_GROUPS) != null) {
                 topoGroups.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS));
             }

             if (checkUserGroupAllowed(userGroups, topoGroups)) return true;
         }
         return false;
     }

     private Boolean checkUserGroupAllowed(Set<String> userGroups, Set<String> configuredGroups) {
         if(userGroups.size() > 0 && configuredGroups.size() > 0) {
             for (String tgroup : configuredGroups) {
                 if(userGroups.contains(tgroup))
                     return true;
             }
         }
         return false;
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package backtype.storm.security.auth.authorizer;

	import java.util.Arrays;
	import java.util.Map;
	import java.util.Set;
	import java.util.HashSet;
	import java.util.Collection;
	import java.io.IOException;

	import backtype.storm.Config;
	import backtype.storm.security.auth.IAuthorizer;
	import backtype.storm.security.auth.ReqContext;
	import backtype.storm.security.auth.AuthUtils;
	import backtype.storm.security.auth.IPrincipalToLocal;
	import backtype.storm.security.auth.IGroupMappingServiceProvider;

	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	/**
	* An authorization implementation that simply checks if a user is allowed to perform specific
	* operations.
	*/
	public class SimpleACLAuthorizer implements IAuthorizer {
	private static final Logger LOG = LoggerFactory.getLogger(SimpleACLAuthorizer.class);

	protected Set<String> _userCommands = new HashSet<String>(Arrays.asList("submitTopology", "fileUpload", "getNimbusConf", "getClusterInfo"));
	protected Set<String> _supervisorCommands = new HashSet<String>(Arrays.asList("fileDownload"));
	protected Set<String> _topoCommands = new HashSet<String>(Arrays.asList("killTopology","rebalance","activate","deactivate","getTopologyConf","getTopology","getUserTopology","getTopologyInfo","uploadNewCredentials"));

	protected Set<String> _admins;
	protected Set<String> _supervisors;
	protected Set<String> _nimbusUsers;
	protected Set<String> _nimbusGroups;
	protected IPrincipalToLocal _ptol;
	protected IGroupMappingServiceProvider _groupMappingProvider;
	/**
	* Invoked once immediately after construction
	* @param conf Storm configuration
	*/
	@Override
	public void prepare(Map conf) {
	_admins = new HashSet<String>();
	_supervisors = new HashSet<String>();
	_nimbusUsers = new HashSet<String>();
	_nimbusGroups = new HashSet<String>();

	if (conf.containsKey(Config.NIMBUS_ADMINS)) {
	_admins.addAll((Collection<String>)conf.get(Config.NIMBUS_ADMINS));
	}
	if (conf.containsKey(Config.NIMBUS_SUPERVISOR_USERS)) {
	_supervisors.addAll((Collection<String>)conf.get(Config.NIMBUS_SUPERVISOR_USERS));
	}
	if (conf.containsKey(Config.NIMBUS_USERS)) {
	_nimbusUsers.addAll((Collection<String>)conf.get(Config.NIMBUS_USERS));
	}

	if (conf.containsKey(Config.NIMBUS_GROUPS)) {
	_nimbusGroups.addAll((Collection<String>)conf.get(Config.NIMBUS_GROUPS));
	}

	_ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
	_groupMappingProvider = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
	}

	/**
	* permit() method is invoked for each incoming Thrift request
	* @param context request context includes info about
	* @param operation operation name
	* @param topology_conf configuration of targeted topology
	* @return true if the request is authorized, false if reject
	*/
	@Override
	public boolean permit(ReqContext context, String operation, Map topology_conf) {
	LOG.info("[req " + context.requestID() + "] Access "
	+ " from: " + (context.remoteAddress() == null ? "null" : context.remoteAddress().toString())
	+ (context.principal() == null ? "" : (" principal:" + context.principal()))
	+ " op:" + operation
	+ (topology_conf == null ? "" : (" topoology:" + topology_conf.get(Config.TOPOLOGY_NAME))));

	String principal = context.principal().getName();
	String user = _ptol.toLocal(context.principal());
	Set<String> userGroups = new HashSet<String>();

	if (_groupMappingProvider != null) {
	try {
	userGroups = _groupMappingProvider.getGroups(user);
	} catch(IOException e) {
	LOG.warn("Error while trying to fetch user groups",e);
	}
	}

	if (_admins.contains(principal) \|\| _admins.contains(user)) {
	return true;
	}

	if (_supervisors.contains(principal) \|\| _supervisors.contains(user)) {
	return _supervisorCommands.contains(operation);
	}

	if (_userCommands.contains(operation)) {
	return _nimbusUsers.size() == 0 \|\| _nimbusUsers.contains(user) \|\| checkUserGroupAllowed(userGroups, _nimbusGroups);
	}

	if (_topoCommands.contains(operation)) {
	Set topoUsers = new HashSet<String>();
	if (topology_conf.containsKey(Config.TOPOLOGY_USERS)) {
	topoUsers.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_USERS));
	}

	if (topoUsers.contains(principal) \|\| topoUsers.contains(user)) {
	return true;
	}

	Set<String> topoGroups = new HashSet<String>();
	if (topology_conf.containsKey(Config.TOPOLOGY_GROUPS) && topology_conf.get(Config.TOPOLOGY_GROUPS) != null) {
	topoGroups.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS));
	}

	if (checkUserGroupAllowed(userGroups, topoGroups)) return true;
	}
	return false;
	}

	private Boolean checkUserGroupAllowed(Set<String> userGroups, Set<String> configuredGroups) {
	if(userGroups.size() > 0 && configuredGroups.size() > 0) {
	for (String tgroup : configuredGroups) {
	if(userGroups.contains(tgroup))
	return true;
	}
	}
	return false;
	}
	}