Google Git
Sign in
apache / storm / 925422a5b5ad1c3329a2c2b44db460ae94f70806 / . / storm-client / src / jvm / org / apache / storm / security / auth / authorizer / DRPCSimpleACLAuthorizer.java
blob: 00d50c4404857b01e1073d1da4e63e7023cdf392 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version
* 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package org.apache.storm.security.auth.authorizer;
import java.lang.reflect.Field;
import java.security.Principal;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.storm.Config;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.IPrincipalToLocal;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.shade.com.google.common.annotations.VisibleForTesting;
import org.apache.storm.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
public class DRPCSimpleACLAuthorizer extends DRPCAuthorizerBase {
public static final Logger LOG =
LoggerFactory.getLogger(DRPCSimpleACLAuthorizer.class);
public static final String CLIENT_USERS_KEY = "client.users";
public static final String INVOCATION_USER_KEY = "invocation.user";
public static final String FUNCTION_KEY = "function.name";
protected String aclFileName = "";
protected IPrincipalToLocal ptol;
protected boolean permitWhenMissingFunctionEntry = false;
private volatile Map<String, AclFunctionEntry> acl = null;
private volatile long lastUpdate = 0;
protected Map<String, AclFunctionEntry> readAclFromConfig() {
//Thread safety is mostly around acl. If acl needs to be updated it is changed atomically
//More then one thread may be trying to update it at a time, but that is OK, because the
//change is atomic
long now = System.currentTimeMillis();
if ((now - 5000) > lastUpdate || acl == null) {
Map<String, AclFunctionEntry> acl = new HashMap<>();
Map<String, Object> conf = Utils.findAndReadConfigFile(aclFileName);
if (conf.containsKey(Config.DRPC_AUTHORIZER_ACL)) {
Map<String, Map<String, ?>> confAcl =
(Map<String, Map<String, ?>>)
conf.get(Config.DRPC_AUTHORIZER_ACL);
for (Map.Entry<String, Map<String, ?>> entry : confAcl.entrySet()) {
Map<String, ?> val = entry.getValue();
Collection<String> clientUsers = val.containsKey(CLIENT_USERS_KEY)
? (Collection<String>) val.get(CLIENT_USERS_KEY)
: null;
String invocationUser = val.containsKey(INVOCATION_USER_KEY)
? (String) val.get(INVOCATION_USER_KEY)
: null;
acl.put(entry.getKey(),
new AclFunctionEntry(clientUsers, invocationUser));
}
} else if (!permitWhenMissingFunctionEntry) {
LOG.warn("Requiring explicit ACL entries, but none given. Therefore, all operations will be denied.");
}
this.acl = acl;
lastUpdate = System.currentTimeMillis();
}
return acl;
}
@Override
public void prepare(Map<String, Object> conf) {
Boolean isStrict =
(Boolean) conf.get(Config.DRPC_AUTHORIZER_ACL_STRICT);
permitWhenMissingFunctionEntry =
(isStrict != null && !isStrict);
aclFileName = (String) conf.get(Config.DRPC_AUTHORIZER_ACL_FILENAME);
ptol = ClientAuthUtils.getPrincipalToLocalPlugin(conf);
}
private String getUserFromContext(ReqContext context) {
if (context != null) {
Principal princ = context.principal();
if (princ != null) {
return princ.getName();
}
}
return null;
}
private String getLocalUserFromContext(ReqContext context) {
if (context != null) {
return ptol.toLocal(context.principal());
}
return null;
}
protected boolean permitClientOrInvocationRequest(ReqContext context, Map<String, Object> params,
String fieldName) {
Map<String, AclFunctionEntry> acl = readAclFromConfig();
String function = (String) params.get(FUNCTION_KEY);
if (function != null && !function.isEmpty()) {
AclFunctionEntry entry = acl.get(function);
if (entry == null && permitWhenMissingFunctionEntry) {
return true;
}
if (entry != null) {
Object value;
try {
Field field = AclFunctionEntry.class.getDeclaredField(fieldName);
value = field.get(entry);
} catch (Exception ex) {
LOG.warn("Caught Exception while accessing ACL", ex);
return false;
}
String principal = getUserFromContext(context);
String user = getLocalUserFromContext(context);
if (value == null) {
LOG.warn("Configuration for function '" + function + "' is "
+ "invalid: it should have both an invocation user and a list of client users defined.");
} else if (value instanceof Set && (((Set<String>) value).contains(principal)
|| ((Set<String>) value).contains(user))) {
return true;
} else if (value instanceof String && (value.equals(principal)
|| value.equals(user))) {
return true;
}
}
}
return false;
}
@Override
protected boolean permitClientRequest(ReqContext context, String operation,
Map<String, Object> params) {
return permitClientOrInvocationRequest(context, params, "clientUsers");
}
@Override
protected boolean permitInvocationRequest(ReqContext context, String operation,
Map<String, Object> params) {
return permitClientOrInvocationRequest(context, params, "invocationUser");
}
@VisibleForTesting
public static class AclFunctionEntry {
public final Set<String> clientUsers;
public final String invocationUser;
public AclFunctionEntry(Collection<String> clientUsers,
String invocationUser) {
this.clientUsers = (clientUsers != null)
? new HashSet<>(clientUsers)
: new HashSet<String>();
this.invocationUser = invocationUser;
}
}
}