jstorm-core/src/main/java/backtype/storm/security/auth/authorizer/DRPCSimpleACLAuthorizer.java - storm - Git at Google

 package backtype.storm.security.auth.authorizer;

 import java.lang.reflect.Field;
 import java.security.Principal;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;

 import backtype.storm.Config;
 import backtype.storm.security.auth.ReqContext;
 import backtype.storm.security.auth.authorizer.DRPCAuthorizerBase;
 import backtype.storm.security.auth.AuthUtils;
 import backtype.storm.security.auth.IPrincipalToLocal;
 import backtype.storm.utils.Utils;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 public class DRPCSimpleACLAuthorizer extends DRPCAuthorizerBase {
     public static Logger LOG = LoggerFactory.getLogger(DRPCSimpleACLAuthorizer.class);

     public static final String CLIENT_USERS_KEY = "client.users";
     public static final String INVOCATION_USER_KEY = "invocation.user";
     public static final String FUNCTION_KEY = "function.name";

     protected String _aclFileName = "";
     protected IPrincipalToLocal _ptol;
     protected boolean _permitWhenMissingFunctionEntry = false;

     protected class AclFunctionEntry {
         final public Set<String> clientUsers;
         final public String invocationUser;

         public AclFunctionEntry(Collection<String> clientUsers, String invocationUser) {
             this.clientUsers = (clientUsers != null) ? new HashSet<String>(clientUsers) : new HashSet<String>();
             this.invocationUser = invocationUser;
         }
     }

     private volatile Map<String, AclFunctionEntry> _acl = null;
     private volatile long _lastUpdate = 0;

     protected Map<String, AclFunctionEntry> readAclFromConfig() {
         // Thread safety is mostly around _acl. If _acl needs to be updated it is changed atomically
         // More then one thread may be trying to update it at a time, but that is OK, because the
         // change is atomic
         long now = System.currentTimeMillis();
         if ((now - 5000) > _lastUpdate || _acl == null) {
             Map<String, AclFunctionEntry> acl = new HashMap<String, AclFunctionEntry>();
             Map conf = Utils.findAndReadConfigFile(_aclFileName);
             if (conf.containsKey(Config.DRPC_AUTHORIZER_ACL)) {
                 Map<String, Map<String, ?>> confAcl = (Map<String, Map<String, ?>>) conf.get(Config.DRPC_AUTHORIZER_ACL);

                 for (String function : confAcl.keySet()) {
                     Map<String, ?> val = confAcl.get(function);
                     Collection<String> clientUsers = val.containsKey(CLIENT_USERS_KEY) ? (Collection<String>) val.get(CLIENT_USERS_KEY) : null;
                     String invocationUser = val.containsKey(INVOCATION_USER_KEY) ? (String) val.get(INVOCATION_USER_KEY) : null;
                     acl.put(function, new AclFunctionEntry(clientUsers, invocationUser));
                 }
             } else if (!_permitWhenMissingFunctionEntry) {
                 LOG.warn("Requiring explicit ACL entries, but none given. " + "Therefore, all operiations will be denied.");
             }
             _acl = acl;
             _lastUpdate = System.currentTimeMillis();
         }
         return _acl;
     }

     @Override
     public void prepare(Map conf) {
         Boolean isStrict = (Boolean) conf.get(Config.DRPC_AUTHORIZER_ACL_STRICT);
         _permitWhenMissingFunctionEntry = (isStrict != null && !isStrict) ? true : false;
         _aclFileName = (String) conf.get(Config.DRPC_AUTHORIZER_ACL_FILENAME);
         _ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
     }

     private String getUserFromContext(ReqContext context) {
         if (context != null) {
             Principal princ = context.principal();
             if (princ != null) {
                 return princ.getName();
             }
         }
         return null;
     }

     private String getLocalUserFromContext(ReqContext context) {
         if (context != null) {
             return _ptol.toLocal(context.principal());
         }
         return null;
     }

     protected boolean permitClientOrInvocationRequest(ReqContext context, Map params, String fieldName) {
         Map<String, AclFunctionEntry> acl = readAclFromConfig();
         String function = (String) params.get(FUNCTION_KEY);
         if (function != null && !function.isEmpty()) {
             AclFunctionEntry entry = acl.get(function);
             if (entry == null && _permitWhenMissingFunctionEntry) {
                 return true;
             }
             if (entry != null) {
                 Object value;
                 try {
                     Field field = AclFunctionEntry.class.getDeclaredField(fieldName);
                     value = field.get(entry);
                 } catch (Exception ex) {
                     LOG.warn("Caught Exception while accessing ACL", ex);
                     return false;
                 }
                 String principal = getUserFromContext(context);
                 String user = getLocalUserFromContext(context);
                 if (value == null) {
                     LOG.warn("Configuration for function '" + function + "' is " + "invalid: it should have both an invocation user "
                             + "and a list of client users defined.");
                 } else if (value instanceof Set && (((Set<String>) value).contains(principal) || ((Set<String>) value).contains(user))) {
                     return true;
                 } else if (value instanceof String && (value.equals(principal) || value.equals(user))) {
                     return true;
                 }
             }
         }
         return false;
     }

     @Override
     protected boolean permitClientRequest(ReqContext context, String operation, Map params) {
         return permitClientOrInvocationRequest(context, params, "clientUsers");
     }

     @Override
     protected boolean permitInvocationRequest(ReqContext context, String operation, Map params) {
         return permitClientOrInvocationRequest(context, params, "invocationUser");
     }
 }
	package backtype.storm.security.auth.authorizer;

	import java.lang.reflect.Field;
	import java.security.Principal;
	import java.util.Collection;
	import java.util.HashMap;
	import java.util.HashSet;
	import java.util.Map;
	import java.util.Set;

	import backtype.storm.Config;
	import backtype.storm.security.auth.ReqContext;
	import backtype.storm.security.auth.authorizer.DRPCAuthorizerBase;
	import backtype.storm.security.auth.AuthUtils;
	import backtype.storm.security.auth.IPrincipalToLocal;
	import backtype.storm.utils.Utils;

	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	public class DRPCSimpleACLAuthorizer extends DRPCAuthorizerBase {
	public static Logger LOG = LoggerFactory.getLogger(DRPCSimpleACLAuthorizer.class);

	public static final String CLIENT_USERS_KEY = "client.users";
	public static final String INVOCATION_USER_KEY = "invocation.user";
	public static final String FUNCTION_KEY = "function.name";

	protected String _aclFileName = "";
	protected IPrincipalToLocal _ptol;
	protected boolean _permitWhenMissingFunctionEntry = false;

	protected class AclFunctionEntry {
	final public Set<String> clientUsers;
	final public String invocationUser;

	public AclFunctionEntry(Collection<String> clientUsers, String invocationUser) {
	this.clientUsers = (clientUsers != null) ? new HashSet<String>(clientUsers) : new HashSet<String>();
	this.invocationUser = invocationUser;
	}
	}

	private volatile Map<String, AclFunctionEntry> _acl = null;
	private volatile long _lastUpdate = 0;

	protected Map<String, AclFunctionEntry> readAclFromConfig() {
	// Thread safety is mostly around _acl. If _acl needs to be updated it is changed atomically
	// More then one thread may be trying to update it at a time, but that is OK, because the
	// change is atomic
	long now = System.currentTimeMillis();
	if ((now - 5000) > _lastUpdate \|\| _acl == null) {
	Map<String, AclFunctionEntry> acl = new HashMap<String, AclFunctionEntry>();
	Map conf = Utils.findAndReadConfigFile(_aclFileName);
	if (conf.containsKey(Config.DRPC_AUTHORIZER_ACL)) {
	Map<String, Map<String, ?>> confAcl = (Map<String, Map<String, ?>>) conf.get(Config.DRPC_AUTHORIZER_ACL);

	for (String function : confAcl.keySet()) {
	Map<String, ?> val = confAcl.get(function);
	Collection<String> clientUsers = val.containsKey(CLIENT_USERS_KEY) ? (Collection<String>) val.get(CLIENT_USERS_KEY) : null;
	String invocationUser = val.containsKey(INVOCATION_USER_KEY) ? (String) val.get(INVOCATION_USER_KEY) : null;
	acl.put(function, new AclFunctionEntry(clientUsers, invocationUser));
	}
	} else if (!_permitWhenMissingFunctionEntry) {
	LOG.warn("Requiring explicit ACL entries, but none given. " + "Therefore, all operiations will be denied.");
	}
	_acl = acl;
	_lastUpdate = System.currentTimeMillis();
	}
	return _acl;
	}

	@Override
	public void prepare(Map conf) {
	Boolean isStrict = (Boolean) conf.get(Config.DRPC_AUTHORIZER_ACL_STRICT);
	_permitWhenMissingFunctionEntry = (isStrict != null && !isStrict) ? true : false;
	_aclFileName = (String) conf.get(Config.DRPC_AUTHORIZER_ACL_FILENAME);
	_ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
	}

	private String getUserFromContext(ReqContext context) {
	if (context != null) {
	Principal princ = context.principal();
	if (princ != null) {
	return princ.getName();
	}
	}
	return null;
	}

	private String getLocalUserFromContext(ReqContext context) {
	if (context != null) {
	return _ptol.toLocal(context.principal());
	}
	return null;
	}

	protected boolean permitClientOrInvocationRequest(ReqContext context, Map params, String fieldName) {
	Map<String, AclFunctionEntry> acl = readAclFromConfig();
	String function = (String) params.get(FUNCTION_KEY);
	if (function != null && !function.isEmpty()) {
	AclFunctionEntry entry = acl.get(function);
	if (entry == null && _permitWhenMissingFunctionEntry) {
	return true;
	}
	if (entry != null) {
	Object value;
	try {
	Field field = AclFunctionEntry.class.getDeclaredField(fieldName);
	value = field.get(entry);
	} catch (Exception ex) {
	LOG.warn("Caught Exception while accessing ACL", ex);
	return false;
	}
	String principal = getUserFromContext(context);
	String user = getLocalUserFromContext(context);
	if (value == null) {
	LOG.warn("Configuration for function '" + function + "' is " + "invalid: it should have both an invocation user "
	+ "and a list of client users defined.");
	} else if (value instanceof Set && (((Set<String>) value).contains(principal) \|\| ((Set<String>) value).contains(user))) {
	return true;
	} else if (value instanceof String && (value.equals(principal) \|\| value.equals(user))) {
	return true;
	}
	}
	}
	return false;
	}

	@Override
	protected boolean permitClientRequest(ReqContext context, String operation, Map params) {
	return permitClientOrInvocationRequest(context, params, "clientUsers");
	}

	@Override
	protected boolean permitInvocationRequest(ReqContext context, String operation, Map params) {
	return permitClientOrInvocationRequest(context, params, "invocationUser");
	}
	}