HADOOP-15255. Upper/Lower case conversion support for group names in LdapGroupsMapping. Contributed by Nanda kumar.
This commit is contained in:
parent
68ce193efc
commit
033f9c68ea
@ -0,0 +1,91 @@
|
|||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.security;
|
||||||
|
|
||||||
|
import com.google.common.annotations.VisibleForTesting;
|
||||||
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
|
import org.apache.hadoop.classification.InterfaceStability;
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.util.StringUtils;
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class uses {@link LdapGroupsMapping} for group lookup and applies the
|
||||||
|
* rule configured on the group names.
|
||||||
|
*/
|
||||||
|
@InterfaceAudience.LimitedPrivate({"HDFS"})
|
||||||
|
@InterfaceStability.Evolving
|
||||||
|
public class RuleBasedLdapGroupsMapping extends LdapGroupsMapping {
|
||||||
|
|
||||||
|
public static final String CONVERSION_RULE_KEY = LDAP_CONFIG_PREFIX +
|
||||||
|
".conversion.rule";
|
||||||
|
|
||||||
|
private static final String CONVERSION_RULE_DEFAULT = "none";
|
||||||
|
private static final Logger LOG =
|
||||||
|
LoggerFactory.getLogger(RuleBasedLdapGroupsMapping.class);
|
||||||
|
|
||||||
|
private Rule rule;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Supported rules applicable for group name modification.
|
||||||
|
*/
|
||||||
|
private enum Rule {
|
||||||
|
TO_UPPER, TO_LOWER, NONE
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public synchronized void setConf(Configuration conf) {
|
||||||
|
super.setConf(conf);
|
||||||
|
String value = conf.get(CONVERSION_RULE_KEY, CONVERSION_RULE_DEFAULT);
|
||||||
|
try {
|
||||||
|
rule = Rule.valueOf(value.toUpperCase());
|
||||||
|
} catch (IllegalArgumentException iae) {
|
||||||
|
LOG.warn("Invalid {} configured: '{}'. Using default value: '{}'",
|
||||||
|
CONVERSION_RULE_KEY, value, CONVERSION_RULE_DEFAULT);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns list of groups for a user.
|
||||||
|
* This calls {@link LdapGroupsMapping}'s getGroups and applies the
|
||||||
|
* configured rules on group names before returning.
|
||||||
|
*
|
||||||
|
* @param user get groups for this user
|
||||||
|
* @return list of groups for a given user
|
||||||
|
*/
|
||||||
|
@Override
|
||||||
|
public synchronized List<String> getGroups(String user) {
|
||||||
|
List<String> groups = super.getGroups(user);
|
||||||
|
switch (rule) {
|
||||||
|
case TO_UPPER:
|
||||||
|
return groups.stream().map(StringUtils::toUpperCase).collect(
|
||||||
|
Collectors.toList());
|
||||||
|
case TO_LOWER:
|
||||||
|
return groups.stream().map(StringUtils::toLowerCase).collect(
|
||||||
|
Collectors.toList());
|
||||||
|
case NONE:
|
||||||
|
default:
|
||||||
|
return groups;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -275,6 +275,19 @@
|
|||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>hadoop.security.group.mapping.ldap.conversion.rule</name>
|
||||||
|
<value>none</value>
|
||||||
|
<description>
|
||||||
|
The rule is applied on the group names received from LDAP when
|
||||||
|
RuleBasedLdapGroupsMapping is configured.
|
||||||
|
Supported rules are "to_upper", "to_lower" and "none".
|
||||||
|
to_upper: This will convert all the group names to uppercase.
|
||||||
|
to_lower: This will convert all the group names to lowercase.
|
||||||
|
none: This will retain the source formatting, this is default value.
|
||||||
|
</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<name>hadoop.security.credential.clear-text-fallback</name>
|
<name>hadoop.security.credential.clear-text-fallback</name>
|
||||||
<value>true</value>
|
<value>true</value>
|
||||||
|
@ -34,6 +34,7 @@
|
|||||||
import org.apache.hadoop.security.CompositeGroupsMapping;
|
import org.apache.hadoop.security.CompositeGroupsMapping;
|
||||||
import org.apache.hadoop.security.HttpCrossOriginFilterInitializer;
|
import org.apache.hadoop.security.HttpCrossOriginFilterInitializer;
|
||||||
import org.apache.hadoop.security.LdapGroupsMapping;
|
import org.apache.hadoop.security.LdapGroupsMapping;
|
||||||
|
import org.apache.hadoop.security.RuleBasedLdapGroupsMapping;
|
||||||
import org.apache.hadoop.security.http.CrossOriginFilter;
|
import org.apache.hadoop.security.http.CrossOriginFilter;
|
||||||
import org.apache.hadoop.security.ssl.SSLFactory;
|
import org.apache.hadoop.security.ssl.SSLFactory;
|
||||||
|
|
||||||
@ -74,7 +75,8 @@ public void initializeMemberVariables() {
|
|||||||
ZKFailoverController.class,
|
ZKFailoverController.class,
|
||||||
SSLFactory.class,
|
SSLFactory.class,
|
||||||
CompositeGroupsMapping.class,
|
CompositeGroupsMapping.class,
|
||||||
CodecUtil.class
|
CodecUtil.class,
|
||||||
|
RuleBasedLdapGroupsMapping.class
|
||||||
};
|
};
|
||||||
|
|
||||||
// Initialize used variables
|
// Initialize used variables
|
||||||
|
@ -0,0 +1,99 @@
|
|||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.security;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.mockito.Mockito;
|
||||||
|
|
||||||
|
import javax.naming.NamingException;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.security.RuleBasedLdapGroupsMapping
|
||||||
|
.CONVERSION_RULE_KEY;
|
||||||
|
import static org.mockito.Matchers.anyInt;
|
||||||
|
import static org.mockito.Matchers.eq;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test cases to verify the rules supported by RuleBasedLdapGroupsMapping.
|
||||||
|
*/
|
||||||
|
public class TestRuleBasedLdapGroupsMapping {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetGroupsToUpper() throws NamingException {
|
||||||
|
RuleBasedLdapGroupsMapping groupsMapping = Mockito.spy(
|
||||||
|
new RuleBasedLdapGroupsMapping());
|
||||||
|
List<String> groups = new ArrayList<>();
|
||||||
|
groups.add("group1");
|
||||||
|
groups.add("group2");
|
||||||
|
Mockito.doReturn(groups).when((LdapGroupsMapping) groupsMapping)
|
||||||
|
.doGetGroups(eq("admin"), anyInt());
|
||||||
|
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.set(LdapGroupsMapping.LDAP_URL_KEY, "ldap://test");
|
||||||
|
conf.set(CONVERSION_RULE_KEY, "to_upper");
|
||||||
|
groupsMapping.setConf(conf);
|
||||||
|
|
||||||
|
List<String> groupsUpper = new ArrayList<>();
|
||||||
|
groupsUpper.add("GROUP1");
|
||||||
|
groupsUpper.add("GROUP2");
|
||||||
|
Assert.assertEquals(groupsUpper, groupsMapping.getGroups("admin"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetGroupsToLower() throws NamingException {
|
||||||
|
RuleBasedLdapGroupsMapping groupsMapping = Mockito.spy(
|
||||||
|
new RuleBasedLdapGroupsMapping());
|
||||||
|
List<String> groups = new ArrayList<>();
|
||||||
|
groups.add("GROUP1");
|
||||||
|
groups.add("GROUP2");
|
||||||
|
Mockito.doReturn(groups).when((LdapGroupsMapping) groupsMapping)
|
||||||
|
.doGetGroups(eq("admin"), anyInt());
|
||||||
|
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.set(LdapGroupsMapping.LDAP_URL_KEY, "ldap://test");
|
||||||
|
conf.set(CONVERSION_RULE_KEY, "to_lower");
|
||||||
|
groupsMapping.setConf(conf);
|
||||||
|
|
||||||
|
List<String> groupsLower = new ArrayList<>();
|
||||||
|
groupsLower.add("group1");
|
||||||
|
groupsLower.add("group2");
|
||||||
|
Assert.assertEquals(groupsLower, groupsMapping.getGroups("admin"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetGroupsInvalidRule() throws NamingException {
|
||||||
|
RuleBasedLdapGroupsMapping groupsMapping = Mockito.spy(
|
||||||
|
new RuleBasedLdapGroupsMapping());
|
||||||
|
List<String> groups = new ArrayList<>();
|
||||||
|
groups.add("group1");
|
||||||
|
groups.add("GROUP2");
|
||||||
|
Mockito.doReturn(groups).when((LdapGroupsMapping) groupsMapping)
|
||||||
|
.doGetGroups(eq("admin"), anyInt());
|
||||||
|
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.set(LdapGroupsMapping.LDAP_URL_KEY, "ldap://test");
|
||||||
|
conf.set(CONVERSION_RULE_KEY, "none");
|
||||||
|
groupsMapping.setConf(conf);
|
||||||
|
|
||||||
|
Assert.assertEquals(groups, groupsMapping.getGroups("admin"));
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user