HADOOP-10649. Allow overriding the default ACL for service authorization (Contributed by Benoy Antony)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1606179 13f79535-47bb-0310-9956-ffa450edef68
parent
f911f5495b
commit
bbbbd270c7
@ -483,6 +483,9 @@ Release 2.5.0 - UNRELEASED
|
||||
HADOOP-10565. Support IP ranges (CIDR) in proxyuser.hosts. (Benoy Antony
|
||||
via Arpit Agarwal)
|
||||
|
||||
HADOOP-10649. Allow overriding the default ACL for service authorization
|
||||
(Benoy Antony via Arpit Agarwal)
|
||||
|
||||
OPTIMIZATIONS
|
||||
|
||||
BUG FIXES
|
||||
|
@ -131,6 +131,9 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
|
||||
* Service Authorization
|
||||
*/
|
||||
public static final String
|
||||
HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL =
|
||||
"security.service.authorization.default.acl";
|
||||
public static final String
|
||||
HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY =
|
||||
"security.refresh.policy.protocol.acl";
|
||||
public static final String
|
||||
|
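Review bot: The new key `HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL` is declared without a Javadoc, so a reader of this keys class cannot tell what it governs or what applies when it is unset; the neighbouring refresh-policy key is equally bare, but this one changes an authorization default and deserves the line. Suggest `/** ACL applied to any service whose own ACL key is unset; when absent the wildcard ACL is used, preserving the previous open-by-default behaviour. */` above the declaration. The fallback value itself is resolved in ServiceAuthorizationManager rather than here, so keep the wording to what the key means.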
@ -132,6 +132,10 @@ public void refreshWithLoadedConfiguration(Configuration conf,
|
||||
final Map<Class<?>, AccessControlList> newAcls =
|
||||
new IdentityHashMap<Class<?>, AccessControlList>();
|
||||
|
||||
String defaultAcl = conf.get(
|
||||
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
|
||||
AccessControlList.WILDCARD_ACL_VALUE);
|
||||
|
||||
// Parse the config file
|
||||
Service[] services = provider.getServices();
|
||||
if (services != null) {
|
||||
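Review bot: `conf.get(HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, WILDCARD_ACL_VALUE)` substitutes the wildcard only when the key is absent; if Hadoop's `Configuration.get(name, default)` behaves as I recall and returns an explicitly empty value verbatim, a deployment that sets the key to a blank string gets an empty `AccessControlList` for every service without its own key, i.e. nobody is allowed. That may be the intended lock-down, but it differs from `*` in the opposite direction and is easy to hit by accident, so either document it at this lookup or treat a blank value as unset. The same `defaultAcl` is consumed in the next hunk of this file (`conf.get(service.getServiceKey(), defaultAcl)`), where a per-service key set to `*` still overrides a restrictive default; a comment such as `// per-service ACL wins over the default, including an explicit wildcard` would help operators reading this. `refreshWithLoadedConfiguration` starts and ends outside both hunks.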
@ -139,7 +143,7 @@ public void refreshWithLoadedConfiguration(Configuration conf,
|
||||
AccessControlList acl =
|
||||
new AccessControlList(
|
||||
conf.get(service.getServiceKey(),
|
||||
AccessControlList.WILDCARD_ACL_VALUE)
|
||||
defaultAcl)
|
||||
);
|
||||
newAcls.put(service.getProtocol(), acl);
|
||||
}
|
||||
|
@ -100,12 +100,16 @@ security.ha.service.protocol.acl | ACL for HAService protocol used by HAAdm
|
||||
Example: <<<user1,user2 group1,group2>>>.
|
||||
|
||||
Add a blank at the beginning of the line if only a list of groups is to
|
||||
be provided, equivalently a comman-separated list of users followed by
|
||||
be provided, equivalently a comma-separated list of users followed by
|
||||
a space or nothing implies only a set of given users.
|
||||
|
||||
A special value of <<<*>>> implies that all users are allowed to access the
|
||||
service.
|
||||
|
||||
If access control list is not defined for a service, the value of
|
||||
<<<security.service.authorization.default.acl>>> is applied. If
|
||||
<<<security.service.authorization.default.acl>>> is not defined, <<<*>>> is applied.
|
||||
|
||||
** Refreshing Service Level Authorization Configuration
|
||||
|
||||
The service-level authorization configuration for the NameNode and
|
||||
|
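--- /dev/null
+++ b/SRC_ROOT_PLACEHOLDER/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
@@ -0,0 +1,67 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.security.authorize;
+
+import static org.junit.Assert.assertEquals;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.ipc.TestRPC.TestProtocol;
+import org.junit.Test;
+
+public class TestServiceAuthorization {
+
+private static final String ACL_CONFIG = "test.protocol.acl";
+private static final String ACL_CONFIG1 = "test.protocol1.acl";
+
+public interface TestProtocol1 extends TestProtocol {};
+
+private static class TestPolicyProvider extends PolicyProvider {
+
+@Override
+public Service[] getServices() {
+return new Service[] { new Service(ACL_CONFIG, TestProtocol.class),
+new Service(ACL_CONFIG1, TestProtocol1.class),
+};
+}
+}
+
+@Test
+public void testDefaultAcl() {
+ServiceAuthorizationManager serviceAuthorizationManager =
+new ServiceAuthorizationManager();
+Configuration conf = new Configuration ();
+//test without setting a default acl
+conf.set(ACL_CONFIG, "user1 group1");
+serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+AccessControlList acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
+assertEquals("user1 group1", acl.getAclString());
+acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
+assertEquals(AccessControlList.WILDCARD_ACL_VALUE, acl.getAclString());
+
+//test with a default acl
+conf.set(
+CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL,
+"user2 group2");
+serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol.class);
+assertEquals("user1 group1", acl.getAclString());
+acl = serviceAuthorizationManager.getProtocolsAcls(TestProtocol1.class);
+assertEquals("user2 group2", acl.getAclString());
+}
+}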
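Review bot: `testDefaultAcl` verifies only the ACL string stored per protocol (`getAclString()`), so it would still pass if the manager recorded the default correctly but ignored it at decision time; one assertion through the manager's authorization entry point for `TestProtocol1`, with a caller outside `user2 group2`, would pin the behaviour this change exists for. The explicitly empty default (key present, value blank) and a per-service `*` overriding a restrictive default are both untested, and those are the cases an operator is most likely to get wrong. Minor style: `new Configuration ()` has a stray space and `public interface TestProtocol1 extends TestProtocol {};` carries a redundant semicolon; a one-line Javadoc on the class stating that it covers the default-ACL fallback would also help.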