HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. Contributed by Todd Lipcon
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1056006 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
c9fb201099
commit
c04751b1b4
@ -39,6 +39,9 @@ Trunk (unreleased changes)
|
||||
HADOOP-7078. Improve javadocs for RawComparator interface.
|
||||
(Harsh J Chouraria via todd)
|
||||
|
||||
HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations.
|
||||
(todd)
|
||||
|
||||
OPTIMIZATIONS
|
||||
|
||||
BUG FIXES
|
||||
|
@ -89,6 +89,9 @@
|
||||
<p>
|
||||
If these configurations are not present, impersonation will not be allowed and connection will fail.
|
||||
</p>
|
||||
<p>
|
||||
If more lax security is preferred, the wildcard value <code>*</code> may be used to allow impersonation from any host or of any user.
|
||||
</p>
|
||||
</section>
|
||||
|
||||
|
||||
|
@ -126,7 +126,9 @@ public static synchronized void authorize(UserGroupInformation user,
|
||||
Collection<String> allowedUserGroups = proxyGroups.get(
|
||||
getProxySuperuserGroupConfKey(superUser.getShortUserName()));
|
||||
|
||||
if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) {
|
||||
if (isWildcardList(allowedUserGroups)) {
|
||||
groupAuthorized = true;
|
||||
} else if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) {
|
||||
for (String group : user.getGroupNames()) {
|
||||
if (allowedUserGroups.contains(group)) {
|
||||
groupAuthorized = true;
|
||||
@ -142,8 +144,10 @@ public static synchronized void authorize(UserGroupInformation user,
|
||||
|
||||
Collection<String> ipList = proxyHosts.get(
|
||||
getProxySuperuserIpConfKey(superUser.getShortUserName()));
|
||||
|
||||
if (ipList != null && !ipList.isEmpty()) {
|
||||
|
||||
if (isWildcardList(ipList)) {
|
||||
ipAuthorized = true;
|
||||
} else if (ipList != null && !ipList.isEmpty()) {
|
||||
for (String allowedHost : ipList) {
|
||||
InetAddress hostAddr;
|
||||
try {
|
||||
@ -162,4 +166,15 @@ public static synchronized void authorize(UserGroupInformation user,
|
||||
+ superUser.getUserName() + " from IP " + remoteAddress);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return true if the configuration specifies the special configuration value
|
||||
* "*", indicating that any group or host list is allowed to use this configuration.
|
||||
*/
|
||||
private static boolean isWildcardList(Collection<String> list) {
|
||||
return (list != null) &&
|
||||
(list.size() == 1) &&
|
||||
(list.contains("*"));
|
||||
}
|
||||
|
||||
}
|
||||
|
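Review bot: `isWildcardList` treats only a list whose sole entry is `*` as the wildcard, so a value such as `*,foo_group` falls through to the exact-match branch and matches nothing but its literal entries; that is the safer reading, but the helper's Javadoc should state it, e.g. `* A list that mixes "*" with other entries is not a wildcard; only the lone "*" disables the check.`. Because a wildcard in either list removes one of the two impersonation checks entirely, operators would also benefit from a WARN-level log line when a wildcard entry is loaded, which belongs in refreshSuperUserGroupsConfiguration rather than in these hunks. The null/empty re-check in the `else if` branches is still needed since `isWildcardList` returns false for a null list. The `authorize` method begins and ends outside the hunks shown here.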
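--- /dev/null
+++ b/[path-not-shown]/TestProxyUsers.java
@@ -0,0 +1,152 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authorize;
+
+import java.util.Arrays;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class TestProxyUsers {
+  private static final String REAL_USER_NAME = "proxier";
+  private static final String PROXY_USER_NAME = "proxied_user";
+  private static final String[] GROUP_NAMES =
+    new String[] { "foo_group" };
+  private static final String[] OTHER_GROUP_NAMES =
+    new String[] { "bar_group" };
+  private static final String PROXY_IP = "1.2.3.4";
+
+  @Test
+  public void testProxyUsers() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+      StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
+    conf.set(
+      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+      PROXY_IP);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+    .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // From good IP
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+    // Now try proxying a group that's not allowed
+    realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+    proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+
+    // From good IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+  }
+
+  @Test
+  public void testWildcardGroup() {
+    Configuration conf = new Configuration();
+    conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+      "*");
+    conf.set(
+      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+      PROXY_IP);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+    .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // From good IP
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+    // Now try proxying a different group (just to make sure we aren't getting spill over
+    // from the other test case!)
+    realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+    proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+
+    // From good IP
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+  }
+
+  @Test
+  public void testWildcardIP() {
+    Configuration conf = new Configuration();
+    conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+      StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
+    conf.set(
+      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+      "*");
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+    .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // From either IP should be fine
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    assertAuthorized(proxyUserUgi, "1.2.3.5");
+
+    // Now set up an unallowed group
+    realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+    proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+
+    // Neither IP should be OK
+    assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+  }
+
+  private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) {
+    try {
+      ProxyUsers.authorize(proxyUgi, host, null);
+      fail("Allowed authorization of " + proxyUgi + " from " + host);
+    } catch (AuthorizationException e) {
+      // Expected
+    }
+  }
+
+  private void assertAuthorized(UserGroupInformation proxyUgi, String host) {
+    try {
+      ProxyUsers.authorize(proxyUgi, host, null);
+    } catch (AuthorizationException e) {
+      fail("Did not allowed authorization of " + proxyUgi + " from " + host);
+    }
+  }
+}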
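Review bot: The failure message in `assertAuthorized` reads "Did not allowed authorization of"; it should be `fail("Did not allow authorization of " + proxyUgi + " from " + host);`. No test pins the boundary of the new wildcard semantics: `isWildcardList` only recognises a list consisting solely of `*`, so a case that sets the group key (and likewise the IP key) to `"*,foo_group"` and asserts that a user in `bar_group` is still rejected would guard against a later change silently widening impersonation. The three tests share static `ProxyUsers` state through `refreshSuperUserGroupsConfiguration`, which the comment in `testWildcardGroup` acknowledges; resetting that state in a `@Before` method would make the isolation deliberate instead of relying on each test reconfiguring both keys. `testProxyUsers` declares `throws Exception` while the other two tests do not; the declaration can be dropped for consistency.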