Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.hadoop.mapred; import java.security.SignatureException; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.io.BufferedReader; import java.io.FileReader; import java.io.File; import java.net.URLDecoder; import java.util.HashMap; import org.apache.hadoop.conf.Configuration; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.commons.codec.binary.Base64; /** * This class implements symmetric key HMAC/SHA1 signature * based authorization of users and admins. */ public class PriorityAuthorization { public static final int USER = 0; public static final int ADMIN = 1; public static final int NO_ACCESS = 2; private HashMap<String, UserACL> acl = new HashMap<String, UserACL>(); private long lastSuccessfulReload = 0; public static final long START_TIME = System.currentTimeMillis(); private String aclFile; private static final Log LOG = LogFactory.getLog(PriorityAuthorization.class); private static final boolean debug = LOG.isDebugEnabled(); private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1"; /** * Initializes authorization configuration * @param conf MapReduce configuration handle */ public void init(Configuration conf) { aclFile = conf.get("mapred.priority-scheduler.acl-file", "/etc/hadoop.acl"); } /** * Adapted from AWS Query Authentication cookbook: * Computes RFC 2104-compliant HMAC signature. * * @param data * The data to be signed. * @param key * The signing key. * @return * The base64-encoded RFC 2104-compliant HMAC signature. * @throws * java.security.SignatureException when signature generation fails */ public static String hmac(String data, String key) throws java.security.SignatureException { String result; try { // get an hmac_sha1 key from the raw key bytes SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM); // get an hmac_sha1 Mac instance and initialize with the signing key Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM); mac.init(signingKey); // compute the hmac on input data bytes byte[] rawHmac = mac.doFinal(data.getBytes()); // base64-encode the hmac result = new String(Base64.encodeBase64(rawHmac)); } catch (Exception e) { throw new SignatureException("Failed to generate HMAC : " + e, e); } return result; } class UserACL { String user; String role; String key; // for replay detection long lastTimestamp = START_TIME; UserACL(String user, String role, String key) { this.user = user; this.role = role; this.key = key; } } private void reloadACL() { BufferedReader in = null; try { in = new BufferedReader(new FileReader(aclFile)); String line = in.readLine(); while (line != null) { String[] nameValue = line.split(" "); if (nameValue.length != 3) { continue; } acl.put(nameValue[0], new UserACL(nameValue[0], nameValue[1], nameValue[2])); if (debug) { LOG.debug("Loading " + line); } line = in.readLine(); } } catch (Exception e) { LOG.error(e); } try { in.close(); } catch (Exception e) { LOG.error(e); } } private void loadACL() { long time = System.currentTimeMillis(); try { File file = new File(aclFile); long lastModified = file.lastModified(); if (lastModified > lastSuccessfulReload) { reloadACL(); lastSuccessfulReload = time; } } catch (Exception e) { LOG.error("Failed to reload acl file", e); } } private boolean isReplay(String timestamp, String signature, UserACL userACL) { long signatureTime = Long.parseLong(timestamp); if (debug) { LOG.debug("signaturetime: " + Long.toString(signatureTime)); LOG.debug("lasttime: " + Long.toString(userACL.lastTimestamp)); } if (signatureTime <= userACL.lastTimestamp) { return true; } userACL.lastTimestamp = signatureTime; return false; } /** * Returns authorized role for user. * Checks whether signature obtained by user was made by key stored in local acl. * Also checks for replay attacks. * @param data data that was signed by user * @param signature user-provided signature * @param user-provided nonce/timestamp of signature * @return the authorized role of the user: * ADMIN, USER or NO_ACCESS */ public int authorize(String data, String signature, String user, String timestamp) { try { signature = URLDecoder.decode(signature, "UTF-8"); } catch (Exception e) { LOG.error("Authorization exception:", e); return NO_ACCESS; } if (debug) { LOG.debug(data + " sig: " + signature + " user: " + user + " time: " + timestamp); } try { loadACL(); UserACL userACL = acl.get(user); if (userACL == null) { return NO_ACCESS; } String signatureTest = hmac(data, userACL.key); if (debug) { LOG.debug("SignatureTest " + signatureTest); LOG.debug("Signature " + signature); } if (signatureTest.equals(signature) && !isReplay(timestamp, signature, userACL)) { return (userACL.role.equals("admin")) ? ADMIN : USER; } } catch (Exception e) { LOG.error("Athorization exception:", e); } return NO_ACCESS; } }