Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.hadoop.security.authorize; import java.security.Permission; import java.security.PermissionCollection; import java.security.Policy; import java.security.Principal; import java.security.ProtectionDomain; import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configurable; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.Group; import org.apache.hadoop.security.User; import org.apache.hadoop.security.SecurityUtil.AccessControlList; /** * A {@link Configuration} based security {@link Policy} for Hadoop. * * {@link ConfiguredPolicy} works in conjunction with a {@link PolicyProvider} * for providing service-level authorization for Hadoop. */ public class ConfiguredPolicy extends Policy implements Configurable { public static final String HADOOP_POLICY_FILE = "hadoop-policy.xml"; private static final Log LOG = LogFactory.getLog(ConfiguredPolicy.class); private Configuration conf; private PolicyProvider policyProvider; private volatile Map<Principal, Set<Permission>> permissions; private volatile Set<Permission> allowedPermissions; public ConfiguredPolicy(Configuration conf, PolicyProvider policyProvider) { this.conf = conf; this.policyProvider = policyProvider; refresh(); } @Override public Configuration getConf() { return conf; } @Override public void setConf(Configuration conf) { this.conf = conf; refresh(); } @Override public boolean implies(ProtectionDomain domain, Permission permission) { // Only make checks for domains having principals if (domain.getPrincipals().length == 0) { return true; } return super.implies(domain, permission); } @Override public PermissionCollection getPermissions(ProtectionDomain domain) { PermissionCollection permissionCollection = super.getPermissions(domain); for (Principal principal : domain.getPrincipals()) { Set<Permission> principalPermissions = permissions.get(principal); if (principalPermissions != null) { for (Permission permission : principalPermissions) { permissionCollection.add(permission); } } for (Permission permission : allowedPermissions) { permissionCollection.add(permission); } } return permissionCollection; } @Override public void refresh() { // Get the system property 'hadoop.policy.file' String policyFile = System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE); // Make a copy of the original config, and load the policy file Configuration policyConf = new Configuration(conf); policyConf.addResource(policyFile); Map<Principal, Set<Permission>> newPermissions = new HashMap<Principal, Set<Permission>>(); Set<Permission> newAllowPermissions = new HashSet<Permission>(); // Parse the config file Service[] services = policyProvider.getServices(); if (services != null) { for (Service service : services) { AccessControlList acl = new AccessControlList( policyConf.get(service.getServiceKey(), AccessControlList.WILDCARD_ACL_VALUE)); if (acl.allAllowed()) { newAllowPermissions.add(service.getPermission()); if (LOG.isDebugEnabled()) { LOG.debug("Policy - " + service.getPermission() + " * "); } } else { for (String user : acl.getUsers()) { addPermission(newPermissions, new User(user), service.getPermission()); } for (String group : acl.getGroups()) { addPermission(newPermissions, new Group(group), service.getPermission()); } } } } // Flip to the newly parsed permissions allowedPermissions = newAllowPermissions; permissions = newPermissions; } private void addPermission(Map<Principal, Set<Permission>> permissions, Principal principal, Permission permission) { Set<Permission> principalPermissions = permissions.get(principal); if (principalPermissions == null) { principalPermissions = new HashSet<Permission>(); permissions.put(principal, principalPermissions); } principalPermissions.add(permission); if (LOG.isDebugEnabled()) { LOG.debug("Policy - Adding " + permission + " to " + principal); } } }