org.apache.hadoop.security.authorize.ConfiguredPolicy.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.hadoop.security.authorize.ConfiguredPolicy.java

Source

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.security.authorize;

import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Group;
import org.apache.hadoop.security.User;
import org.apache.hadoop.security.SecurityUtil.AccessControlList;

/**
 * A {@link Configuration} based security {@link Policy} for Hadoop.
 * 
 * {@link ConfiguredPolicy} works in conjunction with a {@link PolicyProvider}
 * for providing service-level authorization for Hadoop.
 */
public class ConfiguredPolicy extends Policy implements Configurable {
    public static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
    private static final Log LOG = LogFactory.getLog(ConfiguredPolicy.class);

    private Configuration conf;
    private PolicyProvider policyProvider;
    private volatile Map<Principal, Set<Permission>> permissions;
    private volatile Set<Permission> allowedPermissions;

    public ConfiguredPolicy(Configuration conf, PolicyProvider policyProvider) {
        this.conf = conf;
        this.policyProvider = policyProvider;
        refresh();
    }

    @Override
    public Configuration getConf() {
        return conf;
    }

    @Override
    public void setConf(Configuration conf) {
        this.conf = conf;
        refresh();
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        // Only make checks for domains having principals
        if (domain.getPrincipals().length == 0) {
            return true;
        }

        return super.implies(domain, permission);
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        PermissionCollection permissionCollection = super.getPermissions(domain);
        for (Principal principal : domain.getPrincipals()) {
            Set<Permission> principalPermissions = permissions.get(principal);
            if (principalPermissions != null) {
                for (Permission permission : principalPermissions) {
                    permissionCollection.add(permission);
                }
            }

            for (Permission permission : allowedPermissions) {
                permissionCollection.add(permission);
            }
        }
        return permissionCollection;
    }

    @Override
    public void refresh() {
        // Get the system property 'hadoop.policy.file'
        String policyFile = System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);

        // Make a copy of the original config, and load the policy file
        Configuration policyConf = new Configuration(conf);
        policyConf.addResource(policyFile);

        Map<Principal, Set<Permission>> newPermissions = new HashMap<Principal, Set<Permission>>();
        Set<Permission> newAllowPermissions = new HashSet<Permission>();

        // Parse the config file
        Service[] services = policyProvider.getServices();
        if (services != null) {
            for (Service service : services) {
                AccessControlList acl = new AccessControlList(
                        policyConf.get(service.getServiceKey(), AccessControlList.WILDCARD_ACL_VALUE));

                if (acl.allAllowed()) {
                    newAllowPermissions.add(service.getPermission());
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Policy - " + service.getPermission() + " * ");
                    }
                } else {
                    for (String user : acl.getUsers()) {
                        addPermission(newPermissions, new User(user), service.getPermission());
                    }

                    for (String group : acl.getGroups()) {
                        addPermission(newPermissions, new Group(group), service.getPermission());
                    }
                }
            }
        }

        // Flip to the newly parsed permissions
        allowedPermissions = newAllowPermissions;
        permissions = newPermissions;
    }

    private void addPermission(Map<Principal, Set<Permission>> permissions, Principal principal,
            Permission permission) {
        Set<Permission> principalPermissions = permissions.get(principal);
        if (principalPermissions == null) {
            principalPermissions = new HashSet<Permission>();
            permissions.put(principal, principalPermissions);
        }
        principalPermissions.add(permission);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Policy - Adding  " + permission + " to " + principal);
        }
    }
}