org.apache.hadoop.security.authorize.ProxyUsers.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.hadoop.security.authorize.ProxyUsers.java

Source

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.security.authorize;

import com.google.common.base.Preconditions;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.ReflectionUtils;

import com.google.common.annotations.VisibleForTesting;

@InterfaceStability.Unstable
@InterfaceAudience.LimitedPrivate({ "HDFS", "MapReduce", "HBase", "Hive" })
public class ProxyUsers {

    public static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser";

    private static volatile ImpersonationProvider sip;

    /**
     * Returns an instance of ImpersonationProvider.
     * Looks up the configuration to see if there is custom class specified.
     * @param conf
     * @return ImpersonationProvider
     */
    private static ImpersonationProvider getInstance(Configuration conf) {
        Class<? extends ImpersonationProvider> clazz = conf.getClass(
                CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
                DefaultImpersonationProvider.class, ImpersonationProvider.class);
        return ReflectionUtils.newInstance(clazz, conf);
    }

    /**
     * refresh Impersonation rules
     */
    public static void refreshSuperUserGroupsConfiguration() {
        //load server side configuration;
        refreshSuperUserGroupsConfiguration(new Configuration());
    }

    /**
     * Refreshes configuration using the specified Proxy user prefix for
     * properties.
     *
     * @param conf configuration
     * @param proxyUserPrefix proxy user configuration prefix
     */
    public static void refreshSuperUserGroupsConfiguration(Configuration conf, String proxyUserPrefix) {
        Preconditions.checkArgument(proxyUserPrefix != null && !proxyUserPrefix.isEmpty(),
                "prefix cannot be NULL or empty");
        // sip is volatile. Any assignment to it as well as the object's state
        // will be visible to all the other threads. 
        ImpersonationProvider ip = getInstance(conf);
        ip.init(proxyUserPrefix);
        sip = ip;
        ProxyServers.refresh(conf);
    }

    /**
     * Refreshes configuration using the default Proxy user prefix for properties.
     * @param conf configuration
     */
    public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
        refreshSuperUserGroupsConfiguration(conf, CONF_HADOOP_PROXYUSER);
    }

    /**
     * Authorize the superuser which is doing doAs
     * 
     * @param user ugi of the effective or proxy user which contains a real user
     * @param remoteAddress the ip address of client
     * @throws AuthorizationException
     */
    public static void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException {
        if (sip == null) {
            // In a race situation, It is possible for multiple threads to satisfy this condition.
            // The last assignment will prevail.
            refreshSuperUserGroupsConfiguration();
        }
        sip.authorize(user, remoteAddress);
    }

    /**
     * This function is kept to provide backward compatibility.
     * @param user
     * @param remoteAddress
     * @param conf
     * @throws AuthorizationException
     * @deprecated use {@link #authorize(UserGroupInformation, String) instead. 
     */
    @Deprecated
    public static void authorize(UserGroupInformation user, String remoteAddress, Configuration conf)
            throws AuthorizationException {
        authorize(user, remoteAddress);
    }

    @VisibleForTesting
    public static DefaultImpersonationProvider getDefaultImpersonationProvider() {
        return ((DefaultImpersonationProvider) sip);
    }

}