You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by tu...@apache.org on 2012/04/30 23:04:47 UTC
svn commit: r1332393 - in /hadoop/common/branches/branch-1: ./
src/core/org/apache/hadoop/security/authorize/
src/docs/src/documentation/content/xdocs/
src/test/org/apache/hadoop/security/authorize/
Author: tucu
Date: Mon Apr 30 21:04:47 2012
New Revision: 1332393
URL: http://svn.apache.org/viewvc?rev=1332393&view=rev
Log:
HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. (todd via tucu)
Added:
hadoop/common/branches/branch-1/src/test/org/apache/hadoop/security/authorize/TestProxyUsers.java
Modified:
hadoop/common/branches/branch-1/CHANGES.txt
hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java
hadoop/common/branches/branch-1/src/docs/src/documentation/content/xdocs/Secure_Impersonation.xml
Modified: hadoop/common/branches/branch-1/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/CHANGES.txt?rev=1332393&r1=1332392&r2=1332393&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/CHANGES.txt (original)
+++ hadoop/common/branches/branch-1/CHANGES.txt Mon Apr 30 21:04:47 2012
@@ -101,6 +101,9 @@ Release 1.1.0 - unreleased
HDFS-3094. add -nonInteractive and -force option to namenode -format
command. (Arpit Gupta via todd)
+ HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations
+ (todd via tucu)
+
BUG FIXES
MAPREDUCE-4087. [Gridmix] GenerateDistCacheData job of Gridmix can
Modified: hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java?rev=1332393&r1=1332392&r2=1332393&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java (original)
+++ hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java Mon Apr 30 21:04:47 2012
@@ -122,7 +122,9 @@ public class ProxyUsers {
Collection<String> allowedUserGroups = proxyGroups.get(
getProxySuperuserGroupConfKey(superUser.getShortUserName()));
- if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) {
+ if (isWildcardList(allowedUserGroups)) {
+ groupAuthorized = true;
+ } else if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) {
for (String group : user.getGroupNames()) {
if (allowedUserGroups.contains(group)) {
groupAuthorized = true;
@@ -138,8 +140,10 @@ public class ProxyUsers {
Collection<String> ipList = proxyHosts.get(
getProxySuperuserIpConfKey(superUser.getShortUserName()));
-
- if (ipList != null && !ipList.isEmpty()) {
+
+ if (isWildcardList(ipList)) {
+ ipAuthorized = true;
+ } else if (ipList != null && !ipList.isEmpty()) {
for (String allowedHost : ipList) {
InetAddress hostAddr;
try {
@@ -158,4 +162,15 @@ public class ProxyUsers {
+ superUser.getUserName() + " from IP " + remoteAddress);
}
}
+
+ /**
+ * Return true if the configuration specifies the special configuration value
+ * "*", indicating that any group or host list is allowed to use this configuration.
+ */
+ private static boolean isWildcardList(Collection<String> list) {
+ return (list != null) &&
+ (list.size() == 1) &&
+ (list.contains("*"));
+ }
+
}
Modified: hadoop/common/branches/branch-1/src/docs/src/documentation/content/xdocs/Secure_Impersonation.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/docs/src/documentation/content/xdocs/Secure_Impersonation.xml?rev=1332393&r1=1332392&r2=1332393&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/docs/src/documentation/content/xdocs/Secure_Impersonation.xml (original)
+++ hadoop/common/branches/branch-1/src/docs/src/documentation/content/xdocs/Secure_Impersonation.xml Mon Apr 30 21:04:47 2012
@@ -88,6 +88,9 @@
<p>
If these configurations are not present, impersonation will not be allowed and connection will fail.
</p>
+ <p>
+ If more lax security is preferred, the wildcard value <code>*</code> may be used to allow impersonation from any host or of any user.
+ </p>
</section>
Added: hadoop/common/branches/branch-1/src/test/org/apache/hadoop/security/authorize/TestProxyUsers.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/test/org/apache/hadoop/security/authorize/TestProxyUsers.java?rev=1332393&view=auto
==============================================================================
--- hadoop/common/branches/branch-1/src/test/org/apache/hadoop/security/authorize/TestProxyUsers.java (added)
+++ hadoop/common/branches/branch-1/src/test/org/apache/hadoop/security/authorize/TestProxyUsers.java Mon Apr 30 21:04:47 2012
@@ -0,0 +1,148 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authorize;
+
+import java.util.Arrays;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import junit.framework.TestCase;
+
+public class TestProxyUsers extends TestCase {
+ private static final String REAL_USER_NAME = "proxier";
+ private static final String PROXY_USER_NAME = "proxied_user";
+ private static final String[] GROUP_NAMES =
+ new String[] { "foo_group" };
+ private static final String[] OTHER_GROUP_NAMES =
+ new String[] { "bar_group" };
+ private static final String PROXY_IP = "1.2.3.4";
+
+ public void testProxyUsers() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set(
+ ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
+ conf.set(
+ ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ PROXY_IP);
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+
+ // First try proxying a group that's allowed
+ UserGroupInformation realUserUgi = UserGroupInformation
+ .createRemoteUser(REAL_USER_NAME);
+ UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+ // From good IP
+ assertAuthorized(proxyUserUgi, "1.2.3.4");
+ // From bad IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+ // Now try proxying a group that's not allowed
+ realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+ proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+
+ // From good IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+ // From bad IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+ }
+
+ public void testWildcardGroup() {
+ Configuration conf = new Configuration();
+ conf.set(
+ ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ "*");
+ conf.set(
+ ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ PROXY_IP);
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+ // First try proxying a group that's allowed
+ UserGroupInformation realUserUgi = UserGroupInformation
+ .createRemoteUser(REAL_USER_NAME);
+ UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+ // From good IP
+ assertAuthorized(proxyUserUgi, "1.2.3.4");
+ // From bad IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+ // Now try proxying a different group (just to make sure we aren't getting spill over
+ // from the other test case!)
+ realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+ proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+
+ // From good IP
+ assertAuthorized(proxyUserUgi, "1.2.3.4");
+ // From bad IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+ }
+
+ public void testWildcardIP() {
+ Configuration conf = new Configuration();
+ conf.set(
+ ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
+ conf.set(
+ ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ "*");
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+ // First try proxying a group that's allowed
+ UserGroupInformation realUserUgi = UserGroupInformation
+ .createRemoteUser(REAL_USER_NAME);
+ UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+ // From either IP should be fine
+ assertAuthorized(proxyUserUgi, "1.2.3.4");
+ assertAuthorized(proxyUserUgi, "1.2.3.5");
+
+ // Now set up an unallowed group
+ realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+ proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+
+ // Neither IP should be OK
+ assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+ }
+
+ private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) {
+ try {
+ ProxyUsers.authorize(proxyUgi, host, null);
+ fail("Allowed authorization of " + proxyUgi + " from " + host);
+ } catch (AuthorizationException e) {
+ // Expected
+ }
+ }
+
+ private void assertAuthorized(UserGroupInformation proxyUgi, String host) {
+ try {
+ ProxyUsers.authorize(proxyUgi, host, null);
+ } catch (AuthorizationException e) {
+ fail("Did not allowed authorization of " + proxyUgi + " from " + host);
+ }
+ }
+}