Posted to reviews@livy.apache.org by GitBox <gi...@apache.org> on 2019/01/22 21:28:48 UTC

[GitHub] vanzin commented on a change in pull request #141: [LIVY-551] Add "doAs" impersonation support

vanzin commented on a change in pull request #141: [LIVY-551] Add "doAs" impersonation support
URL: https://github.com/apache/incubator-livy/pull/141#discussion_r249962561
 
 

 ##########
 File path: server/src/main/scala/org/apache/livy/server/AccessManager.scala
 ##########
 @@ -97,47 +99,71 @@ private[livy] class AccessManager(conf: LivyConf) extends Logging {
    */
   def isAccessControlOn: Boolean = aclsOn
 
+  def getRequestUser(request: HttpServletRequest): String = {
+    request.getRemoteUser
+  }
+
+  def getImpersonatedUser(request: HttpServletRequest): Option[String] = {
+    val impersonatedUser = Option(request.getParameter("doAs"))
+    impersonatedUser.filter(checkImpersonation(request, _))
+  }
+
+  def getEffectiveUser(request: HttpServletRequest): String = {
+    val requestUser = getRequestUser(request)
+    val impersonatedUser = getImpersonatedUser(request)
+    impersonatedUser.getOrElse(requestUser)
+  }
+
   /**
    * Checks that the requesting user can impersonate the target user.
    * If the user does not have permission to impersonate, then throws an `AccessControlException`.
-   *
-   * @return The user that should be impersonated. That can be the target user if defined, the
-   *         request's user - which may not be defined - otherwise, or `None` if impersonation is
-   *         disabled.
    */
-  def checkImpersonation(
-      target: Option[String],
-      requestUser: String,
-      livyConf: LivyConf): Option[String] = {
-    if (livyConf.getBoolean(LivyConf.IMPERSONATION_ENABLED)) {
-      if (!target.forall(hasSuperAccess(_, requestUser))) {
-        throw new AccessControlException(
-          s"User '$requestUser' not allowed to impersonate '$target'.")
+  def checkImpersonation(request: HttpServletRequest, impersonatedUser: String): Boolean = {
+    if (conf.getBoolean(LivyConf.IMPERSONATION_ENABLED)) {
+      if (hasSuperAccess(request, impersonatedUser) || checkProxyUser(request, impersonatedUser)) {
+        return true
       }
-      target.orElse(Option(requestUser))
-    } else {
-      None
+      val requestUser = getRequestUser(request)
+      throw new AccessControlException(
+        s"User '$requestUser' not allowed to impersonate '$impersonatedUser'.")
     }
+    false
+  }
+
+  def checkProxyUser(request: HttpServletRequest, impersonatedUser: String): Boolean = {
+    val proxyUser = getRequestUser(request)
+    val remoteHost = request.getRemoteHost
+    val allowedHosts = conf.hadoopConf.get("hadoop.proxyuser." + proxyUser + ".hosts")
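Review bot: `getRequestUser` returns `request.getRemoteUser` unwrapped, which the Servlet API defines as null for an unauthenticated request, so `getEffectiveUser` can return null and `checkProxyUser` would look up the key `hadoop.proxyuser.null.hosts`; the removed code guarded this case with `Option(requestUser)`. Consider `Option(request.getRemoteUser)` in `getRequestUser` and refusing any `doAs` value when there is no authenticated caller. Separately, when `IMPERSONATION_ENABLED` is off `checkImpersonation` returns false, so the `filter` in `getImpersonatedUser` drops `doAs` silently and the request proceeds as the caller, while the Scaladoc only mentions the exception; it should say `@return false when impersonation is disabled`, and the `return true` can become the value of an `if`/`else` expression. `checkProxyUser` continues past the quoted lines, so its host comparison is not covered by this note.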
 
 Review comment:
   It doesn't feel right to look at Hadoop's configuration when deciding whether impersonation is allowed in Livy. They'll probably end up being different.
   
   e.g. Hadoop's configuration could allow `livy` to impersonate anybody and that's it. But Livy could allow `admin` to impersonate other people when performing Livy operations.
   
   IIRC the current Livy behavior is "superusers can impersonate". What are you trying to achieve here?
