Posted to common-commits@hadoop.apache.org by to...@apache.org on 2011/01/06 19:45:15 UTC

svn commit: r1056006 - in /hadoop/common/trunk: CHANGES.txt src/docs/src/documentation/content/xdocs/Superusers.xml src/java/org/apache/hadoop/security/authorize/ProxyUsers.java src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java

Author: todd
Date: Thu Jan  6 18:45:15 2011
New Revision: 1056006

URL: http://svn.apache.org/viewvc?rev=1056006&view=rev
Log:
HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. Contributed by Todd Lipcon

Added:
    hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java
Modified:
    hadoop/common/trunk/CHANGES.txt
    hadoop/common/trunk/src/docs/src/documentation/content/xdocs/Superusers.xml
    hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java

Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=1056006&r1=1056005&r2=1056006&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Thu Jan  6 18:45:15 2011
@@ -39,6 +39,9 @@ Trunk (unreleased changes)
     HADOOP-7078. Improve javadocs for RawComparator interface.
     (Harsh J Chouraria via todd)
 
+    HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations.
+    (todd)
+
   OPTIMIZATIONS
 
   BUG FIXES

Modified: hadoop/common/trunk/src/docs/src/documentation/content/xdocs/Superusers.xml
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/docs/src/documentation/content/xdocs/Superusers.xml?rev=1056006&r1=1056005&r2=1056006&view=diff
==============================================================================
--- hadoop/common/trunk/src/docs/src/documentation/content/xdocs/Superusers.xml (original)
+++ hadoop/common/trunk/src/docs/src/documentation/content/xdocs/Superusers.xml Thu Jan  6 18:45:15 2011
@@ -89,6 +89,9 @@
         <p>
            If these configurations are not present, impersonation will not be allowed and connection will fail.
         </p>
+        <p>
+          If more lax security is preferred, the wildcard value <code>*</code> may be used to allow impersonation from any host or of any user.
+        </p>
       </section>
 
  

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java?rev=1056006&r1=1056005&r2=1056006&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java Thu Jan  6 18:45:15 2011
@@ -126,7 +126,9 @@ public class ProxyUsers {
     Collection<String> allowedUserGroups = proxyGroups.get(
         getProxySuperuserGroupConfKey(superUser.getShortUserName()));
     
-    if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) {
+    if (isWildcardList(allowedUserGroups)) {
+      groupAuthorized = true;
+    } else if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) {
       for (String group : user.getGroupNames()) {
         if (allowedUserGroups.contains(group)) {
           groupAuthorized = true;
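Review bot: The new `isWildcardList(allowedUserGroups)` branch sets `groupAuthorized` without ever looking at `user.getGroupNames()`, so every proxied user is accepted for this superuser regardless of group membership; that is the intent, but nothing on the line says so and it reads like an ordinary shortcut. Suggest a comment on the branch: `// "*" as the sole entry: accept any proxied user; the user's groups are not consulted`. Putting the wildcard test ahead of the null/empty test is fine, since `isWildcardList` handles a null list itself. `authorize` begins before and continues past this hunk.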
@@ -142,8 +144,10 @@ public class ProxyUsers {
     
     Collection<String> ipList = proxyHosts.get(
         getProxySuperuserIpConfKey(superUser.getShortUserName()));
-    
-    if (ipList != null && !ipList.isEmpty()) {
+   
+    if (isWildcardList(ipList)) {
+      ipAuthorized = true;
+    } else if (ipList != null && !ipList.isEmpty()) {
       for (String allowedHost : ipList) {
         InetAddress hostAddr;
         try {
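Review bot: With `*` configured for hosts the new branch never inspects `remoteAddress`, so when both lists are wildcards the only thing standing between a compromised proxy credential and impersonation of any user is the superuser's own authentication; the branch should say so, e.g. `// "*" as the sole entry: skip host checking entirely; remoteAddress is not validated`. Operators who set `*` to work around resolution problems may not realize the host restriction is gone, so a warning logged when the wildcard is loaded (at refresh time, outside this hunk) would be worth considering. A mixed list such as `*,1.2.3.4` is not a wildcard and falls through to the loop, where the literal `*` reaches `InetAddress.getByName`; whether that is handled cleanly depends on the catch that follows this hunk. `authorize` begins before and continues past this hunk.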
@@ -162,4 +166,15 @@ public class ProxyUsers {
           + superUser.getUserName() + " from IP " + remoteAddress);
     }
   }
+
+  /**
+   * Return true if the configuration specifies the special configuration value
+   * "*", indicating that any group or host list is allowed to use this configuration.
+   */
+  private static boolean isWildcardList(Collection<String> list) {
+    return (list != null) &&
+      (list.size() == 1) &&
+      (list.contains("*"));
+  }
+
 }
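Review bot: The Javadoc on `isWildcardList` says "any group or host list is allowed", but the method only treats `*` as a wildcard when it is the sole entry, and a list like `*,foo` is silently matched literally rather than rejected or warned about; the comment should state that so operators do not assume `*` can be mixed in. Suggest: `Return true if the list consists solely of the special value "*", meaning any group (or any host) is accepted. A "*" mixed with other entries is not a wildcard and is compared literally.` Whether entries are whitespace-trimmed before reaching this method depends on how proxyGroups/proxyHosts are populated, which is outside this hunk.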

Added: hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java?rev=1056006&view=auto
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java (added)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java Thu Jan  6 18:45:15 2011
@@ -0,0 +1,152 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authorize;
+
+import java.util.Arrays;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class TestProxyUsers {
+  private static final String REAL_USER_NAME = "proxier";
+  private static final String PROXY_USER_NAME = "proxied_user";
+  private static final String[] GROUP_NAMES =
+    new String[] { "foo_group" };
+  private static final String[] OTHER_GROUP_NAMES =
+    new String[] { "bar_group" };
+  private static final String PROXY_IP = "1.2.3.4";
+
+  @Test
+  public void testProxyUsers() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+      StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
+    conf.set(
+      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+      PROXY_IP);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+        .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // From good IP
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+    // Now try proxying a group that's not allowed
+    realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+    proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+    
+    // From good IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+  }
+
+  @Test
+  public void testWildcardGroup() {
+    Configuration conf = new Configuration();
+    conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+      "*");
+    conf.set(
+      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+      PROXY_IP);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+        .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // From good IP
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+    // Now try proxying a different group (just to make sure we aren't getting spill over
+    // from the other test case!)
+    realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+    proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+    
+    // From good IP
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    // From bad IP
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+  }
+
+  @Test
+  public void testWildcardIP() {
+    Configuration conf = new Configuration();
+    conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+      StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
+    conf.set(
+      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
+      "*");
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+        .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // From either IP should be fine
+    assertAuthorized(proxyUserUgi, "1.2.3.4");
+    assertAuthorized(proxyUserUgi, "1.2.3.5");
+
+    // Now set up an unallowed group
+    realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+    proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
+    
+    // Neither IP should be OK
+    assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+    assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+  }
+
+  private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) {
+    try {
+      ProxyUsers.authorize(proxyUgi, host, null);
+      fail("Allowed authorization of " + proxyUgi + " from " + host);
+    } catch (AuthorizationException e) {
+      // Expected
+    }
+  }
+  
+  private void assertAuthorized(UserGroupInformation proxyUgi, String host) {
+    try {
+      ProxyUsers.authorize(proxyUgi, host, null);
+    } catch (AuthorizationException e) {
+      fail("Did not allowed authorization of " + proxyUgi + " from " + host);
+    }
+  }
+}
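Review bot: The new tests cover a lone `*` for groups and for hosts, but not the case the implementation deliberately excludes — `*` mixed with other entries — nor the case where both lists are `*`, which is the most permissive configuration the change enables. Adding a case that sets the group list to `*,foo_group` and asserts that `bar_group` is still rejected pins the sole-entry rule; I've sketched it below using the same helpers. Also, the failure message in `assertAuthorized` reads "Did not allowed authorization"; `"Did not allow authorization of "` would be the intended wording.
```java
  @Test
  public void testWildcardMixedWithOtherEntriesIsNotWildcard() {
    Configuration conf = new Configuration();
    // "*" only acts as a wildcard when it is the sole entry
    conf.set(
      ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
      "*," + StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
    conf.set(
      ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
      PROXY_IP);
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

    UserGroupInformation realUserUgi = UserGroupInformation
        .createRemoteUser(REAL_USER_NAME);
    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
        PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);

    // An unlisted group must still be rejected despite the "*" entry
    assertNotAuthorized(proxyUserUgi, "1.2.3.4");
  }
  // … unchanged: assertNotAuthorized / assertAuthorized helpers …
```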