Return-Path: X-Original-To: apmail-hadoop-common-commits-archive@www.apache.org Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2ADA1C2E5 for ; Fri, 8 Jun 2012 00:44:18 +0000 (UTC) Received: (qmail 17221 invoked by uid 500); 8 Jun 2012 00:44:17 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 17168 invoked by uid 500); 8 Jun 2012 00:44:17 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 17157 invoked by uid 99); 8 Jun 2012 00:44:17 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jun 2012 00:44:17 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jun 2012 00:44:14 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 0207B23889D5; Fri, 8 Jun 2012 00:43:53 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1347845 - in /hadoop/common/branches/branch-0.22/common: ./ src/docs/src/documentation/content/xdocs/ src/java/org/apache/hadoop/security/authorize/ src/test/core/org/apache/hadoop/security/authorize/ Date: Fri, 08 Jun 2012 00:43:52 -0000 To: common-commits@hadoop.apache.org 
From: shv@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120608004353.0207B23889D5@eris.apache.org> Author: shv Date: Fri Jun 8 00:43:52 2012 New Revision: 1347845 URL: http://svn.apache.org/viewvc?rev=1347845&view=rev Log: HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. Contributed by Todd Lipcon and Mayank Bansal. Added: hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java (with props) Modified: hadoop/common/branches/branch-0.22/common/CHANGES.txt hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java Modified: hadoop/common/branches/branch-0.22/common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/CHANGES.txt?rev=1347845&r1=1347844&r2=1347845&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/common/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.22/common/CHANGES.txt Fri Jun 8 00:43:52 2012 @@ -8,6 +8,9 @@ Release 0.22.1 - Unreleased IMPROVEMENTS + HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. + (Todd Lipcon and Mayank Bansal via shv) + OPTIMIZATIONS BUG FIXES Modified: hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml?rev=1347845&r1=1347844&r2=1347845&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml (original) +++ hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml Fri Jun 8 00:43:52 2012 @@ -89,6 +89,9 @@

If these configurations are not present, impersonation will not be allowed and connection will fail.

+

+ If more lax security is preferred, the wildcard value * may be used to allow impersonation from any host or of any user. +

Modified: hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java?rev=1347845&r1=1347844&r2=1347845&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java (original) +++ hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java Fri Jun 8 00:43:52 2012 @@ -126,7 +126,9 @@ public class ProxyUsers { Collection allowedUserGroups = proxyGroups.get( getProxySuperuserGroupConfKey(superUser.getShortUserName())); - if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) { + if (isWildcardList(allowedUserGroups)) { + groupAuthorized = true; + } else if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) { for (String group : user.getGroupNames()) { if (allowedUserGroups.contains(group)) { groupAuthorized = true; @@ -142,8 +144,10 @@ public class ProxyUsers { Collection ipList = proxyHosts.get( getProxySuperuserIpConfKey(superUser.getShortUserName())); - - if (ipList != null && !ipList.isEmpty()) { + + if (isWildcardList(ipList)) { + ipAuthorized = true; + } else if (ipList != null && !ipList.isEmpty()) { for (String allowedHost : ipList) { InetAddress hostAddr; try { 
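Review bot: In both hunks of this file (the `allowedUserGroups` branch at @@ -126 and the `ipList` branch at @@ -142), a list that contains "*" together with other entries is not recognised as a wildcard and falls into the plain `else if` branch, where "*" is then compared as a literal group name or, presumably, handed to the host resolution inside the `try` block; the operator gets neither wildcard behaviour nor a warning. That should either be stated on the configuration keys or caught when the lists are loaded in `refreshSuperUserGroupsConfiguration`, for example by logging a warning that a "*" mixed with other entries for that key is ignored. The new `groupAuthorized = true;` and `ipAuthorized = true;` lines also authorize without leaving any trace that a wildcard, rather than an explicit match, granted the impersonation; a debug-level log on those two lines would help when auditing superuser configurations. The enclosing method (presumably `authorize`) starts before and ends after these hunks.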
@@ -162,4 +166,15 @@ public class ProxyUsers { + superUser.getUserName() + " from IP " + remoteAddress); } } + + /** + * Return true if the configuration specifies the special configuration value + * "*", indicating that any group or host list is allowed to use this configuration. + */ + private static boolean isWildcardList(Collection list) { + return (list != null) && + (list.size() == 1) && + (list.contains("*")); + } + } Added: hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java?rev=1347845&view=auto ============================================================================== --- hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java (added) +++ hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java Fri Jun 8 00:43:52 2012 
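Review bot: The Javadoc on `isWildcardList` reads as if the wildcard applied to "any group or host list", which is not what the code checks; it returns true only when the collection holds exactly one element equal to "*". Suggest `Returns true if {@code list} consists solely of the wildcard entry "*", meaning every group (or every host) is accepted; a "*" mixed with other entries is not treated as a wildcard.` The parameter also appears here as a raw `Collection` (the type argument may have been stripped by the mail rendering); if it really is raw it should be `Collection<String>`, matching the `contains("*")` intent and the callers' string lists.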
@@ -0,0 +1,152 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.security.authorize; + +import java.util.Arrays; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.util.StringUtils; +import org.apache.hadoop.security.UserGroupInformation; + +import org.junit.Test; +import static org.junit.Assert.*; + +public class TestProxyUsers { + private static final String REAL_USER_NAME = "proxier"; + private static final String PROXY_USER_NAME = "proxied_user"; + private static final String[] GROUP_NAMES = + new String[] { "foo_group" }; + private static final String[] OTHER_GROUP_NAMES = + new String[] { "bar_group" }; + private static final String PROXY_IP = "1.2.3.4"; + + @Test + public void testProxyUsers() throws Exception { + Configuration conf = new Configuration(); + conf.set( + ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME), + StringUtils.join(",", Arrays.asList(GROUP_NAMES))); + conf.set( + ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME), + PROXY_IP); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + + + // First try proxying a group that's allowed + UserGroupInformation realUserUgi = UserGroupInformation + 
.createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // From good IP + assertAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + + // Now try proxying a group that's not allowed + realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); + proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); + + // From good IP + assertNotAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + } + + @Test + public void testWildcardGroup() { + Configuration conf = new Configuration(); + conf.set( + ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME), + "*"); + conf.set( + ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME), + PROXY_IP); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + + // First try proxying a group that's allowed + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // From good IP + assertAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + + // Now try proxying a different group (just to make sure we aren't getting spill over + // from the other test case!) 
+ realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); + proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); + + // From good IP + assertAuthorized(proxyUserUgi, "1.2.3.4"); + // From bad IP + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + } + + @Test + public void testWildcardIP() { + Configuration conf = new Configuration(); + conf.set( + ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME), + StringUtils.join(",", Arrays.asList(GROUP_NAMES))); + conf.set( + ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME), + "*"); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + + // First try proxying a group that's allowed + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // From either IP should be fine + assertAuthorized(proxyUserUgi, "1.2.3.4"); + assertAuthorized(proxyUserUgi, "1.2.3.5"); + + // Now set up an unallowed group + realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); + proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); + + // Neither IP should be OK + assertNotAuthorized(proxyUserUgi, "1.2.3.4"); + assertNotAuthorized(proxyUserUgi, "1.2.3.5"); + } + + private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { + try { + ProxyUsers.authorize(proxyUgi, host, null); + fail("Allowed authorization of " + proxyUgi + " from " + host); + } catch (AuthorizationException e) { + // Expected + } + } + + private void assertAuthorized(UserGroupInformation proxyUgi, String host) { + try { + ProxyUsers.authorize(proxyUgi, host, null); + } catch (AuthorizationException e) { + fail("Did not allowed authorization of " + proxyUgi + " from " + host); + } + } +} Propchange: 
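Review bot: The new tests only exercise the exact "*" configurations; there is no case for a list that mixes "*" with other entries (e.g. `"*,foo_group"`, where a user outside the listed groups should still be denied), no partial pattern such as `"1.2.3.*"` (which `isWildcardList` does not treat as a wildcard and so should be denied), and no case with both the group key and the IP key set to "*". Pinning those down would document that the wildcard is all-or-nothing rather than a glob. Separately, `assertAuthorized` drops the caught exception and has a typo: `fail("Did not allowed authorization of " + proxyUgi + " from " + host);` would be more useful as `fail("Did not allow authorization of " + proxyUgi + " from " + host + ": " + e);`.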
hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java ------------------------------------------------------------------------------ svn:mime-type = text/plain