示例#1
 /// <summary>
 /// Checks that the current user (as returned by <c>GetUser()</c>) may perform
 /// <paramref name="opType"/> on the key named <paramref name="keyName"/>.
 /// </summary>
 /// <remarks>
 /// The ACL consulted is the one named by the key's <c>KeyAclName</c> metadata
 /// attribute; when that attribute is null the key name itself is used as the ACL name.
 /// When the provider returns no metadata for the key, no check is performed here.
 /// </remarks>
 /// <param name="keyName">Name of the key being accessed.</param>
 /// <param name="opType">Operation the caller wants to perform on the key.</param>
 /// <exception cref="System.IO.IOException"/>
 private void DoAccessCheck(string keyName, KeyAuthorizationKeyProvider.KeyOpType opType)
 {
     KeyProvider.Metadata keyMetadata = provider.GetMetadata(keyName);
     if (keyMetadata == null)
     {
         // NOTE(review): an unknown key skips authorization entirely. Presumably the
         // caller's subsequent provider call fails for a missing key; confirm, because
         // this path is only safe if nothing sensitive is reachable without metadata.
         return;
     }

     // NOTE(review): if GetAttributes() returns a standard .NET dictionary, the indexer
     // throws KeyNotFoundException for a key without the attribute instead of yielding
     // null, so the key-name fallback below would never run. Verify the return type.
     string configuredAclName = keyMetadata.GetAttributes()[KeyAclName];
     CheckAccess(configuredAclName ?? keyName, GetUser(), opType);
 }
示例#2
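        /// <summary>
        /// Decides whether <paramref name="ugi"/> may perform <paramref name="opType"/> on the
        /// key named <paramref name="keyName"/>, using the key's own ACL map when one is
        /// configured and the default key ACLs otherwise.
        /// </summary>
        /// <param name="keyName">Key (ACL) name to look up in <c>keyAcls</c>.</param>
        /// <param name="ugi">User whose access is being evaluated.</param>
        /// <param name="opType">Operation being requested.</param>
        /// <returns>The result of the per-operation check on the selected ACL map.</returns>
        private bool CheckKeyAccess(string keyName, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType
                                    opType)
        {
            // Look the key up with TryGetValue: the indexer of a standard .NET dictionary
            // throws KeyNotFoundException for an unconfigured key, which would skip the
            // default-ACL fallback below and surface as an unrelated exception type
            // instead of an authorization decision.
            Dictionary <KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> perKeyAcl;
            IDictionary <KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> keyAcl = null;

            if (keyAcls.TryGetValue(keyName, out perKeyAcl))
            {
                keyAcl = perKeyAcl;
            }
            if (keyAcl == null)
            {
                // If No key acl defined for this key, check to see if
                // there are key defaults configured for this operation
                keyAcl = defaultKeyAcls;
            }
            return(CheckKeyAccess(keyAcl, ugi, opType));
        }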
示例#3
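        /// <summary>
        /// Evaluates one operation against an ACL map: access is allowed only when the map
        /// holds an ACL for <paramref name="opType"/> and that ACL admits <paramref name="ugi"/>.
        /// </summary>
        /// <param name="keyAcl">Map from operation type to the ACL governing it.</param>
        /// <param name="ugi">User whose access is being evaluated.</param>
        /// <param name="opType">Operation being requested.</param>
        /// <returns>
        /// <c>false</c> when no ACL is present for the operation (deny by default);
        /// otherwise the result of <c>AccessControlList.IsUserAllowed</c>.
        /// </returns>
        private bool CheckKeyAccess(IDictionary <KeyAuthorizationKeyProvider.KeyOpType, AccessControlList
                                                 > keyAcl, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType opType
                                    )
        {
            // TryGetValue keeps the deny-by-default path reachable: the indexer of a standard
            // .NET dictionary throws KeyNotFoundException for a missing operation, so the
            // null test alone would never see the "no ACL configured" case.
            AccessControlList acl;

            if (!keyAcl.TryGetValue(opType, out acl) || acl == null)
            {
                // If no acl is specified for this operation,
                // deny access
                return(false);
            }
            return(acl.IsUserAllowed(ugi));
        }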
示例#4
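 /// <summary>
 /// Throws unless <paramref name="ugi"/> is authorized for <paramref name="opType"/>
 /// under the ACL named <paramref name="aclName"/>.
 /// </summary>
 /// <remarks>
 /// Authorization requires that an ACL is present for the name/operation pair and that
 /// the user has access either for the requested operation or for the <c>All</c> operation.
 /// </remarks>
 /// <param name="aclName">Name of the ACL to evaluate; must not be null.</param>
 /// <param name="ugi">User being authorized; must not be null.</param>
 /// <param name="opType">Operation being requested.</param>
 /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException">
 /// The user is not authorized for the operation.
 /// </exception>
 private void CheckAccess(string aclName, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType
                          opType)
 {
     Preconditions.CheckNotNull(aclName, "Key ACL name cannot be null");
     Preconditions.CheckNotNull(ugi, "UserGroupInformation cannot be null");

     bool authorized = acls.IsACLPresent(aclName, opType)
                       && (acls.HasAccessToKey(aclName, ugi, opType)
                           || acls.HasAccessToKey(aclName, ugi, KeyAuthorizationKeyProvider.KeyOpType.All));
     if (authorized)
     {
         return;
     }

     // string.Format takes indexed placeholders; the Java-style "%s" markers were emitted
     // literally, so the denial message named neither the user, the operation nor the ACL
     // and was useless for audit and troubleshooting.
     throw new AuthorizationException(string.Format(
         "User [{0}] is not authorized to perform [{1}] on key with ACL name [{2}]!!",
         ugi.GetShortUserName(), opType, aclName));
 }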
示例#5
 /// <summary>
 /// Reports whether any ACL could apply to the given key and operation: an entry for the
 /// key in <c>keyAcls</c>, or an entry for the operation in the default or whitelist ACLs.
 /// </summary>
 /// <remarks>
 /// A <c>true</c> result only means an ACL exists; it says nothing about whether a
 /// particular user is admitted by it.
 /// </remarks>
 /// <param name="keyName">Key (ACL) name to look for.</param>
 /// <param name="opType">Operation to look for in the default and whitelist ACLs.</param>
 /// <returns><c>true</c> when at least one of the three lookups succeeds.</returns>
 public virtual bool IsACLPresent(string keyName, KeyAuthorizationKeyProvider.KeyOpType
                                  opType)
 {
     // Evaluated in the same order as a short-circuit OR: key-specific, default, whitelist.
     if (keyAcls.Contains(keyName))
     {
         return true;
     }
     if (defaultKeyAcls.Contains(opType))
     {
         return true;
     }
     return whitelistKeyAcls.Contains(opType);
 }
示例#6
 /// <summary>
 /// Decides whether <paramref name="ugi"/> may perform <paramref name="opType"/> on the key.
 /// </summary>
 /// <remarks>
 /// Access is granted when the key-level check (the key's own ACL, or the default ACL when
 /// the key has none) admits the user, or failing that when the whitelist ACL for the
 /// operation admits the user. The whitelist is therefore an additional grant path that
 /// does not depend on the key's own ACL.
 /// </remarks>
 /// <param name="keyName">Key (ACL) name being accessed.</param>
 /// <param name="ugi">User whose access is being evaluated.</param>
 /// <param name="opType">Operation being requested.</param>
 /// <returns><c>true</c> when either check admits the user.</returns>
 public virtual bool HasAccessToKey(string keyName, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType
                                    opType)
 {
     if (CheckKeyAccess(keyName, ugi, opType))
     {
         return true;
     }
     // Only consulted when the key-level check denied.
     return CheckKeyAccess(whitelistKeyAcls, ugi, opType);
 }
示例#7
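        /// <summary>
        /// Loads the key ACL configuration: per-key ACLs from every property matching
        /// <c>KMSConfiguration.KeyAclPrefixRegex</c>, then default and whitelist ACLs for
        /// each operation type that does not already have one.
        /// </summary>
        /// <remarks>
        /// Per-key ACLs are built in a temporary map and assigned to <c>keyAcls</c> in one
        /// step. Properties with a malformed name or an unrecognized operation are skipped
        /// with a warning, so no ACL is recorded for them. A default or whitelist ACL
        /// configured for the <c>All</c> operation is ignored with a warning.
        /// </remarks>
        /// <param name="conf">Configuration to read the ACL properties from.</param>
        private void SetKeyACLs(Configuration conf)
        {
            IDictionary <string, Dictionary <KeyAuthorizationKeyProvider.KeyOpType, AccessControlList
                                             > > tempKeyAcls = new Dictionary <string, Dictionary <KeyAuthorizationKeyProvider.KeyOpType
                                                                                                   , AccessControlList> >();
            IDictionary <string, string> allKeyACLS = conf.GetValByRegex(KMSConfiguration.KeyAclPrefixRegex
                                                                         );

            foreach (KeyValuePair <string, string> keyAcl in allKeyACLS)
            {
                string k = keyAcl.Key;
                // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>"
                int keyNameStarts = KMSConfiguration.KeyAclPrefix.Length;
                // char overload: an ordinal search, independent of the current culture
                int keyNameEnds   = k.LastIndexOf('.');
                if (keyNameStarts >= keyNameEnds)
                {
                    Log.Warn("Invalid key name '{}'", k);
                }
                else
                {
                    string aclStr  = keyAcl.Value;
                    string keyName = Runtime.Substring(k, keyNameStarts, keyNameEnds);
                    string keyOp   = Runtime.Substring(k, keyNameEnds + 1);
                    KeyAuthorizationKeyProvider.KeyOpType aclType = null;
                    try
                    {
                        aclType = KeyAuthorizationKeyProvider.KeyOpType.ValueOf(keyOp);
                    }
                    catch (ArgumentException)
                    {
                        // A mistyped operation name leaves that operation without an ACL
                        // for this key; the warning is the only trace of it.
                        Log.Warn("Invalid key Operation '{}'", keyOp);
                    }
                    if (aclType != null)
                    {
                        // On the assumption this will be single threaded.. else we need to
                        // ConcurrentHashMap
                        //
                        // TryGetValue instead of the indexer: on a Dictionary the indexer
                        // throws KeyNotFoundException the first time a key name is seen, so
                        // the "create the map on first use" branch was unreachable.
                        Dictionary <KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> aclMap;
                        if (!tempKeyAcls.TryGetValue(keyName, out aclMap) || aclMap == null)
                        {
                            aclMap = new Dictionary <KeyAuthorizationKeyProvider.KeyOpType, AccessControlList>
                                         ();
                            tempKeyAcls[keyName] = aclMap;
                        }
                        aclMap[aclType] = new AccessControlList(aclStr);
                        // The full ACL string (users and groups) is written to the log here.
                        Log.Info("KEY_NAME '{}' KEY_OP '{}' ACL '{}'", keyName, aclType, aclStr);
                    }
                }
            }
            // Publish the freshly built per-key map in a single assignment.
            keyAcls = tempKeyAcls;
            foreach (KeyAuthorizationKeyProvider.KeyOpType keyOp_1 in KeyAuthorizationKeyProvider.KeyOpType
                     .Values())
            {
                // Existing default entries are never overwritten by this method.
                if (!defaultKeyAcls.Contains(keyOp_1))
                {
                    string confKey = KMSConfiguration.DefaultKeyAclPrefix + keyOp_1;
                    string aclStr  = conf.Get(confKey);
                    if (aclStr != null)
                    {
                        if (keyOp_1 == KeyAuthorizationKeyProvider.KeyOpType.All)
                        {
                            // Ignore All operation for default key acl
                            Log.Warn("Should not configure default key ACL for KEY_OP '{}'", keyOp_1);
                        }
                        else
                        {
                            // NOTE(review): "*" is presumably the wildcard that admits every
                            // user; it is only logged, not rejected. Confirm against
                            // AccessControlList before relying on defaults being restrictive.
                            if (aclStr.Equals("*"))
                            {
                                Log.Info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp_1);
                            }
                            defaultKeyAcls[keyOp_1] = new AccessControlList(aclStr);
                        }
                    }
                }
                // Existing whitelist entries are never overwritten by this method.
                if (!whitelistKeyAcls.Contains(keyOp_1))
                {
                    string confKey = KMSConfiguration.WhitelistKeyAclPrefix + keyOp_1;
                    string aclStr  = conf.Get(confKey);
                    if (aclStr != null)
                    {
                        if (keyOp_1 == KeyAuthorizationKeyProvider.KeyOpType.All)
                        {
                            // Ignore All operation for whitelist key acl
                            Log.Warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp_1);
                        }
                        else
                        {
                            // NOTE(review): a "*" whitelist entry presumably admits every user
                            // for this operation on every key, because HasAccessToKey consults
                            // the whitelist whenever the key-level check denies. Confirm.
                            if (aclStr.Equals("*"))
                            {
                                Log.Info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp_1);
                            }
                            whitelistKeyAcls[keyOp_1] = new AccessControlList(aclStr);
                        }
                    }
                }
            }
        }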