/// <summary>
/// Resolves the ACL name that governs <paramref name="keyName"/> from the key's metadata
/// and runs <see cref="CheckAccess"/> for the calling user.
/// </summary>
/// <param name="keyName">Name of the key being operated on.</param>
/// <param name="opType">Operation the caller wants to perform on the key.</param>
/// <remarks>
/// When the metadata carries a <c>KeyAclName</c> attribute, that value is the ACL name;
/// otherwise the key name itself is used. When no metadata comes back at all, no check
/// is performed here.
/// NOTE(review): if <c>GetAttributes()</c> returns a BCL dictionary, the indexer throws
/// <c>KeyNotFoundException</c> for an absent attribute instead of yielding null, so the
/// fallback to the key name would never be reached — confirm the returned type.
/// </remarks>
/// <exception cref="System.IO.IOException"/>
private void DoAccessCheck(string keyName, KeyAuthorizationKeyProvider.KeyOpType opType)
{
    KeyProvider.Metadata keyMetadata = provider.GetMetadata(keyName);
    if (keyMetadata == null)
    {
        // Nothing to evaluate against.
        return;
    }
    string configuredAclName = keyMetadata.GetAttributes()[KeyAclName];
    string effectiveAclName = configuredAclName ?? keyName;
    CheckAccess(effectiveAclName, GetUser(), opType);
}
/// <summary>
/// Checks whether <paramref name="ugi"/> may perform <paramref name="opType"/> on the key
/// named <paramref name="keyName"/>, using that key's own ACL map or, when the key has no
/// ACL map of its own, the default per-operation ACLs.
/// </summary>
/// <param name="keyName">Key whose ACLs are consulted.</param>
/// <param name="ugi">User to evaluate.</param>
/// <param name="opType">Operation being authorized.</param>
/// <returns>true if the selected ACL map admits the user for the operation.</returns>
/// <remarks>
/// NOTE(review): the indexer on <c>keyAcls</c> is relied on to yield null for an unknown
/// key; a BCL <c>IDictionary</c> indexer throws <c>KeyNotFoundException</c> instead, which
/// would replace the fallback to defaults with an exception — confirm the field's type
/// (it is populated in <c>SetKeyACLs</c>).
/// </remarks>
private bool CheckKeyAccess(string keyName, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType opType)
{
    IDictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> aclsForKey = keyAcls[keyName];
    // No per-key ACL map: fall back to whatever defaults were configured per operation.
    IDictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> effectiveAcls =
        aclsForKey ?? defaultKeyAcls;
    return CheckKeyAccess(effectiveAcls, ugi, opType);
}
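/// <summary>
/// Looks up the ACL configured for <paramref name="opType"/> in <paramref name="keyAcl"/>
/// and evaluates it for <paramref name="ugi"/>.
/// </summary>
/// <param name="keyAcl">ACL map for one key, or the default / whitelist map.</param>
/// <param name="ugi">User to evaluate.</param>
/// <param name="opType">Operation being authorized.</param>
/// <returns>
/// true only when an ACL entry exists for <paramref name="opType"/> and it admits
/// <paramref name="ugi"/>; a missing entry (or a missing map) is denied.
/// </returns>
private bool CheckKeyAccess(IDictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> keyAcl, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType opType)
{
    if (keyAcl == null)
    {
        // No map at all: fail closed rather than dereference null.
        return false;
    }
    // TryGetValue rather than the indexer: on an IDictionary the indexer throws
    // KeyNotFoundException for an operation with no entry, which would turn the
    // intended "no ACL configured -> deny" into an exception escaping the
    // authorization path.
    if (!keyAcl.TryGetValue(opType, out AccessControlList acl) || acl == null)
    {
        // Deny by default when nothing is configured for this operation.
        return false;
    }
    return acl.IsUserAllowed(ugi);
}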
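/// <summary>
/// Authorizes <paramref name="ugi"/> to perform <paramref name="opType"/> under the ACL
/// named <paramref name="aclName"/>, throwing when access is not granted.
/// </summary>
/// <param name="aclName">ACL name to evaluate (the key name or its configured ACL-name attribute).</param>
/// <param name="ugi">Caller identity.</param>
/// <param name="opType">Requested operation.</param>
/// <remarks>
/// Access is granted only when an ACL is present for the name/operation and it admits the
/// user either for <paramref name="opType"/> specifically or for <c>KeyOpType.All</c>.
/// Anything else — including a name with no ACL configured at all — is refused, so the
/// check fails closed.
/// </remarks>
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException">
/// Thrown when the user is not authorized.
/// </exception>
private void CheckAccess(string aclName, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType opType)
{
    Preconditions.CheckNotNull(aclName, "Key ACL name cannot be null");
    Preconditions.CheckNotNull(ugi, "UserGroupInformation cannot be null");
    bool allowed = acls.IsACLPresent(aclName, opType)
        && (acls.HasAccessToKey(aclName, ugi, opType)
            || acls.HasAccessToKey(aclName, ugi, KeyAuthorizationKeyProvider.KeyOpType.All));
    if (allowed)
    {
        return;
    }
    // The previous message used Java-style "%s" placeholders, which string.Format does not
    // substitute, so the user, operation and ACL name never appeared in the exception text.
    throw new AuthorizationException(
        $"User [{ugi.GetShortUserName()}] is not authorized to perform [{opType}] on key with ACL name [{aclName}]!!");
}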
/// <summary>
/// Reports whether any ACL source could apply to <paramref name="keyName"/> for
/// <paramref name="opType"/>: a per-key ACL map, a default ACL for the operation, or a
/// whitelist ACL for the operation.
/// </summary>
/// <param name="keyName">Key (or ACL name) being looked up.</param>
/// <param name="opType">Operation being authorized.</param>
/// <returns>true when at least one of the three sources has an entry.</returns>
/// <remarks>
/// "Present" is weaker than "allowed": the per-key test only asks whether the key has any
/// ACL map, not one for this operation, so callers must still evaluate the ACL itself.
/// </remarks>
public virtual bool IsACLPresent(string keyName, KeyAuthorizationKeyProvider.KeyOpType opType)
{
    if (keyAcls.Contains(keyName))
    {
        return true;
    }
    if (defaultKeyAcls.Contains(opType))
    {
        return true;
    }
    return whitelistKeyAcls.Contains(opType);
}
/// <summary>
/// Decides whether <paramref name="ugi"/> may perform <paramref name="opType"/> on
/// <paramref name="keyName"/>: the key's own ACLs (with the configured defaults as
/// fallback) or the whitelist ACL for that operation must admit the user.
/// </summary>
/// <param name="keyName">Key being accessed.</param>
/// <param name="ugi">User to evaluate.</param>
/// <param name="opType">Operation being authorized.</param>
/// <returns>true if either the key-specific check or the whitelist check passes.</returns>
public virtual bool HasAccessToKey(string keyName, UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType opType)
{
    bool allowedByKeyAcl = CheckKeyAccess(keyName, ugi, opType);
    if (allowedByKeyAcl)
    {
        return true;
    }
    // The whitelist is consulted only when the per-key ACLs did not admit the user.
    return CheckKeyAccess(whitelistKeyAcls, ugi, opType);
}
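/// <summary>
/// (Re)loads the per-key, default and whitelist key ACLs from <paramref name="conf"/>.
/// </summary>
/// <param name="conf">
/// Configuration holding <c>key.acl.&lt;KEY_NAME&gt;.&lt;OP_TYPE&gt;</c> entries plus the
/// default and whitelist ACL entries keyed by operation.
/// </param>
/// <remarks>
/// Per-key ACLs are built into a fresh map and swapped in with a single assignment; the
/// method is written on the assumption of a single-threaded caller. Default and whitelist
/// ACLs are read only for operations not already present in their maps, and
/// <c>KeyOpType.All</c> is rejected for both with a warning. A value of <c>"*"</c> is
/// logged at Info because it is the wildcard form; in Hadoop's <c>AccessControlList</c>
/// that admits every user, so such entries deserve an audit.
/// NOTE(review): because existing default/whitelist entries are skipped, an entry removed
/// from the configuration appears to stay in effect across a reload — confirm this is
/// intended.
/// </remarks>
private void SetKeyACLs(Configuration conf)
{
    IDictionary<string, Dictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList>> tempKeyAcls =
        new Dictionary<string, Dictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList>>();
    IDictionary<string, string> allKeyACLS = conf.GetValByRegex(KMSConfiguration.KeyAclPrefixRegex);
    foreach (KeyValuePair<string, string> keyAcl in allKeyACLS)
    {
        string k = keyAcl.Key;
        // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>"
        int keyNameStarts = KMSConfiguration.KeyAclPrefix.Length;
        // Char overload: an ordinal search, independent of the current culture.
        int keyNameEnds = k.LastIndexOf('.');
        if (keyNameStarts >= keyNameEnds)
        {
            Log.Warn("Invalid key name '{}'", k);
            continue;
        }
        string aclStr = keyAcl.Value;
        string keyName = Runtime.Substring(k, keyNameStarts, keyNameEnds);
        string keyOp = Runtime.Substring(k, keyNameEnds + 1);
        KeyAuthorizationKeyProvider.KeyOpType aclType = null;
        try
        {
            aclType = KeyAuthorizationKeyProvider.KeyOpType.ValueOf(keyOp);
        }
        catch (ArgumentException)
        {
            Log.Warn("Invalid key Operation '{}'", keyOp);
        }
        if (aclType == null)
        {
            // Unknown operation name: the entry is skipped (already warned above).
            continue;
        }
        // On the assumption this will be single threaded.. else we need to
        // ConcurrentHashMap
        // TryGetValue rather than the indexer: a BCL dictionary throws
        // KeyNotFoundException for a key seen for the first time, which would abort
        // ACL loading on the very first entry instead of creating the per-key map.
        if (!tempKeyAcls.TryGetValue(keyName, out Dictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> aclMap)
            || aclMap == null)
        {
            aclMap = new Dictionary<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList>();
            tempKeyAcls[keyName] = aclMap;
        }
        aclMap[aclType] = new AccessControlList(aclStr);
        Log.Info("KEY_NAME '{}' KEY_OP '{}' ACL '{}'", keyName, aclType, aclStr);
    }
    // Single assignment swaps the whole per-key map in at once.
    keyAcls = tempKeyAcls;
    foreach (KeyAuthorizationKeyProvider.KeyOpType keyOp_1 in KeyAuthorizationKeyProvider.KeyOpType.Values())
    {
        if (!defaultKeyAcls.Contains(keyOp_1))
        {
            string confKey = KMSConfiguration.DefaultKeyAclPrefix + keyOp_1;
            string aclStr = conf.Get(confKey);
            if (aclStr != null)
            {
                if (keyOp_1 == KeyAuthorizationKeyProvider.KeyOpType.All)
                {
                    // Ignore All operation for default key acl
                    Log.Warn("Should not configure default key ACL for KEY_OP '{}'", keyOp_1);
                }
                else
                {
                    if (aclStr == "*")
                    {
                        // Wildcard default: every user gets this operation on keys
                        // without their own ACL.
                        Log.Info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp_1);
                    }
                    defaultKeyAcls[keyOp_1] = new AccessControlList(aclStr);
                }
            }
        }
        if (!whitelistKeyAcls.Contains(keyOp_1))
        {
            string confKey = KMSConfiguration.WhitelistKeyAclPrefix + keyOp_1;
            string aclStr = conf.Get(confKey);
            if (aclStr != null)
            {
                if (keyOp_1 == KeyAuthorizationKeyProvider.KeyOpType.All)
                {
                    // Ignore All operation for whitelist key acl
                    Log.Warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp_1);
                }
                else
                {
                    if (aclStr == "*")
                    {
                        // Wildcard whitelist: every user bypasses per-key ACLs for
                        // this operation.
                        Log.Info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp_1);
                    }
                    whitelistKeyAcls[keyOp_1] = new AccessControlList(aclStr);
                }
            }
        }
    }
}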