org.apache.oozie.service
Class AuthorizationService

java.lang.Object
  extended by org.apache.oozie.service.AuthorizationService
All Implemented Interfaces:
Service

public class AuthorizationService
extends Object
implements Service

The authorization service provides all authorization checks.


Field Summary
static String ADMIN_USERS_FILE
          File that contains list of admin users for Oozie.
static String CONF_ADMIN_GROUPS
          Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used.
static String CONF_AUTHORIZATION_ENABLED
          Configuration parameter to enable or disable Oozie admin role.
static String CONF_DEFAULT_GROUP_AS_ACL
          Configuration parameter to enable old behavior default group as ACL.
static String CONF_PREFIX
           
static String CONF_SECURITY_ENABLED
          Configuration parameter to enable or disable Oozie admin role.
protected static String INSTR_FAILED_AUTH_COUNTER
           
protected static String INSTRUMENTATION_GROUP
           
 
Fields inherited from interface org.apache.oozie.service.Service
DEFAULT_LOCK_TIMEOUT, lockTimeout, USE_XCOMMAND
 
Constructor Summary
AuthorizationService()
           
 
Method Summary
 void authorizeForAdmin(String user, boolean write)
          Check if the user has admin privileges.
 void authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf)
          Check if the user+group is authorized to use the specified application.
 void authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf)
          Check if the user+group is authorized to use the specified application.
 void authorizeForGroup(String user, String group)
          Check if the user belongs to the group or not.
 void authorizeForJob(String user, String jobId, boolean write)
          Check if the user+group is authorized to operate on the specified job.
 void destroy()
          Destroy the service.
 String getDefaultGroup(String user)
          Return the default group to which the user belongs.
 Class<? extends Service> getInterface()
          Return the public interface of the service.
 void init(Services services)
          Initialize the service.
protected  boolean isAdmin(String user)
          Check if the user has admin privileges.
 boolean isAuthorizationEnabled()
          Return if security is enabled or not.
 boolean isSecurityEnabled()
          Deprecated. 
protected  boolean isUserInGroup(String user, String group)
          Check if the user belongs to the group or not.
 boolean useDefaultGroupAsAcl()
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

CONF_PREFIX

public static final String CONF_PREFIX
See Also:
Constant Field Values

CONF_SECURITY_ENABLED

public static final String CONF_SECURITY_ENABLED
Configuration parameter to enable or disable Oozie admin role.

See Also:
Constant Field Values

CONF_AUTHORIZATION_ENABLED

public static final String CONF_AUTHORIZATION_ENABLED
Configuration parameter to enable or disable Oozie admin role.

See Also:
Constant Field Values

CONF_DEFAULT_GROUP_AS_ACL

public static final String CONF_DEFAULT_GROUP_AS_ACL
Configuration parameter to enable old behavior default group as ACL.

See Also:
Constant Field Values

CONF_ADMIN_GROUPS

public static final String CONF_ADMIN_GROUPS
Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used.

See Also:
Constant Field Values

ADMIN_USERS_FILE

public static final String ADMIN_USERS_FILE
File that contains list of admin users for Oozie.

See Also:
Constant Field Values

INSTRUMENTATION_GROUP

protected static final String INSTRUMENTATION_GROUP
See Also:
Constant Field Values

INSTR_FAILED_AUTH_COUNTER

protected static final String INSTR_FAILED_AUTH_COUNTER
See Also:
Constant Field Values
Constructor Detail

AuthorizationService

public AuthorizationService()
Method Detail

init

public void init(Services services)
          throws ServiceException
Initialize the service.

Reads the security related configuration. parameters - security enabled and list of super users.

Specified by:
init in interface Service
Parameters:
services - services instance.
Throws:
ServiceException - thrown if the service could not be initialized.

isSecurityEnabled

@Deprecated
public boolean isSecurityEnabled()
Deprecated. 

Return if security is enabled or not.

Returns:
if security is enabled or not.

useDefaultGroupAsAcl

public boolean useDefaultGroupAsAcl()

isAuthorizationEnabled

public boolean isAuthorizationEnabled()
Return if security is enabled or not.

Returns:
if security is enabled or not.

destroy

public void destroy()
Destroy the service.

This implementation does a NOP.

Specified by:
destroy in interface Service

getInterface

public Class<? extends Service> getInterface()
Return the public interface of the service.

Specified by:
getInterface in interface Service
Returns:
AuthorizationService.

isUserInGroup

protected boolean isUserInGroup(String user,
                                String group)
                         throws AuthorizationException
Check if the user belongs to the group or not.

Parameters:
user - user name.
group - group name.
Returns:
if the user belongs to the group or not.
Throws:
AuthorizationException - thrown if the authorization query can not be performed.

authorizeForGroup

public void authorizeForGroup(String user,
                              String group)
                       throws AuthorizationException
Check if the user belongs to the group or not.

Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.

Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the user is not authorized for the group or if the authorization query can not be performed.

getDefaultGroup

public String getDefaultGroup(String user)
                       throws AuthorizationException
Return the default group to which the user belongs.

This implementation always returns 'users'.

Parameters:
user - user name.
Returns:
default group of user.
Throws:
AuthorizationException - thrown if the default group con not be retrieved.

isAdmin

protected boolean isAdmin(String user)
Check if the user has admin privileges.

If admin is disabled it returns always true.

If admin is enabled it returns true if the user is in the adminusers.txt file.

Parameters:
user - user name.
Returns:
if the user has admin privileges or not.

authorizeForAdmin

public void authorizeForAdmin(String user,
                              boolean write)
                       throws AuthorizationException
Check if the user has admin privileges.

Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.

Parameters:
user - user name.
write - indicates if the check is for read or write admin tasks (in this implementation this is ignored)
Throws:
AuthorizationException - thrown if user does not have admin priviledges.

authorizeForApp

public void authorizeForApp(String user,
                            String group,
                            String appPath,
                            org.apache.hadoop.conf.Configuration jobConf)
                     throws AuthorizationException
Check if the user+group is authorized to use the specified application.

The check is done by checking the file system permissions on the workflow application.

Parameters:
user - user name.
group - group name.
appPath - application path.
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

authorizeForApp

public void authorizeForApp(String user,
                            String group,
                            String appPath,
                            String fileName,
                            org.apache.hadoop.conf.Configuration conf)
                     throws AuthorizationException
Check if the user+group is authorized to use the specified application.

The check is done by checking the file system permissions on the workflow application.

Parameters:
user - user name.
group - group name.
appPath - application path.
fileName - workflow or coordinator.xml
conf -
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

authorizeForJob

public void authorizeForJob(String user,
                            String jobId,
                            boolean write)
                     throws AuthorizationException
Check if the user+group is authorized to operate on the specified job.

Checks if the user is a super-user or the one who started the job.

Read operations are allowed to all users.

Parameters:
user - user name.
jobId - job id.
write - indicates if the check is for read or write job tasks.
Throws:
AuthorizationException - thrown if the user is not authorized for the job.


Copyright © 2013 Apache Software Foundation. All Rights Reserved.