java.lang.Object
  org.apache.oozie.service.AuthorizationService
public class AuthorizationService
The authorization service provides all authorization checks.
Field Summary | |
---|---|
static String | ADMIN_USERS_FILE: File that contains list of admin users for Oozie. |
static String | CONF_ADMIN_GROUPS: Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used. |
static String | CONF_AUTHORIZATION_ENABLED: Configuration parameter to enable or disable Oozie admin role. |
static String | CONF_DEFAULT_GROUP_AS_ACL: Configuration parameter to enable old behavior default group as ACL. |
static String | CONF_PREFIX |
static String | CONF_SECURITY_ENABLED: Configuration parameter to enable or disable Oozie admin role. |
protected static String | INSTR_FAILED_AUTH_COUNTER |
protected static String | INSTRUMENTATION_GROUP |
Fields inherited from interface org.apache.oozie.service.Service |
---|
DEFAULT_LOCK_TIMEOUT, lockTimeout, USE_XCOMMAND |
Constructor Summary | |
---|---|
AuthorizationService() | |
Method Summary | |
---|---|
void | authorizeForAdmin(String user, boolean write): Check if the user has admin privileges. |
void | authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf): Check if the user+group is authorized to use the specified application. |
void | authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf): Check if the user+group is authorized to use the specified application. |
void | authorizeForGroup(String user, String group): Check if the user belongs to the group or not. |
void | authorizeForJob(String user, String jobId, boolean write): Check if the user+group is authorized to operate on the specified job. |
void | destroy(): Destroy the service. |
String | getDefaultGroup(String user): Return the default group to which the user belongs. |
Class<? extends Service> | getInterface(): Return the public interface of the service. |
void | init(Services services): Initialize the service. |
protected boolean | isAdmin(String user): Check if the user has admin privileges. |
boolean | isAuthorizationEnabled(): Return if security is enabled or not. |
boolean | isSecurityEnabled(): Deprecated. |
protected boolean | isUserInGroup(String user, String group): Check if the user belongs to the group or not. |
boolean | useDefaultGroupAsAcl() |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final String CONF_PREFIX
public static final String CONF_SECURITY_ENABLED
public static final String CONF_AUTHORIZATION_ENABLED
public static final String CONF_DEFAULT_GROUP_AS_ACL
public static final String CONF_ADMIN_GROUPS
public static final String ADMIN_USERS_FILE
protected static final String INSTRUMENTATION_GROUP
protected static final String INSTR_FAILED_AUTH_COUNTER
Constructor Detail |
---|
public AuthorizationService()
Method Detail |
---|
public void init(Services services) throws ServiceException
Reads the security-related configuration parameters: security enabled and the list of super users.
Specified by: init in interface Service
Parameters:
services - services instance.
Throws:
ServiceException - thrown if the service could not be initialized.

@Deprecated public boolean isSecurityEnabled()

public boolean useDefaultGroupAsAcl()

public boolean isAuthorizationEnabled()

public void destroy()
This implementation does a NOP.
Specified by: destroy in interface Service

public Class<? extends Service> getInterface()
Specified by: getInterface in interface Service
Returns: AuthorizationService.

protected boolean isUserInGroup(String user, String group) throws AuthorizationException
Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the authorization query cannot be performed.

public void authorizeForGroup(String user, String group) throws AuthorizationException
Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.
Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the user is not authorized for the group or if the authorization query cannot be performed.

public String getDefaultGroup(String user) throws AuthorizationException
This implementation always returns 'users'.
Parameters:
user - user name.
Throws:
AuthorizationException - thrown if the default group cannot be retrieved.

protected boolean isAdmin(String user)
If admin is disabled, it always returns true. If admin is enabled, it returns true if the user is in the adminusers.txt file.
Parameters:
user - user name.

public void authorizeForAdmin(String user, boolean write) throws AuthorizationException
Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.
Parameters:
user - user name.
write - indicates if the check is for read or write admin tasks (in this implementation this is ignored)
Throws:
AuthorizationException - thrown if user does not have admin privileges.

public void authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf) throws AuthorizationException
The check is done by checking the file system permissions on the workflow application.
Parameters:
user - user name.
group - group name.
appPath - application path.
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

public void authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf) throws AuthorizationException
The check is done by checking the file system permissions on the workflow application.
Parameters:
user - user name.
group - group name.
appPath - application path.
fileName - workflow or coordinator.xml
conf -
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException
Checks if the user is a super-user or the one who started the job. Read operations are allowed to all users.
Parameters:
user - user name.
jobId - job id.
write - indicates if the check is for read or write job tasks.
Throws:
AuthorizationException - thrown if the user is not authorized for the job.
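
The rules documented for isAdmin and authorizeForJob, modelled as a stand-alone Java class to show how they combine when authorization is switched off. This is an added example, not Oozie source code: AuthzModel, mayOperateOnJob, the sample users and the job id are hypothetical, and it assumes the "super-user" test in authorizeForJob is the isAdmin check.

```java
import java.util.Map;
import java.util.Set;

// Stand-alone model of the access rules documented above. It is NOT Oozie code:
// every name here except isAdmin is hypothetical and chosen for illustration.
public class AuthzModel {
    private final boolean authorizationEnabled;   // models isAuthorizationEnabled()
    private final Set<String> adminUsers;         // models the contents of adminusers.txt
    private final Map<String, String> jobOwners;  // jobId -> user who started the job

    AuthzModel(boolean enabled, Set<String> admins, Map<String, String> owners) {
        this.authorizationEnabled = enabled;
        this.adminUsers = admins;
        this.jobOwners = owners;
    }

    // Documented rule: always true when admin is disabled, else membership in the admin list.
    boolean isAdmin(String user) {
        return !authorizationEnabled || adminUsers.contains(user);
    }

    // Documented rule: reads are open to all users; writes need a super-user or the job's starter.
    // Assumption: "super-user" is decided by isAdmin(), so it inherits the disabled-means-true rule.
    boolean mayOperateOnJob(String user, String jobId, boolean write) {
        if (!write) {
            return true;
        }
        return isAdmin(user) || user.equals(jobOwners.get(jobId));
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("oozie-admin");                // constructed sample data
        Map<String, String> owners = Map.of("job-0001", "alice");  // constructed sample data
        for (boolean enabled : new boolean[] {true, false}) {
            AuthzModel m = new AuthzModel(enabled, admins, owners);
            System.out.println("authorization enabled = " + enabled);
            for (String user : new String[] {"alice", "bob", "oozie-admin"}) {
                System.out.printf("  %-12s read=%b write=%b admin=%b%n", user,
                        m.mayOperateOnJob(user, "job-0001", false),
                        m.mayOperateOnJob(user, "job-0001", true),
                        m.isAdmin(user));
            }
        }
    }
}
```

In this model the unrelated user bob is denied write access only while authorization is enabled, so the value of the authorization setting is the first thing to confirm when reviewing a deployment.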