org.apache.oozie.service

Class AuthorizationService

java.lang.Object

org.apache.oozie.service.AuthorizationService

All Implemented Interfaces:

Service

public class AuthorizationService
extends Object
implements Service

The authorization service provides all authorization checks.

Field Summary

Fields

Modifier and Type	Field and Description
static String	ADMIN_USERS_FILE File that contains list of admin users for Oozie.
static String	CONF_ADMIN_GROUPS Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used.
static String	CONF_AUTHORIZATION_ENABLED Configuration parameter to enable or disable Oozie admin role.
static String	CONF_DEFAULT_GROUP_AS_ACL Configuration parameter to enable old behavior default group as ACL.
static String	CONF_PREFIX
static String	CONF_SECURITY_ENABLED Configuration parameter to enable or disable Oozie admin role.
protected static String	INSTR_FAILED_AUTH_COUNTER
protected static String	INSTRUMENTATION_GROUP

Fields inherited from interface org.apache.oozie.service.Service

DEFAULT_LOCK_TIMEOUT, lockTimeout

Constructor Summary

Constructors

Constructor and Description
AuthorizationService()

Method Summary

Methods

Modifier and Type	Method and Description
void	authorizeForAdmin(String user, boolean write) Check if the user has admin privileges.
void	authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf) Check if the user+group is authorized to use the specified application.
void	authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf) Check if the user+group is authorized to use the specified application.
void	authorizeForGroup(String user, String group) Check if the user belongs to the group or not.
void	authorizeForJob(String user, String jobId, boolean write) Check if the user+group is authorized to operate on the specified job.
void	authorizeForJobs(String user, Map<String,List<String>> filter, String jobType, int start, int len, boolean write) Check if the user+group is authorized to operate on the specified jobs.
void	destroy() Destroy the service.
String	getDefaultGroup(String user) Return the default group to which the user belongs.
Class<? extends Service>	getInterface() Return the public interface of the service.
void	init(Services services) Initialize the service.
protected boolean	isAdmin(String user) Check if the user has admin privileges.
boolean	isAuthorizationEnabled() Return if security is enabled or not.
boolean	isSecurityEnabled() Deprecated.
protected boolean	isUserInGroup(String user, String group) Check if the user belongs to the group or not.
boolean	useDefaultGroupAsAcl()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CONF_PREFIX

public static final String CONF_PREFIX

See Also:

Constant Field Values

CONF_SECURITY_ENABLED

public static final String CONF_SECURITY_ENABLED

Configuration parameter to enable or disable Oozie admin role.

See Also:

Constant Field Values

CONF_AUTHORIZATION_ENABLED

public static final String CONF_AUTHORIZATION_ENABLED

Configuration parameter to enable or disable Oozie admin role.

See Also:

Constant Field Values

CONF_DEFAULT_GROUP_AS_ACL

public static final String CONF_DEFAULT_GROUP_AS_ACL

Configuration parameter to enable old behavior default group as ACL.

See Also:

Constant Field Values

CONF_ADMIN_GROUPS

public static final String CONF_ADMIN_GROUPS

Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used.

See Also:

Constant Field Values

ADMIN_USERS_FILE

public static final String ADMIN_USERS_FILE

File that contains list of admin users for Oozie.

See Also:

Constant Field Values

INSTRUMENTATION_GROUP

protected static final String INSTRUMENTATION_GROUP

See Also:

Constant Field Values

INSTR_FAILED_AUTH_COUNTER

protected static final String INSTR_FAILED_AUTH_COUNTER

See Also:

Constant Field Values

Constructor Detail

AuthorizationService

public AuthorizationService()

Method Detail

init

public void init(Services services)
          throws ServiceException

Initialize the service.

Reads the security related configuration. parameters - security enabled and list of super users.

Specified by:

init in interface Service

Parameters:

services - services instance.

Throws:

ServiceException - thrown if the service could not be initialized.

isSecurityEnabled

@Deprecated
public boolean isSecurityEnabled()

Deprecated.

Return if security is enabled or not.

Returns:

if security is enabled or not.

useDefaultGroupAsAcl

public boolean useDefaultGroupAsAcl()

isAuthorizationEnabled

public boolean isAuthorizationEnabled()

Return if security is enabled or not.

Returns:

if security is enabled or not.

destroy

public void destroy()

Destroy the service.

This implementation does a NOP.

Specified by:

destroy in interface Service

getInterface

public Class<? extends Service> getInterface()

Return the public interface of the service.

Specified by:

getInterface in interface Service

Returns:

AuthorizationService.

isUserInGroup

protected boolean isUserInGroup(String user,
                    String group)
                         throws AuthorizationException

Check if the user belongs to the group or not.

Parameters:

user - user name.

group - group name.

Returns:

if the user belongs to the group or not.

Throws:

AuthorizationException - thrown if the authorization query can not be performed.

authorizeForGroup

public void authorizeForGroup(String user,
                     String group)
                       throws AuthorizationException

Check if the user belongs to the group or not.

Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.

Parameters:

user - user name.

group - group name.

Throws:

AuthorizationException - thrown if the user is not authorized for the group or if the authorization query can not be performed.

getDefaultGroup

public String getDefaultGroup(String user)
                       throws AuthorizationException

Return the default group to which the user belongs.

This implementation always returns 'users'.

Parameters:

user - user name.

Returns:

default group of user.

Throws:

AuthorizationException - thrown if the default group con not be retrieved.

isAdmin

protected boolean isAdmin(String user)

Check if the user has admin privileges.

If admin is disabled it returns always true.

If admin is enabled it returns true if the user is in the adminusers.txt file.

Parameters:

user - user name.

Returns:

if the user has admin privileges or not.

authorizeForAdmin

public void authorizeForAdmin(String user,
                     boolean write)
                       throws AuthorizationException

Check if the user has admin privileges.

Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.

Parameters:

user - user name.

write - indicates if the check is for read or write admin tasks (in this implementation this is ignored)

Throws:

AuthorizationException - thrown if user does not have admin priviledges.

authorizeForApp

public void authorizeForApp(String user,
                   String group,
                   String appPath,
                   org.apache.hadoop.conf.Configuration jobConf)
                     throws AuthorizationException

Check if the user+group is authorized to use the specified application.

The check is done by checking the file system permissions on the workflow application.

Parameters:

user - user name.

group - group name.

appPath - application path.

Throws:

AuthorizationException - thrown if the user is not authorized for the app.

authorizeForApp

public void authorizeForApp(String user,
                   String group,
                   String appPath,
                   String fileName,
                   org.apache.hadoop.conf.Configuration conf)
                     throws AuthorizationException

Check if the user+group is authorized to use the specified application.

The check is done by checking the file system permissions on the workflow application.

Parameters:

user - user name.

group - group name.

appPath - application path.

fileName - workflow or coordinator.xml

conf -

Throws:

AuthorizationException - thrown if the user is not authorized for the app.

authorizeForJob

public void authorizeForJob(String user,
                   String jobId,
                   boolean write)
                     throws AuthorizationException

Check if the user+group is authorized to operate on the specified job.

Checks if the user is a super-user or the one who started the job.

Read operations are allowed to all users.

Parameters:

user - user name.

jobId - job id.

write - indicates if the check is for read or write job tasks.

Throws:

AuthorizationException - thrown if the user is not authorized for the job.

authorizeForJobs

public void authorizeForJobs(String user,
                    Map<String,List<String>> filter,
                    String jobType,
                    int start,
                    int len,
                    boolean write)
                      throws AuthorizationException

Check if the user+group is authorized to operate on the specified jobs.

Checks if the user is a super-user or the one who started the jobs.

Read operations are allowed to all users.

Parameters:

user - user name.

filter - filter used to select jobs

start - starting index of the jobs in DB

len - maximum amount of jbos to select

write - indicates if the check is for read or write job tasks.

Throws:

AuthorizationException - thrown if the user is not authorized for the job.