public class AuthorizationService extends Object implements Service
Field Summary

Modifier and Type | Field and Description
---|---
static String | ADMIN_USERS_FILE: File that contains the list of admin users for Oozie.
static String | CONF_ADMIN_GROUPS: Configuration parameter to define admin groups; if NULL/empty the adminusers.txt file is used.
static String | CONF_AUTHORIZATION_ENABLED: Configuration parameter to enable or disable the Oozie admin role.
static String | CONF_DEFAULT_GROUP_AS_ACL: Configuration parameter to enable the old behavior, default group as ACL.
static String | CONF_PREFIX
static String | CONF_SECURITY_ENABLED: Configuration parameter to enable or disable the Oozie admin role.
static String | CONF_SYSTEM_INFO_AUTHORIZED_USERS
protected static String | INSTR_FAILED_AUTH_COUNTER
protected static String | INSTRUMENTATION_GROUP

Fields inherited from interface Service: DEFAULT_LOCK_TIMEOUT, lockTimeout

Constructor Summary

Constructor and Description
---
AuthorizationService()
Method Summary

Modifier and Type | Method and Description
---|---
void | authorizeForAdmin(String user, boolean write): Check if the user has admin privileges.
void | authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf): Check if the user+group is authorized to use the specified application.
void | authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf): Check if the user+group is authorized to use the specified application.
void | authorizeForGroup(String user, String group): Check if the user belongs to the group or not.
void | authorizeForJob(String user, String jobId, boolean write): Check if the user+group is authorized to operate on the specified job.
void | authorizeForJobs(String user, Map<String,List<String>> filter, String jobType, int start, int len, boolean write): Check if the user+group is authorized to operate on the specified jobs.
void | authorizeForSystemInfo(String user, String proxyUser): Check if the user is authorized to access system information.
void | destroy(): Destroy the service.
String | getDefaultGroup(String user): Return the default group to which the user belongs.
Class<? extends Service> | getInterface(): Return the public interface of the service.
void | init(Services services): Initialize the service.
protected boolean | isAdmin(String user): Check if the user has admin privileges.
boolean | isAuthorizationEnabled(): Return whether authorization is enabled or not.
boolean | isAuthorizedSystemInfo()
boolean | isSecurityEnabled(): Deprecated.
protected boolean | isUserInGroup(String user, String group): Check if the user belongs to the group or not.
boolean | useDefaultGroupAsAcl()
public static final String CONF_PREFIX
public static final String CONF_SECURITY_ENABLED
public static final String CONF_AUTHORIZATION_ENABLED
public static final String CONF_DEFAULT_GROUP_AS_ACL
public static final String CONF_ADMIN_GROUPS
public static final String CONF_SYSTEM_INFO_AUTHORIZED_USERS
public static final String ADMIN_USERS_FILE
protected static final String INSTRUMENTATION_GROUP
protected static final String INSTR_FAILED_AUTH_COUNTER
Constructor Detail

public AuthorizationService()

Method Detail

public void init(Services services) throws ServiceException
Reads the security related configuration parameters: whether authorization is enabled and the list of super users.
Specified by: init in interface Service
Parameters:
services - services instance.
Throws:
ServiceException - thrown if the service could not be initialized.

@Deprecated
public boolean isSecurityEnabled()

public boolean useDefaultGroupAsAcl()

public boolean isAuthorizationEnabled()

public void destroy()
This implementation does a NOP.

public Class<? extends Service> getInterface()
Specified by: getInterface in interface Service
Returns: AuthorizationService.

protected boolean isUserInGroup(String user, String group) throws AuthorizationException
Check if the user belongs to the group or not.
Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the authorization query can not be performed.

public void authorizeForGroup(String user, String group) throws AuthorizationException
Check if the user belongs to the group or not. Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.
Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the user is not authorized for the group or if the authorization query can not be performed.

public String getDefaultGroup(String user) throws AuthorizationException
Return the default group to which the user belongs. This implementation always returns 'users'.
Parameters:
user - user name.
Throws:
AuthorizationException - thrown if the default group can not be retrieved.

protected boolean isAdmin(String user)
Check if the user has admin privileges. If the admin role is disabled it always returns true, so every caller passes authorizeForAdmin. If the admin role is enabled it returns true if the user is listed in the adminusers.txt file; when CONF_ADMIN_GROUPS is set, membership in one of those groups is checked instead of the file.
Parameters:
user - user name.

public void authorizeForSystemInfo(String user, String proxyUser) throws AuthorizationException
Check if the user is authorized to access system information.
Parameters:
user - user name.
proxyUser - proxy user name.
Throws:
AuthorizationException - thrown if the user does not have admin privileges.

public void authorizeForAdmin(String user, boolean write) throws AuthorizationException
Check if the user has admin privileges. Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.
Parameters:
user - user name.
write - indicates if the check is for read or write admin tasks. In this implementation this is ignored, so a read-only admin check is exactly as strict as a write check; there is no separate read-only admin role.
Throws:
AuthorizationException - thrown if the user does not have admin privileges.

public void authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf) throws AuthorizationException
Check if the user+group is authorized to use the specified application. The check is done by checking the file system permissions on the workflow application.
Parameters:
user - user name.
group - group name.
appPath - application path.
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

public void authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf) throws AuthorizationException
Check if the user+group is authorized to use the specified application. The check is done by checking the file system permissions on the workflow application.
Parameters:
user - user name.
group - group name.
appPath - application path.
fileName - workflow or coordinator.xml.
conf - (undocumented)
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException
Checks if the user is a super-user or the one who started the job. Read operations are allowed to all users, so the owner-or-admin check only applies when write is true.
Parameters:
user - user name.
jobId - job id.
write - indicates if the check is for read or write job tasks.
Throws:
AuthorizationException - thrown if the user is not authorized for the job.

public void authorizeForJobs(String user, Map<String,List<String>> filter, String jobType, int start, int len, boolean write) throws AuthorizationException
Checks if the user is a super-user or the one who started the jobs. Read operations are allowed to all users.
Parameters:
user - user name.
filter - filter used to select jobs.
jobType - (undocumented)
start - starting index of the jobs in the DB.
len - maximum number of jobs to select.
write - indicates if the check is for read or write job tasks.
Throws:
AuthorizationException - thrown if the user is not authorized for the jobs.

public boolean isAuthorizedSystemInfo()
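The decision rules documented above (admin role disabled means everyone is admin, admin groups take precedence over adminusers.txt, the ignored write flag on authorizeForAdmin, and open reads versus owner-or-admin writes on jobs) as an added stand-alone example written for this page. It is not Oozie's code and has no Oozie dependency; it mirrors the method names only. Assumptions: adminusers.txt is one user per line with '#' comment lines, a static user-to-groups map stands in for whatever a subclass's isUserInGroup consults, a static job-to-owner map stands in for the job store, and the users, groups and job id in main() are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Stand-alone model of the AuthorizationService rules; written for this page, not Oozie code. */
public class AuthorizationRulesDemo {
    /** Stands in for org.apache.oozie.service.AuthorizationException. */
    static final class AuthorizationException extends Exception {
        AuthorizationException(String msg) { super(msg); }
    }
    private final boolean authorizationEnabled;           // CONF_AUTHORIZATION_ENABLED
    private final Set<String> adminUsers;                  // ADMIN_USERS_FILE (adminusers.txt) contents
    private final Set<String> adminGroups;                 // CONF_ADMIN_GROUPS; empty means "use the file"
    private final Map<String, Set<String>> groupsOfUser;   // assumed: map standing in for the real group store
    private final Map<String, String> jobOwner;            // assumed: map of job id -> submitting user

    AuthorizationRulesDemo(boolean authorizationEnabled, String adminUsersTxt, List<String> adminGroups,
                           Map<String, Set<String>> groupsOfUser, Map<String, String> jobOwner) {
        this.authorizationEnabled = authorizationEnabled;
        this.adminUsers = parseAdminUsersFile(adminUsersTxt);
        this.adminGroups = new HashSet<>(adminGroups);
        this.groupsOfUser = groupsOfUser;
        this.jobOwner = jobOwner;
    }

    /** adminusers.txt: one user per line, blank lines and '#' comments ignored (assumed format). */
    static Set<String> parseAdminUsersFile(String contents) {
        Set<String> users = new HashSet<>();
        for (String line : contents.split("\\R")) {
            String name = line.trim();
            if (!name.isEmpty() && !name.startsWith("#")) users.add(name);
        }
        return users;
    }

    /** The hook a subclass of the real service overrides; here a map lookup. */
    protected boolean isUserInGroup(String user, String group) {
        return groupsOfUser.getOrDefault(user, Collections.emptySet()).contains(group);
    }

    /** Admin role disabled: everyone is admin. Enabled: admin groups if configured, else adminusers.txt. */
    protected boolean isAdmin(String user) {
        if (!authorizationEnabled) return true;                       // every caller passes
        if (adminGroups.isEmpty()) return adminUsers.contains(user);  // CONF_ADMIN_GROUPS unset: file decides
        return adminGroups.stream().anyMatch(g -> isUserInGroup(user, g));
    }

    public void authorizeForGroup(String user, String group) throws AuthorizationException {
        if (!isUserInGroup(user, group)) throw new AuthorizationException("user " + user + " is not in group " + group);
    }

    /** 'write' is ignored, as documented: a read-only admin check is exactly as strict as a write one. */
    public void authorizeForAdmin(String user, boolean write) throws AuthorizationException {
        if (!isAdmin(user)) throw new AuthorizationException("user " + user + " does not have admin privileges");
    }

    /** Reads are open to all users; writes need the job owner or an admin. Unknown job ids fail closed. */
    public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException {
        if (!write || isAdmin(user) || user.equals(jobOwner.get(jobId))) return;
        throw new AuthorizationException("user " + user + " may not modify job " + jobId);
    }

    interface Check { void run() throws AuthorizationException; }
    static void show(String label, Check check) {
        try {
            check.run();
            System.out.println("ALLOW  " + label);
        } catch (AuthorizationException e) {
            System.out.println("DENY   " + label + " (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an adminusers.txt, a user -> groups map and a job -> owner map.
        String adminUsersTxt = "# Oozie admin users\nalice\n\nbob\n";
        Map<String, Set<String>> groups = new HashMap<>();
        groups.put("alice", new HashSet<>(Arrays.asList("users", "oozie-admins")));
        groups.put("carol", new HashSet<>(Arrays.asList("users")));
        String job = "0000001-000000000000000-demo-W";   // constructed job id
        Map<String, String> owners = new HashMap<>();
        owners.put(job, "carol");
        List<String> none = Collections.emptyList();
        AuthorizationRulesDemo enabled = new AuthorizationRulesDemo(true, adminUsersTxt, none, groups, owners);
        AuthorizationRulesDemo disabled = new AuthorizationRulesDemo(false, adminUsersTxt, none, groups, owners);
        AuthorizationRulesDemo byGroup = new AuthorizationRulesDemo(true, adminUsersTxt, Arrays.asList("oozie-admins"), groups, owners);

        show("enabled: alice admin (listed in adminusers.txt)", () -> enabled.authorizeForAdmin("alice", true));
        show("enabled: carol read-only admin check", () -> enabled.authorizeForAdmin("carol", false));
        show("disabled: carol admin check", () -> disabled.authorizeForAdmin("carol", true));
        show("admin groups set: bob is in the file but not in oozie-admins", () -> byGroup.authorizeForAdmin("bob", true));
        show("enabled: dave reads carol's job", () -> enabled.authorizeForJob("dave", job, false));
        show("enabled: dave writes carol's job", () -> enabled.authorizeForJob("dave", job, true));
        show("enabled: bob (admin) writes carol's job", () -> enabled.authorizeForJob("bob", job, true));
        show("enabled: carol in group oozie-admins", () -> enabled.authorizeForGroup("carol", "oozie-admins"));
    }
}
```

Running main() prints ALLOW for alice, for carol with the admin role disabled, for dave's read and for bob's write, and DENY for carol's read-only admin check, for bob once admin groups are configured, for dave's write and for carol's group check. The two cases worth checking in a deployment are the ones that pass silently: with CONF_AUTHORIZATION_ENABLED off every user clears authorizeForAdmin, and with CONF_ADMIN_GROUPS set a user who is only in adminusers.txt loses admin.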
Copyright © 2018 Apache Software Foundation. All rights reserved.