hadoop TimelineReaderWhitelistAuthorizationFilter 源码

  • 2022-10-20
  • 浏览 (223)

haddop TimelineReaderWhitelistAuthorizationFilter 代码

文件路径:/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/security/TimelineReaderWhitelistAuthorizationFilter.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.yarn.server.timelineservice.reader.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hadoop.yarn.server.timelineservice.reader.TimelineReaderWebServicesUtils;

/**
 * Filter to check if a particular user is allowed to read ATSv2 data.
 */

public class TimelineReaderWhitelistAuthorizationFilter implements Filter {

  public static final String EMPTY_STRING = "";

  private static final Logger LOG =
      LoggerFactory.getLogger(TimelineReaderWhitelistAuthorizationFilter.class);

  private boolean isWhitelistReadAuthEnabled = false;

  private AccessControlList allowedUsersAclList;
  private AccessControlList adminAclList;

  @Override
  public void destroy() {
    // NOTHING
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    if (isWhitelistReadAuthEnabled) {
      UserGroupInformation callerUGI = TimelineReaderWebServicesUtils
          .getUser(httpRequest);
      if (callerUGI == null) {
        String msg = "Unable to obtain user name, user not authenticated";
        throw new AuthorizationException(msg);
      }
      if (!(adminAclList.isUserAllowed(callerUGI)
          || allowedUsersAclList.isUserAllowed(callerUGI))) {
        String userName = callerUGI.getShortUserName();
        String msg = "User " + userName
            + " is not allowed to read TimelineService V2 data.";
        httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, msg);
        return;
      }
    }
    if (chain != null) {
      chain.doFilter(request, response);
    }
  }

  @Override
  public void init(FilterConfig conf) throws ServletException {
    String isWhitelistReadAuthEnabledStr = conf
        .getInitParameter(YarnConfiguration.TIMELINE_SERVICE_READ_AUTH_ENABLED);
    if (isWhitelistReadAuthEnabledStr == null) {
      isWhitelistReadAuthEnabled =
          YarnConfiguration.DEFAULT_TIMELINE_SERVICE_READ_AUTH_ENABLED;
    } else {
      isWhitelistReadAuthEnabled =
          Boolean.valueOf(isWhitelistReadAuthEnabledStr);
    }

    if (isWhitelistReadAuthEnabled) {
      String listAllowedUsers = conf.getInitParameter(
          YarnConfiguration.TIMELINE_SERVICE_READ_ALLOWED_USERS);
      if (StringUtils.isEmpty(listAllowedUsers)) {
        listAllowedUsers =
            YarnConfiguration.DEFAULT_TIMELINE_SERVICE_READ_ALLOWED_USERS;
      }
      LOG.info("listAllowedUsers=" + listAllowedUsers);
      allowedUsersAclList = new AccessControlList(listAllowedUsers);
      LOG.info("allowedUsersAclList=" + allowedUsersAclList.getUsers());
      // also allow admins
      String adminAclListStr =
          conf.getInitParameter(YarnConfiguration.YARN_ADMIN_ACL);
      if (StringUtils.isEmpty(adminAclListStr)) {
        adminAclListStr =
            TimelineReaderWhitelistAuthorizationFilter.EMPTY_STRING;
        LOG.info("adminAclList not set, hence setting it to \"\"");
      }
      adminAclList = new AccessControlList(adminAclListStr);
      LOG.info("adminAclList=" + adminAclList.getUsers());
    }
  }
}

相关信息

hadoop 源码目录

相关文章

hadoop TimelineReaderAuthenticationFilterInitializer 源码

hadoop TimelineReaderWhitelistAuthorizationFilterInitializer 源码

hadoop package-info 源码

0  赞