Author: tucu
Date: Tue May 8 15:35:11 2012
New Revision: 1335595
URL: http://svn.apache.org/viewvc?rev=1335595&view=rev
Log:
OOZIE-773 AuthorizationService should be able to use a group to identify
superusers (tucu)
Modified:
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java
incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki
incubator/oozie/trunk/release-log.txt
Modified:
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java?rev=1335595&r1=1335594&r2=1335595&view=diff
==============================================================================
---
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java
(original)
+++
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java
Tue May 8 15:35:11 2012
@@ -66,6 +66,11 @@ public class AuthorizationService implem
public static final String CONF_DEFAULT_GROUP_AS_ACL = CONF_PREFIX +
"default.group.as.acl";
/**
+ * Configuration parameter to define admin groups, if NULL/empty the
adminusers.txt file is used.
+ */
+ public static final String CONF_ADMIN_GROUPS = CONF_PREFIX +
"admin.groups";
+
+ /**
* File that contains list of admin users for Oozie.
*/
public static final String ADMIN_USERS_FILE = "adminusers.txt";
@@ -73,6 +78,7 @@ public class AuthorizationService implem
protected static final String INSTRUMENTATION_GROUP = "authorization";
protected static final String INSTR_FAILED_AUTH_COUNTER =
"authorization.failed";
+ private Set<String> adminGroups;
private Set<String> adminUsers;
private boolean authorizationEnabled;
private boolean useDefaultGroupAsAcl;
@@ -80,6 +86,13 @@ public class AuthorizationService implem
private final XLog log = XLog.getLog(getClass());
private Instrumentation instrumentation;
+ private String[] getTrimmedStrings(String str) {
+ if (null == str || "".equals(str.trim())) {
+ return new String[0];
+ }
+ return str.trim().split("\\s*,\\s*");
+ }
+
/**
* Initialize the service. <p/> Reads the security related configuration.
parameters - security enabled and list of
* super users.
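Review bot: getTrimmedStrings keeps empty entries, so a leading or doubled comma in admin.groups (`",ops"`, `"ops,,admins"`) yields an empty-string group name that the caller then stores as an admin group. That is probably harmless for the membership lookup, but a configuration typo silently producing an extra "group" on the privilege boundary is worth rejecting or dropping here rather than relying on every consumer to cope; a filter such as `if (!s.isEmpty()) { result.add(s); }` over the split parts (or a log.warn on the empty entry) would do. The regex already trims around commas, so the per-element `trim()` in init is redundant, which reads as if the author was unsure what this helper returns; a one-line Javadoc here, e.g. `/** Splits a comma-separated list, trimming whitespace around each entry; empty input yields an empty array. */`, would settle that.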
@@ -88,20 +101,30 @@ public class AuthorizationService implem
* @throws ServiceException thrown if the service could not be initialized.
*/
public void init(Services services) throws ServiceException {
- adminUsers = new HashSet<String>();
- authorizationEnabled =
ConfigUtils.getWithDeprecatedCheck(services.getConf(),
CONF_AUTHORIZATION_ENABLED,
-
CONF_SECURITY_ENABLED, false);
- instrumentation =
Services.get().get(InstrumentationService.class).get();
+ authorizationEnabled =
+ ConfigUtils.getWithDeprecatedCheck(services.getConf(),
CONF_AUTHORIZATION_ENABLED,
+ CONF_SECURITY_ENABLED, false);
if (authorizationEnabled) {
- log.info("Oozie running with security enabled");
- loadAdminUsers();
+ log.info("Oozie running with authorization enabled");
+ useDefaultGroupAsAcl =
Services.get().getConf().getBoolean(CONF_DEFAULT_GROUP_AS_ACL, false);
+ String[] str =
getTrimmedStrings(Services.get().getConf().get(CONF_ADMIN_GROUPS));
+ if (str.length > 0) {
+ log.info("Admin users will be checked against the defined
admin groups");
+ adminGroups = new HashSet<String>();
+ for (String s : str) {
+ adminGroups.add(s.trim());
+ }
+ }
+ else {
+ log.info("Admin users will be checked against the
'adminusers.txt' file contents");
+ adminUsers = new HashSet<String>();
+ loadAdminUsers();
+ }
}
else {
- log.warn("Oozie running with security disabled");
+ log.warn("Oozie running with authorization disabled");
}
-
- useDefaultGroupAsAcl =
Services.get().getConf().getBoolean(CONF_DEFAULT_GROUP_AS_ACL, false);
-
+ instrumentation =
Services.get().get(InstrumentationService.class).get();
}
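Review bot: The startup message on the admin-groups branch says only that admin users "will be checked against the defined admin groups" without naming them; since this is the superuser boundary, logging the parsed set, e.g. `log.info("Admin groups: " + adminGroups);`, gives operators and auditors a way to confirm from the log what the running instance actually trusts. Two side effects of this restructuring look unintended and deserve either a comment or a fix: the unconditional `adminUsers = new HashSet<String>()` from the old code is gone, so with authorization disabled both adminUsers and adminGroups stay null, and useDefaultGroupAsAcl is now read only inside the authorizationEnabled branch, whereas it used to be set regardless. If isAdmin or the ACL path can be reached with authorization disabled (cannot tell from this hunk), the first is an NPE and the second a behavior change; a short comment stating that both fields are intentionally unset when authorization is off would at least make that explicit.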
/**
@@ -238,7 +261,25 @@ public class AuthorizationService implem
* @return if the user has admin privileges or not.
*/
protected boolean isAdmin(String user) {
- return adminUsers.contains(user);
+ boolean admin = false;
+ if (adminUsers != null) {
+ admin = adminUsers.contains(user);
+ }
+ else {
+ for (String adminGroup : adminGroups) {
+ try {
+ admin = isUserInGroup(user, adminGroup);
+ if (admin) {
+ break;
+ }
+ }
+ catch (AuthorizationException ex) {
+ log.warn("Admin check failed, " + ex.toString(), ex);
+ break;
+ }
+ }
+ }
+ return admin;
}
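Review bot: The else branch dereferences adminGroups without a null check; after the init change, both adminUsers and adminGroups are null when authorization is disabled, so if this protected method is called in that state (not visible here) it throws NPE instead of answering. A guard that keeps the method fail-closed, `if (adminGroups == null) { return false; }` at the top of the else branch, costs nothing and removes the dependency on the caller checking authorizationEnabled first. Failing closed on AuthorizationException is the right choice, but the `break` means a lookup failure on the first configured group also skips the remaining groups; if that is intentional (treat any resolution error as "not admin"), say so in the warn message or a comment, otherwise `continue` would check the rest. The Javadoc above the method still only says "if the user has admin privileges or not"; it should now state the precedence, e.g. `Admin status comes from adminusers.txt when loaded, otherwise from membership in any configured admin group; lookup errors yield false.`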
/**
Modified:
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java?rev=1335595&r1=1335594&r2=1335595&view=diff
==============================================================================
---
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java
(original)
+++
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java
Tue May 8 15:35:11 2012
@@ -73,15 +73,19 @@ public class TestAuthorizationService ex
}
private Services services;
- private void init(boolean useDefaultGroup) throws Exception {
+ private void init(boolean useDefaultGroup, boolean useAdminUsersFile)
throws Exception {
setSystemProperty(SchemaService.WF_CONF_EXT_SCHEMAS,
"wf-ext-schema.xsd");
- Reader adminListReader = IOUtils.getResourceAsReader("adminusers.txt",
-1);
- Writer adminListWriter = new FileWriter(new File(getTestCaseConfDir(),
"adminusers.txt"));
- IOUtils.copyCharStream(adminListReader, adminListWriter);
-
services = new Services();
Configuration conf = services.getConf();
+ if (useAdminUsersFile) {
+ Reader adminListReader =
IOUtils.getResourceAsReader("adminusers.txt", -1);
+ Writer adminListWriter = new FileWriter(new
File(getTestCaseConfDir(), "adminusers.txt"));
+ IOUtils.copyCharStream(adminListReader, adminListWriter);
+ }
+ else {
+ conf.set(AuthorizationService.CONF_ADMIN_GROUPS, getTestGroup());
+ }
conf.set(Services.CONF_SERVICE_CLASSES,
conf.get(Services.CONF_SERVICE_CLASSES) + "," +
AuthorizationService.class.getName() +
"," + DummyGroupsService.class.getName());
@@ -111,7 +115,7 @@ public class TestAuthorizationService ex
}
private void _testAuthorizationService(boolean useDefaultGroup) throws
Exception {
- init(useDefaultGroup);
+ init(useDefaultGroup, true);
Reader reader = IOUtils.getResourceAsReader("wf-ext-schema-valid.xml",
-1);
Writer writer = new FileWriter(getTestCaseDir() + "/workflow.xml");
IOUtils.copyCharStream(reader, writer);
@@ -160,33 +164,16 @@ public class TestAuthorizationService ex
assertNotNull(as);
as.authorizeForGroup(getTestUser(), getTestGroup());
assertNotNull(as.getDefaultGroup(getTestUser()));
- as.authorizeForAdmin("admin", false);
- as.authorizeForAdmin("admin", true);
- try {
- as.authorizeForAdmin(getTestUser(), true);
- fail();
- }
- catch (AuthorizationException ex) {
- }
+
+ as.authorizeForApp(getTestUser2(), getTestGroup(), appPath, jobConf);
+
try {
- as.authorizeForAdmin(getTestUser(), true);
+ as.authorizeForApp(getTestUser3(), getTestGroup(), appPath,
jobConf);
fail();
}
catch (AuthorizationException ex) {
}
- as.authorizeForApp(getTestUser2(), getTestGroup(), appPath, jobConf);
-
- // this test fails in pre Hadoop 20S
- if (System.getProperty("hadoop20",
"false").toLowerCase().equals("false")) {
- try {
- as.authorizeForApp(getTestUser3(), getTestGroup(), appPath,
jobConf);
- fail();
- }
- catch (AuthorizationException ex) {
- }
- }
-
as.authorizeForJob(getTestUser(), jobId, false);
as.authorizeForJob(getTestUser(), jobId, true);
if (!useDefaultGroup) {
@@ -201,7 +188,7 @@ public class TestAuthorizationService ex
}
public void testAuthorizationServiceForCoord() throws Exception {
- init(false);
+ init(false, true);
CoordinatorJobBean job =
addRecordToCoordJobTable(CoordinatorJob.Status.PREP, false, false);
assertNotNull(job);
AuthorizationService as = services.get(AuthorizationService.class);
@@ -211,7 +198,7 @@ public class TestAuthorizationService ex
}
public void testAuthorizationServiceForBundle() throws Exception {
- init(false);
+ init(false, true);
BundleJobBean job = this.addRecordToBundleJobTable(Job.Status.PREP,
false);
assertNotNull(job);
AuthorizationService as = services.get(AuthorizationService.class);
@@ -221,14 +208,14 @@ public class TestAuthorizationService ex
}
public void testDefaultGroup() throws Exception {
- init(false);
+ init(false, true);
AuthorizationService as = services.get(AuthorizationService.class);
assertNotNull(as);
assertNotNull(as.getDefaultGroup(getTestUser()));
}
public void testErrors() throws Exception {
- init(false);
+ init(false, true);
services.setService(ForTestAuthorizationService.class);
AuthorizationService as = services.get(AuthorizationService.class);
@@ -313,4 +300,31 @@ public class TestAuthorizationService ex
}
}
+ private void _testAdminUsers(boolean useAdminFile, String adminUser,
String regularUser) throws Exception {
+ init(true, useAdminFile);
+
+ AuthorizationService as = services.get(AuthorizationService.class);
+ as.authorizeForAdmin(adminUser, false);
+ as.authorizeForAdmin(adminUser, true);
+ try {
+ as.authorizeForAdmin(regularUser, true);
+ fail();
+ }
+ catch (AuthorizationException ex) {
+ }
+ try {
+ as.authorizeForAdmin(regularUser, true);
+ fail();
+ }
+ catch (AuthorizationException ex) {
+ }
+ }
+
+ public void testAdminUsersWithAdminFile() throws Exception {
+ _testAdminUsers(true, "admin", getTestUser());
+ }
+
+ public void testAdminUsersWithAdminGroup() throws Exception {
+ _testAdminUsers(false, getTestUser(), getTestUser2());
+ }
}
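Review bot: The two try/catch blocks in _testAdminUsers are identical, both calling `as.authorizeForAdmin(regularUser, true)`; the admin user is exercised with both `false` and `true`, so the second block was presumably meant to be `as.authorizeForAdmin(regularUser, false);` to cover the read-only path for a non-admin (the same duplication existed in the block this replaces). The group variant configures exactly one group via getTestGroup(), so neither the comma-separated parsing nor the whitespace trimming documented for admin.groups is tested; a case setting CONF_ADMIN_GROUPS to something like `" nosuchgroup , " + getTestGroup()` would pin both. A negative case where CONF_ADMIN_GROUPS names a group the test user is not in would also confirm the group path does not default to admin.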
Modified: incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki?rev=1335595&r1=1335594&r2=1335595&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki Tue May 8
15:35:11 2012
@@ -344,18 +344,23 @@ Oozie security is set via the following
oozie.service.AuthorizationService.security.enabled=false
</verbatim>
-If security is enabled, the admin users are read from the
=conf/adminusers.txt= file:
-
- * One user name per line
- * Empty lines and lines starting with '#' are ignored
-
-NOTE: the old ACL model where a group was provided is still supported if the
following property is set
-in =oozie-stei.xml=:
+NOTE: the old ACL model where a group was provided is still supported if the
following property is set
+in =oozie-site.xml=:
<verbatim>
oozie.service.AuthorizationService.default.group.as.acl=true
</verbatim>
+Admin users are determined from the list of admin groups, specified in
+ =oozie.service.AuthorizationService.admin.groups= property. Use commas to
separate multiple groups, spaces, tabs
+and ENTER characters are trimmed.
+
+If the above property for admin groups is not set, then the admin users are
the users specified in the
+ =conf/adminusers.txt= file. The syntax of this file is:
+
+ * One user name per line
+ * Empty lines and lines starting with '#' are ignored
+
---+++ Oozie System ID Configuration
Oozie has a system ID that is is used to generate the Oozie temporary runtime
directory, the workflow job IDs, and the
Modified: incubator/oozie/trunk/release-log.txt
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/release-log.txt?rev=1335595&r1=1335594&r2=1335595&view=diff
==============================================================================
--- incubator/oozie/trunk/release-log.txt (original)
+++ incubator/oozie/trunk/release-log.txt Tue May 8 15:35:11 2012
@@ -1,5 +1,6 @@
-- Oozie 3.2.0 release
+OOZIE-773 AuthorizationService should be able to use a group to identify
superusers (tucu)
OOZIE-827 StatusTransitService fails to run if a stale reference to coord job
is present (virag via tucu)
OOZIE-783 Upgrade to Junit4 (virag via tucu)
OOZIE-815 Remove select * from queries related to coord action (Virag via
Mohammad)