vanzin commented on a change in pull request #141: [LIVY-551] Add "doAs" 
impersonation support
URL: https://github.com/apache/incubator-livy/pull/141#discussion_r250291967
 
 

 ##########
 File path: server/src/main/scala/org/apache/livy/server/AccessManager.scala
 ##########
 @@ -97,47 +99,71 @@ private[livy] class AccessManager(conf: LivyConf) extends 
Logging {
    */
   def isAccessControlOn: Boolean = aclsOn
 
+  def getRequestUser(request: HttpServletRequest): String = {
+    request.getRemoteUser
+  }
+
+  def getImpersonatedUser(request: HttpServletRequest): Option[String] = {
+    val impersonatedUser = Option(request.getParameter("doAs"))
+    impersonatedUser.filter(checkImpersonation(request, _))
+  }
+
+  def getEffectiveUser(request: HttpServletRequest): String = {
+    val requestUser = getRequestUser(request)
+    val impersonatedUser = getImpersonatedUser(request)
+    impersonatedUser.getOrElse(requestUser)
+  }
+
   /**
    * Checks that the requesting user can impersonate the target user.
    * If the user does not have permission to impersonate, then throws an 
`AccessControlException`.
-   *
-   * @return The user that should be impersonated. That can be the target user 
if defined, the
-   *         request's user - which may not be defined - otherwise, or `None` 
if impersonation is
-   *         disabled.
    */
-  def checkImpersonation(
-      target: Option[String],
-      requestUser: String,
-      livyConf: LivyConf): Option[String] = {
-    if (livyConf.getBoolean(LivyConf.IMPERSONATION_ENABLED)) {
-      if (!target.forall(hasSuperAccess(_, requestUser))) {
-        throw new AccessControlException(
-          s"User '$requestUser' not allowed to impersonate '$target'.")
+  def checkImpersonation(request: HttpServletRequest, impersonatedUser: 
String): Boolean = {
+    if (conf.getBoolean(LivyConf.IMPERSONATION_ENABLED)) {
+      if (hasSuperAccess(request, impersonatedUser) || checkProxyUser(request, 
impersonatedUser)) {
+        return true
       }
-      target.orElse(Option(requestUser))
-    } else {
-      None
+      val requestUser = getRequestUser(request)
+      throw new AccessControlException(
+        s"User '$requestUser' not allowed to impersonate '$impersonatedUser'.")
     }
+    false
+  }
+
+  def checkProxyUser(request: HttpServletRequest, impersonatedUser: String): 
Boolean = {
+    val proxyUser = getRequestUser(request)
+    val remoteHost = request.getRemoteHost
+    val allowedHosts = conf.hadoopConf.get("hadoop.proxyuser." + proxyUser + 
".hosts")
 
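Review bot: In `getImpersonatedUser`, a `doAs` value is silently dropped when `LivyConf.IMPERSONATION_ENABLED` is off, because `checkImpersonation` then returns `false` and the `filter` yields `None`, so `getEffectiveUser` falls back to the authenticated request user. A caller that believes it is acting as another user would then have the request run under its own identity with no error, and for a proxying service account that identity is presumably the more privileged one. If the fallback is intended, the Scaladoc on `checkImpersonation` should say so, e.g. `@return true if impersonation is enabled and permitted, false if impersonation is disabled (the doAs value is then ignored)`; otherwise reject the request when `doAs` is present and impersonation is off. `checkProxyUser` continues past the end of the quoted hunk, so its host check is not reviewed here.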
 Review comment:
   If you want to add this functionality, you shouldn't use the Hadoop configs. 
Every different service has its own configs for this.
   
   It should also be a separate change, since it's not really related to what 
you're implementing here.
