/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.hadoop.hdfsproxy; import java.io.IOException; import java.net.InetSocketAddress; import java.util.ArrayList; import java.util.Hashtable; import java.util.regex.Pattern; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.Attribute; import javax.naming.directory.Attributes; import javax.naming.directory.BasicAttribute; import javax.naming.directory.BasicAttributes; import javax.naming.directory.SearchResult; import javax.naming.ldap.InitialLdapContext; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.Path; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.hdfs.HdfsConfiguration; public class LdapIpDirFilter implements Filter { public static final Log LOG = LogFactory.getLog(LdapIpDirFilter.class); private static String baseName; private static String hdfsIpSchemaStr; private static String hdfsIpSchemaStrPrefix; private static String hdfsUidSchemaStr; private static String hdfsPathSchemaStr; private InitialLdapContext lctx; private class LdapRoleEntry { String userId; ArrayList<Path> paths; void init(String userId, ArrayList<Path> paths) { this.userId = userId; this.paths = paths; } boolean contains(Path path) { return paths != null && paths.contains(path); } @Override public String toString() { return "LdapRoleEntry{" + ", userId='" + userId + '\'' + ", paths=" + paths + '}'; } } public void initialize(String bName, InitialLdapContext ctx) { // hook to cooperate unit test baseName = bName; hdfsIpSchemaStr = "uniqueMember"; hdfsIpSchemaStrPrefix = "cn="; hdfsUidSchemaStr = "uid"; hdfsPathSchemaStr = "documentLocation"; lctx = ctx; } /** {@inheritDoc} */ public void init(FilterConfig filterConfig) throws ServletException { ServletContext context = filterConfig.getServletContext(); Configuration conf = new HdfsConfiguration(false); conf.addResource("hdfsproxy-default.xml"); conf.addResource("hdfsproxy-site.xml"); // extract namenode from source conf. String nn = ProxyUtil.getNamenode(conf); InetSocketAddress nAddr = NetUtils.createSocketAddr(nn); context.setAttribute("name.node.address", nAddr); context.setAttribute("name.conf", conf); // for storing hostname <--> cluster mapping to decide which source cluster // to forward context.setAttribute("org.apache.hadoop.hdfsproxy.conf", conf); if (lctx == null) { Hashtable<String, String> env = new Hashtable<String, String>(); env.put(InitialLdapContext.INITIAL_CONTEXT_FACTORY, conf.get( "hdfsproxy.ldap.initial.context.factory", "com.sun.jndi.ldap.LdapCtxFactory")); env.put(InitialLdapContext.PROVIDER_URL, conf .get("hdfsproxy.ldap.provider.url")); try { lctx = new InitialLdapContext(env, null); } catch (NamingException ne) { throw new ServletException("NamingException in initializing ldap" + ne.toString()); } baseName = conf.get("hdfsproxy.ldap.role.base"); hdfsIpSchemaStr = conf.get("hdfsproxy.ldap.ip.schema.string", "uniqueMember"); hdfsIpSchemaStrPrefix = conf.get( "hdfsproxy.ldap.ip.schema.string.prefix", "cn="); hdfsUidSchemaStr = conf.get("hdfsproxy.ldap.uid.schema.string", "uid"); hdfsPathSchemaStr = conf.get("hdfsproxy.ldap.hdfs.path.schema.string", "documentLocation"); } LOG.info("LdapIpDirFilter initialization successful"); } /** {@inheritDoc} */ public void destroy() { } /** {@inheritDoc} */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String prevThreadName = Thread.currentThread().getName(); try { HttpServletRequest rqst = (HttpServletRequest) request; HttpServletResponse rsp = (HttpServletResponse) response; String contextPath = rqst.getContextPath(); Thread.currentThread().setName(contextPath); if (LOG.isDebugEnabled()) { StringBuilder b = new StringBuilder("Request from ").append( rqst.getRemoteHost()).append("/").append(rqst.getRemoteAddr()) .append(":").append(rqst.getRemotePort()); b.append("\n The Scheme is " + rqst.getScheme()); b.append("\n The Path Info is " + rqst.getPathInfo()); b.append("\n The Translated Path Info is " + rqst.getPathTranslated()); b.append("\n The Context Path is " + rqst.getContextPath()); b.append("\n The Query String is " + rqst.getQueryString()); b.append("\n The Request URI is " + rqst.getRequestURI()); b.append("\n The Request URL is " + rqst.getRequestURL()); b.append("\n The Servlet Path is " + rqst.getServletPath()); LOG.debug(b.toString()); } LdapRoleEntry ldapent = new LdapRoleEntry(); // check ip address String userIp = rqst.getRemoteAddr(); try { boolean isAuthorized = getLdapRoleEntryFromUserIp(userIp, ldapent); if (!isAuthorized) { rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "IP " + userIp + " is not authorized to access"); return; } } catch (NamingException ne) { throw new IOException("NamingException while searching ldap" + ne.toString()); } // since we cannot pass ugi object cross context as they are from // different // classloaders in different war file, we have to use String attribute. rqst.setAttribute("org.apache.hadoop.hdfsproxy.authorized.userID", ldapent.userId); rqst.setAttribute("org.apache.hadoop.hdfsproxy.authorized.paths", ldapent.paths); LOG.info("User: " + ldapent.userId + ", Request: " + rqst.getPathInfo() + " From: " + rqst.getRemoteAddr()); chain.doFilter(request, response); } finally { Thread.currentThread().setName(prevThreadName); } } /** * check if client's ip is listed in the Ldap Roles if yes, return true and * update ldapent. if not, return false * */ @SuppressWarnings("unchecked") private boolean getLdapRoleEntryFromUserIp(String userIp, LdapRoleEntry ldapent) throws NamingException { String ipMember = hdfsIpSchemaStrPrefix + userIp; Attributes matchAttrs = new BasicAttributes(true); matchAttrs.put(new BasicAttribute(hdfsIpSchemaStr, ipMember)); matchAttrs.put(new BasicAttribute(hdfsUidSchemaStr)); matchAttrs.put(new BasicAttribute(hdfsPathSchemaStr)); String[] attrIDs = { hdfsUidSchemaStr, hdfsPathSchemaStr }; NamingEnumeration<SearchResult> results = lctx.search(baseName, matchAttrs, attrIDs); if (results.hasMore()) { String userId = null; ArrayList<Path> paths = new ArrayList<Path>(); SearchResult sr = results.next(); Attributes attrs = sr.getAttributes(); for (NamingEnumeration ne = attrs.getAll(); ne.hasMore();) { Attribute attr = (Attribute) ne.next(); if (hdfsUidSchemaStr.equalsIgnoreCase(attr.getID())) { userId = (String) attr.get(); } else if (hdfsPathSchemaStr.equalsIgnoreCase(attr.getID())) { for (NamingEnumeration e = attr.getAll(); e.hasMore();) { String pathStr = (String) e.next(); paths.add(new Path(pathStr)); } } } ldapent.init(userId, paths); if (LOG.isDebugEnabled()) LOG.debug(ldapent); return true; } LOG.info("Ip address " + userIp + " is not authorized to access the proxy server"); return false; } }