/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.falcon.security;
import org.apache.commons.lang3.StringUtils;
import org.apache.falcon.FalconException;
import org.apache.falcon.entity.v0.Entity;
import org.apache.falcon.util.ReflectionUtils;
import org.apache.falcon.util.StartupProperties;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
/**
* Security Util - bunch of security related helper methods.
*/
public final class SecurityUtil {
/**
* Constant for the configuration property that indicates the prefix.
*/
private static final String CONFIG_PREFIX = "falcon.authentication.";
/**
* Constant for the configuration property that indicates the authentication type.
*/
public static final String AUTHENTICATION_TYPE = CONFIG_PREFIX + "type";
/**
* Constant for the configuration property that indicates the Name node principal.
*/
public static final String NN_PRINCIPAL = "dfs.namenode.kerberos.principal";
/**
* Constant for the configuration property that indicates the
* Resource Manager principal. This is useful when the remote cluster realm
* (with cross domain trust) or the auth to local rule definition results in a
* different RM principal than in Falcon server cluster.
*/
public static final String RM_PRINCIPAL = "yarn.resourcemanager.principal";
/**
* Constant for the configuration property that indicates the Name node principal.
* This is used to talk to Hive Meta Store during parsing and validations only.
*/
public static final String HIVE_METASTORE_KERBEROS_PRINCIPAL = "hive.metastore.kerberos.principal";
public static final String METASTORE_USE_THRIFT_SASL = "hive.metastore.sasl.enabled";
public static final String METASTORE_PRINCIPAL = "hcat.metastore.principal";
private static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);
private SecurityUtil() {
}
public static String getAuthenticationType() {
return StartupProperties.get().getProperty(
AUTHENTICATION_TYPE, PseudoAuthenticationHandler.TYPE);
}
/**
* Checks if kerberos authentication is enabled in the configuration.
*
* @return true if falcon.authentication.type is kerberos, false otherwise
*/
public static boolean isSecurityEnabled() {
String authenticationType = StartupProperties.get().getProperty(
AUTHENTICATION_TYPE, PseudoAuthenticationHandler.TYPE);
final boolean useKerberos;
if (authenticationType == null || PseudoAuthenticationHandler.TYPE.equals(authenticationType)) {
useKerberos = false;
} else if (KerberosAuthenticationHandler.TYPE.equals(authenticationType)) {
useKerberos = true;
} else {
throw new IllegalArgumentException("Invalid attribute value for "
+ AUTHENTICATION_TYPE + " of " + authenticationType);
}
return useKerberos;
}
public static String getLocalHostName() throws UnknownHostException {
return InetAddress.getLocalHost().getCanonicalHostName();
}
/**
* Checks if authorization is enabled in the configuration.
*
* @return true if falcon.security.authorization.enabled is enabled, false otherwise
*/
public static boolean isAuthorizationEnabled() {
return Boolean.valueOf(StartupProperties.get().getProperty(
"falcon.security.authorization.enabled", "false"));
}
/**
* Checks if CSRF filter is enabled in the configuration.
*
* @return true if falcon.security.csrf.enabled is enabled, false otherwise
*/
public static boolean isCSRFFilterEnabled() {
return Boolean.valueOf(StartupProperties.get().getProperty(
"falcon.security.csrf.enabled", "false"));
}
public static AuthorizationProvider getAuthorizationProvider() throws FalconException {
String providerClassName = StartupProperties.get().getProperty(
"falcon.security.authorization.provider",
"org.apache.falcon.security.DefaultAuthorizationProvider");
return ReflectionUtils.getInstanceByClassName(providerClassName);
}
public static void tryProxy(Entity entity, final String doAsUser) throws IOException, FalconException {
if (entity != null && entity.getACL() != null && SecurityUtil.isAuthorizationEnabled()) {
final String aclOwner = entity.getACL().getOwner();
final String aclGroup = entity.getACL().getGroup();
if (StringUtils.isNotEmpty(doAsUser)) {
if (!doAsUser.equalsIgnoreCase(aclOwner)) {
LOG.warn("doAs user {} not same as acl owner {}. Ignoring acl owner.", doAsUser, aclOwner);
throw new FalconException("doAs user and ACL owner mismatch. doAs user " + doAsUser
+ " should be same as ACL owner " + aclOwner);
}
return;
}
if (SecurityUtil.getAuthorizationProvider().shouldProxy(
CurrentUser.getAuthenticatedUGI(), aclOwner, aclGroup)) {
CurrentUser.proxy(aclOwner, aclGroup);
}
}
}
}