/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.drill.exec.util;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.drill.common.exceptions.DrillRuntimeException;
import org.apache.drill.exec.ops.OperatorStats;
import org.apache.drill.exec.store.dfs.DrillFileSystem;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.Sets;
/**
* Utilities for impersonation purpose.
*/
public class ImpersonationUtil {
private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(ImpersonationUtil.class);
private static final LoadingCache<Key, UserGroupInformation> CACHE = CacheBuilder.newBuilder()
.maximumSize(100)
.expireAfterAccess(60, TimeUnit.MINUTES)
.build(new CacheLoader<Key, UserGroupInformation>() {
@Override
public UserGroupInformation load(Key key) throws Exception {
return UserGroupInformation.createProxyUser(key.proxyUserName, key.loginUser);
}
});
private static final Splitter SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
private static class Key {
final String proxyUserName;
final UserGroupInformation loginUser;
public Key(String proxyUserName, UserGroupInformation loginUser) {
super();
this.proxyUserName = proxyUserName;
this.loginUser = loginUser;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((loginUser == null) ? 0 : loginUser.hashCode());
result = prime * result + ((proxyUserName == null) ? 0 : proxyUserName.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj) {
return true;
}
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
Key other = (Key) obj;
if (loginUser == null) {
if (other.loginUser != null) {
return false;
}
} else if (!loginUser.equals(other.loginUser)) {
return false;
}
if (proxyUserName == null) {
if (other.proxyUserName != null) {
return false;
}
} else if (!proxyUserName.equals(other.proxyUserName)) {
return false;
}
return true;
}
}
/**
* Create and return proxy user {@link org.apache.hadoop.security.UserGroupInformation} of operator owner if operator
* owner is valid. Otherwise create and return proxy user {@link org.apache.hadoop.security.UserGroupInformation} for
* query user.
*
* @param opUserName Name of the user whom to impersonate while setting up the operator.
* @param queryUserName Name of the user who issues the query. If <i>opUserName</i> is invalid,
* then this parameter must be valid user name.
* @return
*/
public static UserGroupInformation createProxyUgi(String opUserName, String queryUserName) {
if (!Strings.isNullOrEmpty(opUserName)) {
return createProxyUgi(opUserName);
}
if (Strings.isNullOrEmpty(queryUserName)) {
// TODO(DRILL-2097): Tests that use SimpleRootExec have don't assign any query user name in FragmentContext.
// Disable throwing exception to modifying the long list of test files.
// throw new DrillRuntimeException("Invalid value for query user name");
return getProcessUserUGI();
}
return createProxyUgi(queryUserName);
}
/**
* Create and return proxy user {@link org.apache.hadoop.security.UserGroupInformation} for give user name.
*
* @param proxyUserName Proxy user name (must be valid)
* @return
*/
public static UserGroupInformation createProxyUgi(String proxyUserName) {
try {
if (Strings.isNullOrEmpty(proxyUserName)) {
throw new DrillRuntimeException("Invalid value for proxy user name");
}
// If the request proxy user is same as process user name, return the process UGI.
if (proxyUserName.equals(getProcessUserName())) {
return getProcessUserUGI();
}
return CACHE.get(new Key(proxyUserName, UserGroupInformation.getLoginUser()));
} catch (IOException | ExecutionException e) {
final String errMsg = "Failed to create proxy user UserGroupInformation object: " + e.getMessage();
logger.error(errMsg, e);
throw new DrillRuntimeException(errMsg, e);
}
}
/**
* If the given user name is empty, return the current process user name. This is a temporary change to avoid
* modifying long list of tests files which have GroupScan operator with no user name property.
* @param userName User name found in GroupScan POP definition.
*/
public static String resolveUserName(String userName) {
if (!Strings.isNullOrEmpty(userName)) {
return userName;
}
return getProcessUserName();
}
/**
* Return the name of the user who is running the Drillbit.
*
* @return Drillbit process user.
*/
public static String getProcessUserName() {
return getProcessUserUGI().getShortUserName();
}
/**
* Return the list of groups to which the process user belongs.
*
* @return Drillbit process user group names
*/
public static String[] getProcessUserGroupNames() {
return getProcessUserUGI().getGroupNames();
}
/**
* Return the {@link org.apache.hadoop.security.UserGroupInformation} of user who is running the Drillbit.
*
* @return Drillbit process user {@link org.apache.hadoop.security.UserGroupInformation}.
*/
public static UserGroupInformation getProcessUserUGI() {
try {
return UserGroupInformation.getLoginUser();
} catch (IOException e) {
final String errMsg = "Failed to get process user UserGroupInformation object.";
logger.error(errMsg, e);
throw new DrillRuntimeException(errMsg, e);
}
}
/**
* Create DrillFileSystem for given <i>proxyUserName</i> and configuration.
*
* @param proxyUserName Name of the user whom to impersonate while accessing the FileSystem contents.
* @param fsConf FileSystem configuration.
* @return
*/
public static DrillFileSystem createFileSystem(String proxyUserName, Configuration fsConf) {
return createFileSystem(createProxyUgi(proxyUserName), fsConf, null);
}
/** Helper method to create DrillFileSystem */
private static DrillFileSystem createFileSystem(UserGroupInformation proxyUserUgi, final Configuration fsConf,
final OperatorStats stats) {
DrillFileSystem fs;
try {
fs = proxyUserUgi.doAs(new PrivilegedExceptionAction<DrillFileSystem>() {
public DrillFileSystem run() throws Exception {
logger.trace("Creating DrillFileSystem for proxy user: " + UserGroupInformation.getCurrentUser());
return new DrillFileSystem(fsConf, stats);
}
});
} catch (InterruptedException | IOException e) {
final String errMsg = "Failed to create DrillFileSystem for proxy user: " + e.getMessage();
logger.error(errMsg, e);
throw new DrillRuntimeException(errMsg, e);
}
return fs;
}
/**
* Given admin user/group list, finds whether the given username has admin privileges.
*
* @param userName User who is checked for administrative privileges.
* @param adminUsers Comma separated list of admin usernames,
* @param adminGroups Comma separated list of admin usergroups
* @return
*/
public static boolean hasAdminPrivileges(final String userName, final String adminUsers, final String adminGroups) {
// Process user is by default an admin
if (getProcessUserName().equals(userName)) {
return true;
}
final Set<String> adminUsersSet = Sets.newHashSet(SPLITTER.split(adminUsers));
if (adminUsersSet.contains(userName)) {
return true;
}
final UserGroupInformation ugi = createProxyUgi(userName);
final String[] userGroups = ugi.getGroupNames();
if (userGroups == null || userGroups.length == 0) {
return false;
}
final Set<String> adminUserGroupsSet = Sets.newHashSet(SPLITTER.split(adminGroups));
for (String userGroup : userGroups) {
if (adminUserGroupsSet.contains(userGroup)) {
return true;
}
}
return false;
}
// avoid instantiation
private ImpersonationUtil() {
}
}