1 | /** |
---|
2 | * Licensed to the Apache Software Foundation (ASF) under one |
---|
3 | * or more contributor license agreements. See the NOTICE file |
---|
4 | * distributed with this work for additional information |
---|
5 | * regarding copyright ownership. The ASF licenses this file |
---|
6 | * to you under the Apache License, Version 2.0 (the |
---|
7 | * "License"); you may not use this file except in compliance |
---|
8 | * with the License. You may obtain a copy of the License at |
---|
9 | * |
---|
10 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
11 | * |
---|
12 | * Unless required by applicable law or agreed to in writing, software |
---|
13 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
15 | * See the License for the specific language governing permissions and |
---|
16 | * limitations under the License. |
---|
17 | */ |
---|
18 | |
---|
19 | package org.apache.hadoop.security; |
---|
20 | |
---|
21 | import java.io.DataInput; |
---|
22 | import java.io.DataOutput; |
---|
23 | import java.io.IOException; |
---|
24 | import java.util.Arrays; |
---|
25 | import java.util.HashMap; |
---|
26 | import java.util.StringTokenizer; |
---|
27 | import java.util.TreeSet; |
---|
28 | |
---|
29 | import javax.security.auth.login.LoginException; |
---|
30 | |
---|
31 | import org.apache.hadoop.conf.Configuration; |
---|
32 | import org.apache.hadoop.util.Shell; |
---|
33 | import org.apache.hadoop.io.Text; |
---|
34 | import org.apache.hadoop.io.WritableUtils; |
---|
35 | |
---|
36 | /** An implementation of UserGroupInformation in the Unix system */ |
---|
37 | public class UnixUserGroupInformation extends UserGroupInformation { |
---|
38 | public static final String DEFAULT_USERNAME = "DrWho"; |
---|
39 | public static final String DEFAULT_GROUP = "Tardis"; |
---|
40 | |
---|
41 | final static public String UGI_PROPERTY_NAME = "hadoop.job.ugi"; |
---|
42 | final static private HashMap<String, UnixUserGroupInformation> user2UGIMap = |
---|
43 | new HashMap<String, UnixUserGroupInformation>(); |
---|
44 | |
---|
45 | /** Create an immutable {@link UnixUserGroupInformation} object. */ |
---|
46 | public static UnixUserGroupInformation createImmutable(String[] ugi) { |
---|
47 | return new UnixUserGroupInformation(ugi) { |
---|
48 | public void readFields(DataInput in) throws IOException { |
---|
49 | throw new UnsupportedOperationException(); |
---|
50 | } |
---|
51 | }; |
---|
52 | } |
---|
53 | |
---|
54 | private String userName; |
---|
55 | private String[] groupNames; |
---|
56 | |
---|
57 | /** Default constructor |
---|
58 | */ |
---|
59 | public UnixUserGroupInformation() { |
---|
60 | } |
---|
61 | |
---|
62 | /** Constructor with parameters user name and its group names. |
---|
63 | * The first entry in the groups list is the default group. |
---|
64 | * |
---|
65 | * @param userName a user's name |
---|
66 | * @param groupNames groups list, first of which is the default group |
---|
67 | * @exception IllegalArgumentException if any argument is null |
---|
68 | */ |
---|
69 | public UnixUserGroupInformation(String userName, String[] groupNames) { |
---|
70 | setUserGroupNames(userName, groupNames); |
---|
71 | } |
---|
72 | |
---|
73 | /** Constructor with parameter user/group names |
---|
74 | * |
---|
75 | * @param ugi an array containing user/group names, the first |
---|
76 | * element of which is the user name, the second of |
---|
77 | * which is the default group name. |
---|
78 | * @exception IllegalArgumentException if the array size is less than 2 |
---|
79 | * or any element is null. |
---|
80 | */ |
---|
81 | public UnixUserGroupInformation(String[] ugi) { |
---|
82 | if (ugi==null || ugi.length < 2) { |
---|
83 | throw new IllegalArgumentException( "Parameter does contain at least "+ |
---|
84 | "one user name and one group name"); |
---|
85 | } |
---|
86 | String[] groupNames = new String[ugi.length-1]; |
---|
87 | System.arraycopy(ugi, 1, groupNames, 0, groupNames.length); |
---|
88 | setUserGroupNames(ugi[0], groupNames); |
---|
89 | } |
---|
90 | |
---|
91 | /* Set this object's user name and group names |
---|
92 | * |
---|
93 | * @param userName a user's name |
---|
94 | * @param groupNames groups list, the first of which is the default group |
---|
95 | * @exception IllegalArgumentException if any argument is null |
---|
96 | */ |
---|
97 | private void setUserGroupNames(String userName, String[] groupNames) { |
---|
98 | if (userName==null || userName.length()==0 || |
---|
99 | groupNames== null || groupNames.length==0) { |
---|
100 | throw new IllegalArgumentException( |
---|
101 | "Parameters should not be null or an empty string/array"); |
---|
102 | } |
---|
103 | for (int i=0; i<groupNames.length; i++) { |
---|
104 | if(groupNames[i] == null || groupNames[i].length() == 0) { |
---|
105 | throw new IllegalArgumentException("A null group name at index " + i); |
---|
106 | } |
---|
107 | } |
---|
108 | this.userName = userName; |
---|
109 | this.groupNames = groupNames; |
---|
110 | } |
---|
111 | |
---|
112 | /** Return an array of group names |
---|
113 | */ |
---|
114 | public String[] getGroupNames() { |
---|
115 | return groupNames; |
---|
116 | } |
---|
117 | |
---|
118 | /** Return the user's name |
---|
119 | */ |
---|
120 | public String getUserName() { |
---|
121 | return userName; |
---|
122 | } |
---|
123 | |
---|
124 | /* The following two methods implements Writable interface */ |
---|
125 | final private static String UGI_TECHNOLOGY = "STRING_UGI"; |
---|
126 | /** Deserialize this object |
---|
127 | * First check if this is a UGI in the string format. |
---|
128 | * If no, throw an IOException; otherwise |
---|
129 | * set this object's fields by reading them from the given data input |
---|
130 | * |
---|
131 | * @param in input stream |
---|
132 | * @exception IOException is thrown if encounter any error when reading |
---|
133 | */ |
---|
134 | public void readFields(DataInput in) throws IOException { |
---|
135 | // read UGI type first |
---|
136 | String ugiType = Text.readString(in); |
---|
137 | if (!UGI_TECHNOLOGY.equals(ugiType)) { |
---|
138 | throw new IOException("Expect UGI prefix: " + UGI_TECHNOLOGY + |
---|
139 | ", but receive a prefix: " + ugiType); |
---|
140 | } |
---|
141 | |
---|
142 | // read this object |
---|
143 | userName = Text.readString(in); |
---|
144 | int numOfGroups = WritableUtils.readVInt(in); |
---|
145 | groupNames = new String[numOfGroups]; |
---|
146 | for (int i = 0; i < numOfGroups; i++) { |
---|
147 | groupNames[i] = Text.readString(in); |
---|
148 | } |
---|
149 | } |
---|
150 | |
---|
151 | /** Serialize this object |
---|
152 | * First write a string marking that this is a UGI in the string format, |
---|
153 | * then write this object's serialized form to the given data output |
---|
154 | * |
---|
155 | * @param out output stream |
---|
156 | * @exception IOException if encounter any error during writing |
---|
157 | */ |
---|
158 | public void write(DataOutput out) throws IOException { |
---|
159 | // write a prefix indicating the type of UGI being written |
---|
160 | Text.writeString(out, UGI_TECHNOLOGY); |
---|
161 | // write this object |
---|
162 | Text.writeString(out, userName); |
---|
163 | WritableUtils.writeVInt(out, groupNames.length); |
---|
164 | for (String groupName : groupNames) { |
---|
165 | Text.writeString(out, groupName); |
---|
166 | } |
---|
167 | } |
---|
168 | |
---|
169 | /* The following two methods deal with transferring UGI through conf. |
---|
170 | * In this pass of implementation we store UGI as a string in conf. |
---|
171 | * Later we may change it to be a more general approach that stores |
---|
172 | * it as a byte array */ |
---|
173 | /** Store the given <code>ugi</code> as a comma separated string in |
---|
174 | * <code>conf</code> as a property <code>attr</code> |
---|
175 | * |
---|
176 | * The String starts with the user name followed by the default group names, |
---|
177 | * and other group names. |
---|
178 | * |
---|
179 | * @param conf configuration |
---|
180 | * @param attr property name |
---|
181 | * @param ugi a UnixUserGroupInformation |
---|
182 | */ |
---|
183 | public static void saveToConf(Configuration conf, String attr, |
---|
184 | UnixUserGroupInformation ugi ) { |
---|
185 | conf.set(attr, ugi.toString()); |
---|
186 | } |
---|
187 | |
---|
188 | /** Read a UGI from the given <code>conf</code> |
---|
189 | * |
---|
190 | * The object is expected to store with the property name <code>attr</code> |
---|
191 | * as a comma separated string that starts |
---|
192 | * with the user name followed by group names. |
---|
193 | * If the property name is not defined, return null. |
---|
194 | * It's assumed that there is only one UGI per user. If this user already |
---|
195 | * has a UGI in the ugi map, return the ugi in the map. |
---|
196 | * Otherwise, construct a UGI from the configuration, store it in the |
---|
197 | * ugi map and return it. |
---|
198 | * |
---|
199 | * @param conf configuration |
---|
200 | * @param attr property name |
---|
201 | * @return a UnixUGI |
---|
202 | * @throws LoginException if the stored string is ill-formatted. |
---|
203 | */ |
---|
204 | public static UnixUserGroupInformation readFromConf( |
---|
205 | Configuration conf, String attr) throws LoginException { |
---|
206 | String[] ugi = conf.getStrings(attr); |
---|
207 | if(ugi == null) { |
---|
208 | return null; |
---|
209 | } |
---|
210 | UnixUserGroupInformation currentUGI = null; |
---|
211 | if (ugi.length>0 ){ |
---|
212 | currentUGI = user2UGIMap.get(ugi[0]); |
---|
213 | } |
---|
214 | if (currentUGI == null) { |
---|
215 | try { |
---|
216 | currentUGI = new UnixUserGroupInformation(ugi); |
---|
217 | user2UGIMap.put(currentUGI.getUserName(), currentUGI); |
---|
218 | } catch (IllegalArgumentException e) { |
---|
219 | throw new LoginException("Login failed: "+e.getMessage()); |
---|
220 | } |
---|
221 | } |
---|
222 | |
---|
223 | return currentUGI; |
---|
224 | } |
---|
225 | |
---|
226 | /** |
---|
227 | * Get current user's name and the names of all its groups from Unix. |
---|
228 | * It's assumed that there is only one UGI per user. If this user already |
---|
229 | * has a UGI in the ugi map, return the ugi in the map. |
---|
230 | * Otherwise get the current user's information from Unix, store it |
---|
231 | * in the map, and return it. |
---|
232 | * |
---|
233 | * If the current user's UNIX username or groups are configured in such a way |
---|
234 | * to throw an Exception, for example if the user uses LDAP, then this method |
---|
235 | * will use a the {@link #DEFAULT_USERNAME} and {@link #DEFAULT_GROUP} |
---|
236 | * constants. |
---|
237 | */ |
---|
238 | public static UnixUserGroupInformation login() throws LoginException { |
---|
239 | try { |
---|
240 | String userName; |
---|
241 | |
---|
242 | // if an exception occurs, then uses the |
---|
243 | // default user |
---|
244 | try { |
---|
245 | userName = getUnixUserName(); |
---|
246 | } catch (Exception e) { |
---|
247 | userName = DEFAULT_USERNAME; |
---|
248 | } |
---|
249 | |
---|
250 | // check if this user already has a UGI object in the ugi map |
---|
251 | UnixUserGroupInformation ugi = user2UGIMap.get(userName); |
---|
252 | if (ugi != null) { |
---|
253 | return ugi; |
---|
254 | } |
---|
255 | |
---|
256 | /* get groups list from UNIX. |
---|
257 | * It's assumed that the first group is the default group. |
---|
258 | */ |
---|
259 | String[] groupNames; |
---|
260 | |
---|
261 | // if an exception occurs, then uses the |
---|
262 | // default group |
---|
263 | try { |
---|
264 | groupNames = getUnixGroups(); |
---|
265 | } catch (Exception e) { |
---|
266 | groupNames = new String[1]; |
---|
267 | groupNames[0] = DEFAULT_GROUP; |
---|
268 | } |
---|
269 | |
---|
270 | // construct a Unix UGI |
---|
271 | ugi = new UnixUserGroupInformation(userName, groupNames); |
---|
272 | user2UGIMap.put(ugi.getUserName(), ugi); |
---|
273 | return ugi; |
---|
274 | } catch (Exception e) { |
---|
275 | throw new LoginException("Login failed: "+e.getMessage()); |
---|
276 | } |
---|
277 | } |
---|
278 | |
---|
279 | /** Equivalent to login(conf, false). */ |
---|
280 | public static UnixUserGroupInformation login(Configuration conf) |
---|
281 | throws LoginException { |
---|
282 | return login(conf, false); |
---|
283 | } |
---|
284 | |
---|
285 | /** Get a user's name & its group names from the given configuration; |
---|
286 | * If it is not defined in the configuration, get the current user's |
---|
287 | * information from Unix. |
---|
288 | * If the user has a UGI in the ugi map, return the one in |
---|
289 | * the UGI map. |
---|
290 | * |
---|
291 | * @param conf either a job configuration or client's configuration |
---|
292 | * @param save saving it to conf? |
---|
293 | * @return UnixUserGroupInformation a user/group information |
---|
294 | * @exception LoginException if not able to get the user/group information |
---|
295 | */ |
---|
296 | public static UnixUserGroupInformation login(Configuration conf, boolean save |
---|
297 | ) throws LoginException { |
---|
298 | UnixUserGroupInformation ugi = readFromConf(conf, UGI_PROPERTY_NAME); |
---|
299 | if (ugi == null) { |
---|
300 | ugi = login(); |
---|
301 | LOG.debug("Unix Login: " + ugi); |
---|
302 | if (save) { |
---|
303 | saveToConf(conf, UGI_PROPERTY_NAME, ugi); |
---|
304 | } |
---|
305 | } |
---|
306 | return ugi; |
---|
307 | } |
---|
308 | |
---|
309 | /* Return a string representation of a string array. |
---|
310 | * Two strings are separated by a blank. |
---|
311 | */ |
---|
312 | private static String toString(String[] strArray) { |
---|
313 | if (strArray==null || strArray.length==0) { |
---|
314 | return ""; |
---|
315 | } |
---|
316 | StringBuilder buf = new StringBuilder(strArray[0]); |
---|
317 | for (int i=1; i<strArray.length; i++) { |
---|
318 | buf.append(' '); |
---|
319 | buf.append(strArray[i]); |
---|
320 | } |
---|
321 | return buf.toString(); |
---|
322 | } |
---|
323 | |
---|
324 | /** Get current user's name from Unix by running the command whoami. |
---|
325 | * |
---|
326 | * @return current user's name |
---|
327 | * @throws IOException if encounter any error while running the command |
---|
328 | */ |
---|
329 | static String getUnixUserName() throws IOException { |
---|
330 | String[] result = executeShellCommand( |
---|
331 | new String[]{Shell.USER_NAME_COMMAND}); |
---|
332 | if (result.length!=1) { |
---|
333 | throw new IOException("Expect one token as the result of " + |
---|
334 | Shell.USER_NAME_COMMAND + ": " + toString(result)); |
---|
335 | } |
---|
336 | return result[0]; |
---|
337 | } |
---|
338 | |
---|
339 | /** Get the current user's group list from Unix by running the command groups |
---|
340 | * |
---|
341 | * @return the groups list that the current user belongs to |
---|
342 | * @throws IOException if encounter any error when running the command |
---|
343 | */ |
---|
344 | private static String[] getUnixGroups() throws IOException { |
---|
345 | return executeShellCommand(Shell.getGROUPS_COMMAND()); |
---|
346 | } |
---|
347 | |
---|
348 | /* Execute a command and return the result as an array of Strings */ |
---|
349 | private static String[] executeShellCommand(String[] command) |
---|
350 | throws IOException { |
---|
351 | String groups = Shell.execCommand(command); |
---|
352 | StringTokenizer tokenizer = new StringTokenizer(groups); |
---|
353 | int numOfTokens = tokenizer.countTokens(); |
---|
354 | String[] tokens = new String[numOfTokens]; |
---|
355 | for (int i=0; tokenizer.hasMoreTokens(); i++) { |
---|
356 | tokens[i] = tokenizer.nextToken(); |
---|
357 | } |
---|
358 | |
---|
359 | return tokens; |
---|
360 | } |
---|
361 | |
---|
362 | /** Decide if two UGIs are the same |
---|
363 | * |
---|
364 | * @param other other object |
---|
365 | * @return true if they are the same; false otherwise. |
---|
366 | */ |
---|
367 | public boolean equals(Object other) { |
---|
368 | if (this == other) { |
---|
369 | return true; |
---|
370 | } |
---|
371 | |
---|
372 | if (!(other instanceof UnixUserGroupInformation)) { |
---|
373 | return false; |
---|
374 | } |
---|
375 | |
---|
376 | UnixUserGroupInformation otherUGI = (UnixUserGroupInformation)other; |
---|
377 | |
---|
378 | // check userName |
---|
379 | if (userName == null) { |
---|
380 | if (otherUGI.getUserName() != null) { |
---|
381 | return false; |
---|
382 | } |
---|
383 | } else { |
---|
384 | if (!userName.equals(otherUGI.getUserName())) { |
---|
385 | return false; |
---|
386 | } |
---|
387 | } |
---|
388 | |
---|
389 | // checkGroupNames |
---|
390 | if (groupNames == otherUGI.groupNames) { |
---|
391 | return true; |
---|
392 | } |
---|
393 | if (groupNames.length != otherUGI.groupNames.length) { |
---|
394 | return false; |
---|
395 | } |
---|
396 | // check default group name |
---|
397 | if (groupNames.length>0 && !groupNames[0].equals(otherUGI.groupNames[0])) { |
---|
398 | return false; |
---|
399 | } |
---|
400 | // check all group names, ignoring the order |
---|
401 | return new TreeSet<String>(Arrays.asList(groupNames)).equals( |
---|
402 | new TreeSet<String>(Arrays.asList(otherUGI.groupNames))); |
---|
403 | } |
---|
404 | |
---|
405 | /** Returns a hash code for this UGI. |
---|
406 | * The hash code for a UGI is the hash code of its user name string. |
---|
407 | * |
---|
408 | * @return a hash code value for this UGI. |
---|
409 | */ |
---|
410 | public int hashCode() { |
---|
411 | return getUserName().hashCode(); |
---|
412 | } |
---|
413 | |
---|
414 | /** Convert this object to a string |
---|
415 | * |
---|
416 | * @return a comma separated string containing the user name and group names |
---|
417 | */ |
---|
418 | public String toString() { |
---|
419 | StringBuilder buf = new StringBuilder(); |
---|
420 | buf.append(userName); |
---|
421 | for (String groupName : groupNames) { |
---|
422 | buf.append(','); |
---|
423 | buf.append(groupName); |
---|
424 | } |
---|
425 | return buf.toString(); |
---|
426 | } |
---|
427 | |
---|
428 | @Override |
---|
429 | public String getName() { |
---|
430 | return toString(); |
---|
431 | } |
---|
432 | } |
---|