org.apache.oozie.service
Class AuthorizationService

java.lang.Object
  org.apache.oozie.service.AuthorizationService

All Implemented Interfaces:

Service

public class AuthorizationService
extends java.lang.Object
implements Service

The authorization service provides all authorization checks.

Field Summary

static java.lang.String	ADMIN_USERS_FILE File that contains list of admin users for Oozie.
static java.lang.String	CONF_PREFIX
static java.lang.String	CONF_SECURITY_ENABLED Configuration parameter to enable or disable Oozie admin role.
static java.lang.String	DEFAULT_GROUP Default group returned by getDefaultGroup().
protected static java.lang.String	INSTR_FAILED_AUTH_COUNTER
protected static java.lang.String	INSTRUMENTATION_GROUP

Constructor Summary

AuthorizationService()

Method Summary

void	authorizeForAdmin(java.lang.String user, boolean write) Check if the user has admin privileges.
void	authorizeForApp(java.lang.String user, java.lang.String group, java.lang.String appPath, org.apache.hadoop.conf.Configuration jobConf) Check if the user+group is authorized to use the specified application.
void	authorizeForApp(java.lang.String user, java.lang.String group, java.lang.String appPath, java.lang.String fileName, org.apache.hadoop.conf.Configuration conf) Check if the user+group is authorized to use the specified application.
void	authorizeForGroup(java.lang.String user, java.lang.String group) Check if the user belongs to the group or not.
void	authorizeForJob(java.lang.String user, java.lang.String jobId, boolean write) Check if the user+group is authorized to operate on the specified job.
void	destroy() Destroy the service.
java.lang.String	getDefaultGroup(java.lang.String user) Return the default group to which the user belongs.
java.lang.Class<? extends Service>	getInterface() Return the public interface of the service.
void	init(Services services) Initialize the service.
protected boolean	isAdmin(java.lang.String user) Check if the user has admin privileges.
boolean	isSecurityEnabled() Return if security is enabled or not.
protected boolean	isUserInGroup(java.lang.String user, java.lang.String group) Check if the user belongs to the group or not.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CONF_PREFIX

public static final java.lang.String CONF_PREFIX

See Also:

Constant Field Values

CONF_SECURITY_ENABLED

public static final java.lang.String CONF_SECURITY_ENABLED

Configuration parameter to enable or disable Oozie admin role.

See Also:

Constant Field Values

ADMIN_USERS_FILE

public static final java.lang.String ADMIN_USERS_FILE

File that contains list of admin users for Oozie.

See Also:

Constant Field Values

DEFAULT_GROUP

public static final java.lang.String DEFAULT_GROUP

Default group returned by getDefaultGroup().

See Also:

Constant Field Values

INSTRUMENTATION_GROUP

protected static final java.lang.String INSTRUMENTATION_GROUP

See Also:

Constant Field Values

INSTR_FAILED_AUTH_COUNTER

protected static final java.lang.String INSTR_FAILED_AUTH_COUNTER

See Also:

Constant Field Values

Constructor Detail

AuthorizationService

public AuthorizationService()

Method Detail

init

public void init(Services services)
          throws ServiceException

Initialize the service.

Reads the security related configuration. parameters - security enabled and list of super users.

Specified by:

init in interface Service

Parameters:

services - services instance.

Throws:

ServiceException - thrown if the service could not be initialized.

isSecurityEnabled

public boolean isSecurityEnabled()

Return if security is enabled or not.

Returns:

if security is enabled or not.

destroy

public void destroy()

Destroy the service.

This implementation does a NOP.

Specified by:

destroy in interface Service

getInterface

public java.lang.Class<? extends Service> getInterface()

Return the public interface of the service.

Specified by:

getInterface in interface Service

Returns:

AuthorizationService.

isUserInGroup

protected boolean isUserInGroup(java.lang.String user,
                                java.lang.String group)
                         throws AuthorizationException

Check if the user belongs to the group or not.

This implementation returns always true.

Parameters:

user - user name.

group - group name.

Returns:

if the user belongs to the group or not.

Throws:

AuthorizationException - thrown if the authorization query can not be performed.

authorizeForGroup

public void authorizeForGroup(java.lang.String user,
                              java.lang.String group)
                       throws AuthorizationException

Check if the user belongs to the group or not.

Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.

Parameters:

user - user name.

group - group name.

Throws:

AuthorizationException - thrown if the user is not authorized for the group or if the authorization query can not be performed.

getDefaultGroup

public java.lang.String getDefaultGroup(java.lang.String user)
                                 throws AuthorizationException

Return the default group to which the user belongs.

This implementation always returns 'users'.

Parameters:

user - user name.

Returns:

default group of user.

Throws:

AuthorizationException - thrown if the default group con not be retrieved.

isAdmin

protected boolean isAdmin(java.lang.String user)

Check if the user has admin privileges.

If admin is disabled it returns always true.

If admin is enabled it returns true if the user is in the adminusers.txt file.

Parameters:

user - user name.

Returns:

if the user has admin privileges or not.

authorizeForAdmin

public void authorizeForAdmin(java.lang.String user,
                              boolean write)
                       throws AuthorizationException

Check if the user has admin privileges.

Subclasses should override the isUserInGroup(java.lang.String, java.lang.String) method.

Parameters:

user - user name.

write - indicates if the check is for read or write admin tasks (in this implementation this is ignored)

Throws:

AuthorizationException - thrown if user does not have admin priviledges.

authorizeForApp

public void authorizeForApp(java.lang.String user,
                            java.lang.String group,
                            java.lang.String appPath,
                            org.apache.hadoop.conf.Configuration jobConf)
                     throws AuthorizationException

Check if the user+group is authorized to use the specified application.

The check is done by checking the file system permissions on the workflow application.

Parameters:

user - user name.

group - group name.

appPath - application path.

Throws:

AuthorizationException - thrown if the user is not authorized for the app.

authorizeForApp

public void authorizeForApp(java.lang.String user,
                            java.lang.String group,
                            java.lang.String appPath,
                            java.lang.String fileName,
                            org.apache.hadoop.conf.Configuration conf)
                     throws AuthorizationException

Check if the user+group is authorized to use the specified application.

The check is done by checking the file system permissions on the workflow application.

Parameters:

user - user name.

group - group name.

appPath - application path.

fileName - workflow or coordinator.xml

conf -

Throws:

AuthorizationException - thrown if the user is not authorized for the app.

authorizeForJob

public void authorizeForJob(java.lang.String user,
                            java.lang.String jobId,
                            boolean write)
                     throws AuthorizationException

Check if the user+group is authorized to operate on the specified job.

Checks if the user is a super-user or the one who started the job.

Read operations are allowed to all users.

Parameters:

user - user name.

jobId - job id.

write - indicates if the check is for read or write job tasks.

Throws:

AuthorizationException - thrown if the user is not authorized for the job.