
1   /*
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  
20  package org.apache.hadoop.hbase.security;
21  
22  import org.apache.commons.logging.Log;
23  import org.apache.commons.logging.LogFactory;
24  import org.apache.hadoop.conf.Configuration;
25  import org.apache.hadoop.hbase.AuthUtil;
26  import org.apache.hadoop.hbase.classification.InterfaceAudience;
27  
28  import java.io.IOException;
29  import java.util.ArrayList;
30  import java.util.List;
31  
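/**
 * Keeps the lists of superusers and super groups loaded from HBase configuration and
 * answers whether a given user is regarded as a superuser.
 *
 * <p>The lists are process-wide static state that authorization decisions depend on.
 * {@link #initialize(Configuration)} builds them completely before publishing them, so a
 * concurrent {@code isSuperUser} call sees either the previous lists or the new ones, never
 * a half-populated list.
 */
@InterfaceAudience.Private
public final class Superusers {
  private static final Log LOG = LogFactory.getLog(Superusers.class);

  /**
   * Configuration key for superusers. The value is read with
   * {@link Configuration#getStrings(String, String...)}; entries for which
   * {@link AuthUtil#isGroupPrincipal(String)} returns true are treated as groups, all
   * other entries as individual user names.
   */
  public static final String SUPERUSER_CONF_KEY = "hbase.superuser"; // Not getting a name

  // volatile: written by initialize() and read by authorization checks on other threads.
  // The lists are never modified after they have been assigned to these fields.
  private static volatile List<String> superUsers;
  private static volatile List<String> superGroups;

  private Superusers(){}

  /**
   * Should be called only once to pre-load list of super users and super
   * groups from Configuration. Calling it again rebuilds both lists from {@code conf}.
   *
   * <p>The user running the process is always added to the superuser list, in addition to
   * whatever the configuration declares.
   *
   * <p>If this method throws, the previously published lists (or the uninitialized state)
   * are left untouched, so a failed call never leaves empty lists behind that would pass
   * the "initialized" guard in {@code isSuperUser}.
   *
   * @param conf configuration to load users from
   * @throws IOException if unable to initialize lists of superusers or super groups
   * @throws IllegalStateException if current user is null
   */
  public static void initialize(Configuration conf) throws IOException {
    User user = User.getCurrent();

    if (user == null) {
      throw new IllegalStateException("Unable to obtain the current user, "
        + "authorization checks for internal operations will not work correctly!");
    }

    String currentUser = user.getShortName();
    if (LOG.isTraceEnabled()) {
      LOG.trace("Current user name is " + currentUser);
    }

    // Populate local lists first; they are published only once complete.
    List<String> users = new ArrayList<>();
    List<String> groups = new ArrayList<>();

    // NOTE(review): entries are used exactly as conf.getStrings returns them. Confirm
    // whether it strips whitespace around commas; an entry such as " @admins" would
    // otherwise be stored as a user name rather than a group and silently never match.
    String[] superUserList = conf.getStrings(SUPERUSER_CONF_KEY, new String[0]);
    for (String name : superUserList) {
      if (AuthUtil.isGroupPrincipal(name)) {
        groups.add(AuthUtil.getGroupName(name));
      } else {
        users.add(name);
      }
    }
    users.add(currentUser);

    // Publish groups before users: readers test superUsers for null first, so once they
    // observe the user list the matching group list is guaranteed to be visible as well.
    superGroups = groups;
    superUsers = users;
  }

  /**
   * @return true if current user is a super user (whether as user running process,
   * declared as individual superuser or member of supergroup), false otherwise.
   * A {@code null} user is never a superuser.
   * @param user to check
   * @throws IllegalStateException if lists of superusers/super groups
   *   haven't been initialized properly
   */
  public static boolean isSuperUser(User user) {
    // Read each field once so the null check and the lookup use the same list.
    List<String> users = superUsers;
    if (users == null) {
      throw new IllegalStateException("Super users/super groups lists"
        + " haven't been initialized properly.");
    }
    if (user == null) {
      // Fail closed: an absent identity must not be granted superuser rights.
      return false;
    }
    if (users.contains(user.getShortName())) {
      return true;
    }

    List<String> groups = superGroups;
    for (String group : user.getGroupNames()) {
      if (groups.contains(group)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Checks the given name against the individual superuser list only; super group
   * membership is not consulted by this overload.
   *
   * @return true if current user is a super user (whether as user running process,
   * or declared as superuser in configuration), false otherwise.
   * @param user to check
   * @throws IllegalStateException if lists of superusers/super groups
   *   haven't been initialized properly
   * @deprecated this method is for backward compatibility, use {@link #isSuperUser(User)} instead
   */
  @Deprecated
  public static boolean isSuperUser(String user) {
    List<String> users = superUsers;
    if (users == null) {
      throw new IllegalStateException("Super users/super groups lists"
        + " haven't been initialized properly.");
    }
    return users.contains(user);
  }
}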
123   }
124 }