[hbase.git] / hbase-common / src / main / java / org / apache / hadoop / hbase / security / Superusers.java
/*
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
20 package org.apache.hadoop.hbase.security;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
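/**
 * Keeps lists of superusers and super groups loaded from HBase configuration,
 * checks if certain user is regarded as superuser.
 * <p>
 * All state is held in static fields, so the lists are shared by every caller in the
 * process. The sets are published as read-only views: they feed authorization decisions
 * and must only change through {@link #initialize(Configuration)}.
 */
@InterfaceAudience.Private
public final class Superusers {
  private static final Logger LOG = LoggerFactory.getLogger(Superusers.class);

  /** Configuration key for superusers */
  public static final String SUPERUSER_CONF_KEY = "hbase.superuser"; // Not getting a name

  // Null until initialize() has completed successfully; read-only afterwards.
  private static Set<String> superUsers;
  private static Set<String> superGroups;
  private static User systemUser;

  private Superusers(){}

  /**
   * Pre-loads the lists of super users and super groups from Configuration. The user
   * running the process is always added as a super user. Calling this again with the
   * same configuration yields the same lists.
   * <p>
   * The new lists are built in local sets and assigned to the static fields only once
   * they are complete. A call that fails therefore leaves the previous state untouched,
   * and in particular never leaves empty, non-null lists behind that would defeat the
   * "not initialized" check in {@link #isSuperUser(User)}.
   * @param conf configuration to load users from
   * @throws IOException if unable to initialize lists of superusers or super groups
   * @throws IllegalStateException if current user is null
   */
  public static void initialize(Configuration conf) throws IOException {
    User current = User.getCurrent();
    if (current == null) {
      throw new IllegalStateException("Unable to obtain the current user, "
        + "authorization checks for internal operations will not work correctly!");
    }

    Set<String> users = new HashSet<>();
    Set<String> groups = new HashSet<>();

    String currentUser = current.getShortName();
    LOG.trace("Current user name is {}", currentUser);
    users.add(currentUser);

    for (String name : conf.getStrings(SUPERUSER_CONF_KEY, new String[0])) {
      if (AuthUtil.isGroupPrincipal(name)) {
        // Let's keep the '@' for distinguishing from user.
        groups.add(name);
      } else {
        users.add(name);
      }
    }

    // superUsers is what the initialization check reads, so it is assigned last.
    // NOTE(review): the fields are not volatile, so this ordering gives no cross-thread
    // visibility guarantee; confirm that initialize() completes before concurrent readers.
    systemUser = current;
    superGroups = Collections.unmodifiableSet(groups);
    superUsers = Collections.unmodifiableSet(users);
  }

  /**
   * Checks a user by short name first, then by each of its group names converted with
   * {@link AuthUtil#toGroupEntry(String)}.
   * @return true if current user is a super user (whether as user running process,
   *   declared as individual superuser or member of supergroup), false otherwise.
   * @param user to check
   * @throws IllegalStateException if lists of superusers/super groups
   *   haven't been initialized properly
   * @throws IllegalArgumentException if user is null
   */
  public static boolean isSuperUser(User user) {
    checkInitialized();
    if (user == null){
      throw new IllegalArgumentException("Null user passed for super user check");
    }
    if (superUsers.contains(user.getShortName())) {
      return true;
    }
    for (String group : user.getGroupNames()) {
      if (superGroups.contains(AuthUtil.toGroupEntry(group))) {
        return true;
      }
    }
    return false;
  }

  /**
   * Checks whether the given string is itself an entry of the superuser list or of the
   * super group list. Unlike {@link #isSuperUser(User)} this does not look up the groups
   * a user belongs to: a member of a super group is only recognised through the
   * {@link User} overload. Group entries are stored as configured, including the prefix
   * that marks them as groups, so a group must be passed in that same form.
   * @return true if the name matches a configured superuser or super group entry,
   *   false otherwise.
   * @param user name to check
   * @throws IllegalStateException if lists of superusers/super groups
   *   haven't been initialized properly
   */
  public static boolean isSuperUser(String user) {
    checkInitialized();
    return superUsers.contains(user) || superGroups.contains(user);
  }

  /**
   * @return read-only view of the superuser names, or null if {@link #initialize} has
   *   not completed yet
   */
  public static Collection<String> getSuperUsers() {
    return superUsers;
  }

  /**
   * @return read-only view of the super group entries, or null if {@link #initialize}
   *   has not completed yet
   */
  public static Collection<String> getSuperGroups() {
    return superGroups;
  }

  /**
   * @return the user captured by the last successful {@link #initialize} call, or null
   *   if there has been none
   */
  public static User getSystemUser() {
    return systemUser;
  }

  /** Fails fast when a check is attempted before the lists have been loaded. */
  private static void checkInitialized() {
    if (superUsers == null) {
      throw new IllegalStateException("Super users/super groups lists"
        + " have not been initialized properly.");
    }
  }
}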