Examples of org.apache.hadoop.security.authorize.AccessControlList

• org.apache.hadoop.security.authorize.AccessControlList
  Class representing a configured access control list.

    // initialize the webserver for uploading files.
    int tmpInfoPort = infoSocAddr.getPort();
    infoServer = new HttpServer("secondary", infoBindAddress, tmpInfoPort,
                                tmpInfoPort == 0, conf,
                                new AccessControlList(conf.get(DFS_ADMIN, " "))) {
      {
        if (UserGroupInformation.isSecurityEnabled()) {
          initSpnego(conf, DFSConfigKeys.DFS_SECONDARY_NAMENODE_INTERNAL_SPNEGO_USER_NAME_KEY,
              DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY);
        }

    private JobACLsManager aclsMgr;

    public MockJobForAcls(Job mockJob, Configuration conf) {
      this.mockJob = mockJob;
      this.conf = conf;
      AccessControlList viewAcl = new AccessControlList(FRIENDLY_USER);
      this.jobAcls = new HashMap<JobACL, AccessControlList>();
      this.jobAcls.put(JobACL.VIEW_JOB, viewAcl);
      this.aclsMgr = new JobACLsManager(conf);
    }

  ACLsManager(Configuration conf, JobACLsManager jobACLsManager,
      QueueManager queueManager) throws IOException {

    mrOwner = UserGroupInformation.getCurrentUser();
    adminAcl = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " "));
    adminAcl.addUser(mrOwner.getShortUserName());

    String deprecatedSuperGroup = conf.get(MRConfig.MR_SUPERGROUP);
    if (deprecatedSuperGroup != null) {
      LOG.warn(MRConfig.MR_SUPERGROUP + " is deprecated. Use "

    String queue = job.getProfile().getQueueName();
    String jobId = job.getJobID().toString();
    JobStatus jobStatus = job.getStatus();
    String jobOwner = jobStatus.getUsername();
    AccessControlList jobAcl =
        jobStatus.getJobACLs().get(operation.jobACLNeeded);

    checkAccess(jobId, callerUGI, queue, operation, jobOwner, jobAcl);
  }

  void checkAccess(JobStatus jobStatus, UserGroupInformation callerUGI,
      String queue, Operation operation) throws AccessControlException {

    String jobId = jobStatus.getJobID().toString();
    String jobOwner = jobStatus.getUsername();
    AccessControlList jobAcl =
      jobStatus.getJobACLs().get(operation.jobACLNeeded);

    // If acls are enabled, check if callerUGI is jobOwner, queue admin,
    // cluster admin or part of job ACL
    checkAccess(jobId, callerUGI, queue, operation, jobOwner, jobAcl);

          jobCopy.setNumMapTasks(maps);

          // write "queue admins of the queue to which job is being submitted"
          // to job file.
          String queue = jobCopy.getQueueName();
          AccessControlList acl = jobSubmitClient.getQueueAdmins(queue);
          jobCopy.set(QueueManager.toFullPropertyName(queue,
              QueueACL.ADMINISTER_JOBS.getAclName()), acl.getACLString());

          // Write job file to JobTracker's fs
          FSDataOutputStream out =
            FileSystem.create(fs, submitJobFile,
                new FsPermission(JobSubmissionFiles.JOB_FILE_PERMISSION));

        "ns1", "nn2"), "hdfs/_HOST@TEST-REALM.COM");

    // Initialize this conf object as though we're running on NN1.
    NameNode.initializeGenericKeys(conf, "ns1", "nn1");

    AccessControlList acls = Mockito.mock(AccessControlList.class);
    Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
    ServletContext context = Mockito.mock(ServletContext.class);
    Mockito.when(context.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(acls);

    // Make sure that NN2 is considered a valid fsimage/edits requestor.
    assertTrue(ImageServlet.isValidRequestor(context,
        "hdfs/host2@TEST-REALM.COM", conf));

    // Mark atm as an admin.
    Mockito.when(acls.isUserAllowed(Mockito.argThat(new ArgumentMatcher<UserGroupInformation>() {
      @Override
      public boolean matches(Object argument) {
        return ((UserGroupInformation) argument).getShortUserName().equals("atm");
      }
    }))).thenReturn(true);

        String text = ((Text)field.getFirstChild()).getData().trim();
        SchedulingPolicy policy = SchedulingPolicy.parse(text);
        queuePolicies.put(queueName, policy);
      } else if ("aclSubmitApps".equals(field.getTagName())) {
        String text = ((Text)field.getFirstChild()).getData();
        acls.put(QueueACL.SUBMIT_APPLICATIONS, new AccessControlList(text));
      } else if ("aclAdministerApps".equals(field.getTagName())) {
        String text = ((Text)field.getFirstChild()).getData();
        acls.put(QueueACL.ADMINISTER_QUEUE, new AccessControlList(text));
      } else if ("queue".endsWith(field.getTagName()) ||
          "pool".equals(field.getTagName())) {
        loadQueue(queueName, field, minQueueResources, maxQueueResources,
            queueMaxApps, userMaxApps, queueMaxAMShares, queueWeights,
            queuePolicies, minSharePreemptionTimeouts, queueAcls,

   * nobody ("")
   */
  public AccessControlList getQueueAcl(String queue, QueueACL operation) {
    Map<QueueACL, AccessControlList> queueAcls = this.queueAcls.get(queue);
    if (queueAcls != null) {
      AccessControlList operationAcl = queueAcls.get(operation);
      if (operationAcl != null) {
        return operationAcl;
      }
    }
    return (queue.equals("root")) ? EVERYBODY_ACL : NOBODY_ACL;

   * for information related to the different configuration options and
   * Http Policy is decided.
   */
  private void startInfoServer(Configuration conf) throws IOException {
    HttpServer2.Builder builder = new HttpServer2.Builder().setName("datanode")
        .setConf(conf).setACL(new AccessControlList(conf.get(DFS_ADMIN, " ")));

    HttpConfig.Policy policy = DFSUtil.getHttpPolicy(conf);

    if (policy.isHttpEnabled()) {
      if (secureResources == null) {