
/tags/release-0.2.0-rc0/src/java/org/apache/hcatalog/common/AuthUtils.java

  1/*
  2 * Licensed to the Apache Software Foundation (ASF) under one
  3 * or more contributor license agreements.  See the NOTICE file
  4 * distributed with this work for additional information
  5 * regarding copyright ownership.  The ASF licenses this file
  6 * to you under the Apache License, Version 2.0 (the
  7 * "License"); you may not use this file except in compliance
  8 * with the License.  You may obtain a copy of the License at
  9 *
 10 *     http://www.apache.org/licenses/LICENSE-2.0
 11 *
 12 * Unless required by applicable law or agreed to in writing, software
 13 * distributed under the License is distributed on an "AS IS" BASIS,
 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 15 * See the License for the specific language governing permissions and
 16 * limitations under the License.
 17 */
 18package org.apache.hcatalog.common;
 19
 20import java.io.FileNotFoundException;
 21import java.io.IOException;
 22
 23import javax.security.auth.login.LoginException;
 24
 25import org.apache.commons.lang.ArrayUtils;
 26import org.apache.hadoop.conf.Configuration;
 27import org.apache.hadoop.fs.FileStatus;
 28import org.apache.hadoop.fs.Path;
 29import org.apache.hadoop.fs.permission.FsAction;
 30import org.apache.hadoop.fs.permission.FsPermission;
 31import org.apache.hadoop.hive.conf.HiveConf;
 32import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 33import org.apache.hadoop.hive.ql.parse.SemanticException;
 34import org.apache.hadoop.hive.shims.ShimLoader;
 35import org.apache.hadoop.security.AccessControlException;
 36import org.apache.hadoop.security.UserGroupInformation;
 37
public class AuthUtils {

  /**
   * Checks whether the current user may perform {@code action} on {@code path}, based on the
   * owner, group and permission bits that the file system reports for that path.
   *
   * <p>Exactly one permission class is consulted, in this order: the owner bits if the user
   * name equals the path's owner, otherwise the group bits if the path's group is among the
   * user's groups, otherwise the "other" bits. An owner whose owner bits do not imply the
   * action is rejected even if the group or other bits would allow it.
   *
   * <p>Security notes for callers:
   * <ul>
   *   <li>If the path does not exist, the method returns without performing any check, so a
   *       caller that is about to create the path gets no authorization from this call.</li>
   *   <li>The decision uses only the owner, group and {@link FsPermission} taken from the
   *       {@link FileStatus}; nothing in this method consults any other access-control
   *       source or treats any user specially.</li>
   *   <li>NOTE(review): the status is read once, at call time. Confirm that callers do not
   *       rely on this as the only enforcement if permissions can change between this check
   *       and the operation it guards.</li>
   * </ul>
   *
   * @param path path to check; must be non-null
   * @param action action the user wants to perform; documented as non-null, not checked here
   * @param conf configuration used to resolve the file system and the current user
   * @throws SemanticException if reading the file status or resolving the user fails with an
   *     {@link IOException} that is not an access-control failure
   * @throws HCatException with {@code ERROR_INTERNAL_EXCEPTION} if {@code path} is null, or
   *     with {@code ERROR_ACCESS_CONTROL} if the status lookup or login is refused or the
   *     applicable permission bits do not imply {@code action}
   */
  @SuppressWarnings("deprecation")
  public static void authorize(final Path path, final FsAction action, final Configuration conf)
      throws SemanticException, HCatException {

    if (path == null) {
      throw new HCatException(ErrorType.ERROR_INTERNAL_EXCEPTION);
    }

    final FileStatus status;
    try {
      status = path.getFileSystem(conf).getFileStatus(path);
    } catch (FileNotFoundException notFound) {
      // Nothing exists at this path, so there are no permission bits to evaluate.
      return;
    } catch (AccessControlException denied) {
      throw new HCatException(ErrorType.ERROR_ACCESS_CONTROL, denied);
    } catch (org.apache.hadoop.fs.permission.AccessControlException denied) {
      // Older Hadoop versions throw this deprecated exception type instead.
      throw new HCatException(ErrorType.ERROR_ACCESS_CONTROL, denied);
    } catch (IOException ioFailure) {
      throw new SemanticException(ioFailure);
    }

    final UserGroupInformation caller;
    try {
      caller = ShimLoader.getHadoopShims().getUGIForConf(conf);
    } catch (LoginException loginFailure) {
      throw new HCatException(ErrorType.ERROR_ACCESS_CONTROL, loginFailure);
    } catch (IOException ioFailure) {
      throw new SemanticException(ioFailure);
    }

    final FsPermission perms = status.getPermission();

    // With METASTORE_USE_THRIFT_SASL enabled the short user name is compared against the
    // path's owner; otherwise the full user name is used.
    final boolean useShortName = HiveConf.getBoolVar(conf, ConfVars.METASTORE_USE_THRIFT_SASL);
    final String userName = useShortName ? caller.getShortUserName() : caller.getUserName();
    final String owningGroup = status.getGroup();

    // Select the single permission class that applies to this user: owner, then group,
    // then other. There is deliberately no fall-through from one class to the next.
    final FsAction granted;
    if (userName.equals(status.getOwner())) {
      granted = perms.getUserAction();
    } else if (ArrayUtils.contains(caller.getGroupNames(), owningGroup)) {
      granted = perms.getGroupAction();
    } else {
      granted = perms.getOtherAction();
    }

    if (!granted.implies(action)) {
      throw new HCatException(ErrorType.ERROR_ACCESS_CONTROL);
    }
  }
}