1 /*
2 *
3 * Licensed to the Apache Software Foundation (ASF) under one
4 * or more contributor license agreements. See the NOTICE file
5 * distributed with this work for additional information
6 * regarding copyright ownership. The ASF licenses this file
7 * to you under the Apache License, Version 2.0 (the
8 * "License"); you may not use this file except in compliance
9 * with the License. You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 package org.apache.hadoop.hbase.security;
21
22 import org.apache.commons.logging.Log;
23 import org.apache.commons.logging.LogFactory;
24 import org.apache.hadoop.conf.Configuration;
25 import org.apache.hadoop.hbase.AuthUtil;
26 import org.apache.hadoop.hbase.classification.InterfaceAudience;
27
28 import java.io.IOException;
29 import java.util.ArrayList;
30 import java.util.List;
31
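/**
 * Holds the superuser and supergroup names loaded from the HBase configuration and answers
 * whether a given user counts as a superuser.
 *
 * <p>These lists back authorization decisions for privileged operations, so
 * {@link #initialize(Configuration)} builds them completely before publishing them and they
 * are not modified afterwards.
 */
@InterfaceAudience.Private
public final class Superusers {
  private static final Log LOG = LogFactory.getLog(Superusers.class);

  /**
   * Configuration key for superusers. The value is read with
   * {@link Configuration#getStrings(String, String...)}; entries that
   * {@link AuthUtil#isGroupPrincipal(String)} recognises are stored as group names, all
   * others as user names.
   */
  public static final String SUPERUSER_CONF_KEY = "hbase.superuser";

  // Replaced wholesale by initialize() and never mutated after publication. volatile makes the
  // fully built lists visible to threads that call isSuperUser() concurrently.
  private static volatile List<String> superUsers;
  private static volatile List<String> superGroups;

  private Superusers() {}

  /**
   * Loads the lists of superusers and super groups from the configuration. Intended to be
   * called once at startup; calling it again replaces both lists with freshly built ones.
   *
   * <p>The short name of the user running the process is always added to the superuser list,
   * whether or not it appears under {@link #SUPERUSER_CONF_KEY}.
   *
   * <p>The lists are assembled in local variables and published only after they are complete.
   * If this method throws, the previously published state (or the uninitialized state) is left
   * untouched, so {@link #isSuperUser(User)} never evaluates a half-populated list.
   *
   * @param conf configuration to load users from
   * @throws IOException if unable to initialize lists of superusers or super groups
   * @throws IllegalStateException if current user is null
   */
  public static void initialize(Configuration conf) throws IOException {
    User user = User.getCurrent();
    if (user == null) {
      throw new IllegalStateException("Unable to obtain the current user, "
        + "authorization checks for internal operations will not work correctly!");
    }

    String currentUser = user.getShortName();
    if (LOG.isTraceEnabled()) {
      LOG.trace("Current user name is " + currentUser);
    }

    List<String> users = new ArrayList<>();
    List<String> groups = new ArrayList<>();
    // NOTE(review): names are matched exactly as getStrings() returns them; whether surrounding
    // whitespace is trimmed depends on the Configuration implementation - confirm.
    for (String name : conf.getStrings(SUPERUSER_CONF_KEY, new String[0])) {
      if (AuthUtil.isGroupPrincipal(name)) {
        groups.add(AuthUtil.getGroupName(name));
      } else {
        users.add(name);
      }
    }
    users.add(currentUser);

    // Publish the groups first: isSuperUser() treats a non-null superUsers as "initialized",
    // so superGroups must already be in place when superUsers becomes visible.
    superGroups = groups;
    superUsers = users;
  }

  /**
   * Checks whether the given user is a superuser: the user running the process, a user listed
   * individually in the configuration, or a member of a configured super group.
   *
   * @param user user to check; must not be null (a null user fails with a
   *     {@link NullPointerException} rather than being treated as a non-superuser)
   * @return true if the user is a superuser, false otherwise
   * @throws IllegalStateException if lists of superusers/super groups
   *     haven't been initialized properly
   */
  public static boolean isSuperUser(User user) {
    // Read each field once so the whole check runs against one published pair of lists.
    List<String> users = superUsers;
    if (users == null) {
      throw new IllegalStateException("Super users/super groups lists"
        + " haven't been initialized properly.");
    }
    List<String> groups = superGroups;

    if (users.contains(user.getShortName())) {
      return true;
    }
    for (String group : user.getGroupNames()) {
      if (groups.contains(group)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Checks whether the given user name is a superuser: the user running the process or a user
   * listed individually in the configuration.
   *
   * <p>Only the user list is consulted. Super group membership is not evaluated here, so a
   * user who is a superuser solely through a group gets {@code false} from this overload.
   *
   * @param user name of the user to check
   * @return true if the name is in the superuser list, false otherwise
   * @throws IllegalStateException if lists of superusers/super groups
   *     haven't been initialized properly
   * @deprecated this method is for backward compatibility, use {@link #isSuperUser(User)} instead
   */
  @Deprecated
  public static boolean isSuperUser(String user) {
    List<String> users = superUsers;
    if (users == null) {
      throw new IllegalStateException("Super users/super groups lists"
        + " haven't been initialized properly.");
    }
    return users.contains(user);
  }
}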