public class AuthorizationService extends Object implements Service
Modifier and Type | Field and Description |
---|---|
static String | ADMIN_USERS_FILE: File that contains list of admin users for Oozie. |
static String | CONF_ADMIN_GROUPS: Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used. |
static String | CONF_AUTHORIZATION_ENABLED: Configuration parameter to enable or disable Oozie admin role. |
static String | CONF_DEFAULT_GROUP_AS_ACL: Configuration parameter to enable old behavior default group as ACL. |
static String | CONF_PREFIX |
static String | CONF_SECURITY_ENABLED: Configuration parameter to enable or disable Oozie admin role. |
protected static String | INSTR_FAILED_AUTH_COUNTER |
protected static String | INSTRUMENTATION_GROUP |

Fields inherited from interface Service: DEFAULT_LOCK_TIMEOUT, lockTimeout

Constructor and Description |
---|
AuthorizationService() |
Modifier and Type | Method and Description |
---|---|
void | authorizeForAdmin(String user, boolean write): Check if the user has admin privileges. |
void | authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf): Check if the user+group is authorized to use the specified application. |
void | authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf): Check if the user+group is authorized to use the specified application. |
void | authorizeForGroup(String user, String group): Check if the user belongs to the group or not. |
void | authorizeForJob(String user, String jobId, boolean write): Check if the user+group is authorized to operate on the specified job. |
void | authorizeForJobs(String user, Map<String,List<String>> filter, String jobType, int start, int len, boolean write): Check if the user+group is authorized to operate on the specified jobs. |
void | destroy(): Destroy the service. |
String | getDefaultGroup(String user): Return the default group to which the user belongs. |
Class<? extends Service> | getInterface(): Return the public interface of the service. |
void | init(Services services): Initialize the service. |
protected boolean | isAdmin(String user): Check if the user has admin privileges. |
boolean | isAuthorizationEnabled(): Return if security is enabled or not. |
boolean | isSecurityEnabled(): Deprecated. |
protected boolean | isUserInGroup(String user, String group): Check if the user belongs to the group or not. |
boolean | useDefaultGroupAsAcl() |

public static final String CONF_PREFIX
public static final String CONF_SECURITY_ENABLED
public static final String CONF_AUTHORIZATION_ENABLED
public static final String CONF_DEFAULT_GROUP_AS_ACL
public static final String CONF_ADMIN_GROUPS
public static final String ADMIN_USERS_FILE
protected static final String INSTRUMENTATION_GROUP
protected static final String INSTR_FAILED_AUTH_COUNTER
public AuthorizationService()
public void init(Services services) throws ServiceException
Specified by: init in interface Service
Parameters:
services - services instance.
Throws:
ServiceException - thrown if the service could not be initialized.

@Deprecated public boolean isSecurityEnabled()
public boolean useDefaultGroupAsAcl()
public boolean isAuthorizationEnabled()
public void destroy()
public Class<? extends Service> getInterface()
Specified by: getInterface in interface Service
Returns: AuthorizationService.

protected boolean isUserInGroup(String user, String group) throws AuthorizationException
Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the authorization query cannot be performed.

public void authorizeForGroup(String user, String group) throws AuthorizationException
isUserInGroup(java.lang.String, java.lang.String) method.
Parameters:
user - user name.
group - group name.
Throws:
AuthorizationException - thrown if the user is not authorized for the group or if the authorization query cannot be performed.

public String getDefaultGroup(String user) throws AuthorizationException
Parameters:
user - user name.
Throws:
AuthorizationException - thrown if the default group cannot be retrieved.

protected boolean isAdmin(String user)
true. If admin is enabled it returns true if the user is in the adminusers.txt file.
Parameters:
user - user name.

public void authorizeForAdmin(String user, boolean write) throws AuthorizationException
isUserInGroup(java.lang.String, java.lang.String) method.
Parameters:
user - user name.
write - indicates if the check is for read or write admin tasks (in this implementation this is ignored).
Throws:
AuthorizationException - thrown if user does not have admin privileges.

public void authorizeForApp(String user, String group, String appPath, org.apache.hadoop.conf.Configuration jobConf) throws AuthorizationException
Parameters:
user - user name.
group - group name.
appPath - application path.
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

public void authorizeForApp(String user, String group, String appPath, String fileName, org.apache.hadoop.conf.Configuration conf) throws AuthorizationException
Parameters:
user - user name.
group - group name.
appPath - application path.
fileName - workflow or coordinator.xml
conf -
Throws:
AuthorizationException - thrown if the user is not authorized for the app.

public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException
Parameters:
user - user name.
jobId - job id.
write - indicates if the check is for read or write job tasks.
Throws:
AuthorizationException - thrown if the user is not authorized for the job.

public void authorizeForJobs(String user, Map<String,List<String>> filter, String jobType, int start, int len, boolean write) throws AuthorizationException
Parameters:
user - user name.
filter - filter used to select jobs
start - starting index of the jobs in DB
len - maximum amount of jobs to select
write - indicates if the check is for read or write job tasks.
Throws:
AuthorizationException - thrown if the user is not authorized for the job.

Copyright © 2015 Apache Software Foundation. All Rights Reserved.