diff --git src/java/org/apache/hadoop/ipc/Server.java src/java/org/apache/hadoop/ipc/Server.java
index 8905698..4fc93c4 100644
--- src/java/org/apache/hadoop/ipc/Server.java
+++ src/java/org/apache/hadoop/ipc/Server.java
@@ -893,8 +893,9 @@ public abstract class Server {
}
// TODO: Get the user name from the GSS API for Kerberbos-based security
- // Create the user subject
- user = SecurityUtil.getSubject(header.getUgi());
+ // Create the user subject; however use the groups as defined on the
+ // server-side, don't trust the user groups provided by the client
+ user = SecurityUtil.getSubject(header.getUgi().getUserName());
}
private void processData() throws IOException, InterruptedException {
diff --git src/java/org/apache/hadoop/security/GroupMappingServiceImpl.java src/java/org/apache/hadoop/security/GroupMappingServiceImpl.java
new file mode 100644
index 0000000..172a07a
--- /dev/null
+++ src/java/org/apache/hadoop/security/GroupMappingServiceImpl.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * An abstraction for the implementation of a user-to-groups mapping service
+ * used by {@link Groups}.
+ */
+abstract class GroupMappingServiceImpl {
+
+ /**
+ * Get all various {@link Group} memberships of a given {@link User}.
+ * @param user User name
+ * @return Group memberships of user
+ * @throws IOException
+ */
+ public abstract List getGroups(String user) throws IOException;
+}
diff --git src/java/org/apache/hadoop/security/Groups.java src/java/org/apache/hadoop/security/Groups.java
new file mode 100644
index 0000000..d4ab302
--- /dev/null
+++ src/java/org/apache/hadoop/security/Groups.java
@@ -0,0 +1,123 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.ReflectionUtils;
+
+/**
+ * A user-to-groups mapping service.
+ *
+ * {@link Groups} allows for server to get the various {@link Group} memberships
+ * of a given {@link User} via the {@link #getGroups(String)} call, thus ensuring
+ * a consistent user-to-groups mapping and protects against vagaries of different
+ * mappings on servers and clients in a Hadoop cluster.
+ */
+public class Groups {
+ private static final Log LOG = LogFactory.getLog(Groups.class);
+
+ private final GroupMappingServiceImpl impl;
+
+ private final Map userToGroupsMap =
+ new ConcurrentHashMap();
+
+ public Groups(Configuration conf) {
+ impl =
+ ReflectionUtils.newInstance(conf.getClass("hadoop.security.group.mapping",
+ ShellBasedUnixGroupsMapping.class,
+ GroupMappingServiceImpl.class),
+ conf);
+
+ // Start the timer thread to purge stale user-to-groups mappings
+ final long cacheTimeout =
+ conf.getLong("hadoop.security.groups.cache.mins", 5) * 60 * 1000;
+ Timer timer =
+ new Timer("Timer thread for purging stale user-to-groups mappings.", true);
+ TimerTask task = new TimerTask() {
+ @Override
+ public void run() {
+ long now = System.currentTimeMillis();
+ for (Iterator> iter =
+ userToGroupsMap.entrySet().iterator();
+ iter.hasNext();) {
+ Map.Entry entry = iter.next();
+ if (entry.getValue().getTimestamp() + cacheTimeout < now) {
+ iter.remove();
+ }
+ }
+ }
+ };
+ timer.schedule(task, cacheTimeout, cacheTimeout);
+ }
+
+ /**
+ * Get the {@link Group} memberships of a given {@link User}.
+ * @param user User name
+ * @return the Group memberships of user
+ * @throws IOException
+ */
+ public List getGroups(String user) throws IOException {
+ // Return cached value if available
+ CachedGroups groups = userToGroupsMap.get(user);
+ if (groups != null) {
+ LOG.info("Returning cached groups for '" + user + "'");
+ return groups.getGroups();
+ }
+
+ // Create and cache user's groups
+ groups = new CachedGroups(impl.getGroups(user));
+ userToGroupsMap.put(user, groups);
+ LOG.info("Returning fetched groups for '" + user + "'");
+ return groups.getGroups();
+ }
+
+ /**
+ * Refresh all user-to-groups mappings.
+ */
+ public void refresh() {
+ userToGroupsMap.clear();
+ }
+
+ private static class CachedGroups {
+ final long timestamp;
+ final List groups;
+
+ CachedGroups(List groups) {
+ this.groups = groups;
+ this.timestamp = System.currentTimeMillis();
+ }
+
+ public long getTimestamp() {
+ return timestamp;
+ }
+
+ public List getGroups() {
+ return groups;
+ }
+ }
+}
diff --git src/java/org/apache/hadoop/security/RefreshUserToGroupMappingsProtocol.java src/java/org/apache/hadoop/security/RefreshUserToGroupMappingsProtocol.java
new file mode 100644
index 0000000..b9816cf
--- /dev/null
+++ src/java/org/apache/hadoop/security/RefreshUserToGroupMappingsProtocol.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+
+import org.apache.hadoop.ipc.VersionedProtocol;
+
+/**
+ * Protocol use
+ * @author arunc
+ *
+ */
+public interface RefreshUserToGroupMappingsProtocol extends VersionedProtocol {
+
+ /**
+ * Version 1: Initial version.
+ */
+ public static final long versionID = 1L;
+
+ /**
+ * Refresh {@link User} to {@link Group} mappings.
+ * @throws IOException
+ */
+ public void refreshUserToGroupsMappings() throws IOException;
+}
diff --git src/java/org/apache/hadoop/security/SecurityUtil.java src/java/org/apache/hadoop/security/SecurityUtil.java
index 94b6825..d8a341b 100644
--- src/java/org/apache/hadoop/security/SecurityUtil.java
+++ src/java/org/apache/hadoop/security/SecurityUtil.java
@@ -17,9 +17,11 @@
*/
package org.apache.hadoop.security;
+import java.io.IOException;
import java.security.Policy;
import java.security.Principal;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import java.util.TreeSet;
@@ -41,6 +43,8 @@ public class SecurityUtil {
PolicyProvider.DEFAULT_POLICY_PROVIDER));
}
+ private static Groups GROUPS = new Groups(new Configuration());
+
/**
* Set the global security policy for Hadoop.
*
@@ -62,6 +66,14 @@ public class SecurityUtil {
}
/**
+ * Get the {@link Groups} being used to map user-to-groups.
+ * @return the Groups being used to map user-to-groups.
+ */
+ public static Groups getUserToGroupsMappingService() {
+ return GROUPS;
+ }
+
+ /**
* Get the {@link Subject} for the user identified by ugi.
* @param ugi user
* @return the {@link Subject} for the user identified by ugi
@@ -87,6 +99,43 @@ public class SecurityUtil {
}
/**
+ * Get the {@link Subject} for the user identified by userName.
+ * @param userName user name
+ * @return the {@link Subject} for the user identified by userName
+ * @throws IOException
+ */
+ public static Subject getSubject(String userName) throws IOException {
+ if (userName == null) {
+ return null;
+ }
+
+ Set principals = new HashSet();
+ User userPrincipal = new User(userName);
+ principals.add(userPrincipal);
+
+ // Get user's groups
+ List groups = GROUPS.getGroups(userName);
+ StringBuffer sb = new StringBuffer("Groups for '" + userName + "': <");
+ for (String group : groups) {
+ Group groupPrincipal = new Group(group);
+ principals.add(groupPrincipal);
+ sb.append(group + " ");
+ }
+ sb.append(">");
+ LOG.info(sb);
+
+ // Create the ugi with the right groups
+ UserGroupInformation ugi =
+ new UnixUserGroupInformation(userName,
+ groups.toArray(new String[groups.size()]));
+ principals.add(ugi);
+ Subject user =
+ new Subject(false, principals, new HashSet