HADOOP-17367. Add InetAddress api to ProxyUsers.authorize

hadoop-common-project/hadoop-common/pom.xml

@@ -37,7 +37,6 @@
     <wsce.config.file>wsce-site.xml</wsce.config.file>
   </properties>
 
-
   <dependencies>
     <dependency>
       <groupId>org.apache.hadoop.thirdparty</groupId>

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java

@@ -18,6 +18,7 @@
 
 package org.apache.hadoop.security.authorize;
 
+import java.net.InetAddress;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
@@ -105,8 +106,8 @@ public Configuration getConf() {
   }
 
   @Override
-  public void authorize(UserGroupInformation user, 
-      String remoteAddress) throws AuthorizationException {
+  public void authorize(UserGroupInformation user,
+      InetAddress remoteAddress) throws AuthorizationException {
 
     if (user == null) {
       throw new IllegalArgumentException("user is null.");

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ImpersonationProvider.java

@@ -18,6 +18,9 @@
 
 package org.apache.hadoop.security.authorize;
 
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configurable;
@@ -38,12 +41,29 @@ public interface ImpersonationProvider  extends Configurable {
   public void init(String configurationPrefix);
 
   /**
-   * Authorize the superuser which is doing doAs
-   * 
+   * Authorize the superuser which is doing doAs.
+   * {@link #authorize(UserGroupInformation, InetAddress)} should
+   *             be preferred to avoid possibly re-resolving the ip address.
+   * @param user ugi of the effective or proxy user which contains a real user.
+   * @param remoteAddress the ip address of client.
+   * @throws AuthorizationException
+   */
+  default void authorize(UserGroupInformation user, String remoteAddress)
+      throws AuthorizationException {
+    try {
+      authorize(user, InetAddress.getByName(remoteAddress));
+    } catch (UnknownHostException e) {
+      throw new AuthorizationException(e);
+    }
+  }
+
+  /**
+   * Authorize the superuser which is doing doAs.
+   *
    * @param user ugi of the effective or proxy user which contains a real user
    * @param remoteAddress the ip address of client
    * @throws AuthorizationException
    */
-  public void authorize(UserGroupInformation user, String remoteAddress)
+  void authorize(UserGroupInformation user, InetAddress remoteAddress)
       throws AuthorizationException;
 }

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java

@@ -18,6 +18,8 @@
 
 package org.apache.hadoop.security.authorize;
 
+import java.net.InetAddress;
+
 import org.apache.hadoop.thirdparty.com.google.common.base.Preconditions;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
@@ -86,22 +88,41 @@ public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
   }
 
   /**
-   * Authorize the superuser which is doing doAs
-   * 
+   * Authorize the superuser which is doing doAs.
+   * {@link #authorize(UserGroupInformation, InetAddress)} should be preferred
+   * to avoid possibly re-resolving the ip address.
+   *
    * @param user ugi of the effective or proxy user which contains a real user
    * @param remoteAddress the ip address of client
    * @throws AuthorizationException
    */
   public static void authorize(UserGroupInformation user, 
       String remoteAddress) throws AuthorizationException {
-    if (sip==null) {
-      // In a race situation, It is possible for multiple threads to satisfy this condition.
+    getSip().authorize(user, remoteAddress);
+  }
+
+  /**
+   * Authorize the superuser which is doing doAs.
+   *
+   * @param user ugi of the effective or proxy user which contains a real user
+   * @param remoteAddress the inet address of client
+   * @throws AuthorizationException
+   */
+  public static void authorize(UserGroupInformation user,
+      InetAddress remoteAddress) throws AuthorizationException {
+    getSip().authorize(user, remoteAddress);
+  }
+
+  private static ImpersonationProvider getSip() {
+    if (sip == null) {
+      // In a race situation, It is possible for multiple threads to satisfy
+      // this condition.
       // The last assignment will prevail.
-      refreshSuperUserGroupsConfiguration(); 
+      refreshSuperUserGroupsConfiguration();
     }
-    sip.authorize(user, remoteAddress);
+    return sip;
   }
-  
+
   /**
    * This function is kept to provide backward compatibility.
    * @param user
@@ -118,7 +139,7 @@ public static void authorize(UserGroupInformation user,
 
   @VisibleForTesting 
   public static DefaultImpersonationProvider getDefaultImpersonationProvider() {
-    return ((DefaultImpersonationProvider)sip);
+    return ((DefaultImpersonationProvider) getSip());
   }
 
 }

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java

@@ -21,6 +21,7 @@
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
@@ -29,7 +30,6 @@
 import org.apache.commons.net.util.SubnetUtils;
 
 import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
-import org.apache.hadoop.thirdparty.com.google.common.net.InetAddresses;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -61,17 +61,21 @@ public InetAddress getByName (String host) throws UnknownHostException {
   }
 
   private final boolean all;
-  private final Set<String> ipAddresses;
+  private final Set<InetAddress> inetAddresses;
+  private final Collection<String> entries;
   private final List<SubnetUtils.SubnetInfo> cidrAddresses;
-  private final Set<String> hostNames;
   private final InetAddressFactory addressFactory;
 
   /**
    * 
    * @param hostEntries comma separated ip/cidr/host addresses
    */
   public MachineList(String hostEntries) {
-    this(StringUtils.getTrimmedStringCollection(hostEntries));
+    this(hostEntries, InetAddressFactory.S_INSTANCE);
+  }
+
+  public MachineList(String hostEntries, InetAddressFactory addressFactory) {
+    this(StringUtils.getTrimmedStringCollection(hostEntries), addressFactory);
   }
 
   /**
@@ -88,19 +92,19 @@ public MachineList(Collection<String> hostEntries) {
    * @param hostEntries
    * @param addressFactory addressFactory to convert host to InetAddress
    */
-  public MachineList(Collection<String> hostEntries, InetAddressFactory addressFactory) {
+  public MachineList(Collection<String> hostEntries,
+      InetAddressFactory addressFactory) {
     this.addressFactory = addressFactory;
     if (hostEntries != null) {
+      entries = new ArrayList<>(hostEntries);
       if ((hostEntries.size() == 1) && (hostEntries.contains(WILDCARD_VALUE))) {
-        all = true; 
-        ipAddresses = null; 
-        hostNames = null; 
+        all = true;
+        inetAddresses = null;
         cidrAddresses = null; 
       } else {
         all = false;
-        Set<String> ips = new HashSet<String>();
+        Set<InetAddress> addrs = new HashSet<>();
         List<SubnetUtils.SubnetInfo> cidrs = new LinkedList<SubnetUtils.SubnetInfo>();
-        Set<String> hosts = new HashSet<String>();
         for (String hostEntry : hostEntries) {
           //ip address range
           if (hostEntry.indexOf("/") > -1) {
@@ -112,25 +116,29 @@ public MachineList(Collection<String> hostEntries, InetAddressFactory addressFac
               LOG.warn("Invalid CIDR syntax : " + hostEntry);
               throw e;
             }
-          } else if (InetAddresses.isInetAddress(hostEntry)) { //ip address
-            ips.add(hostEntry);
-          } else { //hostname
-            hosts.add(hostEntry);
+          } else {
+            try {
+              addrs.add(addressFactory.getByName(hostEntry));
+            } catch (UnknownHostException e) {
+              LOG.warn(e.toString());
+            }
           }
         }
-        ipAddresses = (ips.size() > 0) ? ips : null;
+        inetAddresses = (addrs.size() > 0) ? addrs : null;
         cidrAddresses = (cidrs.size() > 0) ? cidrs : null;
-        hostNames = (hosts.size() > 0) ? hosts : null;
       }
     } else {
-      all = false; 
-      ipAddresses = null;
-      hostNames = null; 
-      cidrAddresses = null; 
+      all = false;
+      inetAddresses = null;
+      cidrAddresses = null;
+      entries = Collections.emptyList();
     }
   }
   /**
-   * Accepts an ip address and return true if ipAddress is in the list
+   * Accepts an ip address and return true if ipAddress is in the list.
+   * {@link #includes(InetAddress)} should be preferred
+   * to avoid possibly re-resolving the ip address.
+   *
    * @param ipAddress
    * @return true if ipAddress is part of the list
    */
@@ -144,71 +152,47 @@ public boolean includes(String ipAddress) {
       throw new IllegalArgumentException("ipAddress is null.");
     }
 
-    //check in the set of ipAddresses
-    if ((ipAddresses != null) && ipAddresses.contains(ipAddress)) {
+    try {
+      return includes(addressFactory.getByName(ipAddress));
+    } catch (UnknownHostException e) {
+      return false;
+    }
+  }
+
+  /**
+   * Accepts an inet address and return true if address is in the list.
+   * @param address
+   * @return true if address is part of the list
+   */
+  public boolean includes(InetAddress address) {
+    if (all) {
       return true;
     }
-
-    //iterate through the ip ranges for inclusion
+    if (address == null) {
+      throw new IllegalArgumentException("address is null.");
+    }
+    if (inetAddresses != null && inetAddresses.contains(address)) {
+      return true;
+    }
+    // iterate through the ip ranges for inclusion
     if (cidrAddresses != null) {
+      String ipAddress = address.getHostAddress();
       for(SubnetUtils.SubnetInfo cidrAddress : cidrAddresses) {
         if(cidrAddress.isInRange(ipAddress)) {
           return true;
         }
       }
     }
-
-    //check if the ipAddress matches one of hostnames
-    if (hostNames != null) {
-      //convert given ipAddress to hostname and look for a match
-      InetAddress hostAddr;
-      try {
-        hostAddr = addressFactory.getByName(ipAddress);
-        if ((hostAddr != null) && hostNames.contains(hostAddr.getCanonicalHostName())) {
-          return true;
-        }
-      } catch (UnknownHostException e) {
-        //ignore the exception and proceed to resolve the list of hosts
-      }
-
-      //loop through host addresses and convert them to ip and look for a match
-      for (String host : hostNames) {
-        try {
-          hostAddr = addressFactory.getByName(host);
-        } catch (UnknownHostException e) {
-          continue;
-        }
-        if (hostAddr.getHostAddress().equals(ipAddress)) {
-          return true;
-        }
-      }
-    }
     return false;
   }
-
   /**
-   * returns the contents of the MachineList as a Collection&lt;String&gt;
-   * This can be used for testing 
-   * @return contents of the MachineList
+   * returns the contents of the MachineList as a Collection&lt;String&gt; .
+   * This can be used for testing .
+   *
+   * @return contents of the MachineList.
    */
   @VisibleForTesting
   public Collection<String> getCollection() {
-    Collection<String> list = new ArrayList<String>();
-    if (all) {
-      list.add("*"); 
-    } else {
-      if (ipAddresses != null) {
-        list.addAll(ipAddresses);
-      }
-      if (hostNames != null) {
-        list.addAll(hostNames);
-      }
-      if (cidrAddresses != null) {
-        for(SubnetUtils.SubnetInfo cidrAddress : cidrAddresses) {
-          list.add(cidrAddress.getCidrSignature());
-        }
-      }
-    }
-    return list;
+    return entries;
   }
 }