Make user group in security manager configurable. (azkaban#2392)

xandris · Dec 6, 2019 · df69f3b · df69f3b
1 parent cefd45f
commit df69f3b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 14 deletions.
diff --git a/az-core/src/main/java/azkaban/Constants.java b/az-core/src/main/java/azkaban/Constants.java
@@ -263,6 +263,8 @@ public static class ConfigurationKeys {
 
     public static final String OAUTH_CREDENTIAL_NAME = "azkaban.oauth.credential";
 
+    public static final String SECURITY_USER_GROUP = "azkaban.security.user.group";
+
     // dir to keep dependency plugins
     public static final String DEPENDENCY_PLUGIN_DIR = "azkaban.dependency.plugin.dir";
 

diff --git a/...an-hadoop-security-plugin/src/main/java/azkaban/security/HadoopSecurityManager_H_2_0.java b/...an-hadoop-security-plugin/src/main/java/azkaban/security/HadoopSecurityManager_H_2_0.java
@@ -86,14 +86,6 @@ public class HadoopSecurityManager_H_2_0 extends HadoopSecurityManager {
   // Use azkaban.Constants.ConfigurationKeys.AZKABAN_SERVER_NATIVE_LIB_FOLDER instead
   @Deprecated
   public static final String NATIVE_LIB_FOLDER = "azkaban.native.lib";
-  /**
-   * TODO: This should be exposed as a configurable parameter
-   *
-   * The assumption is that an "azkaban" group exists which has access to data created by the
-   * azkaban process. For example, this may include delegation tokens created for other users to run
-   * their jobs.
-   */
-  public static final String GROUP_NAME = "azkaban";
   /**
    * The Kerberos principal for the job tracker.
    */
@@ -518,7 +510,8 @@ private void getToken(final String userToProxy) throws InterruptedException,
       });
 
       logger.info("Preparing token file " + tokenFile.getAbsolutePath());
-      prepareTokenFile(userToProxy, cred, tokenFile, logger);
+      prepareTokenFile(userToProxy, cred, tokenFile, logger,
+          props.getString(Constants.ConfigurationKeys.SECURITY_USER_GROUP, "azkaban"));
       // stash them to cancel after use.
 
       logger.info("Tokens loaded in " + tokenFile.getAbsolutePath());
@@ -700,15 +693,17 @@ private void fetchMetaStoreToken(final Props props, final Logger logger, final S
    * @param credentials Credentials to be written to file
    * @param tokenFile file to be written
    * @param logger logger to use
+   * @param group user group to own the token file
    * @throws IOException If there are issues in reading / updating the token file
    */
   private void prepareTokenFile(final String user,
       final Credentials credentials,
       final File tokenFile,
-      final Logger logger) throws IOException {
+      final Logger logger,
+      final String group) throws IOException {
     writeCredentialsToFile(credentials, tokenFile, logger);
     try {
-      assignPermissions(user, tokenFile, logger);
+      assignPermissions(user, tokenFile, group);
     } catch (final IOException e) {
       // On any error managing token file. delete the file
       tokenFile.delete();
@@ -748,9 +743,9 @@ private void writeCredentialsToFile(final Credentials credentials, final File to
    *
    * @param user user to be proxied
    * @param tokenFile file to be written
-   * @param logger logger to use
+   * @param group user group to own the token file
    */
-  private void assignPermissions(final String user, final File tokenFile, final Logger logger)
+  private void assignPermissions(final String user, final File tokenFile, final String group)
       throws IOException {
     final List<String> changePermissionsCommand = Arrays.asList(
         CHMOD, TOKEN_FILE_PERMISSIONS, tokenFile.getAbsolutePath()
@@ -762,7 +757,7 @@ private void assignPermissions(final String user, final File tokenFile, final Lo
     }
 
     final List<String> changeOwnershipCommand = Arrays.asList(
-        CHOWN, user + ":" + GROUP_NAME, tokenFile.getAbsolutePath()
+        CHOWN, user + ":" + group, tokenFile.getAbsolutePath()
     );
     result = this.executeAsUser.execute("root", changeOwnershipCommand);
     if (result != 0) {