44import com .fasterxml .jackson .core .JsonProcessingException ;
55import com .fasterxml .jackson .databind .DeserializationFeature ;
66import com .fasterxml .jackson .databind .ObjectMapper ;
7- import java .io .IOException ;
87import java .net .URI ;
98import java .net .http .HttpClient ;
109import java .net .http .HttpRequest ;
1110import java .net .http .HttpResponse ;
11+ import java .util .HashMap ;
1212import java .util .List ;
13+ import java .util .Map ;
1314import java .util .Objects ;
15+
16+ import com .fasterxml .jackson .databind .type .TypeFactory ;
1417import org .apache .hadoop .conf .Configuration ;
1518import org .apache .hadoop .security .GroupMappingServiceProvider ;
16- import org .apache .hadoop .security .UserGroupInformation ;
1719import org .slf4j .Logger ;
1820import org .slf4j .LoggerFactory ;
1921
2022public class StackableGroupMapper implements GroupMappingServiceProvider {
2123
22- public static final String OPA_MAPPING_URL_PROP = "hadoop.security.group.mapping.opa.policy.url" ;
2324 private static final Logger LOG = LoggerFactory .getLogger (StackableGroupMapper .class );
25+
26+ public static final String OPA_MAPPING_URL_PROP = "hadoop.security.group.mapping.opa.policy.url" ;
27+ // response base field: see https://www.openpolicyagent.org/docs/latest/rest-api/#response-message
28+ private static final String OPA_RESULT_FIELD = "result" ;
29+
2430 private final HttpClient httpClient = HttpClient .newHttpClient ();
2531 private final ObjectMapper json ;
2632 private URI opaUri ;
@@ -53,36 +59,21 @@ public StackableGroupMapper() {
5359 .setSerializationInclusion (JsonInclude .Include .NON_NULL );
5460 }
5561
62+ private static class OpaQueryResult {
63+ public List <String > result ;
64+ }
65+
5666 /**
57- * Returns list of groups for a user. Internally Hadoop will pass the short name to this function,
58- * but this prevents us from effectively separating users with the same names but with different
59- * kerberos principals. For this reason the user name is extracted from the UserGroupInformation
60- * instead (giving us the full name), defaulting to the original name if this is not possible.
67+ * Returns list of groups for a user.
6168 *
62- * @param user get groups from the associated user group information for this user
69+ * @param user get groups for this user
6370 * @return list of groups for a given user
6471 */
6572 @ Override
6673 public List <String > getGroups (String user ) {
6774 LOG .info ("Calling StackableGroupMapper.getGroups for user \" {}\" " , user );
6875
69- String workingUser = user ;
70- try {
71- UserGroupInformation currentUser = UserGroupInformation .getCurrentUser ();
72- LOG .debug (
73- "Current user [{}] with user-name [{}] and short-name [{}]" ,
74- currentUser ,
75- currentUser .getUserName (),
76- currentUser .getShortUserName ());
77- workingUser = currentUser .getUserName ();
78- } catch (IOException e ) {
79- LOG .warn (
80- "Unable to extract name from UserGroupInformation, defaulting to \" {}\" : {}" ,
81- user ,
82- e .getMessage ());
83- }
84-
85- OpaGroupsQuery query = new OpaGroupsQuery (new OpaGroupsQuery .OpaGroupsQueryInput (workingUser ));
76+ OpaGroupsQuery query = new OpaGroupsQuery (new OpaGroupsQuery .OpaGroupsQueryInput (user ));
8677
8778 String body ;
8879 try {
@@ -124,7 +115,7 @@ public List<String> getGroups(String user) {
124115 }
125116 List <String > groups = result .result ;
126117
127- LOG .debug ("Groups for \" {}\" : {}" , workingUser , groups );
118+ LOG .debug ("Groups for \" {}\" : {}" , user , groups );
128119
129120 return groups ;
130121 }
@@ -148,8 +139,4 @@ public void cacheGroupsAdd(List<String> groups) {
148139 "ignoring cacheGroupsAdd for groups [{}]: caching should be provided by the policy provider" ,
149140 groups );
150141 }
151-
152- private static class OpaQueryResult {
153- public List <String > result ;
154- }
155142}
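Review bot: With the UserGroupInformation lookup gone, the OpaGroupsQueryInput in getGroups is built from the Hadoop-supplied `user` as-is, so the OPA lookup is now keyed by the short name produced by auth_to_local, and the rewritten Javadoc no longer says so; two Kerberos principals that collapse to the same short name will receive one and the same group set from the policy, which the policy author needs to know. I would keep that caveat in the Javadoc, e.g. `@param user the Hadoop short user name (after auth_to_local mapping); principals that map to the same short name share one group set`. Dropping the getCurrentUser() call looks correct, since it described the calling process rather than the user being resolved, but that reason is worth a sentence in the method comment rather than the removed paragraph. getGroups continues outside the hunk, and the unchanged `List<String> groups = result.result;` / `return groups;` still passes a missing OPA `result` field through as null, which this commit does not touch.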