org.apache.hadoop.fs.azurebfs.oauth2

Class IdentityTransformer

java.lang.Object

org.apache.hadoop.fs.azurebfs.oauth2.IdentityTransformer

public class IdentityTransformer
extends Object

Perform transformation for Azure Active Directory identities used in owner, group and acls.

Constructor Summary

Constructors

Constructor and Description
IdentityTransformer(org.apache.hadoop.conf.Configuration configuration)

Method Summary

Modifier and Type	Method and Description
void	transformAclEntriesForGetRequest(List<org.apache.hadoop.fs.permission.AclEntry> aclEntries, String localUser, String localGroup) Perform Identity transformation when calling GetAclStatus() If the AclEntry type is a user or group, and its name is one of the following:
void	transformAclEntriesForSetRequest(List<org.apache.hadoop.fs.permission.AclEntry> aclEntries) Perform Identity transformation when calling setAcl(),removeAclEntries() and modifyAclEntries() If the AclEntry type is a user or group, and its name is one of the following: 1.short name; 2.$superuser; 3.Fully qualified name; 4.
String	transformIdentityForGetRequest(String originalIdentity, boolean isUserName, String localIdentity) Perform identity transformation for the Get request results in AzureBlobFileSystemStore: getFileStatus(), listStatus(), getAclStatus().
String	transformUserOrGroupForSetRequest(String userOrGroup) Perform Identity transformation when setting owner on a path.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IdentityTransformer

public IdentityTransformer(org.apache.hadoop.conf.Configuration configuration)
                    throws IOException

Throws:

IOException

Method Detail

transformIdentityForGetRequest

public String transformIdentityForGetRequest(String originalIdentity,
                                             boolean isUserName,
                                             String localIdentity)

Perform identity transformation for the Get request results in AzureBlobFileSystemStore: getFileStatus(), listStatus(), getAclStatus(). Input originalIdentity can be one of the following:

 1. $superuser:
     by default it will be transformed to local user/group, this can be disabled by setting
     "fs.azure.identity.transformer.skip.superuser.replacement" to true.

 2. User principal id:
     can be transformed to localIdentity, if this principal id matches the principal id set in
     "fs.azure.identity.transformer.service.principal.id" and localIdentity is stated in
     "fs.azure.identity.transformer.service.principal.substitution.list"

 3. User principal name (UPN):
     can be transformed to a short name(localIdentity) if originalIdentity is owner name, and
     "fs.azure.identity.transformer.enable.short.name" is enabled.
 

Parameters:

originalIdentity - the original user or group in the get request results: FileStatus, AclStatus.

isUserName - indicate whether the input originalIdentity is an owner name or owning group name.

localIdentity - the local user or group, should be parsed from UserGroupInformation.

Returns:

owner or group after transformation.

transformUserOrGroupForSetRequest

public String transformUserOrGroupForSetRequest(String userOrGroup)

Perform Identity transformation when setting owner on a path. There are four possible input: 1.short name; 2.$superuser; 3.Fully qualified name; 4. principal id.

 short name could be transformed to:
    - A service principal id or $superuser, if short name belongs a daemon service
      stated in substitution list AND "fs.azure.identity.transformer.service.principal.id"
      is set with $superuser or a principal id.
    - Fully qualified name, if "fs.azure.identity.transformer.domain.name" is set in configuration.

 $superuser, fully qualified name and principalId should not be transformed.
 

Parameters:

userOrGroup - the user or group to be set as owner.

Returns:

user or group after transformation.

transformAclEntriesForSetRequest

public void transformAclEntriesForSetRequest(List<org.apache.hadoop.fs.permission.AclEntry> aclEntries)

Perform Identity transformation when calling setAcl(),removeAclEntries() and modifyAclEntries() If the AclEntry type is a user or group, and its name is one of the following: 1.short name; 2.$superuser; 3.Fully qualified name; 4. principal id.

 Short name could be transformed to:
    - A service principal id or $superuser, if short name belongs a daemon service
      stated in substitution list AND "fs.azure.identity.transformer.service.principal.id"
      is set with $superuser or a principal id.
    - A fully qualified name, if the AclEntry type is User AND if "fs.azure.identity.transformer.domain.name"
      is set in configuration. This is to make the behavior consistent with HDI.

 $superuser, fully qualified name and principal id should not be transformed.
 

Parameters:

aclEntries - list of AclEntry

transformAclEntriesForGetRequest

public void transformAclEntriesForGetRequest(List<org.apache.hadoop.fs.permission.AclEntry> aclEntries,
                                             String localUser,
                                             String localGroup)

Perform Identity transformation when calling GetAclStatus() If the AclEntry type is a user or group, and its name is one of the following:

 1. $superuser:
     by default it will be transformed to local user/group, this can be disabled by setting
     "fs.azure.identity.transformer.skip.superuser.replacement" to true.

 2. User principal id:
     can be transformed to localUser/localGroup, if this principal id matches the principal id set in
     "fs.azure.identity.transformer.service.principal.id" and localIdentity is stated in
     "fs.azure.identity.transformer.service.principal.substitution.list"

 3. User principal name (UPN):
     can be transformed to a short name(local identity) if originalIdentity is owner name, and
     "fs.azure.identity.transformer.enable.short.name" is enabled.
 

Parameters:

aclEntries - list of AclEntry

localUser - local user name

localGroup - local primary group