
Example 6 with KerberosPrincipalId

use of co.cask.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

the class DefaultOwnerAdmin method getImpersonationPrincipal.

@Nullable
@Override
public String getImpersonationPrincipal(NamespacedEntityId entityId) throws IOException {
    entityId = getEffectiveEntity(entityId);
    KerberosPrincipalId effectiveOwner = null;
    if (!entityId.getEntityType().equals(EntityType.NAMESPACE)) {
        effectiveOwner = ownerStore.getOwner(entityId);
    }
    // (CDAP-8176) Since no owner was found for the entity, return the namespace principal if present.
    return effectiveOwner != null ? effectiveOwner.getPrincipal() : getNamespaceConfig(entityId).getPrincipal();
}
Also used : KerberosPrincipalId(co.cask.cdap.proto.id.KerberosPrincipalId) Nullable(javax.annotation.Nullable)

Example 7 with KerberosPrincipalId

use of co.cask.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

the class UGIProviderTest method init.

@BeforeClass
public static void init() throws Exception {
    cConf = CConfiguration.create();
    cConf.set(Constants.CFG_LOCAL_DATA_DIR, TEMP_FOLDER.newFolder().getAbsolutePath());
    namespaceClient = new InMemoryNamespaceClient();
    // Start KDC
    miniKdc = new MiniKdc(MiniKdc.createConf(), TEMP_FOLDER.newFolder());
    miniKdc.start();
    System.setProperty("java.security.krb5.conf", miniKdc.getKrb5conf().getAbsolutePath());
    localKeytabDirPath = TEMP_FOLDER.newFolder();
    // Generate keytab
    aliceKeytabFile = createPrincipal(localKeytabDirPath, "alice");
    bobKeytabFile = createPrincipal(localKeytabDirPath, "bob");
    eveKeytabFile = createPrincipal(localKeytabDirPath, "eve");
    // construct Kerberos PrincipalIds
    aliceKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("alice"));
    bobKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("bob"));
    eveKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("eve"));
    // Start mini DFS cluster
    Configuration hConf = new Configuration();
    hConf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, TEMP_FOLDER.newFolder().getAbsolutePath());
    hConf.setBoolean("ipc.client.fallback-to-simple-auth-allowed", true);
    miniDFSCluster = new MiniDFSCluster.Builder(hConf).numDataNodes(1).build();
    miniDFSCluster.waitClusterUp();
    locationFactory = new FileContextLocationFactory(miniDFSCluster.getFileSystem().getConf());
    hConf = new Configuration();
    hConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(hConf);
}
Also used : MiniDFSCluster(org.apache.hadoop.hdfs.MiniDFSCluster) CConfiguration(co.cask.cdap.common.conf.CConfiguration) Configuration(org.apache.hadoop.conf.Configuration) MiniKdc(org.apache.hadoop.minikdc.MiniKdc) InMemoryNamespaceClient(co.cask.cdap.common.namespace.InMemoryNamespaceClient) FileContextLocationFactory(org.apache.twill.filesystem.FileContextLocationFactory) KerberosPrincipalId(co.cask.cdap.proto.id.KerberosPrincipalId) BeforeClass(org.junit.BeforeClass)

Example 8 with KerberosPrincipalId

use of co.cask.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

the class OwnerStoreTest method test.

@Test
public void test() throws Exception {
    OwnerStore ownerStore = getOwnerStore();
    StreamId streamId = NamespaceId.DEFAULT.stream("fooStream");
    // No owner info should exist for above stream
    Assert.assertNull(ownerStore.getOwner(streamId));
    // delete behavior is idempotent, so won't throw NotFoundException
    ownerStore.delete(streamId);
    // Storing an owner for the first time should work
    KerberosPrincipalId kerberosPrincipalId = new KerberosPrincipalId("alice/somehost@SOMEKDC.NET");
    ownerStore.add(streamId, kerberosPrincipalId);
    // owner principal should exist
    Assert.assertTrue(ownerStore.exists(streamId));
    // Should be able to get the principal back
    Assert.assertEquals(kerberosPrincipalId, ownerStore.getOwner(streamId));
    // Should not be able to update the owner principal
    try {
        ownerStore.add(streamId, new KerberosPrincipalId("bob@SOMEKDC.NET"));
        Assert.fail();
    } catch (AlreadyExistsException e) {
        // expected
    }
    // Should not be able to update the owner principal
    try {
        ownerStore.add(streamId, new KerberosPrincipalId("somePrincipal"));
        Assert.fail();
    } catch (AlreadyExistsException e) {
        // expected
    }
    // trying to update with invalid principal should fail early on with IllegalArgumentException
    try {
        ownerStore.add(streamId, new KerberosPrincipalId("b@ob@SOMEKDC.NET"));
        Assert.fail();
    } catch (IllegalArgumentException e) {
        // expected
    }
    // Trying to store owner information for unsupported type should fail
    try {
        ownerStore.add(NamespaceId.DEFAULT.topic("anotherStream"), new KerberosPrincipalId("somePrincipal"));
        Assert.fail();
    } catch (IllegalArgumentException e) {
        // expected
    }
    // delete the owner information
    ownerStore.delete(streamId);
    Assert.assertFalse(ownerStore.exists(streamId));
    Assert.assertNull(ownerStore.getOwner(streamId));
}
Also used : StreamId(co.cask.cdap.proto.id.StreamId) AlreadyExistsException(co.cask.cdap.common.AlreadyExistsException) KerberosPrincipalId(co.cask.cdap.proto.id.KerberosPrincipalId) OwnerStore(co.cask.cdap.security.impersonation.OwnerStore) Test(org.junit.Test)

Example 9 with KerberosPrincipalId

use of co.cask.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

the class AppLifecycleHttpHandler method deployAppFromArtifact.

// Normally we wouldn't want to use a BodyConsumer and would just read the request body directly,
// since it won't be big. But the deploy app API has one path with different behavior based on content type;
// the other behavior requires a BodyConsumer, and only one method per path is allowed,
// so we have to use a BodyConsumer.
private BodyConsumer deployAppFromArtifact(final ApplicationId appId) throws IOException {
    // createTempFile() needs a prefix of at least 3 characters
    return new AbstractBodyConsumer(File.createTempFile("apprequest-" + appId, ".json", tmpDir)) {

        @Override
        protected void onFinish(HttpResponder responder, File uploadedFile) {
            try (FileReader fileReader = new FileReader(uploadedFile)) {
                AppRequest<?> appRequest = GSON.fromJson(fileReader, AppRequest.class);
                ArtifactSummary artifactSummary = appRequest.getArtifact();
                KerberosPrincipalId ownerPrincipalId = appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
                // if we don't null check, it gets serialized to "null"
                String configString = appRequest.getConfig() == null ? null : GSON.toJson(appRequest.getConfig());
                applicationLifecycleService.deployApp(appId.getParent(), appId.getApplication(), appId.getVersion(), artifactSummary, configString, createProgramTerminator(), ownerPrincipalId, appRequest.canUpdateSchedules());
                responder.sendString(HttpResponseStatus.OK, "Deploy Complete");
            } catch (ArtifactNotFoundException e) {
                responder.sendString(HttpResponseStatus.NOT_FOUND, e.getMessage());
            } catch (ConflictException e) {
                responder.sendString(HttpResponseStatus.CONFLICT, e.getMessage());
            } catch (UnauthorizedException e) {
                responder.sendString(HttpResponseStatus.FORBIDDEN, e.getMessage());
            } catch (InvalidArtifactException e) {
                responder.sendString(HttpResponseStatus.BAD_REQUEST, e.getMessage());
            } catch (IOException e) {
                // Pass the exception as the last argument so the stack trace is logged
                LOG.error("Error reading request body for creating app {}.", appId, e);
                responder.sendString(HttpResponseStatus.INTERNAL_SERVER_ERROR, String.format("Error while reading json request body for app %s.", appId));
            } catch (Exception e) {
                LOG.error("Deploy failure", e);
                responder.sendString(HttpResponseStatus.BAD_REQUEST, e.getMessage());
            }
        }
    };
}
Also used : HttpResponder(co.cask.http.HttpResponder) ConflictException(co.cask.cdap.common.ConflictException) WriteConflictException(co.cask.cdap.internal.app.runtime.artifact.WriteConflictException) IOException(java.io.IOException) ApplicationNotFoundException(co.cask.cdap.common.ApplicationNotFoundException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) ArtifactNotFoundException(co.cask.cdap.common.ArtifactNotFoundException) ArtifactAlreadyExistsException(co.cask.cdap.common.ArtifactAlreadyExistsException) BadRequestException(co.cask.cdap.common.BadRequestException) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) JsonSyntaxException(com.google.gson.JsonSyntaxException) InvalidArtifactException(co.cask.cdap.common.InvalidArtifactException) ExecutionException(java.util.concurrent.ExecutionException) NotFoundException(co.cask.cdap.common.NotFoundException) ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary) AbstractBodyConsumer(co.cask.cdap.common.http.AbstractBodyConsumer) FileReader(java.io.FileReader) File(java.io.File) KerberosPrincipalId(co.cask.cdap.proto.id.KerberosPrincipalId)

Example 10 with KerberosPrincipalId

use of co.cask.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

the class AppFabricClient method deployApplication.

public Location deployApplication(Id.Namespace namespace, Class<?> applicationClz, String config, @Nullable KerberosPrincipalId ownerPrincipal, File... bundleEmbeddedJars) throws Exception {
    Preconditions.checkNotNull(applicationClz, "Application cannot be null.");
    Location deployedJar = AppJarHelper.createDeploymentJar(locationFactory, applicationClz, bundleEmbeddedJars);
    LOG.info("Created deployedJar at {}", deployedJar);
    String archiveName = String.format("%s-1.0.%d.jar", applicationClz.getSimpleName(), System.currentTimeMillis());
    DefaultHttpRequest request = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, String.format("/v3/namespaces/%s/apps", namespace.getId()));
    request.setHeader(Constants.Gateway.API_KEY, "api-key-example");
    request.setHeader(AbstractAppFabricHttpHandler.ARCHIVE_NAME_HEADER, archiveName);
    if (config != null) {
        request.setHeader(AbstractAppFabricHttpHandler.APP_CONFIG_HEADER, config);
    }
    String owner = null;
    if (ownerPrincipal != null) {
        owner = GSON.toJson(ownerPrincipal, KerberosPrincipalId.class);
        request.setHeader(AbstractAppFabricHttpHandler.PRINCIPAL_HEADER, owner);
    }
    MockResponder mockResponder = new MockResponder();
    BodyConsumer bodyConsumer = appLifecycleHttpHandler.deploy(request, mockResponder, namespace.getId(), archiveName, config, owner, true);
    Preconditions.checkNotNull(bodyConsumer, "BodyConsumer from deploy call should not be null");
    try (BufferFileInputStream is = new BufferFileInputStream(deployedJar.getInputStream(), 100 * 1024)) {
        byte[] chunk = is.read();
        while (chunk.length > 0) {
            mockResponder = new MockResponder();
            bodyConsumer.chunk(ChannelBuffers.wrappedBuffer(chunk), mockResponder);
            Preconditions.checkState(mockResponder.getStatus() == null, "failed to deploy app");
            chunk = is.read();
        }
        mockResponder = new MockResponder();
        bodyConsumer.finished(mockResponder);
        verifyResponse(HttpResponseStatus.OK, mockResponder.getStatus(), "Failed to deploy app");
    }
    return deployedJar;
}
Also used : DefaultHttpRequest(org.jboss.netty.handler.codec.http.DefaultHttpRequest) BodyConsumer(co.cask.http.BodyConsumer) KerberosPrincipalId(co.cask.cdap.proto.id.KerberosPrincipalId) BufferFileInputStream(co.cask.cdap.internal.app.BufferFileInputStream) Location(org.apache.twill.filesystem.Location)
