Search in sources :

Example 1 with UGIWithPrincipal

use of co.cask.cdap.security.impersonation.UGIWithPrincipal in project cdap by caskdata.

the class ImpersonationHandler method getCredentials.

@POST
@Path("/credentials")
public void getCredentials(HttpRequest request, HttpResponder responder) throws Exception {
    String requestContent = request.getContent().toString(Charsets.UTF_8);
    if (requestContent == null) {
        throw new BadRequestException("Request body is empty.");
    }
    ImpersonationRequest impersonationRequest = GSON.fromJson(requestContent, ImpersonationRequest.class);
    LOG.debug("Fetching credentials for {}", impersonationRequest);
    UGIWithPrincipal ugiWithPrincipal = ugiProvider.getConfiguredUGI(impersonationRequest);
    Credentials credentials = ImpersonationUtils.doAs(ugiWithPrincipal.getUGI(), new Callable<Credentials>() {

        @Override
        public Credentials call() throws Exception {
            return tokenSecureStoreRenewer.createCredentials();
        }
    });
    // example: hdfs:///cdap/credentials
    Location credentialsDir = locationFactory.create("credentials");
    if (credentialsDir.isDirectory() || credentialsDir.mkdirs() || credentialsDir.isDirectory()) {
        // the getTempFile() doesn't create the file within the directory that you call it on. It simply appends the path
        // without a separator, which is why we manually append the "tmp"
        // example: hdfs:///cdap/credentials/tmp.5960fe60-6fd8-4f3e-8e92-3fb6d4726006.credentials
        Location credentialsFile = credentialsDir.append("tmp").getTempFile(".credentials");
        // 600 is owner-only READ_WRITE
        try (DataOutputStream os = new DataOutputStream(new BufferedOutputStream(credentialsFile.getOutputStream("600")))) {
            credentials.writeTokenStorageToStream(os);
        }
        LOG.debug("Wrote credentials for user {} to {}", ugiWithPrincipal.getPrincipal(), credentialsFile);
        PrincipalCredentials principalCredentials = new PrincipalCredentials(ugiWithPrincipal.getPrincipal(), credentialsFile.toURI().toString());
        responder.sendJson(HttpResponseStatus.OK, principalCredentials);
    } else {
        throw new IllegalStateException("Unable to create credentials directory.");
    }
}
Also used : PrincipalCredentials(co.cask.cdap.security.impersonation.PrincipalCredentials) UGIWithPrincipal(co.cask.cdap.security.impersonation.UGIWithPrincipal) DataOutputStream(java.io.DataOutputStream) BadRequestException(co.cask.cdap.common.BadRequestException) ImpersonationRequest(co.cask.cdap.security.impersonation.ImpersonationRequest) BadRequestException(co.cask.cdap.common.BadRequestException) BufferedOutputStream(java.io.BufferedOutputStream) Credentials(org.apache.hadoop.security.Credentials) PrincipalCredentials(co.cask.cdap.security.impersonation.PrincipalCredentials) Location(org.apache.twill.filesystem.Location) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Aggregations

BadRequestException (co.cask.cdap.common.BadRequestException)1 ImpersonationRequest (co.cask.cdap.security.impersonation.ImpersonationRequest)1 PrincipalCredentials (co.cask.cdap.security.impersonation.PrincipalCredentials)1 UGIWithPrincipal (co.cask.cdap.security.impersonation.UGIWithPrincipal)1 BufferedOutputStream (java.io.BufferedOutputStream)1 DataOutputStream (java.io.DataOutputStream)1 POST (javax.ws.rs.POST)1 Path (javax.ws.rs.Path)1 Credentials (org.apache.hadoop.security.Credentials)1 Location (org.apache.twill.filesystem.Location)1