use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AppLifecycleHttpHandler method updateApp.
/**
* Updates an existing application.
*/
@POST
@Path("/apps/{app-id}/update")
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void updateApp(HttpRequest request, HttpResponder responder, @PathParam("namespace-id") final String namespaceId, @PathParam("app-id") final String appName) throws NotFoundException, BadRequestException, UnauthorizedException, IOException {
ApplicationId appId = validateApplicationId(namespaceId, appName);
AppRequest appRequest;
try (Reader reader = new InputStreamReader(new ChannelBufferInputStream(request.getContent()), Charsets.UTF_8)) {
appRequest = GSON.fromJson(reader, AppRequest.class);
} catch (IOException e) {
LOG.error("Error reading request to update app {} in namespace {}.", appName, namespaceId, e);
throw new IOException("Error reading request body.");
} catch (JsonSyntaxException e) {
throw new BadRequestException("Request body is invalid json: " + e.getMessage());
}
try {
applicationLifecycleService.updateApp(appId, appRequest, createProgramTerminator());
responder.sendString(HttpResponseStatus.OK, "Update complete.");
} catch (InvalidArtifactException e) {
throw new BadRequestException(e.getMessage());
} catch (ConflictException e) {
responder.sendString(HttpResponseStatus.CONFLICT, e.getMessage());
} catch (NotFoundException | UnauthorizedException e) {
throw e;
} catch (Exception e) {
// this is the same behavior as deploy app pipeline, but this is bad behavior. Error handling needs improvement.
LOG.error("Deploy failure", e);
responder.sendString(HttpResponseStatus.BAD_REQUEST, e.getMessage());
}
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class ApplicationLifecycleService method ensureAccess.
/**
* Ensures that the logged-in user has a {@link Action privilege} on the specified dataset instance.
*
* @param appId the {@link ApplicationId} to check for privileges
* @throws UnauthorizedException if the logged in user has no {@link Action privileges} on the specified dataset
*/
private void ensureAccess(ApplicationId appId) throws Exception {
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(appId)) {
throw new UnauthorizedException(principal, appId);
}
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetInstanceService method get.
/**
* Gets a dataset instance.
*
* @param instance instance to get
* @param owners the {@link EntityId entities} that will be using the dataset instance
* @return the dataset instance's {@link DatasetMeta}
* @throws NotFoundException if either the namespace or dataset instance is not found,
* @throws IOException if there is a problem in making an HTTP request to check if the namespace exists
* @throws UnauthorizedException if perimeter security and authorization are enabled, and the current user does not
* have any privileges on the #instance
*/
DatasetMeta get(final DatasetId instance, List<? extends EntityId> owners) throws Exception {
// Application Deployment first makes a call to the dataset service to check if the instance already exists with
// a different type. To make sure that that call responds with the right exceptions if necessary, first fetch the
// meta from the cache and throw appropriate exceptions if necessary.
DatasetMeta datasetMeta;
try {
datasetMeta = metaCache.get(instance);
} catch (ExecutionException e) {
Throwable cause = e.getCause();
if ((cause instanceof Exception) && (cause instanceof HttpErrorStatusProvider)) {
throw (Exception) cause;
}
throw e;
}
// Only return the above datasetMeta if authorization succeeds
ensureAccess(instance);
return datasetMeta;
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetTypeService method getModule.
/**
* Returns the {@link DatasetModuleMeta metadata} of the specified {@link DatasetModuleId}.
*/
DatasetModuleMeta getModule(DatasetModuleId datasetModuleId) throws Exception {
ensureNamespaceExists(datasetModuleId.getParent());
DatasetModuleMeta moduleMeta = typeManager.getModule(datasetModuleId);
if (moduleMeta == null) {
throw new DatasetModuleNotFoundException(datasetModuleId);
}
Principal principal = authenticationContext.getPrincipal();
final Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(datasetModuleId)) {
throw new UnauthorizedException(principal, datasetModuleId);
}
return moduleMeta;
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetTypeService method getType.
/**
* Returns details of the specified {@link DatasetTypeId dataset type}.
*/
DatasetTypeMeta getType(DatasetTypeId datasetTypeId) throws Exception {
ensureNamespaceExists(datasetTypeId.getParent());
DatasetTypeMeta typeMeta = typeManager.getTypeInfo(datasetTypeId);
if (typeMeta == null) {
throw new DatasetTypeNotFoundException(datasetTypeId);
}
// TODO: Test if this can be removed
if (NamespaceId.SYSTEM.equals(datasetTypeId.getParent())) {
return typeMeta;
}
// only return the type if the user has some privileges on it
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> authFilter = authorizationEnforcer.createFilter(principal);
if (!authFilter.apply(datasetTypeId)) {
throw new UnauthorizedException(principal, datasetTypeId);
}
return typeMeta;
}
Aggregations