Search in sources :

Example 1 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class AppLifecycleHttpHandler method updateApp.

/**
   * Updates an existing application.
   */
@POST
@Path("/apps/{app-id}/update")
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void updateApp(HttpRequest request, HttpResponder responder, @PathParam("namespace-id") final String namespaceId, @PathParam("app-id") final String appName) throws NotFoundException, BadRequestException, UnauthorizedException, IOException {
    ApplicationId appId = validateApplicationId(namespaceId, appName);
    AppRequest appRequest;
    try (Reader reader = new InputStreamReader(new ChannelBufferInputStream(request.getContent()), Charsets.UTF_8)) {
        appRequest = GSON.fromJson(reader, AppRequest.class);
    } catch (IOException e) {
        LOG.error("Error reading request to update app {} in namespace {}.", appName, namespaceId, e);
        throw new IOException("Error reading request body.");
    } catch (JsonSyntaxException e) {
        throw new BadRequestException("Request body is invalid json: " + e.getMessage());
    }
    try {
        applicationLifecycleService.updateApp(appId, appRequest, createProgramTerminator());
        responder.sendString(HttpResponseStatus.OK, "Update complete.");
    } catch (InvalidArtifactException e) {
        throw new BadRequestException(e.getMessage());
    } catch (ConflictException e) {
        responder.sendString(HttpResponseStatus.CONFLICT, e.getMessage());
    } catch (NotFoundException | UnauthorizedException e) {
        throw e;
    } catch (Exception e) {
        // this is the same behavior as deploy app pipeline, but this is bad behavior. Error handling needs improvement.
        LOG.error("Deploy failure", e);
        responder.sendString(HttpResponseStatus.BAD_REQUEST, e.getMessage());
    }
}
Also used : InputStreamReader(java.io.InputStreamReader) ConflictException(co.cask.cdap.common.ConflictException) WriteConflictException(co.cask.cdap.internal.app.runtime.artifact.WriteConflictException) Reader(java.io.Reader) InputStreamReader(java.io.InputStreamReader) FileReader(java.io.FileReader) ApplicationNotFoundException(co.cask.cdap.common.ApplicationNotFoundException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) ArtifactNotFoundException(co.cask.cdap.common.ArtifactNotFoundException) NotFoundException(co.cask.cdap.common.NotFoundException) IOException(java.io.IOException) ApplicationNotFoundException(co.cask.cdap.common.ApplicationNotFoundException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) ArtifactNotFoundException(co.cask.cdap.common.ArtifactNotFoundException) ArtifactAlreadyExistsException(co.cask.cdap.common.ArtifactAlreadyExistsException) ConflictException(co.cask.cdap.common.ConflictException) BadRequestException(co.cask.cdap.common.BadRequestException) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) WriteConflictException(co.cask.cdap.internal.app.runtime.artifact.WriteConflictException) JsonSyntaxException(com.google.gson.JsonSyntaxException) IOException(java.io.IOException) InvalidArtifactException(co.cask.cdap.common.InvalidArtifactException) ExecutionException(java.util.concurrent.ExecutionException) NotFoundException(co.cask.cdap.common.NotFoundException) AppRequest(co.cask.cdap.proto.artifact.AppRequest) JsonSyntaxException(com.google.gson.JsonSyntaxException) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) BadRequestException(co.cask.cdap.common.BadRequestException) ChannelBufferInputStream(org.jboss.netty.buffer.ChannelBufferInputStream) ApplicationId(co.cask.cdap.proto.id.ApplicationId) InvalidArtifactException(co.cask.cdap.common.InvalidArtifactException) Path(javax.ws.rs.Path) AuditPolicy(co.cask.cdap.common.security.AuditPolicy) POST(javax.ws.rs.POST)

Example 2 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class ApplicationLifecycleService method ensureAccess.

/**
   * Ensures that the logged-in user has a {@link Action privilege} on the specified dataset instance.
   *
   * @param appId the {@link ApplicationId} to check for privileges
   * @throws UnauthorizedException if the logged in user has no {@link Action privileges} on the specified dataset
   */
private void ensureAccess(ApplicationId appId) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    if (!filter.apply(appId)) {
        throw new UnauthorizedException(principal, appId);
    }
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Principal(co.cask.cdap.proto.security.Principal)

Example 3 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class DatasetInstanceService method get.

/**
   * Gets a dataset instance.
   *
   * @param instance instance to get
   * @param owners the {@link EntityId entities} that will be using the dataset instance
   * @return the dataset instance's {@link DatasetMeta}
   * @throws NotFoundException if either the namespace or dataset instance is not found,
   * @throws IOException if there is a problem in making an HTTP request to check if the namespace exists
   * @throws UnauthorizedException if perimeter security and authorization are enabled, and the current user does not
   *  have any privileges on the #instance
   */
DatasetMeta get(final DatasetId instance, List<? extends EntityId> owners) throws Exception {
    // Application Deployment first makes a call to the dataset service to check if the instance already exists with
    // a different type. To make sure that that call responds with the right exceptions if necessary, first fetch the
    // meta from the cache and throw appropriate exceptions if necessary.
    DatasetMeta datasetMeta;
    try {
        datasetMeta = metaCache.get(instance);
    } catch (ExecutionException e) {
        Throwable cause = e.getCause();
        if ((cause instanceof Exception) && (cause instanceof HttpErrorStatusProvider)) {
            throw (Exception) cause;
        }
        throw e;
    }
    // Only return the above datasetMeta if authorization succeeds
    ensureAccess(instance);
    return datasetMeta;
}
Also used : DatasetMeta(co.cask.cdap.proto.DatasetMeta) HttpErrorStatusProvider(co.cask.cdap.api.common.HttpErrorStatusProvider) ExecutionException(java.util.concurrent.ExecutionException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) DatasetNotFoundException(co.cask.cdap.common.DatasetNotFoundException) DatasetTypeNotFoundException(co.cask.cdap.common.DatasetTypeNotFoundException) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) HandlerException(co.cask.cdap.common.HandlerException) DatasetAlreadyExistsException(co.cask.cdap.common.DatasetAlreadyExistsException) IOException(java.io.IOException) ExecutionException(java.util.concurrent.ExecutionException) NotFoundException(co.cask.cdap.common.NotFoundException)

Example 4 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class DatasetTypeService method getModule.

/**
   * Returns the {@link DatasetModuleMeta metadata} of the specified {@link DatasetModuleId}.
   */
DatasetModuleMeta getModule(DatasetModuleId datasetModuleId) throws Exception {
    ensureNamespaceExists(datasetModuleId.getParent());
    DatasetModuleMeta moduleMeta = typeManager.getModule(datasetModuleId);
    if (moduleMeta == null) {
        throw new DatasetModuleNotFoundException(datasetModuleId);
    }
    Principal principal = authenticationContext.getPrincipal();
    final Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    if (!filter.apply(datasetModuleId)) {
        throw new UnauthorizedException(principal, datasetModuleId);
    }
    return moduleMeta;
}
Also used : DatasetModuleNotFoundException(co.cask.cdap.common.DatasetModuleNotFoundException) EntityId(co.cask.cdap.proto.id.EntityId) DatasetModuleMeta(co.cask.cdap.proto.DatasetModuleMeta) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Principal(co.cask.cdap.proto.security.Principal)

Example 5 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class DatasetTypeService method getType.

/**
   * Returns details of the specified {@link DatasetTypeId dataset type}.
   */
DatasetTypeMeta getType(DatasetTypeId datasetTypeId) throws Exception {
    ensureNamespaceExists(datasetTypeId.getParent());
    DatasetTypeMeta typeMeta = typeManager.getTypeInfo(datasetTypeId);
    if (typeMeta == null) {
        throw new DatasetTypeNotFoundException(datasetTypeId);
    }
    // TODO: Test if this can be removed
    if (NamespaceId.SYSTEM.equals(datasetTypeId.getParent())) {
        return typeMeta;
    }
    // only return the type if the user has some privileges on it
    Principal principal = authenticationContext.getPrincipal();
    Predicate<EntityId> authFilter = authorizationEnforcer.createFilter(principal);
    if (!authFilter.apply(datasetTypeId)) {
        throw new UnauthorizedException(principal, datasetTypeId);
    }
    return typeMeta;
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) DatasetTypeMeta(co.cask.cdap.proto.DatasetTypeMeta) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) DatasetTypeNotFoundException(co.cask.cdap.common.DatasetTypeNotFoundException) Principal(co.cask.cdap.proto.security.Principal)

Aggregations

UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)49 Test (org.junit.Test)18 IOException (java.io.IOException)15 EntityId (co.cask.cdap.proto.id.EntityId)13 Principal (co.cask.cdap.proto.security.Principal)13 Action (co.cask.cdap.proto.security.Action)12 BadRequestException (co.cask.cdap.common.BadRequestException)11 ApplicationId (co.cask.cdap.proto.id.ApplicationId)10 NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)9 JsonSyntaxException (com.google.gson.JsonSyntaxException)9 ExecutionException (java.util.concurrent.ExecutionException)9 NotFoundException (co.cask.cdap.common.NotFoundException)8 NamespaceId (co.cask.cdap.proto.id.NamespaceId)7 DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)6 ConflictException (co.cask.cdap.common.ConflictException)6 StreamId (co.cask.cdap.proto.id.StreamId)6 ArtifactAlreadyExistsException (co.cask.cdap.common.ArtifactAlreadyExistsException)5 ArtifactNotFoundException (co.cask.cdap.common.ArtifactNotFoundException)5 WriteConflictException (co.cask.cdap.internal.app.runtime.artifact.WriteConflictException)5 NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)5