use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetInstanceService method ensureAccess.
/**
 * Rejects the call unless the authenticated user holds at least one {@link Action privilege} on the given
 * dataset instance.
 *
 * <p>The decision is delegated to the filter that {@code authorizationEnforcer.createFilter} builds for the
 * current principal. No specific {@link Action} is passed to it.
 *
 * @param datasetId the {@link DatasetId} whose accessibility is verified
 * @throws UnauthorizedException if the filter rejects the dataset for the current principal
 */
private void ensureAccess(DatasetId datasetId) throws Exception {
  Principal caller = authenticationContext.getPrincipal();
  // NOTE(review): the filter is derived from the principal alone, so this is an "any privilege" gate.
  // Callers that mutate the dataset presumably still need to enforce the specific action - confirm.
  boolean accessible = authorizationEnforcer.createFilter(caller).apply(datasetId);
  if (accessible) {
    return;
  }
  // Both the principal and the entity go into the exception so the denial can be traced to who and what.
  throw new UnauthorizedException(caller, datasetId);
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class ProgramLifecycleHttpHandler method resetLogLevels.
/**
 * Handles a request to reset the log levels of a program, answering {@code 200 OK} on success.
 *
 * <p>The request body is decoded as a set of logger names; a body that decodes to {@code null} is treated as an
 * empty set.
 *
 * @param request the incoming HTTP request whose body carries the logger names
 * @param responder used to send the success status
 * @param namespace namespace of the application
 * @param appName name of the application
 * @param appVersion version of the application
 * @param type program type as given in the request; must resolve to a known {@link ProgramType}
 * @param programName name of the program
 * @param component optional component passed through to the lifecycle service
 * @param runId run id passed through to the lifecycle service
 * @throws BadRequestException if the program type is unknown or the body is not valid JSON
 * @throws UnauthorizedException if the lifecycle call raises a {@link SecurityException}
 */
private void resetLogLevels(HttpRequest request, HttpResponder responder, String namespace, String appName,
                            String appVersion, String type, String programName, @Nullable String component,
                            String runId) throws Exception {
  ProgramType resolvedType = getProgramType(type);
  if (null == resolvedType) {
    throw new BadRequestException("Invalid program type provided");
  }
  try {
    Set<String> requested = parseBody(request, SET_STRING_TYPE);
    Set<String> loggerNames = requested != null ? requested : Collections.<String>emptySet();
    lifecycleService.resetProgramLogLevels(
      new ApplicationId(namespace, appName, appVersion).program(resolvedType, programName),
      loggerNames, component, runId);
    responder.sendStatus(HttpResponseStatus.OK);
  } catch (JsonSyntaxException e) {
    throw new BadRequestException("Invalid JSON in body");
  } catch (SecurityException e) {
    // No authorization check is made in this method; a SecurityException from the try block is only
    // translated here.
    // NOTE(review): the original exception is dropped, so the denial reason never reaches the caller.
    // Consider logging it server-side before rethrowing so denied attempts stay auditable.
    throw new UnauthorizedException("Unauthorized to reset the log levels");
  }
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class ProgramLifecycleHttpHandler method updateLogLevels.
/**
 * Handles a request to update the log levels of a program, answering {@code 200 OK} on success.
 *
 * @param request the incoming HTTP request whose body carries the logger-name to level mapping
 * @param responder used to send the success status
 * @param namespace namespace of the application
 * @param appName name of the application
 * @param appVersion version of the application
 * @param type program type as given in the request; must resolve to a known {@link ProgramType}
 * @param programName name of the program
 * @param component optional component passed through to the lifecycle service
 * @param runId run id passed through to the lifecycle service
 * @throws BadRequestException if the program type is unknown, the body is not valid JSON, or an
 *   {@link IllegalArgumentException} is raised while handling the request
 * @throws UnauthorizedException if the lifecycle call raises a {@link SecurityException}
 */
private void updateLogLevels(HttpRequest request, HttpResponder responder, String namespace, String appName,
                             String appVersion, String type, String programName, @Nullable String component,
                             String runId) throws Exception {
  ProgramType resolvedType = getProgramType(type);
  if (null == resolvedType) {
    throw new BadRequestException("Invalid program type provided");
  }
  try {
    // The body is decoded as Map<String, String> rather than Map<String, LogEntry.Level>: Gson turns an
    // unknown enum constant into null instead of failing, and null is itself an allowed log level, so a
    // typo in the level name would otherwise go unnoticed.
    lifecycleService.updateProgramLogLevels(
      new ApplicationId(namespace, appName, appVersion).program(resolvedType, programName),
      transformLogLevelsMap(decodeArguments(request)),
      component,
      runId);
    responder.sendStatus(HttpResponseStatus.OK);
  } catch (JsonSyntaxException e) {
    throw new BadRequestException("Invalid JSON in body");
  } catch (IllegalArgumentException e) {
    // NOTE(review): the exception text is returned to the client as-is. Confirm that nothing reachable
    // from this try block can raise IllegalArgumentException with internal detail in its message.
    throw new BadRequestException(e.getMessage());
  } catch (SecurityException e) {
    // NOTE(review): the original exception is dropped here. Consider logging it server-side before
    // rethrowing so denied attempts stay auditable.
    throw new UnauthorizedException("Unauthorized to update the log levels");
  }
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetServiceClient method getInstance.
/**
 * Fetches the metadata of a dataset instance from the dataset service.
 *
 * <p>An authorization failure (HTTP 403) is not thrown directly. It is wrapped in a
 * {@link DatasetManagementException} whose cause is an {@link UnauthorizedException} carrying the response
 * body, so callers that need to tell "forbidden" from other failures must inspect the cause.
 *
 * @param instanceName name of the dataset instance to look up
 * @param owners optional owners, each sent as an {@code owner} query parameter; {@code null} sends none
 * @return the metadata decoded from the response body, or {@code null} if the service answers 404
 * @throws DatasetManagementException if the service answers 403 or any other status than 200
 */
@Nullable
public DatasetMeta getInstance(String instanceName, @Nullable Iterable<? extends EntityId> owners)
  throws DatasetManagementException {
  // NOTE(review): instanceName and the owner ids are concatenated into the URL without encoding. That is
  // only safe if every caller passes ids that were already validated - confirm, or encode at this boundary.
  StringBuilder path = new StringBuilder("datasets/").append(instanceName);
  if (owners != null) {
    Set<String> ownerParams = Sets.newHashSet();
    for (EntityId owner : owners) {
      ownerParams.add("owner=" + owner.toString());
    }
    if (!ownerParams.isEmpty()) {
      path.append("?").append(Joiner.on("&").join(ownerParams));
    }
  }

  HttpResponse response = doGet(path.toString());
  int status = response.getResponseCode();
  if (status == HttpResponseStatus.NOT_FOUND.code()) {
    return null;
  }
  if (status == HttpResponseStatus.FORBIDDEN.code()) {
    String message = String.format("Failed to get dataset instance %s, details: %s", instanceName, response);
    throw new DatasetManagementException(message, new UnauthorizedException(response.getResponseBodyAsString()));
  }
  if (status != HttpResponseStatus.OK.code()) {
    throw new DatasetManagementException(
      String.format("Cannot retrieve dataset instance %s info, details: %s", instanceName, response));
  }
  return GSON.fromJson(response.getResponseBodyAsString(), DatasetMeta.class);
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class StreamAdminTest method testConfigAndTruncate.
/**
 * Walks one stream through a sequence of grants and revocations and checks which {@code StreamAdmin} calls
 * succeed or raise {@link UnauthorizedException} at each step. The steps depend on each other, so their
 * order matters.
 */
@Test
public void testConfigAndTruncate() throws Exception {
StreamAdmin streamAdmin = getStreamAdmin();
StreamId stream = FOO_NAMESPACE.stream("stream");
// Start with ADMIN on the stream so that it can be created.
grantAndAssertSuccess(stream, USER, EnumSet.of(Action.ADMIN));
streamAdmin.create(stream);
Assert.assertTrue(streamAdmin.exists(stream));
writeEvent(stream);
// Getting config / properties should work
streamAdmin.getConfig(stream);
streamAdmin.getProperties(stream);
// Now revoke every action the user holds on the stream.
revokeAndAssertSuccess(stream, USER, EnumSet.allOf(Action.class));
// getConfig is called outside any try block, so it is expected to succeed even with no privileges.
// NOTE(review): a later comment says READ "should be enough" for the config, yet this call passes with
// no privilege at all - confirm that getConfig is intentionally not authorization-checked.
streamAdmin.getConfig(stream);
try {
streamAdmin.getProperties(stream);
Assert.fail("User should not be able to get the properties.");
} catch (UnauthorizedException e) {
// expected
}
// read action should be enough to get the stream config
grantAndAssertSuccess(stream, USER, ImmutableSet.of(Action.READ));
streamAdmin.getConfig(stream);
StreamProperties properties = streamAdmin.getProperties(stream);
try {
streamAdmin.updateConfig(stream, properties);
Assert.fail("User should not be able to update the config with just READ permissions.");
} catch (UnauthorizedException e) {
// expected
}
// This call bypasses the stream handler, so authorization is not checked and the write succeeds even
// without WRITE. It is done so that there is data to check the truncate call against.
writeEvent(stream);
grantAndAssertSuccess(stream, USER, ImmutableSet.of(Action.WRITE));
writeEvent(stream);
// READ and WRITE together must still not allow the administrative operations below.
try {
streamAdmin.updateConfig(stream, properties);
Assert.fail("User should not be able to update the config with just READ and WRITE permissions.");
} catch (UnauthorizedException e) {
// expected
}
try {
streamAdmin.truncate(stream);
Assert.fail("User should not be able to truncate the stream without ADMIN permission.");
} catch (UnauthorizedException e) {
// expected
}
try {
streamAdmin.drop(stream);
Assert.fail("User should not be able to drop the stream without ADMIN permission.");
} catch (UnauthorizedException e) {
// expected
}
// With ADMIN granted, the same three operations must go through.
grantAndAssertSuccess(stream, USER, ImmutableSet.of(Action.ADMIN));
streamAdmin.updateConfig(stream, properties);
streamAdmin.truncate(stream);
Assert.assertEquals(0, getStreamSize(stream));
streamAdmin.drop(stream);
// Revoke ADMIN once the stream has been dropped.
revokeAndAssertSuccess(stream, USER, EnumSet.of(Action.ADMIN));
}