use of com.hortonworks.streamline.streams.security.catalog.AclEntry in project streamline by hortonworks.
the class SecurityCatalogResource method filter.
/**
 * Narrows a set of ACL entries to those the calling principal is allowed to see.
 *
 * A caller holding {@code ROLE_SECURITY_ADMIN} sees every entry; any other caller
 * sees only the entries for which {@link #matches} accepts the caller or one of the
 * caller's roles. The caller's roles are resolved up front (before the admin check),
 * exactly as callers of this method have always observed.
 *
 * @param aclEntries      candidate entries, possibly containing duplicates
 * @param securityContext JAX-RS security context identifying the caller
 * @return a de-duplicated set of the entries visible to the caller
 */
private Collection<AclEntry> filter(Collection<AclEntry> aclEntries, SecurityContext securityContext) {
    User caller = getCurrentUser(securityContext);
    Set<Role> callerRoles = catalogService.getAllUserRoles(caller);
    boolean callerIsSecurityAdmin = SecurityUtil.hasRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    if (callerIsSecurityAdmin) {
        // Security admins bypass per-entry matching entirely.
        return aclEntries.stream().collect(Collectors.toSet());
    }
    return aclEntries.stream()
            .filter(entry -> matches(entry, caller, callerRoles))
            .collect(Collectors.toSet());
}
use of com.hortonworks.streamline.streams.security.catalog.AclEntry in project streamline by hortonworks.
the class SecurityCatalogResource method getAcl.
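/**
 * Returns the ACL entry with the given id, provided the caller may read it.
 *
 * Existence is resolved before authorization so that the authorization predicate
 * ({@code shouldAllowAclGet}) is never invoked with a {@code null} entry for an
 * unknown id; this mirrors the order already used by {@code deleteAcl}. Note that
 * this ordering lets a caller learn whether an id exists (404 vs. the authorization
 * failure) before being authorized, which {@code deleteAcl} already allows.
 *
 * @param aclId           id of the ACL entry to fetch
 * @param securityContext JAX-RS security context identifying the caller
 * @return 200 with the entry as the body
 * @throws EntityNotFoundException if no entry with {@code aclId} exists
 */
@GET
@Path("/acls/{id}")
@Timed
public Response getAcl(@PathParam("id") Long aclId, @Context SecurityContext securityContext) {
    AclEntry aclEntry = catalogService.getAcl(aclId);
    if (aclEntry == null) {
        throw EntityNotFoundException.byId(aclId.toString());
    }
    // Authorize against the concrete entry; throws if the caller may not read it.
    checkAclOp(aclEntry, securityContext, this::shouldAllowAclGet);
    return WSUtils.respondEntity(aclEntry, OK);
}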
use of com.hortonworks.streamline.streams.security.catalog.AclEntry in project streamline by hortonworks.
the class SecurityCatalogResource method deleteAcl.
/**
 * Deletes the ACL entry with the given id, provided the caller may delete it.
 *
 * The entry is looked up first, the caller is authorized against that entry, and
 * only then is the row removed. The response body is the entry as it was read
 * before removal, not the value returned by the storage layer.
 *
 * @param aclId           id of the ACL entry to delete
 * @param securityContext JAX-RS security context identifying the caller
 * @return 200 with the deleted entry as the body
 * @throws EntityNotFoundException if no entry with {@code aclId} exists, or if it
 *         disappeared between the lookup and the removal
 */
@DELETE
@Path("/acls/{id}")
@Timed
public Response deleteAcl(@PathParam("id") Long aclId, @Context SecurityContext securityContext) {
    AclEntry existing = catalogService.getAcl(aclId);
    if (existing == null) {
        throw EntityNotFoundException.byId(aclId.toString());
    }
    // Authorize against the entry as it currently exists before touching storage.
    checkAclOp(existing, securityContext, this::shouldAllowAclDelete);
    // The lookup and the removal are separate calls; the entry may have vanished in between.
    if (catalogService.removeAcl(aclId) == null) {
        throw EntityNotFoundException.byId(aclId.toString());
    }
    return WSUtils.respondEntity(existing, OK);
}
use of com.hortonworks.streamline.streams.security.catalog.AclEntry in project streamline by hortonworks.
the class SecurityCatalogService method removeAcl.
/**
 * Removes the ACL entry with the given id from storage.
 *
 * This method performs no authorization of its own; the visible caller
 * ({@code SecurityCatalogResource.deleteAcl}) authorizes before invoking it,
 * and any new caller must do the same.
 *
 * @param id id of the entry to remove
 * @return whatever the DAO returns for the removed key (presumably the removed
 *         entry, or {@code null} if nothing matched — confirm against the DAO)
 */
public AclEntry removeAcl(Long id) {
    // A throwaway entry is only used to derive the primary key for the given id.
    AclEntry keyHolder = new AclEntry();
    keyHolder.setId(id);
    StorableKey storableKey = new StorableKey(AclEntry.NAMESPACE, keyHolder.getPrimaryKey());
    return dao.remove(storableKey);
}
use of com.hortonworks.streamline.streams.security.catalog.AclEntry in project streamline by hortonworks.
the class SecurityCatalogService method checkUserPermissions.
/**
 * Decides whether a user holds every permission in {@code required} on one object.
 *
 * Resolution order:
 * <ol>
 *   <li>an unknown user is denied outright;</li>
 *   <li>permissions from the user's direct ACL entry on the object are subtracted;</li>
 *   <li>if anything is still outstanding and the user has roles, permissions from
 *       role ACL entries on the object are subtracted for each role the user holds.</li>
 * </ol>
 * The result is {@code true} only when nothing remains outstanding. Finding more than
 * one direct user entry for the same object is treated as corrupt state and fails
 * closed with an exception rather than silently choosing one.
 *
 * @param objectNamespace namespace of the protected object
 * @param objectId        id of the protected object
 * @param userId          id of the user being checked
 * @param required        permissions that must all be granted
 * @return {@code true} if every required permission is granted directly or via a role
 * @throws IllegalStateException if more than one direct user ACL entry exists for the object
 */
public boolean checkUserPermissions(String objectNamespace, Long objectId, Long userId, EnumSet<Permission> required) {
    User user = getUser(userId);
    if (user == null) {
        // Unknown principal: deny rather than guess.
        return false;
    }
    EnumSet<Permission> outstanding = EnumSet.copyOf(required);
    String objectIdText = String.valueOf(objectId);

    // Step 1: permissions granted directly to this user on this object.
    List<QueryParam> userQuery = QueryParam.params(
            AclEntry.OBJECT_NAMESPACE, objectNamespace,
            AclEntry.OBJECT_ID, objectIdText,
            AclEntry.SID_TYPE, USER.toString(),
            AclEntry.SID_ID, String.valueOf(userId));
    Collection<AclEntry> userAcls = listAcls(userQuery);
    switch (userAcls.size()) {
        case 0:
            break;
        case 1:
            outstanding.removeAll(userAcls.iterator().next().getPermissions());
            break;
        default:
            // Duplicate rows make the grant ambiguous; fail closed instead of picking one.
            throw new IllegalStateException("More than one ACL entry for " + userQuery);
    }

    // Step 2: permissions granted to any role the user holds.
    if (outstanding.isEmpty() || user.getRoles() == null) {
        return outstanding.isEmpty();
    }
    List<QueryParam> roleQuery = QueryParam.params(
            AclEntry.OBJECT_NAMESPACE, objectNamespace,
            AclEntry.OBJECT_ID, objectIdText,
            AclEntry.SID_TYPE, AclEntry.SidType.ROLE.toString());
    Collection<AclEntry> roleAcls = listAcls(roleQuery);
    Set<Role> userRoles = getAllUserRoles(user);
    for (AclEntry roleAcl : roleAcls) {
        if (outstanding.isEmpty()) {
            break;
        }
        // Membership is decided by Role equality as resolved through getRole().
        if (userRoles.contains(getRole(roleAcl.getSidId()))) {
            outstanding.removeAll(roleAcl.getPermissions());
        }
    }
    return outstanding.isEmpty();
}