
Example 6 with AccessException

use of io.cdap.cdap.api.security.AccessException in project cdap by cdapio.

the class ProvisionerNotifier method publish.

/**
 * Publishes a {@code PROGRAM_STATUS} notification carrying {@code properties} to {@code topic},
 * retrying under {@code retryStrategy} while the topic is reported missing.
 *
 * <p>A {@link TopicNotFoundException} is treated as transient and surfaced as a
 * {@link RetryableException}; I/O and access failures are rethrown unchecked via
 * {@code Throwables.propagate} (whether the retry helper retries those is up to it).
 *
 * @param properties properties placed in the notification payload
 */
private void publish(Map<String, String> properties) {
    Notification notification = new Notification(Notification.Type.PROGRAM_STATUS, properties);
    final StoreRequest request = StoreRequestBuilder.of(topic)
        .addPayload(GSON.toJson(notification))
        .build();
    Retries.supplyWithRetries(() -> {
        try {
            messagingService.publish(request);
            return null;
        } catch (TopicNotFoundException e) {
            // the topic may not exist yet; let the retry strategy decide whether to try again
            throw new RetryableException(e);
        } catch (IOException | AccessException e) {
            throw Throwables.propagate(e);
        }
    }, retryStrategy);
}

Example 7 with AccessException

use of io.cdap.cdap.api.security.AccessException in project cdap by cdapio.

the class InternalAccessEnforcer method validateAccessTokenAndIdentity.

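/**
 * Validates that {@code credential} is an internal access token that {@code tokenManager}
 * accepts and whose identity is of type {@code INTERNAL}.
 *
 * <p>The token's username is compared with {@code principalName}, but a mismatch is only logged
 * at debug level and does not fail validation; the identifier type is the only identity property
 * that is enforced here.
 *
 * @param principalName principal name the caller presented; used only for the mismatch log
 * @param credential credential to validate; must be non-null and of type {@code INTERNAL}
 * @throws IllegalStateException if the credential is null or is not an internal credential
 * @throws AccessException if the token cannot be decoded, fails secret validation, or does not
 *     carry an {@code INTERNAL} identifier type
 */
private void validateAccessTokenAndIdentity(String principalName, Credential credential) throws AccessException {
    if (credential == null) {
        throw new IllegalStateException("Attempted to internally enforce access on null credential");
    }
    if (!credential.getType().equals(Credential.CredentialType.INTERNAL)) {
        throw new IllegalStateException("Attempted to internally enforce access on non-internal credential type");
    }
    AccessToken accessToken;
    try {
        // Base64.Decoder#decode throws IllegalArgumentException on malformed input; report that as
        // an undecodable token (AccessException) instead of letting a RuntimeException escape
        accessToken = accessTokenCodec.decode(Base64.getDecoder().decode(credential.getValue()));
    } catch (IOException | IllegalArgumentException e) {
        throw new AccessException("Failed to deserialize access token", e);
    }
    try {
        tokenManager.validateSecret(accessToken);
    } catch (InvalidTokenException e) {
        throw new AccessException("Failed to validate access token", e);
    }
    UserIdentity userIdentity = accessToken.getIdentifier();
    if (!userIdentity.getUsername().equals(principalName)) {
        // intentionally not enforced: only recorded for diagnostics
        LOG.debug(String.format("Internal access token username differs from principal name; got token " + "name '%s', expected principal name '%s'", userIdentity.getUsername(), principalName));
    }
    UserIdentity.IdentifierType identifierType = userIdentity.getIdentifierType();
    // null-safe: a missing identifier type is rejected the same way as a wrong one
    if (!UserIdentity.IdentifierType.INTERNAL.equals(identifierType)) {
        throw new AccessException(String.format("Invalid internal access token type; got '%s', want '%s'", identifierType, UserIdentity.IdentifierType.INTERNAL));
    }
}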

Example 8 with AccessException

use of io.cdap.cdap.api.security.AccessException in project cdap by cdapio.

the class RemoteAccessEnforcer method isVisible.

/**
 * Filters {@code entityIds} down to the entities visible to {@code principal}.
 *
 * <p>With authorization disabled every entity is visible and the input set is returned as-is,
 * before the null check that applies otherwise. With the visibility cache enabled the answer is
 * taken from {@code visibilityCache} (which may load missing keys on its own); otherwise a single
 * remote visibility check is issued.
 *
 * @param entityIds entities to check; must not be null when authorization is enabled
 * @param principal principal whose visibility is evaluated
 * @return the subset of {@code entityIds} visible to {@code principal}
 * @throws AccessException for any failure of the cache lookup or remote call, as translated by
 *     {@code AuthEnforceUtil.propagateAccessException}
 */
@Override
public Set<? extends EntityId> isVisible(Set<? extends EntityId> entityIds, Principal principal) throws AccessException {
    if (!isSecurityAuthorizationEnabled()) {
        return entityIds;
    }
    Preconditions.checkNotNull(entityIds, "entityIds cannot be null");
    try {
        if (!cacheEnabled) {
            return visibilityCheckCall(new VisibilityRequest(principal, entityIds));
        }
        Iterable<VisibilityKey> keys = toVisibilityKeys(principal, entityIds);
        ImmutableMap<VisibilityKey, Boolean> lookup = visibilityCache.getAll(keys);
        Set<VisibilityKey> visibleKeys = Maps.filterEntries(lookup, VISIBILITY_KEYS_FILTER).keySet();
        return toEntityIds(visibleKeys);
    } catch (Exception e) {
        throw AuthEnforceUtil.propagateAccessException(e);
    }
}

Example 9 with AccessException

use of io.cdap.cdap.api.security.AccessException in project cdap by cdapio.

the class UnitTestManager method deployApplication.

/**
 * Packages {@code applicationClz} as artifact {@code <simple class name>:1.0-SNAPSHOT} in
 * {@code namespace}, deploys it, and returns a manager for the deployed application.
 *
 * <p>When {@code configObject} is null a default instance of the application's config type is
 * created reflectively. The application name is whatever the class's own {@code configure}
 * assigns via the mock configurer.
 *
 * @param namespace target namespace
 * @param applicationClz application class; must not be null
 * @param configObject application config, or null to use a default-constructed config
 * @param bundleEmbeddedJars extra jars to embed in the application artifact
 * @return a manager for the deployed application
 * @throws AccessException if deployment is rejected for access reasons; every other failure is
 *     rethrown unchecked via {@code Throwables.propagate}
 */
@Override
public ApplicationManager deployApplication(NamespaceId namespace, Class<? extends Application> applicationClz, @Nullable Config configObject, File... bundleEmbeddedJars) throws AccessException {
    Preconditions.checkNotNull(applicationClz, "Application class cannot be null.");
    Type configType = Artifacts.getConfigType(applicationClz);
    try {
        String namespaceName = namespace.getNamespace();
        ArtifactId artifactId = new ArtifactId(namespaceName, applicationClz.getSimpleName(), "1.0-SNAPSHOT");
        addAppArtifact(artifactId, applicationClz, new Manifest(), bundleEmbeddedJars);
        // fall back to a default-constructed config when the caller passed none
        Config effectiveConfig = configObject;
        if (effectiveConfig == null) {
            effectiveConfig = (Config) TypeToken.of(configType).getRawType().newInstance();
        }
        Application app = applicationClz.newInstance();
        MockAppConfigurer configurer = new MockAppConfigurer(app);
        app.configure(configurer, new DefaultApplicationContext<>(effectiveConfig));
        ApplicationId appId = new ApplicationId(namespaceName, configurer.getName());
        ArtifactSummary summary = new ArtifactSummary(artifactId.getArtifact(), artifactId.getVersion());
        appFabricClient.deployApplication(Id.Application.fromEntityId(appId), new AppRequest(summary, effectiveConfig));
        return appManagerFactory.create(appId);
    } catch (AccessException e) {
        // keep the declared exception type intact for callers
        throw e;
    } catch (Exception e) {
        throw Throwables.propagate(e);
    }
}

Example 10 with AccessException

use of io.cdap.cdap.api.security.AccessException in project cdap by cdapio.

the class ImpersonationHandler method getCredentials.

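/**
 * Handles {@code POST /credentials}: obtains Hadoop {@link Credentials} for the principal named in
 * the request body and replies with a {@code PrincipalCredentials} that points at the file
 * holding them.
 *
 * <p>The credentials are written under {@code <locationFactory root>/credentials/} into a fresh
 * temp file created with mode {@code 600} (owner read/write only); only the file's URI travels in
 * the response body, never the token bytes themselves.
 *
 * @param request HTTP request whose UTF-8 body is a JSON {@code ImpersonationRequest}
 * @param responder responder used to send the JSON reply
 * @throws BadRequestException if the body is empty or does not decode to an impersonation request
 * @throws ServiceException (500) if the UGI for the requested principal cannot be obtained
 * @throws IllegalStateException if the credentials directory cannot be created
 * @throws Exception on any other failure while creating or writing the credentials
 */
@POST
@Path("/credentials")
public void getCredentials(FullHttpRequest request, HttpResponder responder) throws Exception {
    String requestContent = request.content().toString(StandardCharsets.UTF_8);
    // ByteBuf#toString(Charset) never returns null; an empty body decodes to "", so test for that
    if (requestContent.isEmpty()) {
        throw new BadRequestException("Request body is empty.");
    }
    ImpersonationRequest impersonationRequest = GSON.fromJson(requestContent, ImpersonationRequest.class);
    // Gson returns null when the body holds no JSON value (e.g. whitespace only or the literal
    // null); reject that here instead of failing with an NPE further down
    if (impersonationRequest == null) {
        throw new BadRequestException("Request body is not a valid impersonation request.");
    }
    LOG.debug("Fetching credentials for {}", impersonationRequest);
    UGIWithPrincipal ugiWithPrincipal;
    try {
        ugiWithPrincipal = ugiProvider.getConfiguredUGI(impersonationRequest);
    } catch (AccessException e) {
        throw new ServiceException(e, HttpResponseStatus.INTERNAL_SERVER_ERROR);
    }
    // createCredentials runs under the impersonated UGI, not the service's own identity
    Credentials credentials = ImpersonationUtils.doAs(ugiWithPrincipal.getUGI(),
        () -> tokenSecureStoreRenewer.createCredentials());
    // example: hdfs:///cdap/credentials
    Location credentialsDir = locationFactory.create("credentials");
    // the trailing isDirectory() re-check tolerates a concurrent mkdirs() by another request
    if (credentialsDir.isDirectory() || credentialsDir.mkdirs() || credentialsDir.isDirectory()) {
        // the getTempFile() doesn't create the file within the directory that you call it on. It simply appends the path
        // without a separator, which is why we manually append the "tmp"
        // example: hdfs:///cdap/credentials/tmp.5960fe60-6fd8-4f3e-8e92-3fb6d4726006.credentials
        Location credentialsFile = credentialsDir.append("tmp").getTempFile(".credentials");
        // 600 is owner-only READ_WRITE; the file holds delegation tokens, so it must not be world-readable
        try (DataOutputStream os = new DataOutputStream(new BufferedOutputStream(credentialsFile.getOutputStream("600")))) {
            credentials.writeTokenStorageToStream(os);
        }
        LOG.debug("Wrote credentials for user {} to {}", ugiWithPrincipal.getPrincipal(), credentialsFile);
        PrincipalCredentials principalCredentials = new PrincipalCredentials(ugiWithPrincipal.getPrincipal(), credentialsFile.toURI().toString());
        responder.sendJson(HttpResponseStatus.OK, GSON.toJson(principalCredentials));
    } else {
        throw new IllegalStateException("Unable to create credentials directory.");
    }
}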
