
Example 6 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

From class AppCreator, method execute:

/**
 * Deploys the application described by {@code arguments}, unless an application with that id
 * already exists and {@code overwrite} was not requested.
 *
 * <p>Not-found, authorization and invalid-artifact failures are rethrown unchanged; a
 * {@link DatasetManagementException} whose cause is an {@link UnauthorizedException} is unwrapped
 * to that cause; every other failure is wrapped in a {@link RetryableException}.
 *
 * @param arguments application id, artifact, optional config, optional owner principal and flags
 * @throws NotFoundException if deployment reports a missing entity
 * @throws UnauthorizedException if the requesting user lacks a required permission
 * @throws InvalidArtifactException if the artifact cannot be used to create the application
 * @throws RetryableException for any other deployment failure
 */
@Override
public void execute(Arguments arguments) throws Exception {
    ApplicationId appId = arguments.getId();
    ArtifactSummary artifactSummary = arguments.getArtifact();
    boolean alreadyDeployed = appExists(appId);
    if (alreadyDeployed && !arguments.overwrite) {
        // present and the caller did not ask to replace it: nothing to do
        return;
    }
    KerberosPrincipalId ownerPrincipalId;
    if (arguments.getOwnerPrincipal() == null) {
        ownerPrincipalId = null;
    } else {
        ownerPrincipalId = new KerberosPrincipalId(arguments.getOwnerPrincipal());
    }
    // a missing config must stay null; serializing it would produce the literal string "null"
    String configString;
    if (arguments.getConfig() == null) {
        configString = null;
    } else {
        configString = GSON.toJson(arguments.getConfig());
    }
    try {
        appLifecycleService.deployApp(appId.getParent(), appId.getApplication(), appId.getVersion(),
                                      artifactSummary, configString, unused -> {
                                      }, ownerPrincipalId, arguments.canUpdateSchedules(), false,
                                      Collections.emptyMap());
    } catch (NotFoundException | UnauthorizedException | InvalidArtifactException ex) {
        // surfaced as-is rather than marked retryable
        throw ex;
    } catch (DatasetManagementException ex) {
        Throwable cause = ex.getCause();
        if (cause instanceof UnauthorizedException) {
            // the dataset layer wrapped an authorization failure; hand the caller the real one
            throw (UnauthorizedException) cause;
        }
        throw new RetryableException(ex);
    } catch (Exception ex) {
        throw new RetryableException(ex);
    }
}

Example 7 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

From class ApplicationLifecycleService, method deployApp:

/**
 * Deploys an application from an already-resolved artifact and publishes an app-creation event.
 *
 * <p>Order matters here: the owner-principal authorization check runs before any deployment
 * work starts, the capability check runs before the deploy pipeline is created, and the
 * creation event is only published once the pipeline has completed successfully.
 *
 * @param namespaceId      namespace the application is deployed into
 * @param appName          application name, or {@code null} (the original comments note that
 *                         app-level enforcement is therefore deferred to the deploy pipeline)
 * @param appVersion       application version, or {@code null}
 * @param configStr        serialized application config, or {@code null}
 * @param programTerminator used by the manager created for this deployment
 * @param artifactDetail   artifact whose first application class is deployed
 * @param ownerPrincipal   requested owner principal, or {@code null} when no owner is requested
 * @param updateSchedules  whether schedules of an existing version are updated
 * @param isPreview        when {@code true}, runtime info carrying {@code userProps} is attached
 * @param userProps        user properties passed to a preview deployment
 * @return the deployed application together with its programs
 * @throws InvalidArtifactException if the artifact contains no application class
 * @throws Exception any failure raised by the deploy pipeline, unwrapped from
 *                   {@link ExecutionException}
 */
private ApplicationWithPrograms deployApp(NamespaceId namespaceId, @Nullable String appName, @Nullable String appVersion, @Nullable String configStr, ProgramTerminator programTerminator, ArtifactDetail artifactDetail, @Nullable KerberosPrincipalId ownerPrincipal, boolean updateSchedules, boolean isPreview, Map<String, String> userProps) throws Exception {
    // Now to deploy an app, we need ADMIN privilege on the owner principal if it is present, and also ADMIN on the app
    // But since at this point, app name is unknown to us, so the enforcement on the app is happening in the deploy
    // pipeline - LocalArtifactLoaderStage
    // need to enforce on the principal id if impersonation is involved
    // The effective owner is resolved from the requested principal (or null) via ownerAdmin; when no owner
    // applies, the SET_OWNER check below is skipped entirely.
    KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, namespaceId, ownerPrincipal == null ? null : ownerPrincipal.getPrincipal());
    Principal requestingUser = authenticationContext.getPrincipal();
    // impersonated principal
    if (effectiveOwner != null) {
        accessEnforcer.enforce(effectiveOwner, requestingUser, AccessPermission.SET_OWNER);
    }
    // Only the first application class in the artifact is considered.
    ApplicationClass appClass = Iterables.getFirst(artifactDetail.getMeta().getClasses().getApps(), null);
    if (appClass == null) {
        throw new InvalidArtifactException(String.format("No application class found in artifact '%s' in namespace '%s'.", artifactDetail.getDescriptor().getArtifactId(), namespaceId));
    }
    // Capability requirements are not checked for deployments into the system namespace.
    if (!NamespaceId.SYSTEM.equals(namespaceId)) {
        capabilityReader.checkAllEnabled(appClass.getRequirements().getCapabilities());
    }
    // deploy application with newly added artifact
    // Note: the deployment info carries the requested ownerPrincipal, not the resolved effectiveOwner;
    // runtime info (with userProps) is only attached for preview deployments.
    AppDeploymentInfo deploymentInfo = new AppDeploymentInfo(Artifacts.toProtoArtifactId(namespaceId, artifactDetail.getDescriptor().getArtifactId()), artifactDetail.getDescriptor().getLocation(), namespaceId, appClass, appName, appVersion, configStr, ownerPrincipal, updateSchedules, isPreview ? new AppDeploymentRuntimeInfo(null, userProps, Collections.emptyMap()) : null);
    Manager<AppDeploymentInfo, ApplicationWithPrograms> manager = managerFactory.create(programTerminator);
    // TODO: (CDAP-3258) Manager needs MUCH better error handling.
    ApplicationWithPrograms applicationWithPrograms;
    try {
        // blocks until the deploy pipeline finishes
        applicationWithPrograms = manager.deploy(deploymentInfo).get();
    } catch (ExecutionException e) {
        // Rethrow the pipeline's own exception; anything else is wrapped as unchecked.
        // NOTE(review): Throwables.propagate is deprecated in newer Guava releases (throwIfInstanceOf /
        // throwIfUnchecked are the replacements) — confirm against the Guava version this build uses.
        Throwables.propagateIfPossible(e.getCause(), Exception.class);
        throw Throwables.propagate(e.getCause());
    }
    // published only after a successful deployment
    adminEventPublisher.publishAppCreation(applicationWithPrograms.getApplicationId(), applicationWithPrograms.getSpecification());
    return applicationWithPrograms;
}

Example 8 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

From class ProgramLifecycleService, method authorizePipelineRuntimeImpersonation:

/**
 * Enforces that the requesting user holds {@code IMPERSONATE} on the runtime principal named in
 * the user arguments.
 *
 * <p>The check is applied only when both {@code RUNTIME_PRINCIPAL_NAME} and
 * {@code RUNTIME_KEYTAB_PATH} are present in {@code userArgs}; otherwise the method does nothing.
 *
 * @param userArgs user-supplied runtime arguments
 * @throws Exception if enforcement fails for the requesting user
 */
private void authorizePipelineRuntimeImpersonation(Map<String, String> userArgs) throws Exception {
    if (!userArgs.containsKey(SystemArguments.RUNTIME_PRINCIPAL_NAME)
        || !userArgs.containsKey(SystemArguments.RUNTIME_KEYTAB_PATH)) {
        // both values are required before any impersonation check is made
        return;
    }
    String runtimePrincipal = userArgs.get(SystemArguments.RUNTIME_PRINCIPAL_NAME);
    LOG.debug("Checking authorisation for user: {}, using runtime config principal: {}", authenticationContext.getPrincipal(), runtimePrincipal);
    KerberosPrincipalId runtimePrincipalId = new KerberosPrincipalId(runtimePrincipal);
    accessEnforcer.enforce(runtimePrincipalId, authenticationContext.getPrincipal(), AccessPermission.IMPERSONATE);
}

Example 9 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

From class WorkflowDriver, method createLocalDatasets:

/**
 * Creates one dataset instance per entry of the workflow's local dataset name mapping, retrying
 * each creation with a fixed delay.
 *
 * <p>When an application principal is available for this run it is passed as the owner of each
 * new instance; otherwise the plain {@code addInstance} overload is used.
 *
 * @throws IOException if instance creation fails with an I/O error
 * @throws DatasetManagementException if the dataset framework rejects an instance
 * @throws IllegalStateException if the retry helper surfaces any other exception type
 */
private void createLocalDatasets() throws IOException, DatasetManagementException {
    final KerberosPrincipalId appPrincipal = ProgramRunners.getApplicationPrincipal(programOptions);
    for (final Map.Entry<String, String> nameMapping : datasetFramework.getDatasetNameMapping().entrySet()) {
        final String specName = nameMapping.getKey();
        final String instanceName = nameMapping.getValue();
        final DatasetId datasetId = new DatasetId(workflowRunId.getNamespace(), instanceName);
        final DatasetCreationSpec creationSpec = workflowSpec.getLocalDatasetSpecs().get(specName);
        LOG.debug("Adding Workflow local dataset instance: {}", instanceName);
        Retries.Callable<Void, Exception> createInstance = new Retries.Callable<Void, Exception>() {

            @Override
            public Void call() throws Exception {
                DatasetProperties props = addLocalDatasetProperty(creationSpec.getProperties(), keepLocal(specName));
                // the overload taking a principal is only usable when app impersonation is enabled
                if (appPrincipal == null) {
                    datasetFramework.addInstance(creationSpec.getTypeName(), datasetId, props);
                } else {
                    datasetFramework.addInstance(creationSpec.getTypeName(), datasetId, props, appPrincipal);
                }
                return null;
            }
        };
        try {
            Retries.callWithRetries(createInstance, RetryStrategies.fixDelay(Constants.Retry.LOCAL_DATASET_OPERATION_RETRY_DELAY_SECONDS, TimeUnit.SECONDS));
        } catch (IOException | DatasetManagementException e) {
            // declared exceptions pass through unchanged
            throw e;
        } catch (Exception e) {
            // the callable only declares the two types above, so anything else is a programming error
            throw new IllegalStateException(e);
        }
    }
}

Example 10 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by caskdata.

From class OwnerStoreTest, method testGetOwners:

/**
 * Verifies that {@code getOwners} returns the registered owner for every owned entity in the
 * query set and no entry at all for an entity that was never given an owner.
 */
@Test
public void testGetOwners() throws IOException, AlreadyExistsException {
    OwnerStore ownerStore = getOwnerStore();
    KerberosPrincipalId datasetOwner = new KerberosPrincipalId("ds");
    KerberosPrincipalId appOwner = new KerberosPrincipalId("app");
    KerberosPrincipalId artifactOwner = new KerberosPrincipalId("artifact");
    ownerStore.add(NamespaceId.DEFAULT.dataset("dataset"), datasetOwner);
    ownerStore.add(NamespaceId.DEFAULT.app("app"), appOwner);
    ownerStore.add(NamespaceId.DEFAULT.artifact("artifact", "1.2.3"), artifactOwner);
    // "noowner" is queried but never registered, so it must be absent from the result
    Set<NamespacedEntityId> queried = ImmutableSet.of(
        NamespaceId.DEFAULT.dataset("dataset"),
        NamespaceId.DEFAULT.app("app"),
        NamespaceId.DEFAULT.artifact("artifact", "1.2.3"),
        NamespaceId.DEFAULT.app("noowner"));
    Map<NamespacedEntityId, KerberosPrincipalId> owners = ownerStore.getOwners(queried);
    Assert.assertEquals(3, owners.size());
    Assert.assertEquals(datasetOwner, owners.get(NamespaceId.DEFAULT.dataset("dataset")));
    Assert.assertEquals(appOwner, owners.get(NamespaceId.DEFAULT.app("app")));
    Assert.assertEquals(artifactOwner, owners.get(NamespaceId.DEFAULT.artifact("artifact", "1.2.3")));
    Assert.assertNull(owners.get(NamespaceId.DEFAULT.app("noowner")));
}
