Examples with KerberosPrincipalId io.cdap.cdap.proto.id.KerberosPrincipalId used on opensource projects

Example 16 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by cdapio.

the class DatasetInstanceService method create.

/**
 * Creates a dataset instance.
 *
 * @param namespaceId the namespace to create the dataset instance in
 * @param name the name of the new dataset instance
 * @param props the properties for the new dataset instance
 * @throws NamespaceNotFoundException if the specified namespace was not found
 * @throws DatasetAlreadyExistsException if a dataset with the same name already exists
 * @throws DatasetTypeNotFoundException if the dataset type was not found
 * @throws UnauthorizedException if perimeter security and authorization are enabled, and the current user does not
 *  have {@link StandardPermission#UPDATE} privilege on the #instance's namespace
 */
void create(String namespaceId, String name, DatasetInstanceConfiguration props) throws Exception {
    NamespaceId namespace = ConversionHelpers.toNamespaceId(namespaceId);
    DatasetId datasetId = ConversionHelpers.toDatasetInstanceId(namespaceId, name);
    Principal requestingUser = authenticationContext.getPrincipal();
    String ownerPrincipal = props.getOwnerPrincipal();
    // need to enforce on the principal id if impersonation is involved
    KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, namespace, ownerPrincipal);
    if (DatasetsUtil.isUserDataset(datasetId)) {
        LOG.trace("Authorizing impersonation for dataset {}", name);
        if (effectiveOwner != null) {
            accessEnforcer.enforce(effectiveOwner, requestingUser, AccessPermission.SET_OWNER);
        }
        accessEnforcer.enforce(datasetId, requestingUser, StandardPermission.CREATE);
        LOG.trace("Authorized impersonation for dataset {}", name);
    }
    LOG.trace("Ensuring existence of namespace {} for dataset {}", namespace, name);
    ensureNamespaceExists(namespace);
    LOG.trace("Ensured existence of namespace {} for dataset {}", namespace, name);
    LOG.trace("Retrieving instance metadata from MDS for dataset {}", name);
    DatasetSpecification existing = instanceManager.get(datasetId);
    if (existing != null) {
        throw new DatasetAlreadyExistsException(datasetId);
    }
    LOG.trace("Retrieved instance metadata from MDS for dataset {}", name);
    // for creation, we need enforcement for dataset type for user dataset, but bypass for system datasets
    DatasetTypeMeta typeMeta = getTypeInfo(namespace, props.getTypeName(), !DatasetsUtil.isUserDataset(datasetId));
    if (typeMeta == null) {
        // Type not found in the instance's namespace and the system namespace. Bail out.
        throw new DatasetTypeNotFoundException(ConversionHelpers.toDatasetTypeId(namespace, props.getTypeName()));
    }
    LOG.info("Creating dataset {}.{}, type name: {}, properties: {}", namespaceId, name, props.getTypeName(), props.getProperties());
    // exists or not
    if (ownerPrincipal != null) {
        LOG.trace("Adding owner for dataset {}", name);
        KerberosPrincipalId owner = new KerberosPrincipalId(ownerPrincipal);
        ownerAdmin.add(datasetId, owner);
        LOG.trace("Added owner {} for dataset {}", owner, name);
    }
    try {
        DatasetProperties datasetProperties = DatasetProperties.builder().addAll(props.getProperties()).setDescription(props.getDescription()).build();
        LOG.trace("Calling op executor service to configure dataset {}", name);
        DatasetCreationResponse response = opExecutorClient.create(datasetId, typeMeta, datasetProperties);
        LOG.trace("Received spec and metadata from op executor service for dataset {}: {}", name, response);
        LOG.trace("Adding instance metadata for dataset {}", name);
        DatasetSpecification spec = response.getSpec();
        instanceManager.add(namespace, spec);
        LOG.trace("Added instance metadata for dataset {}", name);
        metaCache.invalidate(datasetId);
        LOG.trace("Publishing audit for creation of dataset {}", name);
        publishAudit(datasetId, AuditType.CREATE);
        LOG.trace("Published audit for creation of dataset {}", name);
        SystemMetadata metadata = response.getMetadata();
        LOG.trace("Publishing system metadata for creation of dataset {}: {}", name, metadata);
        publishMetadata(datasetId, metadata);
        LOG.trace("Published system metadata for creation of dataset {}", name);
        // Enable explore
        enableExplore(datasetId, spec, props);
    } catch (Exception e) {
        // there was a problem in creating the dataset instance so delete the owner if it got added earlier
        // safe to call for entities which does not have an owner too
        ownerAdmin.delete(datasetId);
        throw e;
    }
}

Example 17 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by cdapio.

the class OwnerStoreTest method test.

@Test
public void test() throws Exception {
    OwnerStore ownerStore = getOwnerStore();
    DatasetId datasetId = NamespaceId.DEFAULT.dataset("fooData");
    // No owner info should exist for above stream
    Assert.assertNull(ownerStore.getOwner(datasetId));
    // delete behavior is idempotent, so won't throw NotFoundException
    ownerStore.delete(datasetId);
    // Storing an owner for the first time should work
    KerberosPrincipalId kerberosPrincipalId = new KerberosPrincipalId("alice/somehost@SOMEKDC.NET");
    ownerStore.add(datasetId, kerberosPrincipalId);
    // owner principal should exists
    Assert.assertTrue(ownerStore.exists(datasetId));
    // Should be able to get the principal back
    Assert.assertEquals(kerberosPrincipalId, ownerStore.getOwner(datasetId));
    // Should not be able to update the owner principal
    try {
        ownerStore.add(datasetId, new KerberosPrincipalId("bob@SOMEKDC.NET"));
        Assert.fail();
    } catch (AlreadyExistsException e) {
    // expected
    }
    // Should not be able to update the owner principal
    try {
        ownerStore.add(datasetId, new KerberosPrincipalId("somePrincipal"));
        Assert.fail();
    } catch (AlreadyExistsException e) {
    // expected
    }
    // trying to update with invalid principal should fail early on with IllegalArgumentException
    try {
        ownerStore.add(datasetId, new KerberosPrincipalId("b@ob@SOMEKDC.NET"));
        Assert.fail();
    } catch (IllegalArgumentException e) {
    // expected
    }
    // Trying to store owner information for unsupported type should fail
    try {
        ownerStore.add(NamespaceId.DEFAULT.topic("anotherStream"), new KerberosPrincipalId("somePrincipal"));
        Assert.fail();
    } catch (IllegalArgumentException e) {
    // expected
    }
    // delete the owner information
    ownerStore.delete(datasetId);
    Assert.assertFalse(ownerStore.exists(datasetId));
    Assert.assertNull(ownerStore.getOwner(datasetId));
}

Example 18 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by cdapio.

the class InMemoryOwnerStore method getOwners.

@Override
public synchronized <T extends NamespacedEntityId> Map<T, KerberosPrincipalId> getOwners(Set<T> ids) {
    ids.forEach(this::validate);
    Map<T, KerberosPrincipalId> result = new HashMap<>();
    for (T id : ids) {
        KerberosPrincipalId principalId = ownerInfo.get(id);
        if (principalId != null) {
            result.put(id, principalId);
        }
    }
    return result;
}

Example 19 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by cdapio.

the class DefaultUGIProviderTest method init.

@BeforeClass
public static void init() throws Exception {
    cConf = CConfiguration.create();
    cConf.set(Constants.CFG_LOCAL_DATA_DIR, TEMP_FOLDER.newFolder().getAbsolutePath());
    namespaceClient = new InMemoryNamespaceAdmin();
    // Start KDC
    miniKdc = new MiniKdc(MiniKdc.createConf(), TEMP_FOLDER.newFolder());
    miniKdc.start();
    System.setProperty("java.security.krb5.conf", miniKdc.getKrb5conf().getAbsolutePath());
    localKeytabDirPath = TEMP_FOLDER.newFolder();
    // Generate keytab
    aliceKeytabFile = createPrincipal(localKeytabDirPath, "alice");
    bobKeytabFile = createPrincipal(localKeytabDirPath, "bob");
    eveKeytabFile = createPrincipal(localKeytabDirPath, "eve");
    // construct Kerberos PrincipalIds
    aliceKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("alice"));
    bobKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("bob"));
    eveKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("eve"));
    // Start mini DFS cluster
    Configuration hConf = new Configuration();
    hConf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, TEMP_FOLDER.newFolder().getAbsolutePath());
    hConf.setBoolean("ipc.client.fallback-to-simple-auth-allowed", true);
    hConf.setBoolean("ignore.secure.ports.for.testing", true);
    miniDFSCluster = new MiniDFSCluster.Builder(hConf).numDataNodes(1).build();
    miniDFSCluster.waitClusterUp();
    locationFactory = new FileContextLocationFactory(miniDFSCluster.getFileSystem().getConf());
    hConf = new Configuration();
    hConf.set("hadoop.security.authentication", "kerberos");
    hConf.set("hadoop.security.auth_to_local", "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//");
    UserGroupInformation.setConfiguration(hConf);
    store = getInjector().getInstance(DefaultStore.class);
}

Example 20 with KerberosPrincipalId

use of io.cdap.cdap.proto.id.KerberosPrincipalId in project cdap by cdapio.

the class ProgramRunners method getApplicationPrincipal.

/**
 * Returns the application principal if there is one.
 *
 * @param programOptions the program options to extract information from
 * @return the application principal or {@code null} if no application principal is available.
 */
@Nullable
public static KerberosPrincipalId getApplicationPrincipal(ProgramOptions programOptions) {
    Arguments systemArgs = programOptions.getArguments();
    boolean hasAppPrincipal = Boolean.parseBoolean(systemArgs.getOption(ProgramOptionConstants.APP_PRINCIPAL_EXISTS));
    return hasAppPrincipal ? new KerberosPrincipalId(systemArgs.getOption(ProgramOptionConstants.PRINCIPAL)) : null;
}