use of io.cdap.cdap.security.impersonation.EntityImpersonator in project cdap by caskdata.
the class ArtifactStore method deleteMeta.
/**
 * Removes the stored metadata of one artifact and then deletes its jar file.
 *
 * <p>Rows are removed, in this order, from the artifact data table, the application class table,
 * the plugin data table and the universal plugin table. The jar at {@code oldMeta.getLocationPath()}
 * is deleted last, inside an {@link EntityImpersonator} built for the artifact's entity id.
 *
 * @param context table context used to look up each table
 * @param artifactId id of the artifact whose metadata is removed
 * @param oldMeta previously stored metadata; supplies the app classes, plugin classes, parent
 *                artifact ranges and jar location to clean up
 * @throws IOException if a table operation or the jar deletion fails with an I/O error
 */
private void deleteMeta(StructuredTableContext context, Id.Artifact artifactId, ArtifactData oldMeta)
  throws IOException {
  // 1. The artifact's own row.
  StructuredTable artifactDataTable = getTable(context, StoreDefinition.ArtifactStore.ARTIFACT_DATA_TABLE);
  ArtifactCell cell = new ArtifactCell(artifactId);
  artifactDataTable.delete(cell.keys);

  // 2. One range delete per application class the artifact declared.
  StructuredTable appDataTable = getTable(context, StoreDefinition.ArtifactStore.APP_DATA_TABLE);
  for (ApplicationClass applicationClass : oldMeta.meta.getClasses().getApps()) {
    AppClassKey key = new AppClassKey(artifactId.getNamespace().toEntityId(), applicationClass.getClassName());
    deleteRangeFromTable(appDataTable, Range.singleton(key.keys));
  }

  // 3. Plugin rows. The plugin classes are walked twice (here and in step 4) so that only one
  //    table is accessed at a time; the original author notes this is to prevent deadlock.
  StructuredTable pluginTable = getTable(context, StoreDefinition.ArtifactStore.PLUGIN_DATA_TABLE);
  for (PluginClass plugin : oldMeta.meta.getClasses().getPlugins()) {
    // One row per parent artifact range that this plugin extends.
    for (ArtifactRange parentRange : oldMeta.meta.getUsableBy()) {
      // Namespace, parent name, plugin type and plugin name are prefixes of the plugin table primary key.
      PluginKeyPrefix prefix = new PluginKeyPrefix(parentRange.getNamespace(), parentRange.getName(),
                                                   plugin.getType(), plugin.getName());
      pluginTable.delete(concatFields(prefix.keys, cell.keys));
    }
  }

  // 4. Universal plugin rows, which are only removed when the artifact has no parent ranges at all.
  StructuredTable universalPluginTable = getTable(context, StoreDefinition.ArtifactStore.UNIV_PLUGIN_DATA_TABLE);
  for (PluginClass plugin : oldMeta.meta.getClasses().getPlugins()) {
    if (oldMeta.meta.getUsableBy().isEmpty()) {
      UniversalPluginKeyPrefix prefix = new UniversalPluginKeyPrefix(artifactId.getNamespace().getId(),
                                                                     plugin.getType(), plugin.getName());
      universalPluginTable.delete(concatFields(prefix.keys, cell.keys));
    }
  }

  // 5. The jar itself. Both the location lookup and the delete run inside the impersonated call,
  //    so the file-system access happens with whatever identity EntityImpersonator resolves for
  //    this artifact (presumably the owner of the artifact's namespace; confirm against
  //    EntityImpersonator).
  // NOTE(review): the result of delete() is discarded. If this Location API signals failure
  // through its return value rather than an exception, a jar that could not be removed would
  // stay on storage unnoticed after its metadata rows are gone; confirm and consider logging.
  // NOTE(review): whether the row deletes above are rolled back when this step throws depends on
  // the transaction that owns `context`, which is not visible here.
  try {
    new EntityImpersonator(artifactId.toEntityId(), impersonator).impersonate(() -> {
      Locations.getLocationFromAbsolutePath(locationFactory, oldMeta.getLocationPath()).delete();
      return null;
    });
  } catch (Exception e) {
    // IOException (and unchecked throwables) are rethrown unchanged; any other checked exception
    // is not expected here and gets wrapped in a RuntimeException.
    Throwables.propagateIfPossible(e, IOException.class);
    throw Throwables.propagate(e);
  }
}
use of io.cdap.cdap.security.impersonation.EntityImpersonator in project cdap by caskdata.
the class SystemAppTask method run.
/**
 * Runs the system app task named in the embedded request of the given context.
 *
 * <p>The artifact referenced by the context is localized, a class loader is created for it using an
 * {@link EntityImpersonator} for the artifact's entity id, and the requested class is loaded from
 * that class loader. The class is checked to be a {@link RunnableTask} before the injector
 * instantiates it.
 *
 * @param context the incoming task context; must carry an artifact id
 * @throws IllegalArgumentException if the context has no artifact id
 * @throws ClassCastException if the requested class is not a {@link RunnableTask}
 * @throws Exception anything raised while preparing or running the task
 */
@Override
public void run(RunnableTaskContext context) throws Exception {
  ArtifactId requestedArtifact = context.getArtifactId();
  if (requestedArtifact == null) {
    throw new IllegalArgumentException("Missing artifactId from the system app task request");
  }
  LOG.debug("Received system app task for artifact {}", requestedArtifact);

  Injector injector = createInjector(cConf);
  ArtifactRepository repository = injector.getInstance(ArtifactRepository.class);
  Impersonator impersonator = injector.getInstance(Impersonator.class);

  String namespace = context.getNamespace();
  Id.Artifact artifactId = Id.Artifact.from(Id.Namespace.from(namespace), requestedArtifact.getName(),
                                            requestedArtifact.getVersion());

  ArtifactLocalizerClient localizer = injector.getInstance(ArtifactLocalizerClient.class);
  File unpackedDir = localizer.getUnpackedArtifactLocation(
    Artifacts.toProtoArtifactId(new NamespaceId(namespace), requestedArtifact));

  // The impersonator handed to the repository is scoped to this artifact's entity id.
  EntityImpersonator classLoaderImpersonator = new EntityImpersonator(artifactId.toEntityId(), impersonator);
  ArtifactDescriptor descriptor = new ArtifactDescriptor(artifactId.getNamespace().getId(),
                                                         artifactId.toArtifactId(),
                                                         Locations.toLocation(unpackedDir));

  try (CloseableClassLoader artifactClassLoader =
         repository.createArtifactClassLoader(descriptor, classLoaderImpersonator);
       SystemAppTaskContext systemAppTaskContext =
         buildTaskSystemAppContext(injector, namespace, requestedArtifact, artifactClassLoader)) {
    RunnableTaskRequest embeddedRequest = context.getEmbeddedRequest();
    String taskClassName = embeddedRequest.getClassName();
    if (taskClassName == null) {
      LOG.debug("No system app task to execute");
      return;
    }
    LOG.debug("Requested to run system app task {}", taskClassName);

    // The class name is taken from the request, so it is resolved through the artifact class
    // loader and type-checked here, before the injector instantiates it below.
    Class<?> taskClass = artifactClassLoader.loadClass(taskClassName);
    if (!RunnableTask.class.isAssignableFrom(taskClass)) {
      throw new ClassCastException(String.format("%s is not a RunnableTask", taskClassName));
    }

    LOG.debug("Launching system app task {}", taskClassName);
    RunnableTask task = (RunnableTask) injector.getInstance(taskClass);

    // The task gets its own context: the simple param of the embedded request plus the system app
    // context, with three constructor arguments left null. Result writing and the
    // terminate-on-complete flag are forwarded to the outer context.
    RunnableTaskContext delegatingContext =
      new RunnableTaskContext(embeddedRequest.getParam().getSimpleParam(), null, null, null,
                              systemAppTaskContext) {
        @Override
        public void writeResult(byte[] data) throws IOException {
          context.writeResult(data);
        }

        @Override
        public void setTerminateOnComplete(boolean terminate) {
          context.setTerminateOnComplete(terminate);
        }

        @Override
        public boolean isTerminateOnComplete() {
          return context.isTerminateOnComplete();
        }
      };

    task.run(delegatingContext);
    LOG.debug("System app task completed {}", taskClassName);
  }
}
use of io.cdap.cdap.security.impersonation.EntityImpersonator in project cdap by caskdata.
the class DeployDatasetModulesStage method process.
/**
* Deploys dataset modules specified in the given application spec.
*
* @param input An instance of {@link ApplicationDeployable}
*/
@Override
public void process(ApplicationDeployable input) throws Exception {
  Map<String, String> modules = input.getSpecification().getDatasetModules();

  if (!allowCustomModule) {
    // Custom modules are switched off: reject the deployment as soon as any module in the spec is
    // not a system module, before any artifact class loader is created.
    if (deployer.hasNonSystemDatasetModules(modules)) {
      throw new IllegalStateException("Custom dataset module is not supported. "
                                        + "One of the dataset module is a custom module: " + modules);
    }
  } else {
    KerberosPrincipalId ownerPrincipal = input.getOwnerPrincipal();
    // The user on whose behalf the modules are deployed, resolved by AuthorizationUtil from the
    // owner admin, the authentication context, the application id and the owner principal.
    String authorizingUser = AuthorizationUtil.getAppAuthorizingUser(ownerAdmin, authenticationContext,
                                                                     input.getApplicationId(), ownerPrincipal);

    // The artifact class loader is created through an impersonator scoped to the artifact id.
    EntityImpersonator classLoaderImpersonator = new EntityImpersonator(input.getArtifactId(), impersonator);
    ArtifactDescriptor descriptor = new ArtifactDescriptor(input.getArtifactId().getNamespace(),
                                                           input.getArtifactId().toApiArtifactId(),
                                                           input.getArtifactLocation());
    try (CloseableClassLoader classLoader =
           artifactRepository.createArtifactClassLoader(descriptor, classLoaderImpersonator)) {
      deployer.deployModules(input.getApplicationId().getParent(), modules, input.getArtifactLocation(),
                             classLoader, authorizingUser);
    }
  }

  // Hand the unchanged input to the next stage.
  emit(input);
}
use of io.cdap.cdap.security.impersonation.EntityImpersonator in project cdap by caskdata.
the class ApplicationLifecycleService method updateApplicationInternal.
/**
* Updates an application config by applying given update actions. The app should know how to apply these actions
* to its config.
*/
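private void updateApplicationInternal(ApplicationId appId, @Nullable String currentConfigStr,
                                       ProgramTerminator programTerminator, ArtifactDetail artifactDetail,
                                       List<ApplicationConfigUpdateAction> updateActions,
                                       Set<ArtifactScope> allowedArtifactScopes, boolean allowSnapshot,
                                       @Nullable KerberosPrincipalId ownerPrincipal,
                                       boolean updateSchedules) throws Exception {
  // Flow: take the first application class recorded in the artifact metadata, load it from the
  // artifact class loader, let the application compute its updated config, then redeploy the
  // application with that config and publish an app-creation event.
  //
  // Throws IllegalStateException when the artifact has no application class or the loaded class
  // is not an Application, UnsupportedOperationException when the application does not support
  // update, and otherwise whatever the class loading, update or deployment steps raise.
  ApplicationClass appClass = Iterables.getFirst(artifactDetail.getMeta().getClasses().getApps(), null);
  if (appClass == null) {
    // This should never happen.
    throw new IllegalStateException(String.format("No application class found in artifact '%s' in namespace '%s'.",
                                                  artifactDetail.getDescriptor().getArtifactId(),
                                                  appId.getParent()));
  }

  io.cdap.cdap.proto.id.ArtifactId artifactId =
    Artifacts.toProtoArtifactId(appId.getParent(), artifactDetail.getDescriptor().getArtifactId());
  // The class loader is created through an impersonator scoped to the artifact id.
  EntityImpersonator classLoaderImpersonator = new EntityImpersonator(artifactId, this.impersonator);

  String updatedAppConfig;
  DefaultApplicationUpdateContext updateContext =
    new DefaultApplicationUpdateContext(appId.getParent(), appId, artifactDetail.getDescriptor().getArtifactId(),
                                        artifactRepository, currentConfigStr, updateActions,
                                        allowedArtifactScopes, allowSnapshot);
  try (CloseableClassLoader artifactClassLoader =
         artifactRepository.createArtifactClassLoader(artifactDetail.getDescriptor(), classLoaderImpersonator)) {
    Class<?> appMainClass = artifactClassLoader.loadClass(appClass.getClassName());
    // Check the type BEFORE instantiating. The class comes from a deployed artifact, and creating
    // an instance runs its static initializers and constructor; a class that is not an
    // Application is rejected without executing any of its code. The message is the same one the
    // post-instantiation check used to produce.
    if (!Application.class.isAssignableFrom(appMainClass)) {
      throw new IllegalStateException(String.format("Application main class is of invalid type: %s",
                                                    appMainClass.getName()));
    }
    // Class.newInstance() is kept (rather than getDeclaredConstructor().newInstance()) so that
    // exceptions thrown by the constructor still propagate unwrapped to callers.
    Application app = (Application) appMainClass.newInstance();
    Type configType = Artifacts.getConfigType(app.getClass());
    if (!app.isUpdateSupported()) {
      String errorMessage = String.format("Application %s does not support update.", appId);
      throw new UnsupportedOperationException(errorMessage);
    }
    // Run config update logic for the application to generate updated config.
    ApplicationUpdateResult<?> updateResult = app.updateConfig(updateContext);
    updatedAppConfig = GSON.toJson(updateResult.getNewConfig(), configType);
  }

  // Deploy application with potentially new app config and new artifact.
  AppDeploymentInfo deploymentInfo =
    new AppDeploymentInfo(artifactId, artifactDetail.getDescriptor().getLocation(), appId.getParent(), appClass,
                          appId.getApplication(), appId.getVersion(), updatedAppConfig, ownerPrincipal,
                          updateSchedules, null);
  Manager<AppDeploymentInfo, ApplicationWithPrograms> manager = managerFactory.create(programTerminator);
  // TODO: (CDAP-3258) Manager needs MUCH better error handling.
  ApplicationWithPrograms applicationWithPrograms;
  try {
    applicationWithPrograms = manager.deploy(deploymentInfo).get();
  } catch (ExecutionException e) {
    // Surface the real failure: rethrow the cause as-is when it is an Exception (or unchecked),
    // otherwise wrap it in a RuntimeException.
    Throwables.propagateIfPossible(e.getCause(), Exception.class);
    throw Throwables.propagate(e.getCause());
  }
  adminEventPublisher.publishAppCreation(applicationWithPrograms.getApplicationId(),
                                         applicationWithPrograms.getSpecification());
}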
use of io.cdap.cdap.security.impersonation.EntityImpersonator in project cdap by caskdata.
the class DefaultArtifactInspector method inspectArtifact.
/**
* Inspect the given artifact to determine the classes contained in the artifact.
*
* @param artifactId the id of the artifact to inspect
* @param artifactFile the artifact file
* @param parentDescriptor {@link ArtifactDescriptor} of parent and grandparent (if any) artifacts.
* @param additionalPlugins Additional plugin classes
* @return metadata about the classes contained in the artifact
* @throws IOException if there was an exception opening the jar file
* @throws InvalidArtifactException if the artifact is invalid. For example, if the application main class is not
* actually an Application.
*/
@Override
public ArtifactClassesWithMetadata inspectArtifact(Id.Artifact artifactId, File artifactFile,
                                                   List<ArtifactDescriptor> parentDescriptor,
                                                   Set<PluginClass> additionalPlugins)
  throws IOException, InvalidArtifactException {
  // All scratch space lives under <local data dir>/<app-fabric temp dir>, both read from cConf.
  String localDataDir = cConf.get(Constants.CFG_LOCAL_DATA_DIR);
  String tempDirName = cConf.get(Constants.AppFabric.TEMP_DIR);
  Path tmpRoot = Paths.get(localDataDir, tempDirName).toAbsolutePath();
  Files.createDirectories(tmpRoot);

  Location artifactLocation = Locations.toLocation(artifactFile);
  // Parent class loaders are created through an impersonator scoped to this artifact's entity id.
  EntityImpersonator entityImpersonator = new EntityImpersonator(artifactId.toEntityId(), impersonator);

  // Per-call staging directory, prefixed with the artifact file name. The "unpacked-" and
  // "plugins-" directories below are created inside it, so the cleanup in the finally block
  // covers everything this call wrote.
  // NOTE(review): no file attributes are passed, so the directory gets the platform default
  // permissions for createTempDirectory; confirm that is restrictive enough on shared hosts.
  Path stagingDir = Files.createTempDirectory(tmpRoot, artifactFile.getName());

  // Resources are declared in dependency order and closed in reverse. createParentClassLoader
  // can evidently yield null (the conditional below handles it); try-with-resources skips
  // closing a null resource.
  // NOTE(review): handling of archive entry paths during unpacking is the responsibility of
  // BundleJarUtil.prepareClassLoaderFolder, which is not visible here.
  try (ClassLoaderFolder unpacked = BundleJarUtil.prepareClassLoaderFolder(
         artifactLocation, () -> Files.createTempDirectory(stagingDir, "unpacked-").toFile());
       CloseableClassLoader parentClassLoader = createParentClassLoader(parentDescriptor, entityImpersonator);
       CloseableClassLoader artifactClassLoader = artifactClassLoaderFactory.createClassLoader(unpacked.getDir());
       PluginInstantiator pluginInstantiator = new PluginInstantiator(
         cConf, parentClassLoader != null ? parentClassLoader : artifactClassLoader,
         Files.createTempDirectory(stagingDir, "plugins-").toFile(), false)) {
    pluginInstantiator.addArtifact(artifactLocation, artifactId.toArtifactId());

    ArtifactClasses.Builder classesBuilder =
      inspectApplications(artifactId, ArtifactClasses.builder(), artifactLocation, artifactClassLoader);
    List<MetadataMutation> metadataMutations = new ArrayList<>();
    inspectPlugins(classesBuilder, artifactFile, artifactId.toEntityId(), pluginInstantiator, additionalPlugins,
                   metadataMutations);
    return new ArtifactClassesWithMetadata(classesBuilder.build(), metadataMutations);
  } catch (EOFException | ZipException e) {
    // A truncated or malformed archive is reported as an invalid artifact, not as an I/O failure.
    throw new InvalidArtifactException("Artifact " + artifactId + " is not a valid zip file.", e);
  } finally {
    // Best-effort cleanup: a failure here is logged and never masks the result or the exception
    // of the inspection itself.
    try {
      DirUtils.deleteDirectoryContents(stagingDir.toFile());
    } catch (IOException e) {
      LOG.warn("Exception raised while deleting directory {}", stagingDir, e);
    }
  }
}