Example 1 with PrincipalCredentials
use of io.cdap.cdap.security.impersonation.PrincipalCredentials in project cdap by caskdata.
the class ImpersonationHandler method getCredentials.
@POST
@Path("/credentials")
public void getCredentials(FullHttpRequest request, HttpResponder responder) throws Exception {
String requestContent = request.content().toString(StandardCharsets.UTF_8);
if (requestContent == null) {
throw new BadRequestException("Request body is empty.");
}
ImpersonationRequest impersonationRequest = GSON.fromJson(requestContent, ImpersonationRequest.class);
LOG.debug("Fetching credentials for {}", impersonationRequest);
UGIWithPrincipal ugiWithPrincipal;
try {
ugiWithPrincipal = ugiProvider.getConfiguredUGI(impersonationRequest);
} catch (AccessException e) {
throw new ServiceException(e, HttpResponseStatus.INTERNAL_SERVER_ERROR);
}
Credentials credentials = ImpersonationUtils.doAs(ugiWithPrincipal.getUGI(), new Callable<Credentials>() {
@Override
public Credentials call() throws Exception {
return tokenSecureStoreRenewer.createCredentials();
}
});
// example: hdfs:///cdap/credentials
Location credentialsDir = locationFactory.create("credentials");
if (credentialsDir.isDirectory() || credentialsDir.mkdirs() || credentialsDir.isDirectory()) {
// the getTempFile() doesn't create the file within the directory that you call it on. It simply appends the path
// without a separator, which is why we manually append the "tmp"
// example: hdfs:///cdap/credentials/tmp.5960fe60-6fd8-4f3e-8e92-3fb6d4726006.credentials
Location credentialsFile = credentialsDir.append("tmp").getTempFile(".credentials");
// 600 is owner-only READ_WRITE
try (DataOutputStream os = new DataOutputStream(new BufferedOutputStream(credentialsFile.getOutputStream("600")))) {
credentials.writeTokenStorageToStream(os);
}
LOG.debug("Wrote credentials for user {} to {}", ugiWithPrincipal.getPrincipal(), credentialsFile);
PrincipalCredentials principalCredentials = new PrincipalCredentials(ugiWithPrincipal.getPrincipal(), credentialsFile.toURI().toString());
responder.sendJson(HttpResponseStatus.OK, GSON.toJson(principalCredentials));
} else {
throw new IllegalStateException("Unable to create credentials directory.");
}
}
Also used :
PrincipalCredentials(io.cdap.cdap.security.impersonation.PrincipalCredentials)
UGIWithPrincipal(io.cdap.cdap.security.impersonation.UGIWithPrincipal)
DataOutputStream(java.io.DataOutputStream)
AccessException(io.cdap.cdap.api.security.AccessException)
ServiceException(io.cdap.cdap.common.ServiceException)
IOException(java.io.IOException)
BadRequestException(io.cdap.cdap.common.BadRequestException)
AccessException(io.cdap.cdap.api.security.AccessException)
ServiceException(io.cdap.cdap.common.ServiceException)
ImpersonationRequest(io.cdap.cdap.security.impersonation.ImpersonationRequest)
BadRequestException(io.cdap.cdap.common.BadRequestException)
BufferedOutputStream(java.io.BufferedOutputStream)
Credentials(org.apache.hadoop.security.Credentials)
PrincipalCredentials(io.cdap.cdap.security.impersonation.PrincipalCredentials)
Location(org.apache.twill.filesystem.Location)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Aggregations
AccessException (io.cdap.cdap.api.security.AccessException)1
BadRequestException (io.cdap.cdap.common.BadRequestException)1
ServiceException (io.cdap.cdap.common.ServiceException)1
ImpersonationRequest (io.cdap.cdap.security.impersonation.ImpersonationRequest)1
PrincipalCredentials (io.cdap.cdap.security.impersonation.PrincipalCredentials)1
UGIWithPrincipal (io.cdap.cdap.security.impersonation.UGIWithPrincipal)1
BufferedOutputStream (java.io.BufferedOutputStream)1
DataOutputStream (java.io.DataOutputStream)1
IOException (java.io.IOException)1
POST (javax.ws.rs.POST)1
Path (javax.ws.rs.Path)1
Credentials (org.apache.hadoop.security.Credentials)1
Location (org.apache.twill.filesystem.Location)1
