Use of io.cdap.cdap.security.spi.AccessIOException in project cdap by caskdata.
Class AuthorizationClient, method listRolesHelper.
/**
 * Fetches roles from the authorization service: every role when {@code principal} is
 * {@code null}, otherwise only the roles granted to that principal.
 * <p>
 * NOTE(review): {@code principal.getType()} and {@code principal.getName()} are spliced into the
 * URL path verbatim, with no escaping. A name containing path or query delimiters ({@code /},
 * {@code ?}, {@code #}) would change the request target; confirm what characters the server accepts
 * in principal names before this is reachable with untrusted input.
 *
 * @param principal the principal whose roles are listed, or {@code null} for all roles
 * @return the role set decoded from the JSON response body
 * @throws AccessIOException if the server answers with anything other than {@code 200 OK}
 * @throws AccessException for failures raised while executing the request
 */
private Set<Role> listRolesHelper(@Nullable Principal principal) throws AccessException {
  String path;
  if (principal == null) {
    path = AUTHORIZATION_BASE + "roles";
  } else {
    path = String.format(AUTHORIZATION_BASE + "%s/%s/roles", principal.getType(), principal.getName());
  }
  HttpResponse response = doExecuteRequest(HttpRequest.get(resolveURL(path)).build());
  if (response.getResponseCode() != HttpURLConnection.HTTP_OK) {
    // Any non-200 that the REST client let through is surfaced with the server's explanation.
    throw new AccessIOException(String.format("Cannot list roles. Reason: %s", response.getResponseBodyAsString()));
  }
  return ObjectResponse.fromJsonBody(response, TYPE_OF_ROLE_SET).getResponseObject();
}
Use of io.cdap.cdap.security.spi.AccessIOException in project cdap by caskdata.
Class DefaultUGIProvider, method createUGI.
/**
 * Resolves the {@link UserGroupInformation} for a given user, performing any keytab localization, if necessary.
 * <p>
 * Resolution order:
 * <ol>
 *   <li>a principal/keytab pair supplied through the runtime arguments of the requested entity;</li>
 *   <li>the user this process already runs as, when its short name matches the requested principal;</li>
 *   <li>a keytab login using the keytab URI carried by the request, copying the keytab to the local
 *       filesystem first when the URI is not a local {@code file} path.</li>
 * </ol>
 * Security notes (review): step 1 lets whoever controls the entity's runtime arguments choose an
 * arbitrary principal and any keytab path readable by this process, so the ability to set
 * {@code SystemArguments.RUNTIME_KEYTAB_PATH} / {@code RUNTIME_PRINCIPAL_NAME} is a privileged
 * operation. In step 3 the localized keytab copy is deleted in a {@code finally}, but a failed delete is
 * only logged, which can leave credential material on local disk.
 *
 * @param impersonationRequest the principal and keytab URI to log in with, plus the entity whose
 *                             runtime arguments are consulted first
 * @return a {@link UserGroupInformation}, based upon the information configured for a particular user
 * @throws AccessIOException if no keytab URI is present, the keytab is not readable, or an
 *                           {@link IOException} occurs during localization or login
 * @throws AccessException if the Kerberos login from the keytab fails
 */
@Override
protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws AccessException {
  try {
    // 1. Runtime arguments of the entity may carry an explicit principal and keytab.
    Map<String, String> runtimeProps = getRuntimeProperties(impersonationRequest.getEntityId());
    if (runtimeProps != null
        && runtimeProps.containsKey(SystemArguments.RUNTIME_KEYTAB_PATH)
        && runtimeProps.containsKey(SystemArguments.RUNTIME_PRINCIPAL_NAME)) {
      String runtimeKeytab = runtimeProps.get(SystemArguments.RUNTIME_KEYTAB_PATH);
      String runtimePrincipal = runtimeProps.get(SystemArguments.RUNTIME_PRINCIPAL_NAME);
      LOG.debug("Using runtime config principal: {}, keytab: {}", runtimePrincipal, runtimeKeytab);
      UserGroupInformation runtimeUgi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(runtimePrincipal, runtimeKeytab);
      return new UGIWithPrincipal(runtimePrincipal, runtimeUgi);
    }

    // 2. Already running as the requested user: no login needed, hand back the current UGI.
    String requestedPrincipal = impersonationRequest.getPrincipal();
    String requestedShortName = new KerberosName(requestedPrincipal).getShortName();
    if (UserGroupInformation.getCurrentUser().getShortUserName().equals(requestedShortName)) {
      return new UGIWithPrincipal(requestedPrincipal, UserGroupInformation.getCurrentUser());
    }

    // 3. Log in from the keytab named by the request.
    String keytabUriString = impersonationRequest.getKeytabURI();
    if (keytabUriString == null) {
      throw new AccessIOException("Missing keytab file from the impersonation request " + impersonationRequest);
    }
    URI keytabUri = URI.create(keytabUriString);
    String scheme = keytabUri.getScheme();
    boolean keytabIsLocal = scheme == null || "file".equals(scheme);
    File keytabFile = keytabIsLocal
      ? new File(keytabUri.getPath())
      : localizeKeytab(locationFactory.create(keytabUri));
    try {
      return loginFromKeytab(requestedPrincipal, keytabFile, keytabUri);
    } finally {
      // The localized copy holds credential material: remove it whether or not the login succeeded.
      if (!keytabIsLocal && !keytabFile.delete()) {
        LOG.warn("Failed to delete file: {}", keytabFile);
      }
    }
  } catch (IOException e) {
    throw new AccessIOException(e);
  }
}

/**
 * Logs in {@code principal} (after host/realm expansion) using {@code keytabFile}.
 *
 * @param principal the principal as given in the impersonation request; returned unexpanded in the result
 * @param keytabFile the keytab on the local filesystem
 * @param keytabUri the original keytab URI, used only for the error message
 * @return the logged-in UGI paired with the requested principal
 * @throws AccessIOException if {@code keytabFile} is not readable
 * @throws AccessException if the keytab login fails
 * @throws IOException propagated from principal expansion
 */
private UGIWithPrincipal loginFromKeytab(String principal, File keytabFile, URI keytabUri)
  throws IOException, AccessException {
  String expandedPrincipal = SecurityUtil.expandPrincipal(principal);
  LOG.debug("Logging in as: principal={}, keytab={}", expandedPrincipal, keytabFile);
  // Check readability up front so a local and a localized keytab fail with the same exception.
  if (!Files.isReadable(keytabFile.toPath())) {
    throw new AccessIOException(String.format("Keytab file is not a readable file: %s", keytabFile));
  }
  UserGroupInformation ugi;
  try {
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(expandedPrincipal, keytabFile.getAbsolutePath());
  } catch (Exception e) {
    throw new AccessException(String.format("Failed to login for principal=%s, keytab=%s. Check that " + "the principal was not deleted and that the keytab is still valid.", expandedPrincipal, keytabUri), e);
  }
  return new UGIWithPrincipal(principal, ugi);
}
Use of io.cdap.cdap.security.spi.AccessIOException in project cdap by caskdata.
Class SecurityUtil, method getKeytabURIforPrincipal.
/**
 * Derives the keytab location for {@code principal} by substituting the principal's short name for
 * {@link Constants#USER_NAME_SPECIFIER} in the configured keytab path template.
 * <p>
 * NOTE(review): the short name is inserted into a filesystem path without further validation here. It
 * is produced by Hadoop's {@code auth_to_local} rules, so whether it can ever contain path separators or
 * {@code ..} segments depends on that configuration — worth confirming on deployments that accept
 * externally supplied principals.
 *
 * @param principal The principal whose KeytabURI is being looked up
 * @param cConf To lookup the configured path for the keytabs
 * @return The location of the keytab
 * @throws IllegalArgumentException if {@link Constants.Security#KEYTAB_PATH} is not configured
 * @throws AccessIOException if the principal is not a valid kerberos principal (the underlying
 *                           {@link IOException} is wrapped)
 */
static String getKeytabURIforPrincipal(String principal, CConfiguration cConf) throws AccessException {
  String template = cConf.getRaw(Constants.Security.KEYTAB_PATH);
  if (template == null) {
    throw new IllegalArgumentException(String.format("Failed to get a valid keytab path. " + "Please ensure that you have specified %s in cdap-site.xml", Constants.Security.KEYTAB_PATH));
  }
  String shortName;
  try {
    shortName = new KerberosName(principal).getShortName();
  } catch (IOException e) {
    throw new AccessIOException(e);
  }
  return template.replace(Constants.USER_NAME_SPECIFIER, shortName);
}
Use of io.cdap.cdap.security.spi.AccessIOException in project cdap by caskdata.
Class AuthorizationClient, method doExecuteRequest.
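/**
 * Executes {@code request} through the REST client, attaching the configured access token.
 * <p>
 * A {@code 501 Not Implemented} reply is always tolerated by the client and turned into a
 * {@link FeatureDisabledException}: if the response body mentions "authentication" the disabled
 * feature is reported as authentication, otherwise as authorization. This relies on the wording of
 * the server's error body rather than a structured field, so a changed server message silently
 * degrades to the authorization diagnosis.
 *
 * @param request the request to execute
 * @param additionalAllowedErrorCodes further HTTP status codes the caller wants returned instead of
 *                                    raised by the REST client; the caller inspects the response code
 * @return the response, whose code is either successful or one of the allowed error codes
 * @throws FeatureDisabledException if the server answered 501 because the security feature is off
 * @throws AccessIOException if the request fails with an {@link IOException}
 */
private HttpResponse doExecuteRequest(HttpRequest request, int... additionalAllowedErrorCodes) throws AccessException {
  try {
    // Fix: the array used to be sized for two extra codes while only 501 was ever stored, which left a
    // stray 0 entry at the end. Size it for exactly the caller's codes plus 501.
    int[] allowedErrorCodes = new int[additionalAllowedErrorCodes.length + 1];
    System.arraycopy(additionalAllowedErrorCodes, 0, allowedErrorCodes, 0, additionalAllowedErrorCodes.length);
    allowedErrorCodes[additionalAllowedErrorCodes.length] = HttpURLConnection.HTTP_NOT_IMPLEMENTED;
    HttpResponse response = restClient.execute(request, config.getAccessToken(), allowedErrorCodes);
    if (response.getResponseCode() != HttpURLConnection.HTTP_NOT_IMPLEMENTED) {
      return response;
    }
    FeatureDisabledException.Feature feature = FeatureDisabledException.Feature.AUTHORIZATION;
    String enableConfig = Constants.Security.Authorization.ENABLED;
    // Locale.ROOT keeps the case-fold independent of the JVM default locale (e.g. Turkish dotless i).
    if (response.getResponseBodyAsString().toLowerCase(java.util.Locale.ROOT).contains("authentication")) {
      feature = FeatureDisabledException.Feature.AUTHENTICATION;
      enableConfig = Constants.Security.ENABLED;
    }
    throw new FeatureDisabledException(feature, FeatureDisabledException.CDAP_SITE, enableConfig, "true");
  } catch (IOException e) {
    throw new AccessIOException(e);
  }
}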
Use of io.cdap.cdap.security.spi.AccessIOException in project cdap by caskdata.
Class AuthorizationClient, method listGrants.
/**
 * Lists the privileges granted to {@code principal}.
 * <p>
 * NOTE(review): the principal type and name are placed in the URL path unescaped; a name containing
 * path or query delimiters ({@code /}, {@code ?}, {@code #}) would alter the request target. Confirm the
 * character set the server accepts for principal names before exposing this to untrusted input.
 *
 * @param principal the principal whose grants are requested
 * @return the granted permissions decoded from the JSON response body
 * @throws AccessIOException if the response code is not {@code 200 OK}
 * @throws AccessException for failures raised while executing the request
 */
@Override
public Set<GrantedPermission> listGrants(Principal principal) throws AccessException {
  URL url = resolveURL(String.format(AUTHORIZATION_BASE + "%s/%s/privileges", principal.getType(), principal.getName()));
  HttpResponse response = doExecuteRequest(HttpRequest.get(url).build());
  if (response.getResponseCode() != HttpURLConnection.HTTP_OK) {
    // Any non-200 the REST client let through is surfaced with the server's explanation.
    throw new AccessIOException(String.format("Cannot list privileges. Reason: %s", response.getResponseBodyAsString()));
  }
  return ObjectResponse.fromJsonBody(response, TYPE_OF_PRIVILEGE_SET, GSON).getResponseObject();
}