Use of io.hops.hopsworks.exceptions.HopsSecurityException in the project hopsworks by logicalclocks.
The class FeaturegroupService, method deleteFeaturegroupContents.
/**
 * Endpoint for deleting the contents of a featuregroup while keeping its metadata.
 * <p>
 * HopsHive does not support ACID transactions, so the only way to empty a table is to drop it and
 * re-create it. Dropping the table also drops the featuregroup metadata (ON DELETE CASCADE foreign key
 * rule), so the controller keeps a copy of the metadata and re-creates the featuregroup with it.
 * <p>
 * Typically used when a client wants to write to a featuregroup with write-mode 'overwrite'
 * rather than the default 'append'.
 * <p>
 * Access control: the annotations below restrict the call to project members holding the data-owner or
 * data-scientist role, authenticated with a JWT (API or JOB audience) or an API key with the featurestore
 * scope. No additional ownership check is performed in this method; any further authorization presumably
 * happens in {@code featuregroupController.clearFeaturegroup}, which declares {@code HopsSecurityException}.
 *
 * @param sc the security context populated by the authentication filter; used to resolve the caller
 * @param featuregroupId the id of the featuregroup to clear; must be provided
 * @return 200 with the JSON metadata of the re-created featuregroup
 * @throws FeaturestoreException if the id is missing, the featuregroup cannot be found, or clearing it
 *     fails (COULD_NOT_CLEAR_FEATUREGROUP wraps SQL, I/O, provenance and security errors)
 * @throws ServiceException propagated from the controller
 * @throws KafkaException propagated from the controller
 * @throws SchemaException propagated from the controller
 * @throws ProjectException propagated from the controller
 * @throws UserException propagated from the controller
 */
@POST
@Path("/{featuregroupId}/clear")
@Produces(MediaType.APPLICATION_JSON)
@AllowedProjectRoles({ AllowedProjectRoles.DATA_OWNER, AllowedProjectRoles.DATA_SCIENTIST })
@JWTRequired(acceptedTokens = { Audience.API, Audience.JOB }, allowedUserRoles = { "HOPS_ADMIN", "HOPS_USER" })
@ApiKeyRequired(acceptedScopes = { ApiScope.FEATURESTORE }, allowedUserRoles = { "HOPS_ADMIN", "HOPS_USER" })
@ApiOperation(value = "Delete featuregroup contents")
public Response deleteFeaturegroupContents(@Context SecurityContext sc,
    @ApiParam(value = "Id of the featuregroup", required = true) @PathParam("featuregroupId") Integer featuregroupId)
    throws FeaturestoreException, ServiceException, KafkaException, SchemaException, ProjectException, UserException {
  verifyIdProvided(featuregroupId);
  Users caller = jWTHelper.getUserPrincipal(sc);
  // Resolve the featuregroup within this resource's featurestore; authorization beyond the
  // annotations above is not done here (presumably inside clearFeaturegroup — confirm)
  Featuregroup target = featuregroupController.getFeaturegroupById(featurestore, featuregroupId);
  try {
    FeaturegroupDTO recreated = featuregroupController.clearFeaturegroup(target, project, caller);
    return Response.ok(recreated).build();
  } catch (SQLException | IOException | ProvenanceException | HopsSecurityException e) {
    String context = "project: " + project.getName() + ", featurestoreId: " + featurestore.getId()
        + ", featuregroupId: " + featuregroupId;
    throw new FeaturestoreException(RESTCodes.FeaturestoreErrorCode.COULD_NOT_CLEAR_FEATUREGROUP, Level.SEVERE,
        context, e.getMessage(), e);
  }
}
Use of io.hops.hopsworks.exceptions.HopsSecurityException in the project hopsworks by logicalclocks.
The class FeaturegroupService, method createFeaturegroup.
/**
 * Endpoint for creating a new featuregroup in this resource's featurestore.
 * <p>
 * Access control is enforced by the annotations below (project data-owner or data-scientist role, with a
 * JWT or an API key carrying the featurestore scope). A featuregroup that already exists is rejected
 * before anything is created. The response is marked non-cacheable.
 *
 * @param sc the security context populated by the authentication filter; used to resolve the caller
 * @param featuregroupDTO JSON payload describing the new featuregroup; must not be null
 * @return 201 with the JSON metadata of the created featuregroup
 * @throws IllegalArgumentException if the payload is missing
 * @throws FeaturestoreException if a featuregroup with the same identity already exists
 *     (FEATUREGROUP_EXISTS) or creation fails (COULD_NOT_CREATE_FEATUREGROUP wraps SQL, provenance, I/O
 *     and security errors)
 * @throws ServiceException propagated from the controller
 * @throws KafkaException propagated from the controller
 * @throws SchemaException propagated from the controller
 * @throws ProjectException propagated from the controller
 * @throws UserException propagated from the controller
 */
@POST
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@AllowedProjectRoles({ AllowedProjectRoles.DATA_OWNER, AllowedProjectRoles.DATA_SCIENTIST })
@JWTRequired(acceptedTokens = { Audience.API, Audience.JOB }, allowedUserRoles = { "HOPS_ADMIN", "HOPS_USER" })
@ApiKeyRequired(acceptedScopes = { ApiScope.FEATURESTORE }, allowedUserRoles = { "HOPS_ADMIN", "HOPS_USER" })
@ApiOperation(value = "Create feature group in a featurestore", response = FeaturegroupDTO.class)
public Response createFeaturegroup(@Context SecurityContext sc, FeaturegroupDTO featuregroupDTO)
    throws FeaturestoreException, ServiceException, KafkaException, SchemaException, ProjectException, UserException {
  Users caller = jWTHelper.getUserPrincipal(sc);
  if (featuregroupDTO == null) {
    throw new IllegalArgumentException("Input JSON for creating a new Feature Group cannot be null");
  }
  try {
    if (featuregroupController.featuregroupExists(featurestore, featuregroupDTO)) {
      String context = "project: " + project.getName() + ", featurestoreId: " + featurestore.getId();
      throw new FeaturestoreException(RESTCodes.FeaturestoreErrorCode.FEATUREGROUP_EXISTS, Level.INFO, context);
    }
    FeaturegroupDTO created = featuregroupController.createFeaturegroup(featurestore, featuregroupDTO, project, caller);
    // Anonymous subclass keeps the generic type available to the JAX-RS entity writer
    GenericEntity<FeaturegroupDTO> entity = new GenericEntity<FeaturegroupDTO>(created) {
    };
    return noCacheResponse.getNoCacheResponseBuilder(Response.Status.CREATED).entity(entity).build();
  } catch (SQLException | ProvenanceException | IOException | HopsSecurityException e) {
    String context = "project: " + project.getName() + ", featurestoreId: " + featurestore.getId();
    throw new FeaturestoreException(RESTCodes.FeaturestoreErrorCode.COULD_NOT_CREATE_FEATUREGROUP, Level.SEVERE,
        context, e.getMessage(), e);
  }
}
Use of io.hops.hopsworks.exceptions.HopsSecurityException in the project hopsworks by logicalclocks.
The class CachedFeaturegroupController, method executeReadHiveQuery.
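/**
 * Opens a JDBC connection to HiveServer2 as the given project-user, runs a read query and parses the
 * result.
 * <p>
 * The connection is created per call because it is bound to the database and to the requesting user,
 * and it is released in {@code finally} through {@code closeConnection} regardless of the outcome.
 * The {@code Statement} and {@code ResultSet} are closed by try-with-resources, so a failing
 * {@code close()} can no longer mask the query error or skip the connection cleanup.
 *
 * @param query the read query, executed as-is
 * @param databaseName the name of the Hive database to connect to
 * @param project the project that owns the Hive database
 * @param user the user making the request (the connection is opened as this project-user)
 * @return the parsed result set
 * @throws HopsSecurityException if Hive rejects the query with a "permission denied" error
 *     (HDFS_ACCESS_CONTROL)
 * @throws FeaturestoreException for any other SQL error while running or reading the query
 *     (HIVE_READ_QUERY_ERROR)
 * @throws SQLException presumably propagated from {@code closeConnection} — confirm
 */
private FeaturegroupPreview executeReadHiveQuery(String query, String databaseName, Project project, Users user)
    throws SQLException, FeaturestoreException, HopsSecurityException {
  Connection conn = null;
  try {
    // Re-create the connection every time since the connection is database and user-specific
    conn = initConnection(databaseName, project, user);
    // Resources are closed in reverse order even when parseResultset throws; previously only the
    // Statement was closed, and a close() failure would bypass closeConnection() below.
    try (Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery(query)) {
      return parseResultset(rs);
    }
  } catch (SQLException e) {
    // Hive throws a generic HiveSQLException not a specific AuthorizationException, so the
    // authorization failure has to be recognised from the message. getMessage() may be null,
    // and the comparison must not depend on the default locale.
    String reason = e.getMessage() == null ? "" : e.getMessage().toLowerCase(java.util.Locale.ROOT);
    String context = "project: " + project.getName() + ", hive database: " + databaseName + " hive query: " + query;
    if (reason.contains("permission denied")) {
      throw new HopsSecurityException(RESTCodes.SecurityErrorCode.HDFS_ACCESS_CONTROL, Level.FINE, context,
          e.getMessage(), e);
    }
    throw new FeaturestoreException(RESTCodes.FeaturestoreErrorCode.HIVE_READ_QUERY_ERROR, Level.SEVERE, context,
        e.getMessage(), e);
  } finally {
    // Called unconditionally, as before: conn is null when initConnection threw, so closeConnection
    // must tolerate that.
    closeConnection(conn, user, project);
  }
}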
Use of io.hops.hopsworks.exceptions.HopsSecurityException in the project hopsworks by logicalclocks.
The class ProjectController, method addMember.
/**
 * Adds {@code newMember} to {@code project} with the role carried by {@code projectTeam}: persists the
 * membership, creates the HDFS project-user, grants Kafka topic ACLs and an online-featurestore database
 * user where those services are enabled, and generates the member's certificates.
 * <p>
 * A role other than DATA_OWNER/DATA_SCIENTIST (including null) is normalised to DATA_SCIENTIST before
 * anything is persisted. The membership is always bound to the {@code project} argument rather than to
 * whatever project {@code projectTeam} already carries, because the authorization check was made on the
 * path parameter.
 * <p>
 * If certificate generation fails, the HDFS user and the persisted membership are removed again and an
 * {@link EJBException} is thrown; presumably this also rolls back the container transaction — confirm.
 *
 * @param projectTeam membership record to add; its role and timestamp are (re)set here
 * @param project the project the member is added to (the one the caller was authorized on)
 * @param newMember the user to add; if null, or already a member, nothing is changed
 * @param owner the user performing the operation; sender of the notification and subject of the activity entry
 * @param dfso HDFS operations handle used to create the project-user in HDFS
 * @return {@code true} if the member was added, {@code false} if {@code newMember} was null or already a member
 * @throws EJBException if certificate generation fails, after the membership has been removed again
 */
public boolean addMember(ProjectTeam projectTeam, Project project, Users newMember, Users owner,
    DistributedFileSystemOps dfso)
    throws UserException, KafkaException, ProjectException, FeaturestoreException, IOException {
  // Unknown or missing roles fall back to the least-privileged project role
  if (projectTeam.getTeamRole() == null || (!projectTeam.getTeamRole().equals(ProjectRoleTypes.DATA_SCIENTIST.getRole())
      && !projectTeam.getTeamRole().equals(ProjectRoleTypes.DATA_OWNER.getRole()))) {
    projectTeam.setTeamRole(ProjectRoleTypes.DATA_SCIENTIST.getRole());
  }
  projectTeam.setTimestamp(new Date());
  if (newMember != null && !projectTeamFacade.isUserMemberOfProject(project, newMember)) {
    // this makes sure that the member is added to the project sent as the
    // first param b/c the security check was made on the parameter sent as path.
    projectTeam.getProjectTeamPK().setProjectId(project.getId());
    projectTeam.setProject(project);
    projectTeam.setUser(newMember);
    project.getProjectTeamCollection().add(projectTeam);
    projectFacade.update(project);
    hdfsUsersController.addNewProjectMember(projectTeam, dfso);
    // Add user to kafka topics ACLs by default
    if (projectServicesFacade.isServiceEnabledForProject(project, ProjectServiceEnum.KAFKA)) {
      kafkaController.addProjectMemberToTopics(project, newMember.getEmail());
    }
    // if online-featurestore service is enabled in the project, give new member access to it
    // NOTE(review): this goes through projectServiceFacade whereas the Kafka check above uses
    // projectServicesFacade — confirm both fields are intended
    if (projectServiceFacade.isServiceEnabledForProject(project, ProjectServiceEnum.FEATURESTORE) && settings.isOnlineFeaturestore()) {
      Featurestore featurestore = featurestoreController.getProjectFeaturestore(project);
      onlineFeaturestoreController.createDatabaseUser(projectTeam.getUser(), featurestore, projectTeam.getTeamRole());
    }
    // TODO: This should now be a REST call
    Future<CertificatesController.CertsResult> certsResultFuture = null;
    try {
      certsResultFuture = certificatesController.generateCertificates(project, newMember);
      certsResultFuture.get();
    } catch (Exception ex) {
      // Compensating actions for the membership persisted above. The broad catch also intercepts
      // InterruptedException without restoring the thread's interrupt flag.
      try {
        // NOTE(review): get() is called a second time here. If the first get() failed with an
        // ExecutionException this one fails the same way and revokeUserSpecificCertificates is
        // skipped; presumably the intent is to wait out an interrupted first get() before revoking
        // — confirm.
        if (certsResultFuture != null) {
          certsResultFuture.get();
        }
        certificatesController.revokeUserSpecificCertificates(project, newMember);
      } catch (IOException | InterruptedException | ExecutionException | HopsSecurityException | GenericException e) {
        // Best effort only: a failed revocation is logged for manual cleanup, the rollback continues
        String failedUser = project.getName() + HdfsUsersController.USER_NAME_DELIMITER + newMember.getUsername();
        LOGGER.log(Level.SEVERE, "Could not delete user certificates for user " + failedUser + ". Manual cleanup is needed!!! ", e);
      }
      // NOTE(review): the message mentions a jupyter kernel, but this is project-member certificate generation
      LOGGER.log(Level.SEVERE, "error while creating certificates, jupyter kernel: " + ex.getMessage(), ex);
      hdfsUsersController.removeMember(projectTeam);
      projectTeamFacade.removeProjectTeam(project, newMember);
      throw new EJBException("Could not create certificates for user");
    }
    // trigger project team role update handlers
    ProjectTeamRoleHandler.runProjectTeamRoleAddMembersHandlers(projectTeamRoleHandlers, project, Collections.singletonList(newMember), ProjectRoleTypes.fromString(projectTeam.getTeamRole()), false);
    String message = "You have been added to project " + project.getName() + " with a role " + projectTeam.getTeamRole() + ".";
    messageController.send(newMember, owner, "You have been added to a project.", message, message, "");
    LOGGER.log(Level.FINE, "{0} - member added to project : {1}.", new Object[] { newMember.getEmail(), project.getName() });
    logActivity(ActivityFacade.NEW_MEMBER + projectTeam.getProjectTeamPK().getTeamMember(), owner, project, ActivityFlag.MEMBER);
    return true;
  } else {
    return false;
  }
}
Use of io.hops.hopsworks.exceptions.HopsSecurityException in the project hopsworks by logicalclocks.
The class CAProxy, method revokeX509.
/**
 * Asks the CA to revoke an X.509 certificate identified by a single query parameter.
 * <p>
 * Builds a DELETE request against {@code path}, attaches the service's authorization header via
 * {@code client.setAuthorizationHeader}, and runs it through {@code HttpRetryableAction}; the response is
 * interpreted by {@code CA_REVOKE_RESPONSE_HANDLER}. Failures are logged together with the parameter
 * value so the affected certificate can be traced.
 *
 * @param parameterName name of the query parameter that identifies the certificate
 * @param parameterValue value of that parameter; must be non-empty
 * @param path CA endpoint path the parameter is appended to
 * @throws HopsSecurityException if the value is empty (CERTIFICATE_NOT_FOUND); if the protocol error was
 *     caused by a {@code HopsSecurityException} that exception is re-thrown unchanged, any other protocol
 *     error becomes CERTIFICATE_REVOKATION_ERROR
 * @throws GenericException if the URI cannot be built or the request fails with an I/O error
 */
private void revokeX509(String parameterName, String parameterValue, String path)
    throws HopsSecurityException, GenericException {
  if (Strings.isNullOrEmpty(parameterValue)) {
    throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERTIFICATE_NOT_FOUND, Level.SEVERE, null,
        "Certificate parameter value cannot be null or empty");
  }
  try {
    URI target = new URIBuilder(path).addParameter(parameterName, parameterValue).build();
    final HttpDelete request = new HttpDelete(target);
    client.setAuthorizationHeader(request);
    new HttpRetryableAction<Void>() {
      @Override
      public Void performAction() throws ClientProtocolException, IOException {
        return client.execute(request, CA_REVOKE_RESPONSE_HANDLER);
      }
    }.tryAction();
  } catch (URISyntaxException ex) {
    throw new GenericException(RESTCodes.GenericErrorCode.UNKNOWN_ERROR, Level.SEVERE, null, null, ex);
  } catch (ClientProtocolException ex) {
    // Must precede the IOException handler: ClientProtocolException is an IOException
    LOG.log(Level.WARNING, "Could not revoke X.509 " + parameterValue, ex);
    Throwable cause = ex.getCause();
    if (cause instanceof HopsSecurityException) {
      throw (HopsSecurityException) cause;
    }
    throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERTIFICATE_REVOKATION_ERROR, Level.WARNING, null,
        null, ex);
  } catch (IOException ex) {
    LOG.log(Level.SEVERE, "Could not revoke X.509 " + parameterValue, ex);
    throw new GenericException(RESTCodes.GenericErrorCode.UNKNOWN_ERROR, Level.SEVERE,
        "Generic error while revoking X.509", null, ex);
  }
}