Search in sources :

Example 6 with AuthException

use of io.pravega.auth.AuthException in project pravega by pravega.

the class StreamMetadataResourceImpl method listStreams.

/**
 * Implementation of listStreams REST API.
 *
 * @param scopeName           The scope name of stream.
 * @param securityContext     The security for API access.
 * @param asyncResponse       AsyncResponse provides means for asynchronous server side response processing.
 */
@Override
public void listStreams(final String scopeName, final String filterType, final String filterValue, final SecurityContext securityContext, final AsyncResponse asyncResponse) {
    long traceId = LoggerHelpers.traceEnter(log, "listStreams");
    long requestId = requestIdGenerator.nextLong();
    final Principal principal;
    final List<String> authHeader = getAuthorizationHeader();
    try {
        principal = restAuthHelper.authenticate(authHeader);
        restAuthHelper.authorize(authHeader, authorizationResource.ofStreamsInScope(scopeName), principal, READ);
    } catch (AuthException e) {
        log.warn(requestId, "List streams for {} failed due to authentication failure.", scopeName);
        asyncResponse.resume(Response.status(Status.fromStatusCode(e.getResponseCode())).build());
        LoggerHelpers.traceLeave(log, "listStreams", traceId);
        return;
    }
    boolean showOnlyInternalStreams = filterType != null && filterType.equals("showInternalStreams");
    boolean showStreamsWithTag = filterType != null && filterType.equals("tag");
    String tag;
    if (showStreamsWithTag && filterValue != null) {
        tag = filterValue;
        List<Stream> streams = new ArrayList<>();
        String finalTag = tag;
        localController.listStreamsForTag(scopeName, tag).collectRemaining(streams::add).thenCompose(v -> {
            List<CompletableFuture<ImmutablePair<Stream, StreamConfiguration>>> streamConfigFutureList = streams.stream().filter(stream -> {
                boolean isAuthorized = false;
                try {
                    isAuthorized = restAuthHelper.isAuthorized(authHeader, authorizationResource.ofStreamInScope(scopeName, stream.getStreamName()), principal, READ);
                } catch (AuthException e) {
                    log.warn(requestId, "List Streams with tag {} for scope {} failed due to authentication failure.", finalTag, scopeName);
                // Ignore. This exception occurs under abnormal circumstances and not to determine
                // whether the user is authorized. In case it does occur, we assume that the user
                // is unauthorized.
                }
                return isAuthorized;
            }).map(stream -> localController.getStreamConfiguration(scopeName, stream.getStreamName()).thenApply(config -> new ImmutablePair<>(stream, config))).collect(Collectors.toList());
            return Futures.allOfWithResults(streamConfigFutureList);
        }).thenApply(streamConfigPairs -> {
            StreamsList responseStreams = new StreamsList();
            responseStreams.setStreams(new ArrayList<>());
            streamConfigPairs.forEach(pair -> responseStreams.addStreamsItem(ModelHelper.encodeStreamResponse(pair.left.getScope(), pair.left.getStreamName(), pair.right)));
            log.info(requestId, "Successfully fetched streams for scope: {} with tag: {}", scopeName, finalTag);
            return Response.status(Status.OK).entity(responseStreams).build();
        }).exceptionally(exception -> {
            if (exception.getCause() instanceof StoreException.DataNotFoundException || exception instanceof StoreException.DataNotFoundException) {
                log.warn(requestId, "Scope name: {} not found", scopeName);
                return Response.status(Status.NOT_FOUND).build();
            } else {
                log.warn(requestId, "listStreams for {} with tag {} failed with exception: {}", scopeName, finalTag, exception);
                return Response.status(Status.INTERNAL_SERVER_ERROR).build();
            }
        }).thenApply(asyncResponse::resume).thenAccept(x -> LoggerHelpers.traceLeave(log, "listStreams", traceId));
    } else {
        controllerService.listStreamsInScope(scopeName, requestId).thenApply(streamsList -> {
            StreamsList streams = new StreamsList();
            streams.setStreams(new ArrayList<>());
            streamsList.forEach((stream, config) -> {
                try {
                    if (restAuthHelper.isAuthorized(authHeader, authorizationResource.ofStreamInScope(scopeName, stream), principal, READ)) {
                        // otherwise display the regular user created streams.
                        if (!showOnlyInternalStreams ^ stream.startsWith(INTERNAL_NAME_PREFIX)) {
                            streams.addStreamsItem(ModelHelper.encodeStreamResponse(scopeName, stream, config));
                        }
                    }
                } catch (AuthException e) {
                    log.warn(requestId, "Read internal streams for scope {} failed due to authentication failure.", scopeName);
                // Ignore. This exception occurs under abnormal circumstances and not to determine
                // whether the user is authorized. In case it does occur, we assume that the user
                // is unauthorized.
                }
            });
            log.info(requestId, "Successfully fetched streams for scope: {}", scopeName);
            return Response.status(Status.OK).entity(streams).build();
        }).exceptionally(exception -> {
            if (exception.getCause() instanceof StoreException.DataNotFoundException || exception instanceof StoreException.DataNotFoundException) {
                log.warn(requestId, "Scope name: {} not found", scopeName);
                return Response.status(Status.NOT_FOUND).build();
            } else {
                log.warn(requestId, "listStreams for {} failed with exception: {}", scopeName, exception);
                return Response.status(Status.INTERNAL_SERVER_ERROR).build();
            }
        }).thenApply(asyncResponse::resume).thenAccept(x -> LoggerHelpers.traceLeave(log, "listStreams", traceId));
    }
}
Also used : ApiV1(io.pravega.controller.server.rest.v1.ApiV1) READ(io.pravega.auth.AuthHandler.Permissions.READ) StreamsList(io.pravega.controller.server.rest.generated.model.StreamsList) SecurityContext(javax.ws.rs.core.SecurityContext) LoggerFactory(org.slf4j.LoggerFactory) ReaderGroupManagerImpl(io.pravega.client.admin.impl.ReaderGroupManagerImpl) Random(java.util.Random) ReaderGroup(io.pravega.client.stream.ReaderGroup) StreamConfiguration(io.pravega.client.stream.StreamConfiguration) ReaderGroupNotFoundException(io.pravega.client.stream.ReaderGroupNotFoundException) TagLogger(io.pravega.common.tracing.TagLogger) RESTAuthHelper(io.pravega.shared.rest.security.RESTAuthHelper) LocalController(io.pravega.controller.server.eventProcessor.LocalController) StoreException(io.pravega.controller.store.stream.StoreException) ClientFactoryImpl(io.pravega.client.stream.impl.ClientFactoryImpl) ReaderGroupManager(io.pravega.client.admin.ReaderGroupManager) Stream(io.pravega.client.stream.Stream) ReaderGroupProperty(io.pravega.controller.server.rest.generated.model.ReaderGroupProperty) INTERNAL_NAME_PREFIX(io.pravega.shared.NameUtils.INTERNAL_NAME_PREFIX) DeleteScopeStatus(io.pravega.controller.stream.api.grpc.v1.Controller.DeleteScopeStatus) CreateStreamStatus(io.pravega.controller.stream.api.grpc.v1.Controller.CreateStreamStatus) AuthorizationResource(io.pravega.shared.security.auth.AuthorizationResource) Context(javax.ws.rs.core.Context) AsyncResponse(javax.ws.rs.container.AsyncResponse) CreateScopeRequest(io.pravega.controller.server.rest.generated.model.CreateScopeRequest) Collectors(java.util.stream.Collectors) CreateStreamRequest(io.pravega.controller.server.rest.generated.model.CreateStreamRequest) READER_GROUP_STREAM_PREFIX(io.pravega.shared.NameUtils.READER_GROUP_STREAM_PREFIX) List(java.util.List) Principal(java.security.Principal) HttpHeaders(javax.ws.rs.core.HttpHeaders) StreamState(io.pravega.controller.server.rest.generated.model.StreamState) Response(javax.ws.rs.core.Response) ScopesList(io.pravega.controller.server.rest.generated.model.ScopesList) Futures(io.pravega.common.concurrent.Futures) AuthException(io.pravega.auth.AuthException) CreateScopeStatus(io.pravega.controller.stream.api.grpc.v1.Controller.CreateScopeStatus) ConnectionFactory(io.pravega.client.connection.impl.ConnectionFactory) CompletableFuture(java.util.concurrent.CompletableFuture) UpdateStreamRequest(io.pravega.controller.server.rest.generated.model.UpdateStreamRequest) ArrayList(java.util.ArrayList) READ_UPDATE(io.pravega.auth.AuthHandler.Permissions.READ_UPDATE) ScaleMetadata(io.pravega.controller.store.stream.ScaleMetadata) DeleteStreamStatus(io.pravega.controller.stream.api.grpc.v1.Controller.DeleteStreamStatus) Status(javax.ws.rs.core.Response.Status) AuthorizationResourceImpl(io.pravega.shared.security.auth.AuthorizationResourceImpl) LoggerHelpers(io.pravega.common.LoggerHelpers) ControllerService(io.pravega.controller.server.ControllerService) NameUtils(io.pravega.shared.NameUtils) Iterator(java.util.Iterator) ScopeProperty(io.pravega.controller.server.rest.generated.model.ScopeProperty) ImmutablePair(org.apache.commons.lang3.tuple.ImmutablePair) ModelHelper(io.pravega.controller.server.rest.ModelHelper) ReaderGroupsList(io.pravega.controller.server.rest.generated.model.ReaderGroupsList) AuthHandlerManager(io.pravega.shared.rest.security.AuthHandlerManager) ReaderGroupsListReaderGroups(io.pravega.controller.server.rest.generated.model.ReaderGroupsListReaderGroups) UpdateStreamStatus(io.pravega.controller.stream.api.grpc.v1.Controller.UpdateStreamStatus) ClientConfig(io.pravega.client.ClientConfig) StreamsList(io.pravega.controller.server.rest.generated.model.StreamsList) ArrayList(java.util.ArrayList) AuthException(io.pravega.auth.AuthException) StoreException(io.pravega.controller.store.stream.StoreException) CompletableFuture(java.util.concurrent.CompletableFuture) StreamConfiguration(io.pravega.client.stream.StreamConfiguration) Stream(io.pravega.client.stream.Stream) Principal(java.security.Principal)

Example 7 with AuthException

use of io.pravega.auth.AuthException in project pravega by pravega.

the class StreamMetadataResourceImpl method listReaderGroups.

@Override
public void listReaderGroups(final String scopeName, final SecurityContext securityContext, final AsyncResponse asyncResponse) {
    long traceId = LoggerHelpers.traceEnter(log, "listReaderGroups");
    long requestId = requestIdGenerator.nextLong();
    try {
        restAuthHelper.authenticateAuthorize(getAuthorizationHeader(), authorizationResource.ofReaderGroupsInScope(scopeName), READ);
    } catch (AuthException e) {
        log.warn(requestId, "Get reader groups for {} failed due to authentication failure.", scopeName);
        asyncResponse.resume(Response.status(Status.fromStatusCode(e.getResponseCode())).build());
        LoggerHelpers.traceLeave(log, "listReaderGroups", traceId);
        return;
    }
    // Each reader group is represented by a stream within the mentioned scope.
    controllerService.listStreamsInScope(scopeName, requestId).thenApply(streamsList -> {
        ReaderGroupsList readerGroups = new ReaderGroupsList();
        streamsList.forEach((stream, config) -> {
            if (stream.startsWith(READER_GROUP_STREAM_PREFIX)) {
                ReaderGroupsListReaderGroups readerGroup = new ReaderGroupsListReaderGroups();
                readerGroup.setReaderGroupName(stream.substring(READER_GROUP_STREAM_PREFIX.length()));
                readerGroups.addReaderGroupsItem(readerGroup);
            }
        });
        log.info(requestId, "Successfully fetched readerGroups for scope: {}", scopeName);
        return Response.status(Status.OK).entity(readerGroups).build();
    }).exceptionally(exception -> {
        if (exception.getCause() instanceof StoreException.DataNotFoundException || exception instanceof StoreException.DataNotFoundException) {
            log.warn(requestId, "Scope name: {} not found", scopeName);
            return Response.status(Status.NOT_FOUND).build();
        } else {
            log.warn(requestId, "listReaderGroups for {} failed with exception: ", scopeName, exception);
            return Response.status(Status.INTERNAL_SERVER_ERROR).build();
        }
    }).thenApply(asyncResponse::resume).thenAccept(x -> LoggerHelpers.traceLeave(log, "listReaderGroups", traceId));
}
Also used : ApiV1(io.pravega.controller.server.rest.v1.ApiV1) READ(io.pravega.auth.AuthHandler.Permissions.READ) StreamsList(io.pravega.controller.server.rest.generated.model.StreamsList) SecurityContext(javax.ws.rs.core.SecurityContext) LoggerFactory(org.slf4j.LoggerFactory) ReaderGroupManagerImpl(io.pravega.client.admin.impl.ReaderGroupManagerImpl) Random(java.util.Random) ReaderGroup(io.pravega.client.stream.ReaderGroup) StreamConfiguration(io.pravega.client.stream.StreamConfiguration) ReaderGroupNotFoundException(io.pravega.client.stream.ReaderGroupNotFoundException) TagLogger(io.pravega.common.tracing.TagLogger) RESTAuthHelper(io.pravega.shared.rest.security.RESTAuthHelper) LocalController(io.pravega.controller.server.eventProcessor.LocalController) StoreException(io.pravega.controller.store.stream.StoreException) ClientFactoryImpl(io.pravega.client.stream.impl.ClientFactoryImpl) ReaderGroupManager(io.pravega.client.admin.ReaderGroupManager) Stream(io.pravega.client.stream.Stream) ReaderGroupProperty(io.pravega.controller.server.rest.generated.model.ReaderGroupProperty) INTERNAL_NAME_PREFIX(io.pravega.shared.NameUtils.INTERNAL_NAME_PREFIX) DeleteScopeStatus(io.pravega.controller.stream.api.grpc.v1.Controller.DeleteScopeStatus) CreateStreamStatus(io.pravega.controller.stream.api.grpc.v1.Controller.CreateStreamStatus) AuthorizationResource(io.pravega.shared.security.auth.AuthorizationResource) Context(javax.ws.rs.core.Context) AsyncResponse(javax.ws.rs.container.AsyncResponse) CreateScopeRequest(io.pravega.controller.server.rest.generated.model.CreateScopeRequest) Collectors(java.util.stream.Collectors) CreateStreamRequest(io.pravega.controller.server.rest.generated.model.CreateStreamRequest) READER_GROUP_STREAM_PREFIX(io.pravega.shared.NameUtils.READER_GROUP_STREAM_PREFIX) List(java.util.List) Principal(java.security.Principal) HttpHeaders(javax.ws.rs.core.HttpHeaders) StreamState(io.pravega.controller.server.rest.generated.model.StreamState) Response(javax.ws.rs.core.Response) ScopesList(io.pravega.controller.server.rest.generated.model.ScopesList) Futures(io.pravega.common.concurrent.Futures) AuthException(io.pravega.auth.AuthException) CreateScopeStatus(io.pravega.controller.stream.api.grpc.v1.Controller.CreateScopeStatus) ConnectionFactory(io.pravega.client.connection.impl.ConnectionFactory) CompletableFuture(java.util.concurrent.CompletableFuture) UpdateStreamRequest(io.pravega.controller.server.rest.generated.model.UpdateStreamRequest) ArrayList(java.util.ArrayList) READ_UPDATE(io.pravega.auth.AuthHandler.Permissions.READ_UPDATE) ScaleMetadata(io.pravega.controller.store.stream.ScaleMetadata) DeleteStreamStatus(io.pravega.controller.stream.api.grpc.v1.Controller.DeleteStreamStatus) Status(javax.ws.rs.core.Response.Status) AuthorizationResourceImpl(io.pravega.shared.security.auth.AuthorizationResourceImpl) LoggerHelpers(io.pravega.common.LoggerHelpers) ControllerService(io.pravega.controller.server.ControllerService) NameUtils(io.pravega.shared.NameUtils) Iterator(java.util.Iterator) ScopeProperty(io.pravega.controller.server.rest.generated.model.ScopeProperty) ImmutablePair(org.apache.commons.lang3.tuple.ImmutablePair) ModelHelper(io.pravega.controller.server.rest.ModelHelper) ReaderGroupsList(io.pravega.controller.server.rest.generated.model.ReaderGroupsList) AuthHandlerManager(io.pravega.shared.rest.security.AuthHandlerManager) ReaderGroupsListReaderGroups(io.pravega.controller.server.rest.generated.model.ReaderGroupsListReaderGroups) UpdateStreamStatus(io.pravega.controller.stream.api.grpc.v1.Controller.UpdateStreamStatus) ClientConfig(io.pravega.client.ClientConfig) ReaderGroupsListReaderGroups(io.pravega.controller.server.rest.generated.model.ReaderGroupsListReaderGroups) AuthException(io.pravega.auth.AuthException) ReaderGroupsList(io.pravega.controller.server.rest.generated.model.ReaderGroupsList) StoreException(io.pravega.controller.store.stream.StoreException)

Example 8 with AuthException

use of io.pravega.auth.AuthException in project pravega by pravega.

the class AuthInterceptor method interceptCall.

@Override
public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
    Context context = Context.current();
    // The authorization header has the credentials (e.g., username and password for Basic Authentication).
    // The form of the header is: <Method> <Token> (CustomMethod static-token, or Basic XYZ...., for example)
    String credentials = headers.get(Metadata.Key.of(AuthConstants.AUTHORIZATION, Metadata.ASCII_STRING_MARSHALLER));
    if (!Strings.isNullOrEmpty(credentials)) {
        String[] parts = credentials.split("\\s+", 2);
        if (parts.length == 2) {
            String method = parts[0];
            String token = parts[1];
            if (!Strings.isNullOrEmpty(method)) {
                if (method.equals(handler.getHandlerName())) {
                    log.debug("Handler [{}] successfully matched auth method [{}]", handler, method);
                    Principal principal;
                    try {
                        if ((principal = handler.authenticate(token)) == null) {
                            log.warn("Handler for method [{}] returned a null Principal upon authentication for the" + "given token", method);
                            call.close(Status.fromCode(Status.Code.UNAUTHENTICATED), headers);
                            return null;
                        }
                    } catch (AuthException e) {
                        log.warn("Authentication failed", e);
                        call.close(Status.fromCode(Status.Code.UNAUTHENTICATED), headers);
                        return null;
                    }
                    // Creates a new Context with the given key/value pairs.
                    context = context.withValues(PRINCIPAL_OBJECT_KEY, principal, AUTH_INTERCEPTOR_OBJECT_KEY, this);
                }
            } else {
                log.debug("Credentials are present, but method [{}] is null or empty", method);
            }
        }
    }
    // reaching this point means that the handler wasn't applicable to this request.
    return Contexts.interceptCall(context, call, headers, next);
}
Also used : Context(io.grpc.Context) AuthException(io.pravega.auth.AuthException) Principal(java.security.Principal)

Aggregations

AuthException (io.pravega.auth.AuthException)8 Principal (java.security.Principal)8 READ (io.pravega.auth.AuthHandler.Permissions.READ)6 READ_UPDATE (io.pravega.auth.AuthHandler.Permissions.READ_UPDATE)6 ClientConfig (io.pravega.client.ClientConfig)6 ReaderGroupManager (io.pravega.client.admin.ReaderGroupManager)6 ReaderGroupManagerImpl (io.pravega.client.admin.impl.ReaderGroupManagerImpl)6 ConnectionFactory (io.pravega.client.connection.impl.ConnectionFactory)6 ReaderGroup (io.pravega.client.stream.ReaderGroup)6 ReaderGroupNotFoundException (io.pravega.client.stream.ReaderGroupNotFoundException)6 Stream (io.pravega.client.stream.Stream)6 StreamConfiguration (io.pravega.client.stream.StreamConfiguration)6 ClientFactoryImpl (io.pravega.client.stream.impl.ClientFactoryImpl)6 LoggerHelpers (io.pravega.common.LoggerHelpers)6 Futures (io.pravega.common.concurrent.Futures)6 TagLogger (io.pravega.common.tracing.TagLogger)6 ControllerService (io.pravega.controller.server.ControllerService)6 LocalController (io.pravega.controller.server.eventProcessor.LocalController)6 ModelHelper (io.pravega.controller.server.rest.ModelHelper)6 CreateScopeRequest (io.pravega.controller.server.rest.generated.model.CreateScopeRequest)6