
Example 6 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

Class JdkLdapAuthenticatorClient, method createUserDirContext:

/**
 * Binds to the directory as the given user DN to verify the supplied password.
 *
 * @param userDistinguishedName the DN the bind is attempted with
 * @param password the password to check for that DN
 * @return a closeable wrapper around the bound directory context
 * @throws AccessDeniedException if the directory rejects the credentials
 * @throws NamingException for any other directory failure (unreachable server, etc.),
 *         which is left to propagate unchanged
 */
private CloseableContext createUserDirContext(String userDistinguishedName, String password) throws NamingException {
    Map<String, String> bindEnvironment = createEnvironment(userDistinguishedName, password);
    DirContext boundContext;
    try {
        // The bind itself is the credential check: a wrong password surfaces as
        // javax.naming.AuthenticationException, anything else (I/O, unknown host) as NamingException.
        boundContext = createDirContext(bindEnvironment);
    } catch (AuthenticationException e) {
        // The directory's reason only goes to the debug log; the caller gets a generic message.
        log.debug("Password validation failed for user DN [%s]: %s", userDistinguishedName, e.getMessage());
        throw new AccessDeniedException("Invalid credentials");
    }
    log.debug("Password validation successful for user DN [%s]", userDistinguishedName);
    return new CloseableContext(boundContext);
}

Example 7 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

Class LdapAuthenticator, method authenticateWithUserBind:

/**
 * Authenticates by binding as the user, trying each configured bind pattern in turn.
 * <p>
 * When a group authorization search pattern is configured, the bind also checks group
 * membership; otherwise only the password is validated. The first pattern that succeeds
 * wins; if none does, the failure of the last attempt is reported.
 *
 * @param credential user name and password presented by the client
 * @return a principal for the authenticated user
 * @throws AccessDeniedException if the user name contains an LDAP special character, or if
 *         the last attempt was refused (wrong password or failed group check)
 * @throws RuntimeException if the last attempt failed with a NamingException, or if no
 *         bind pattern is configured at all
 */
private Principal authenticateWithUserBind(Credential credential) {
    String user = credential.getUser();
    if (containsSpecialCharacters(user)) {
        throw new AccessDeniedException("Username contains a special LDAP character");
    }
    // Placeholder for the "no patterns configured" case; overwritten by each failed attempt.
    Exception failure = new RuntimeException();
    for (String bindPattern : userBindSearchPatterns) {
        try {
            String userDn = replaceUser(bindPattern, user);
            if (!groupAuthorizationSearchPattern.isPresent()) {
                client.validatePassword(userDn, credential.getPassword());
            } else {
                // Binding as the user DN both checks the password and runs the group query.
                String searchBase = userBaseDistinguishedName.orElseThrow();
                String groupFilter = replaceUser(groupAuthorizationSearchPattern.get(), user);
                if (!client.isGroupMember(searchBase, groupFilter, userDn, credential.getPassword())) {
                    String message = format("User [%s] not a member of an authorized group", user);
                    log.debug("%s", message);
                    throw new AccessDeniedException(message);
                }
            }
        } catch (NamingException | AccessDeniedException e) {
            failure = e;
            continue;
        }
        log.debug("Authentication successful for user [%s]", user);
        return new BasicPrincipal(user);
    }
    log.debug(failure, "Authentication failed for user [%s], %s", user, failure.getMessage());
    if (failure instanceof AccessDeniedException) {
        throw (AccessDeniedException) failure;
    }
    throw new RuntimeException("Authentication error");
}

Example 8 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

Class TestFileBasedSystemAccessControl, method testCanSetUserOperations:

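/**
 * Verifies which principal/user pairs may set the session user under
 * {@code catalog_principal.json}, and that {@code catalog.json} (no principal patterns)
 * accepts the Kerberos principal that the pattern-based configuration also accepts.
 */
@Test
public void testCanSetUserOperations() {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = newAccessControlManager(transactionManager, "catalog_principal.json");
    // No principal at all is rejected once principal patterns are configured.
    assertSetUserDenied(() -> accessControlManager.checkCanSetUser(Optional.empty(), alice.getUser()));
    accessControlManager.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
    accessControlManager.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser());
    assertSetUserDenied(() -> accessControlManager.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser()));
    accessControlManager.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser());
    assertSetUserDenied(() -> accessControlManager.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser()));
    accessControlManager.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser());
    accessControlManager.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser());
    assertSetUserDenied(() -> accessControlManager.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser()));
    // Without principal patterns the same Kerberos principal is allowed.
    AccessControlManager accessControlManagerNoPatterns = newAccessControlManager(transactionManager, "catalog.json");
    accessControlManagerNoPatterns.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
}

/**
 * Runs {@code check} and fails the test unless it throws {@link AccessDeniedException};
 * any other exception propagates and fails the test on its own.
 *
 * @param check the access-control call expected to be denied
 */
private static void assertSetUserDenied(Runnable check) {
    try {
        check.run();
    } catch (AccessDeniedException expected) {
        return;
    }
    throw new AssertionError("expected AccessDeniedException");
}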

Example 9 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

Class TestFileBasedSystemAccessControl, method testCanImpersonateUserOperations:

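/**
 * Verifies the impersonation rules in {@code catalog_impersonation.json}: alice may impersonate
 * bob and charlie but not admin; admin and admin-other may impersonate any user; admin-test and
 * invalid are refused; anything may impersonate test, while invalid-other may not.
 * Under {@code catalog_principal.json} the pair anything/anythingElse is allowed.
 */
@Test
public void testCanImpersonateUserOperations() {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = newAccessControlManager(transactionManager, "catalog_impersonation.json");
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("alice"), "bob");
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("alice"), "charlie");
    assertImpersonationDenied(() -> accessControlManager.checkCanImpersonateUser(Identity.ofUser("alice"), "admin"));
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("admin"), "alice");
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("admin"), "bob");
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("admin"), "anything");
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("admin-other"), "anything");
    assertImpersonationDenied(() -> accessControlManager.checkCanImpersonateUser(Identity.ofUser("admin-test"), "alice"));
    assertImpersonationDenied(() -> accessControlManager.checkCanImpersonateUser(Identity.ofUser("invalid"), "alice"));
    accessControlManager.checkCanImpersonateUser(Identity.ofUser("anything"), "test");
    assertImpersonationDenied(() -> accessControlManager.checkCanImpersonateUser(Identity.ofUser("invalid-other"), "test"));
    // A separate local keeps the first manager effectively final for the lambdas above.
    AccessControlManager principalAccessControlManager = newAccessControlManager(transactionManager, "catalog_principal.json");
    principalAccessControlManager.checkCanImpersonateUser(Identity.ofUser("anything"), "anythingElse");
}

/**
 * Runs {@code check} and fails the test unless it throws {@link AccessDeniedException};
 * any other exception propagates and fails the test on its own.
 *
 * @param check the impersonation check expected to be denied
 */
private static void assertImpersonationDenied(Runnable check) {
    try {
        check.run();
    } catch (AccessDeniedException expected) {
        return;
    }
    throw new AssertionError("expected AccessDeniedException");
}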

Example 10 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

Class QueryResource, method failQuery:

/**
 * Fails the query identified by {@code queryId} with the given exception, after checking
 * that the caller is allowed to kill queries owned by the query's identity.
 *
 * @param queryId id of the query to fail; must not be null
 * @param queryException the failure to record on the query
 * @param servletRequest request used to extract the caller's authorized identity
 * @param httpHeaders headers used to extract the caller's authorized identity
 * @return 202 Accepted once the failure was requested, 409 Conflict if the query had already
 *         finished, 410 Gone if no query with that id is known
 * @throws ForbiddenException if access control denies the kill; the denial detail is not forwarded
 */
private Response failQuery(QueryId queryId, TrinoException queryException, HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders) {
    requireNonNull(queryId, "queryId is null");
    Status status;
    try {
        BasicQueryInfo info = dispatchManager.getQueryInfo(queryId);
        // Authorization runs before any state inspection or mutation.
        checkCanKillQueryOwnedBy(sessionContextFactory.extractAuthorizedIdentity(servletRequest, httpHeaders, alternateHeaderName), info.getSession().toIdentity(), accessControl);
        // Checked before failing so a finished query yields CONFLICT instead of a silent no-op (racy by nature).
        if (info.getState().isDone()) {
            status = Status.CONFLICT;
        } else {
            dispatchManager.failQuery(queryId, queryException);
            status = Status.ACCEPTED;
        }
    } catch (NoSuchElementException e) {
        status = Status.GONE;
    } catch (AccessDeniedException e) {
        // Deliberately cause-less: the client only learns that the operation is forbidden.
        throw new ForbiddenException();
    }
    return Response.status(status).build();
}
