
Example 26 with PrivilegedAction

use of java.security.PrivilegedAction in project robovm by robovm.

the class LogFactory method getProperties.

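/**
 * Given a URL that refers to a .properties file, load that file.
 * This is done under an AccessController so that this method will
 * succeed when this jarfile is privileged but the caller is not.
 * This method must therefore remain private to avoid security issues:
 * whatever URL is passed in is opened with this library's permissions
 * rather than the caller's, so the URL must originate from trusted code
 * (a resource lookup inside this library) and never from user input.
 * <p>
 * Null is returned if the URL cannot be opened or read.
 *
 * @param url location of the properties file; any scheme that
 *            {@link URL#openStream()} understands is followed
 * @return the loaded properties, or null on any IOException
 */
private static Properties getProperties(final URL url) {
    PrivilegedAction<Properties> action = new PrivilegedAction<Properties>() {

        public Properties run() {
            InputStream stream = null;
            try {
                stream = url.openStream();
                if (stream != null) {
                    Properties props = new Properties();
                    props.load(stream);
                    return props;
                }
            } catch (IOException e) {
                if (isDiagnosticsEnabled()) {
                    logDiagnostic("Unable to read URL " + url);
                }
            } finally {
                // Close on every path; the original only closed after a
                // successful load(), leaking the stream when load() failed.
                if (stream != null) {
                    try {
                        stream.close();
                    } catch (IOException ignored) {
                        // the contents are already in memory or already lost;
                        // a close failure adds nothing the caller can act on
                    }
                }
            }
            return null;
        }
    };
    return AccessController.doPrivileged(action);
}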

Example 27 with PrivilegedAction

use of java.security.PrivilegedAction in project robovm by robovm.

the class AccessControllerTest method testDoPrivilegedWithCombiner.

/**
 * Checks that doPrivileged(action, context) does not invoke the context's
 * DomainCombiner: the combiner below fails the test if combine() is ever
 * called, and both the outer and the nested action observe a null combiner
 * on the current context while still passing the permission check.
 */
public void testDoPrivilegedWithCombiner() {
    final Permission required = new RuntimePermission("do stuff");
    // Any call into this combiner is a test failure.
    final DomainCombiner neverUsed = new DomainCombiner() {

        public ProtectionDomain[] combine(ProtectionDomain[] current, ProtectionDomain[] assigned) {
            throw new AssertionFailedError("Expected combiner to be unused");
        }
    };
    ProtectionDomain emptyDomain = new ProtectionDomain(null, new Permissions());
    AccessControlContext plainContext = new AccessControlContext(new ProtectionDomain[] { emptyDomain });
    AccessControlContext contextWithCombiner = new AccessControlContext(plainContext, neverUsed);
    final AtomicInteger nestedRuns = new AtomicInteger();
    PrivilegedAction<Void> outer = new PrivilegedAction<Void>() {

        public Void run() {
            assertEquals(null, AccessController.getContext().getDomainCombiner());
            AccessController.getContext().checkPermission(required);
            // Calling doPrivileged again would have exercised the combiner
            PrivilegedAction<Void> nested = new PrivilegedAction<Void>() {

                public Void run() {
                    nestedRuns.incrementAndGet();
                    assertEquals(null, AccessController.getContext().getDomainCombiner());
                    AccessController.getContext().checkPermission(required);
                    return null;
                }
            };
            AccessController.doPrivileged(nested);
            return null;
        }
    };
    AccessController.doPrivileged(outer, contextWithCombiner);
    assertEquals(1, nestedRuns.get());
}

Example 28 with PrivilegedAction

use of java.security.PrivilegedAction in project ranger by apache.

the class LdapPolicyMgrUserGroupBuilder method addOrUpdateGroup.

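/**
 * Synchronises the membership of {@code groupName} in Ranger admin with
 * {@code users}: members Ranger already records that are absent from
 * {@code users} are deleted, and members of {@code users} that are missing
 * (or lack the role mapped for this group in {@code groupMap}) are added.
 * <p>
 * When Kerberos authentication is configured and a credential exists, the
 * current mapping is fetched under a fresh keytab login via
 * {@link Subject#doAs}. If that login or fetch fails the failure is only
 * logged and the current mapping is treated as empty, so every desired user
 * is (re)added and nobody is deleted.
 *
 * @param groupName group to update
 * @param users     desired members; a null list is treated as empty
 * @throws Throwable an {@link Exception} when the add call returns null, so
 *                   the caller can retry in the next sync cycle
 */
@Override
public void addOrUpdateGroup(String groupName, List<String> users) throws Throwable {
    // First get the existing group user mappings from Ranger admin.
    // Then compute the delta and send the updated group user mappings to ranger admin.
    LOG.debug("addOrUpdateGroup for " + groupName + " with users: " + users);
    // A null member list would NPE in the delta computation; treat it as "no members".
    final List<String> desiredUsers = (users == null) ? new ArrayList<String>() : users;
    GroupUserInfo groupUserInfo = null;
    if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
        try {
            // keytab is what loginUserFromKeytab consumes, presumably a file
            // path; confirm nothing secret ends up in this log line.
            LOG.info("Using principal = " + principal + " and keytab = " + keytab);
            Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
            final String gName = groupName;
            groupUserInfo = Subject.doAs(sub, new PrivilegedAction<GroupUserInfo>() {

                @Override
                public GroupUserInfo run() {
                    try {
                        return getGroupUserInfo(gName);
                    } catch (Exception e) {
                        LOG.error("Failed to build Group List : ", e);
                    }
                    return null;
                }
            });
        } catch (Exception e) {
            // Fall through with groupUserInfo == null: the delta below then
            // re-adds every desired user and deletes nobody.
            LOG.error("Failed to Authenticate Using given Principal and Keytab : ", e);
        }
    } else {
        groupUserInfo = getGroupUserInfo(groupName);
    }
    List<String> oldUsers = new ArrayList<String>();
    Map<String, List<String>> oldUserMap = new HashMap<String, List<String>>();
    if (groupUserInfo != null && groupUserInfo.getXuserInfo() != null) {
        for (XUserInfo xUserInfo : groupUserInfo.getXuserInfo()) {
            oldUsers.add(xUserInfo.getName());
            oldUserMap.put(xUserInfo.getName(), xUserInfo.getUserRoleList());
        }
        LOG.debug("Returned users for group " + groupUserInfo.getXgroupInfo().getName() + " are: " + oldUsers);
    }
    // Members Ranger records that are no longer desired.
    List<String> delUsers = new ArrayList<String>();
    for (String user : oldUsers) {
        if (!desiredUsers.contains(user)) {
            delUsers.add(user);
        }
    }
    // Members to (re)add: everyone when nothing is recorded yet, otherwise
    // those missing or lacking this group's role. A null role list counts as
    // "role missing" instead of throwing NPE as the unconditional
    // dereference used to.
    List<String> addUsers = new ArrayList<String>();
    if (oldUsers.isEmpty()) {
        addUsers = desiredUsers;
    } else {
        String groupRole = groupMap.get(groupName);
        for (String user : desiredUsers) {
            List<String> currentRoles = oldUserMap.get(user);
            if (!oldUsers.contains(user) || currentRoles == null || !currentRoles.contains(groupRole)) {
                addUsers.add(user);
            }
        }
    }
    LOG.debug("addUsers = " + addUsers);
    delXGroupUserInfo(groupName, delUsers);
    // * Here the assumption is that the user already exists in x_portal_user table.
    if (!isMockRun) {
        // propagate the failure to the caller for retry in next sync cycle.
        if (addGroupUserInfo(groupName, addUsers) == null) {
            String msg = "Failed to add addorUpdate group user info";
            LOG.error(msg);
            throw new Exception(msg);
        }
    }
}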

Example 29 with PrivilegedAction

use of java.security.PrivilegedAction in project ranger by apache.

the class PolicyMgrUserGroupBuilder method addUserGroupInfo.

/**
 * Registers {@code userName} in Ranger admin and attaches it to {@code groups}.
 * Outside a mock run the user is created via {@link #addXUserInfo}, given a
 * role list, stored in {@code usergroupInfo}, and linked to the groups via
 * {@link #addXUserGroupInfo}. The final {@link #getUsergroupInfo} call runs
 * under a keytab login when Kerberos is configured; in that mode a login or
 * call failure is logged and null is returned.
 * <p>
 * NOTE(review): the role list is rebuilt for every group that has a
 * {@code groupMap} entry, so only the last such group's role survives — unless
 * {@code userMap} already has the user, whose role then wins regardless of
 * group. Whether that is intended should be confirmed with the callers.
 *
 * @param userName user to add
 * @param groups   groups the user should belong to (may be empty)
 * @return the user/group info reported back by Ranger admin, or null on
 *         failure in the Kerberos path
 */
private UserGroupInfo addUserGroupInfo(String userName, List<String> groups) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo " + userName + " and groups");
    }
    LOG.debug("INFO: addPMXAUser(" + userName + ")");
    XUserInfo xUser = null;
    if (!isMockRun) {
        xUser = addXUserInfo(userName);
        if (xUser != null && !groups.isEmpty()) {
            for (String group : groups) {
                String mappedRole = groupMap.get(group);
                if (mappedRole == null) {
                    continue;
                }
                List<String> roles = new ArrayList<String>();
                if (userMap.containsKey(xUser.getName())) {
                    roles.add(userMap.get(xUser.getName()));
                } else {
                    roles.add(mappedRole);
                }
                xUser.setUserRoleList(roles);
            }
        }
        usergroupInfo.setXuserInfo(xUser);
    }
    for (String g : groups) {
        LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")");
    }
    if (!isMockRun) {
        addXUserGroupInfo(xUser, groups);
    }
    // Nothing has been assigned to the result yet; getUsergroupInfo receives
    // this null placeholder and supplies the real value (presumably built
    // from the usergroupInfo field set above — confirm in getUsergroupInfo).
    final UserGroupInfo placeholder = null;
    boolean useKerberos = authenticationType != null
            && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
            && SecureClientLogin.isKerberosCredentialExists(principal, keytab);
    if (!useKerberos) {
        return getUsergroupInfo(placeholder);
    }
    try {
        Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
        return Subject.doAs(sub, new PrivilegedAction<UserGroupInfo>() {

            @Override
            public UserGroupInfo run() {
                try {
                    return getUsergroupInfo(placeholder);
                } catch (Exception e) {
                    LOG.error("Failed to add User Group Info : ", e);
                }
                return null;
            }
        });
    } catch (Exception e) {
        LOG.error("Failed to Authenticate Using given Principal and Keytab : ", e);
        return null;
    }
}

Example 30 with PrivilegedAction

use of java.security.PrivilegedAction in project ranger by apache.

the class PolicyMgrUserGroupBuilder method addGroupInfo.

/**
 * Creates {@code groupName} in Ranger admin (skipped in mock runs) and reads
 * the stored record back via {@link #getAddedGroupInfo}. With Kerberos
 * configured and a usable credential, the read-back runs under a keytab
 * login; a login or read failure is logged and yields null.
 *
 * @param groupName group to create
 * @return the group info as returned by Ranger admin, or null on failure in
 *         the Kerberos path
 */
private XGroupInfo addGroupInfo(final String groupName) {
    LOG.debug("INFO: addPMXAGroup(" + groupName + ")");
    final XGroupInfo created = isMockRun ? null : addXGroupInfo(groupName);
    boolean useKerberos = authenticationType != null
            && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
            && SecureClientLogin.isKerberosCredentialExists(principal, keytab);
    if (!useKerberos) {
        return getAddedGroupInfo(created);
    }
    try {
        // keytab is presumably a file path (it is handed to
        // loginUserFromKeytab); confirm nothing secret is logged here.
        LOG.info("Using principal = " + principal + " and keytab = " + keytab);
        Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
        return Subject.doAs(sub, new PrivilegedAction<XGroupInfo>() {

            @Override
            public XGroupInfo run() {
                try {
                    return getAddedGroupInfo(created);
                } catch (Exception e) {
                    LOG.error("Failed to build Group List : ", e);
                }
                return null;
            }
        });
    } catch (Exception e) {
        LOG.error("Failed to Authenticate Using given Principal and Keytab : ", e);
        return null;
    }
}
