Examples with AuthorizationException org.apache.hadoop.security.authorize.AuthorizationException used on opensource projects

Example 1 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hive by apache.

the class TestHadoopAuthBridge23 method testMetastoreProxyUser.

@Test
public void testMetastoreProxyUser() throws Exception {
    setup();
    final String proxyUserName = "proxyUser";
    //set the configuration up such that proxyUser can act on
    //behalf of all users belonging to the group foo_bar_group (
    //a dummy group)
    String[] groupNames = new String[] { "foo_bar_group" };
    setGroupsInConf(groupNames, proxyUserName);
    final UserGroupInformation delegationTokenUser = UserGroupInformation.getCurrentUser();
    final UserGroupInformation proxyUserUgi = UserGroupInformation.createRemoteUser(proxyUserName);
    String tokenStrForm = proxyUserUgi.doAs(new PrivilegedExceptionAction<String>() {

        public String run() throws Exception {
            try {
                //foo_bar_group, the call to getDelegationTokenStr will fail
                return getDelegationTokenStr(delegationTokenUser, proxyUserUgi);
            } catch (AuthorizationException ae) {
                return null;
            }
        }
    });
    Assert.assertTrue("Expected the getDelegationToken call to fail", tokenStrForm == null);
    //set the configuration up such that proxyUser can act on
    //behalf of all users belonging to the real group(s) that the
    //user running the test belongs to
    setGroupsInConf(UserGroupInformation.getCurrentUser().getGroupNames(), proxyUserName);
    tokenStrForm = proxyUserUgi.doAs(new PrivilegedExceptionAction<String>() {

        public String run() throws Exception {
            try {
                //obtained above the call to getDelegationTokenStr will succeed
                return getDelegationTokenStr(delegationTokenUser, proxyUserUgi);
            } catch (AuthorizationException ae) {
                return null;
            }
        }
    });
    Assert.assertTrue("Expected the getDelegationToken call to not fail", tokenStrForm != null);
    Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>();
    t.decodeFromUrlString(tokenStrForm);
    //check whether the username in the token is what we expect
    DelegationTokenIdentifier d = new DelegationTokenIdentifier();
    d.readFields(new DataInputStream(new ByteArrayInputStream(t.getIdentifier())));
    Assert.assertTrue("Usernames don't match", delegationTokenUser.getShortUserName().equals(d.getUser().getShortUserName()));
}

Example 2 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.

the class TestClientServiceDelegate method testNoRetryOnAMAuthorizationException.

@Test
public void testNoRetryOnAMAuthorizationException() throws Exception {
    if (!isAMReachableFromClient) {
        return;
    }
    ResourceMgrDelegate rm = mock(ResourceMgrDelegate.class);
    when(rm.getApplicationReport(TypeConverter.toYarn(oldJobId).getAppId())).thenReturn(getRunningApplicationReport("am1", 78));
    // throw authorization exception on first invocation
    final MRClientProtocol amProxy = mock(MRClientProtocol.class);
    when(amProxy.getJobReport(any(GetJobReportRequest.class))).thenThrow(new AuthorizationException("Denied"));
    Configuration conf = new YarnConfiguration();
    conf.set(MRConfig.FRAMEWORK_NAME, MRConfig.YARN_FRAMEWORK_NAME);
    conf.setBoolean(MRJobConfig.JOB_AM_ACCESS_DISABLED, !isAMReachableFromClient);
    ClientServiceDelegate clientServiceDelegate = new ClientServiceDelegate(conf, rm, oldJobId, null) {

        @Override
        MRClientProtocol instantiateAMProxy(final InetSocketAddress serviceAddr) throws IOException {
            super.instantiateAMProxy(serviceAddr);
            return amProxy;
        }
    };
    try {
        clientServiceDelegate.getJobStatus(oldJobId);
        Assert.fail("Exception should be thrown upon AuthorizationException");
    } catch (IOException e) {
        Assert.assertEquals(AuthorizationException.class.getName() + ": Denied", e.getMessage());
    }
    // assert maxClientRetry is not decremented.
    Assert.assertEquals(conf.getInt(MRJobConfig.MR_CLIENT_MAX_RETRIES, MRJobConfig.DEFAULT_MR_CLIENT_MAX_RETRIES), clientServiceDelegate.getMaxClientRetry());
    verify(amProxy, times(1)).getJobReport(any(GetJobReportRequest.class));
}

Example 3 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.

the class RMWebServices method listReservation.

/**
   * Function to retrieve a list of all the reservations.
   */
@GET
@Path("/reservation/list")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
public Response listReservation(@QueryParam("queue") @DefaultValue("default") String queue, @QueryParam("reservation-id") @DefaultValue("") String reservationId, @QueryParam("start-time") @DefaultValue("0") long startTime, @QueryParam("end-time") @DefaultValue("-1") long endTime, @QueryParam("include-resource-allocations") @DefaultValue("false") boolean includeResourceAllocations, @Context HttpServletRequest hsr) throws Exception {
    init();
    final ReservationListRequest request = ReservationListRequest.newInstance(queue, reservationId, startTime, endTime, includeResourceAllocations);
    UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
    if (callerUGI == null) {
        throw new AuthorizationException("Unable to obtain user name, " + "user not authenticated");
    }
    if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
        String msg = "The default static user cannot carry out this operation.";
        return Response.status(Status.FORBIDDEN).entity(msg).build();
    }
    ReservationListResponse resRespInfo;
    try {
        resRespInfo = callerUGI.doAs(new PrivilegedExceptionAction<ReservationListResponse>() {

            @Override
            public ReservationListResponse run() throws IOException, YarnException {
                return rm.getClientRMService().listReservations(request);
            }
        });
    } catch (UndeclaredThrowableException ue) {
        if (ue.getCause() instanceof YarnException) {
            throw new BadRequestException(ue.getCause().getMessage());
        }
        LOG.info("List reservation request failed", ue);
        throw ue;
    }
    ReservationListInfo resResponse = new ReservationListInfo(resRespInfo, includeResourceAllocations);
    return Response.status(Status.OK).entity(resResponse).build();
}

Example 4 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.

the class RMWebServices method submitApplication.

// reuse the code in ClientRMService to create new app
// get the new app id and submit app
// set location header with new app location
/**
   * Function to submit an app to the RM
   * 
   * @param newApp
   *          structure containing information to construct the
   *          ApplicationSubmissionContext
   * @param hsr
   *          the servlet request
   * @return Response containing the status code
   * @throws AuthorizationException
   * @throws IOException
   * @throws InterruptedException
   */
@POST
@Path("/apps")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response submitApplication(ApplicationSubmissionContextInfo newApp, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException {
    init();
    UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
    if (callerUGI == null) {
        throw new AuthorizationException("Unable to obtain user name, " + "user not authenticated");
    }
    if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
        String msg = "The default static user cannot carry out this operation.";
        return Response.status(Status.FORBIDDEN).entity(msg).build();
    }
    ApplicationSubmissionContext appContext = createAppSubmissionContext(newApp);
    final SubmitApplicationRequest req = SubmitApplicationRequest.newInstance(appContext);
    try {
        callerUGI.doAs(new PrivilegedExceptionAction<SubmitApplicationResponse>() {

            @Override
            public SubmitApplicationResponse run() throws IOException, YarnException {
                return rm.getClientRMService().submitApplication(req);
            }
        });
    } catch (UndeclaredThrowableException ue) {
        if (ue.getCause() instanceof YarnException) {
            throw new BadRequestException(ue.getCause().getMessage());
        }
        LOG.info("Submit app request failed", ue);
        throw ue;
    }
    String url = hsr.getRequestURL() + "/" + newApp.getApplicationId();
    return Response.status(Status.ACCEPTED).header(HttpHeaders.LOCATION, url).build();
}

Example 5 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.

the class RMWebServices method updateAppState.

// can't return POJO because we can't control the status code
// it's always set to 200 when we need to allow it to be set
// to 202
@PUT
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response updateAppState(AppState targetState, @Context HttpServletRequest hsr, @PathParam("appid") String appId) throws AuthorizationException, YarnException, InterruptedException, IOException {
    init();
    UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
    if (callerUGI == null) {
        String msg = "Unable to obtain user name, user not authenticated";
        throw new AuthorizationException(msg);
    }
    if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
        String msg = "The default static user cannot carry out this operation.";
        return Response.status(Status.FORBIDDEN).entity(msg).build();
    }
    String userName = callerUGI.getUserName();
    RMApp app = null;
    try {
        app = getRMAppForAppId(appId);
    } catch (NotFoundException e) {
        RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST, "UNKNOWN", "RMWebService", "Trying to kill an absent application " + appId);
        throw e;
    }
    if (!app.getState().toString().equals(targetState.getState())) {
        if (targetState.getState().equals(YarnApplicationState.KILLED.toString())) {
            return killApp(app, callerUGI, hsr, targetState.getDiagnostics());
        }
        throw new BadRequestException("Only '" + YarnApplicationState.KILLED.toString() + "' is allowed as a target state.");
    }
    AppState ret = new AppState();
    ret.setState(app.getState().toString());
    return Response.status(Status.OK).entity(ret).build();
}