use of org.apache.hadoop.security.authorize.AuthorizationException in project ranger by apache.
the class RangerKmsAuthorizerTest method testCreateKeys.
/**
 * Exercises the CREATE_KEY access decision of the KMS ACLs for three callers:
 * "bob" must be allowed, while "eve" and "alice" (created with the "IT" group)
 * must be rejected with an {@link AuthorizationException}.
 */
@Test
public void testCreateKeys() throws Throwable {
    // NOTE(review): when the flag is false the method simply returns, so the run is
    // presumably reported as passed although no authorization decision was exercised.
    // Confirm that this is intended rather than an explicit skip.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Positive case: for "bob" assertAccess has to return without throwing.
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    bob.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.CREATE, bob, KMSOp.CREATE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });

    // Negative case: "eve" must be denied. Reaching Assert.fail means the ACL
    // let the request through, which is the regression this test guards against.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    eve.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.CREATE, eve, KMSOp.CREATE_KEY, "newkey2", "127.0.0.1");
            } catch (AuthorizationException denied) {
                // Expected outcome; the denial is only logged.
                LOG.error("", denied);
                return null;
            }
            Assert.fail("Failure expected");
            return null;
        }
    });

    // Negative case: membership in the "IT" group must not grant create access.
    final UserGroupInformation aliceInIt =
        UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    aliceInIt.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.CREATE, aliceInIt, KMSOp.CREATE_KEY, "newkey1", "127.0.0.1");
            } catch (AuthorizationException denied) {
                // Expected outcome; the denial is only logged.
                LOG.error("", denied);
                return null;
            }
            Assert.fail("Failure expected");
            return null;
        }
    });
}
use of org.apache.hadoop.security.authorize.AuthorizationException in project ranger by apache.
the class RangerKmsAuthorizerTest method testDeleteKeys.
/**
 * Exercises the DELETE_KEY access decision of the KMS ACLs for three callers:
 * "bob" must be allowed, while "eve" and "alice" (created with the "IT" group)
 * must be rejected with an {@link AuthorizationException}.
 */
@Test
public void testDeleteKeys() throws Throwable {
    // NOTE(review): when the flag is false the method simply returns, so the run is
    // presumably reported as passed although no authorization decision was exercised.
    // Confirm that this is intended rather than an explicit skip.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Positive case: for "bob" assertAccess has to return without throwing.
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    bob.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.DELETE, bob, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });

    // Negative case: "eve" must be denied. Reaching Assert.fail means the ACL
    // let the delete through, which is the regression this test guards against.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    eve.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, eve, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            } catch (AuthorizationException denied) {
                // Expected outcome; the denial is only logged.
                LOG.error("", denied);
                return null;
            }
            Assert.fail("Failure expected");
            return null;
        }
    });

    // Negative case: membership in the "IT" group must not grant delete access.
    final UserGroupInformation aliceInIt =
        UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    aliceInIt.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, aliceInIt, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            } catch (AuthorizationException denied) {
                // Expected outcome; the denial is only logged.
                LOG.error("", denied);
                return null;
            }
            Assert.fail("Failure expected");
            return null;
        }
    });
}
use of org.apache.hadoop.security.authorize.AuthorizationException in project hbase by apache.
the class ServerRpcConnection method authorizeConnection.
/**
 * Runs the authorization checks for this connection and records the outcome in
 * the server metrics.
 *
 * @return {@code true} when all checks passed; {@code false} when an
 *         {@link AuthorizationException} was raised, in which case an error
 *         response built from that exception has already been handed to
 *         {@code doRespond}
 * @throws IOException declared by the signature; the only calls outside the
 *         authorization checks are in the error-response path
 */
private boolean authorizeConnection() throws IOException {
    try {
        // Impersonation check: it only applies when the UGI carries a real user
        // (i.e. it represents a proxied identity) and the provider supports
        // protocol authentication.
        final boolean hasRealUser = ugi != null && ugi.getRealUser() != null;
        if (hasRealUser && provider.supportsProtocolAuthentication()) {
            ProxyUsers.authorize(ugi, this.getHostAddress(), this.rpcServer.conf);
        }
        // Server-level authorization of the caller for the requested connection.
        this.rpcServer.authorize(ugi, connectionHeader, getHostInetAddress());
        this.rpcServer.metrics.authorizationSuccess();
        return true;
    } catch (AuthorizationException denied) {
        final String reason = denied.getMessage();
        // Denials are logged at DEBUG only; the failure metric below is the
        // signal that is recorded regardless of the log level.
        if (RpcServer.LOG.isDebugEnabled()) {
            RpcServer.LOG.debug("Connection authorization failed: " + reason, denied);
        }
        this.rpcServer.metrics.authorizationFailure();
        // The exception message is passed on in the error response, with the
        // original exception kept as the cause of the AccessDeniedException.
        doRespond(getErrorResponse(reason, new AccessDeniedException(denied)));
        return false;
    }
}
use of org.apache.hadoop.security.authorize.AuthorizationException in project hbase by apache.
the class RESTServletContainer method service.
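/**
 * This container is used only if authentication and impersonation are
 * enabled. The remote request user is used as a proxy user for impersonation
 * in invoking any REST service.
 *
 * <p>When the request carries a {@code doas} parameter, the authenticated
 * remote user is treated as the real user of a proxy UGI for the requested
 * identity, and that impersonation must be authorized before the effective
 * user is switched. Without the parameter the remote user itself becomes the
 * effective user.
 *
 * @param request the incoming request; its remote user is the authenticated caller
 * @param response the response passed through to the parent container
 * @throws ServletException if {@code doas} is used while proxy-user support is
 *         not configured, or if the impersonation is not authorized (the
 *         {@link AuthorizationException} is attached as the cause)
 * @throws IOException propagated from the parent {@code service} call
 */
@Override
public void service(final HttpServletRequest request, final HttpServletResponse response)
    throws ServletException, IOException {
  // NOTE(review): toLowerCase(request) presumably wraps the request so that the
  // parameter name is matched regardless of case ("doAs", "DOAS", ...) - confirm.
  final HttpServletRequest lowerCaseRequest = toLowerCase(request);
  final String doAsUserFromQuery = lowerCaseRequest.getParameter("doas");
  // NOTE(review): the servlet comes from getInstance(); confirm that
  // setEffectiveUser keeps its value per request/thread, because a shared field
  // would mix identities between concurrent requests.
  RESTServlet servlet = RESTServlet.getInstance();
  if (doAsUserFromQuery != null) {
    Configuration conf = servlet.getConfiguration();
    if (!servlet.supportsProxyuser()) {
      throw new ServletException("Support for proxyuser is not configured");
    }
    // Authenticated remote user is attempting to do 'doAs' proxy user.
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
    // create and attempt to authorize a proxy user (the client is attempting
    // to do proxy user)
    ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
    // Validate the proxy user authorization. getRemoteAddr() is the address of
    // the immediate peer, so behind a reverse proxy or load balancer the
    // check is evaluated against that intermediary's address.
    try {
      ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
    } catch (AuthorizationException e) {
      // Keep the original exception as the cause so the denial can be traced
      // in server-side logs instead of surviving only as a message string.
      throw new ServletException(e.getMessage(), e);
    }
    // Only reached once the impersonation has been authorized.
    servlet.setEffectiveUser(doAsUserFromQuery);
  } else {
    String effectiveUser = request.getRemoteUser();
    servlet.setEffectiveUser(effectiveUser);
  }
  super.service(request, response);
}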