
Example 66 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project ranger by apache.

the class RangerKmsAuthorizerTest method testCreateKeys.

@Test
public void testCreateKeys() throws Throwable {
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }
    // bob should have permission to create
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob");
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.CREATE, ugi, KMSOp.CREATE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });
    // "eve" should not have permission to create
    final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve");
    ugi2.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.CREATE, ugi2, KMSOp.CREATE_KEY, "newkey2", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error("", ex);
            }
            return null;
        }
    });
    // the IT group should not have permission to create
    final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi3.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.CREATE, ugi3, KMSOp.CREATE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error("", ex);
            }
            return null;
        }
    });
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 67 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project ranger by apache.

the class RangerKmsAuthorizerTest method testDeleteKeys.

@Test
public void testDeleteKeys() throws Throwable {
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }
    // bob should have permission to delete
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob");
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });
    // "eve" should not have permission to delete
    final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve");
    ugi2.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi2, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error("", ex);
            }
            return null;
        }
    });
    // the IT group should not have permission to delete
    final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi3.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi3, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error("", ex);
            }
            return null;
        }
    });
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 68 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hbase by apache.

the class ServerRpcConnection method authorizeConnection.

private boolean authorizeConnection() throws IOException {
    try {
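        // proxy-user authorization: when the connection carries a real user
        // behind the effective user, check that the real user is allowed to
        // impersonate from this host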
        if (ugi != null && ugi.getRealUser() != null && provider.supportsProtocolAuthentication()) {
            ProxyUsers.authorize(ugi, this.getHostAddress(), this.rpcServer.conf);
        }
        this.rpcServer.authorize(ugi, connectionHeader, getHostInetAddress());
        this.rpcServer.metrics.authorizationSuccess();
    } catch (AuthorizationException ae) {
        if (RpcServer.LOG.isDebugEnabled()) {
            RpcServer.LOG.debug("Connection authorization failed: " + ae.getMessage(), ae);
        }
        this.rpcServer.metrics.authorizationFailure();
        doRespond(getErrorResponse(ae.getMessage(), new AccessDeniedException(ae)));
        return false;
    }
    return true;
}
Also used : AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException)

Example 69 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hbase by apache.

the class RESTServletContainer method service.

/**
 * This container is used only if authentication and
 * impersonation are enabled. The remote request user is used
 * as a proxy user for impersonation when invoking any REST service.
 */
@Override
public void service(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
    final HttpServletRequest lowerCaseRequest = toLowerCase(request);
    final String doAsUserFromQuery = lowerCaseRequest.getParameter("doas");
    RESTServlet servlet = RESTServlet.getInstance();
    if (doAsUserFromQuery != null) {
        Configuration conf = servlet.getConfiguration();
        if (!servlet.supportsProxyuser()) {
            throw new ServletException("Support for proxyuser is not configured");
        }
        // The authenticated remote user is requesting to act as the 'doAs' user.
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
        // Wrap the requested 'doAs' user in a proxy UGI whose real user is the
        // authenticated caller
        ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
        // Check that the real user may impersonate the 'doAs' user from this remote address
        try {
            ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
        } catch (AuthorizationException e) {
            throw new ServletException(e.getMessage());
        }
        servlet.setEffectiveUser(doAsUserFromQuery);
    } else {
        String effectiveUser = request.getRemoteUser();
        servlet.setEffectiveUser(effectiveUser);
    }
    super.service(request, response);
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletException(javax.servlet.ServletException) Configuration(org.apache.hadoop.conf.Configuration) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException): 69
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 44
IOException (java.io.IOException): 23
Test (org.junit.Test): 21
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction): 14
Path (javax.ws.rs.Path): 14
Produces (javax.ws.rs.Produces): 14
BadRequestException (org.apache.hadoop.yarn.webapp.BadRequestException): 12
YarnException (org.apache.hadoop.yarn.exceptions.YarnException): 11
UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException): 8
Consumes (javax.ws.rs.Consumes): 8
POST (javax.ws.rs.POST): 8
Configuration (org.apache.hadoop.conf.Configuration): 6
RemoteException (org.apache.hadoop.ipc.RemoteException): 6
NotFoundException (org.apache.hadoop.yarn.webapp.NotFoundException): 6
HttpServletRequest (javax.servlet.http.HttpServletRequest): 4
HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper): 4
PUT (javax.ws.rs.PUT): 4
InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken): 4
Token (org.apache.hadoop.security.token.Token): 4