use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.
the class RMWebServices method replaceLabelsOnNode.
/**
 * Replaces the labels of the given nodes on behalf of a REST caller.
 *
 * <p>Nothing is changed until the caller has been identified from the request
 * and has passed the node label manager's access check.
 *
 * @param newLabelsForNode labels to apply, keyed by node
 * @param hsr the servlet request the caller identity is read from
 * @param operation endpoint suffix, used only in the rejection messages
 * @return an empty 200 OK response once the labels have been replaced
 * @throws AuthorizationException if no caller identity could be obtained or the
 *         caller fails the access check
 * @throws IOException declared by the signature; an IOException raised by the
 *         label manager itself is rethrown as BadRequestException
 */
private Response replaceLabelsOnNode(Map<NodeId, Set<String>> newLabelsForNode, HttpServletRequest hsr, String operation) throws IOException {
  init();
  NodeLabelsUtils.verifyCentralizedNodeLabelConfEnabled("replaceLabelsOnNode", isCentralizedNodeLabelConfiguration);

  // Authentication first: without a caller identity there is nothing to authorize.
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  if (caller == null) {
    throw new AuthorizationException("Unable to obtain user name, user not authenticated for post to ..." + operation);
  }

  // Authorization second: the label manager decides whether this caller may edit labels.
  final boolean allowed = rm.getRMContext().getNodeLabelManager().checkAccess(caller);
  if (!allowed) {
    throw new AuthorizationException("User " + caller.getShortUserName() + " not authorized for post to ..." + operation);
  }

  try {
    rm.getRMContext().getNodeLabelManager().replaceLabelsOnNode(newLabelsForNode);
  } catch (IOException cause) {
    // Surface label-manager failures to the REST client as a bad request.
    throw new BadRequestException(cause);
  }
  return Response.status(Status.OK).build();
}
use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.
the class RMWebServices method addToClusterNodeLabels.
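/**
 * Adds the node labels carried in the request body to the cluster.
 *
 * <p>The caller must be authenticated and must pass the node label manager's
 * access check. The request body is only inspected after both checks, so an
 * unauthenticated or unauthorized caller always gets the authorization error
 * rather than a validation error.
 *
 * @param newNodeLabels labels to add, unmarshalled from the request body
 * @param hsr the servlet request the caller identity is read from
 * @return an empty 200 OK response once the labels have been added
 * @throws AuthorizationException if no caller identity could be obtained or the
 *         caller fails the access check
 * @throws BadRequestException if the request carries no label payload, or the
 *         label manager rejects the labels with an IOException
 * @throws Exception declared by the signature
 */
@POST
@Path("/add-node-labels")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
public Response addToClusterNodeLabels(final NodeLabelsInfo newNodeLabels, @Context HttpServletRequest hsr) throws Exception {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  if (callerUGI == null) {
    String msg = "Unable to obtain user name, user not authenticated for" + " post to .../add-node-labels";
    throw new AuthorizationException(msg);
  }
  if (!rm.getRMContext().getNodeLabelManager().checkAccess(callerUGI)) {
    String msg = "User " + callerUGI.getShortUserName() + " not authorized" + " for post to .../add-node-labels ";
    throw new AuthorizationException(msg);
  }
  // A missing payload would otherwise be dereferenced below and surface as a
  // NullPointerException; report it as a client error instead.
  if (newNodeLabels == null) {
    throw new BadRequestException("No node labels supplied in the request body");
  }
  try {
    rm.getRMContext().getNodeLabelManager().addToCluserNodeLabels(newNodeLabels.getNodeLabels());
  } catch (IOException e) {
    // Surface label-manager failures to the REST client as a bad request.
    throw new BadRequestException(e);
  }
  return Response.status(Status.OK).build();
}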
use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.
the class RMWebServices method createNewApplication.
/**
 * Generates a new ApplicationId and returns it to the client.
 *
 * <p>The caller must be identifiable from the request. When security is
 * enabled, the default static user is refused with 403 FORBIDDEN instead of
 * being handed an application id.
 *
 * @param hsr
 *          the servlet request
 * @return Response containing the app id and the maximum resource
 *         capabilities, or a 403 response for the static user on a secure
 *         cluster
 * @throws AuthorizationException
 *           if no caller identity could be obtained from the request
 * @throws IOException
 *           declared by the signature
 * @throws InterruptedException
 *           declared by the signature
 */
@POST
@Path("/apps/new-application")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
public Response createNewApplication(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException {
  init();

  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  if (caller == null) {
    throw new AuthorizationException("Unable to obtain user name, user not authenticated");
  }

  // The static-user check is only consulted on a secure cluster.
  if (UserGroupInformation.isSecurityEnabled()) {
    if (isStaticUser(caller)) {
      return Response.status(Status.FORBIDDEN)
          .entity("The default static user cannot carry out this operation.")
          .build();
    }
  }

  final NewApplication created = createNewApplication();
  return Response.status(Status.OK).entity(created).build();
}
use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.
the class RMWebServices method cancelDelegationToken.
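// For cancelling tokens, the encoded token is passed as a header.
// There are two reasons for this -
// 1. Passing a request body as part of a DELETE request is not
// allowed by Jetty
// 2. Passing the encoded token as part of the url is not ideal
// since urls tend to get logged and anyone with access to
// the logs can extract tokens which are meant to be secret
/**
 * Cancels the delegation token supplied with the request.
 *
 * <p>The cancellation runs as the caller identity returned by
 * createKerberosUserGroupInformation; if that call fails with a
 * YarnException the request is answered with 403 FORBIDDEN. Failures are
 * logged under the name of this operation so that cancel and renew failures
 * can be told apart in the logs.
 *
 * @param hsr the servlet request carrying the caller identity and the token
 * @return 200 OK on success, or 403 FORBIDDEN when the caller identity cannot
 *         be built or the cancel call is refused with an
 *         AccessControlException
 * @throws BadRequestException if the supplied token is reported as InvalidToken
 * @throws Exception any other failure of the cancel call, rethrown after logging
 */
@DELETE
@Path("/delegation-token")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
public Response cancelDelegationToken(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception {
  init();
  UserGroupInformation callerUGI;
  try {
    callerUGI = createKerberosUserGroupInformation(hsr);
  } catch (YarnException ye) {
    return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build();
  }
  // The token carries its password; keep it out of log statements in this method.
  Token<RMDelegationTokenIdentifier> token = extractToken(hsr);
  org.apache.hadoop.yarn.api.records.Token dToken = BuilderUtils.newDelegationToken(token.getIdentifier(), token.getKind().toString(), token.getPassword(), token.getService().toString());
  final CancelDelegationTokenRequest req = CancelDelegationTokenRequest.newInstance(dToken);
  try {
    callerUGI.doAs(new PrivilegedExceptionAction<CancelDelegationTokenResponse>() {
      @Override
      public CancelDelegationTokenResponse run() throws IOException, YarnException {
        return rm.getClientRMService().cancelDelegationToken(req);
      }
    });
  } catch (UndeclaredThrowableException ue) {
    if (ue.getCause() instanceof YarnException) {
      // The YarnException wraps the reason the cancel call was refused.
      Throwable root = ue.getCause().getCause();
      if (root instanceof InvalidToken) {
        throw new BadRequestException(root.getMessage());
      }
      if (root instanceof org.apache.hadoop.security.AccessControlException) {
        return Response.status(Status.FORBIDDEN).entity(root.getMessage()).build();
      }
    }
    // Previously logged as a "Renew" failure, which mislabels cancel failures in the logs.
    LOG.info("Cancel delegation token request failed", ue);
    throw ue;
  } catch (Exception e) {
    LOG.info("Cancel delegation token request failed", e);
    throw e;
  }
  return Response.status(Status.OK).build();
}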
use of org.apache.hadoop.security.authorize.AuthorizationException in project hadoop by apache.
the class TestRMProxyUsersConf method testProxyUserConfiguration.
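/**
 * Checks that, once the ResourceManager has started with the test
 * configuration, the default impersonation provider authorizes a proxy user
 * built from BAR_USER's short name with FOO_USER as the real user, for the
 * test address.
 */
@Test
public void testProxyUserConfiguration() throws Exception {
  MockRM rm = null;
  try {
    rm = new MockRM(conf);
    rm.start();
    // wait for web server starting
    Thread.sleep(10000);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(BAR_USER.getShortUserName(), FOO_USER);
    try {
      ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser, ipAddress);
    } catch (AuthorizationException e) {
      // Exception is not expected; report why authorization was denied so a
      // failing run points at the proxy-user rule that rejected the caller.
      Assert.fail("Proxy user authorization was unexpectedly denied: " + e.getMessage());
    }
  } finally {
    // Always release the mock RM, even when the assertion above fails.
    if (rm != null) {
      rm.stop();
      rm.close();
    }
  }
}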