Example 1 with AuthNimbusOp
use of org.apache.storm.daemon.ui.resources.AuthNimbusOp in project storm by apache.
the class AuthorizedUserFilter method filter.
@Override
public void filter(ContainerRequestContext containerRequestContext) {
AuthNimbusOp annotation = resourceInfo.getResourceMethod().getAnnotation(AuthNimbusOp.class);
if (annotation == null) {
return;
}
String op = annotation.value();
if (op == null) {
return;
}
Map topoConf = null;
if (annotation.needsTopoId()) {
final String topoId = containerRequestContext.getUriInfo().getPathParameters().get("id").get(0);
try (NimbusClient nimbusClient = NimbusClient.getConfiguredClient(conf)) {
topoConf = (Map) JSONValue.parse(nimbusClient.getClient().getTopologyConf(topoId));
} catch (AuthorizationException ae) {
LOG.error("Nimbus isn't allowing {} to access the topology conf of {}. {}", ReqContext.context(), topoId, ae.get_msg());
containerRequestContext.abortWith(makeResponse(ae, containerRequestContext, 403));
return;
} catch (TException e) {
LOG.error("Unable to fetch topo conf for {} due to ", topoId, e);
containerRequestContext.abortWith(makeResponse(new IOException("Unable to fetch topo conf for topo id " + topoId, e), containerRequestContext, 500));
return;
}
}
ReqContext reqContext = ReqContext.context();
if (reqContext.isImpersonating()) {
if (uiImpersonationHandler != null) {
if (!uiImpersonationHandler.permit(reqContext, op, topoConf)) {
Principal realPrincipal = reqContext.realPrincipal();
Principal principal = reqContext.principal();
String user = "unknown";
if (principal != null) {
user = principal.getName();
}
String realUser = "unknown";
if (realPrincipal != null) {
realUser = realPrincipal.getName();
}
InetAddress remoteAddress = reqContext.remoteAddress();
containerRequestContext.abortWith(makeResponse(new AuthorizationException("user '" + realUser + "' is not authorized to impersonate user '" + user + "' from host '" + remoteAddress.toString() + "'. Please" + "see SECURITY.MD to learn how to configure impersonation ACL."), containerRequestContext, 401));
return;
}
LOG.warn(" principal {} is trying to impersonate {} but {} has no authorizer configured. " + "This is a potential security hole. Please see SECURITY.MD to learn how to " + "configure an impersonation authorizer.", reqContext.realPrincipal().toString(), reqContext.principal().toString(), conf.get(DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER));
}
}
if (uiAclHandler != null) {
if (!uiAclHandler.permit(reqContext, op, topoConf)) {
Principal principal = reqContext.principal();
String user = "unknown";
if (principal != null) {
user = principal.getName();
}
containerRequestContext.abortWith(makeResponse(new AuthorizationException("UI request '" + op + "' for '" + user + "' user is not authorized"), containerRequestContext, 403));
return;
}
}
}
Also used :
TException(org.apache.storm.thrift.TException)
AuthorizationException(org.apache.storm.generated.AuthorizationException)
NimbusClient(org.apache.storm.utils.NimbusClient)
IOException(java.io.IOException)
ReqContext(org.apache.storm.security.auth.ReqContext)
AuthNimbusOp(org.apache.storm.daemon.ui.resources.AuthNimbusOp)
Map(java.util.Map)
InetAddress(java.net.InetAddress)
Principal(java.security.Principal)
Aggregations
IOException (java.io.IOException)1
InetAddress (java.net.InetAddress)1
Principal (java.security.Principal)1
Map (java.util.Map)1
AuthNimbusOp (org.apache.storm.daemon.ui.resources.AuthNimbusOp)1
AuthorizationException (org.apache.storm.generated.AuthorizationException)1
ReqContext (org.apache.storm.security.auth.ReqContext)1
TException (org.apache.storm.thrift.TException)1
NimbusClient (org.apache.storm.utils.NimbusClient)1
