
Example 1 with AuthNimbusOp

use of org.apache.storm.daemon.ui.resources.AuthNimbusOp in project storm by apache.

the class AuthorizedUserFilter method filter.

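/**
 * Authorizes a UI REST request before its resource method runs.
 *
 * <p>Only resource methods annotated with {@link AuthNimbusOp} are checked; a method without the
 * annotation, or with a null operation name, passes through this filter untouched. When the
 * annotation asks for a topology id, the topology conf is fetched from Nimbus first so the
 * handlers can evaluate topology-level settings.
 *
 * <p>Outcomes, all delivered through {@code abortWith}:
 * <ul>
 *   <li>403 - Nimbus refused to hand out the topology conf, or the UI ACL handler denied the op;</li>
 *   <li>500 - the topology conf could not be fetched (Thrift failure);</li>
 *   <li>401 - the impersonation handler denied the impersonation attempt.</li>
 * </ul>
 *
 * <p>Security note: when the request is impersonating and no impersonation handler is configured,
 * the impersonation itself is NOT checked; the request only gets a warning in the log and then
 * proceeds to the ACL check. Deployments that allow impersonation should configure an
 * impersonation authorizer and alert on that warning.
 *
 * @param containerRequestContext the request being filtered; aborted in place when access is denied
 */
@Override
public void filter(ContainerRequestContext containerRequestContext) {
    AuthNimbusOp annotation = resourceInfo.getResourceMethod().getAnnotation(AuthNimbusOp.class);
    if (annotation == null) {
        return;
    }
    String op = annotation.value();
    if (op == null) {
        return;
    }
    Map topoConf = null;
    if (annotation.needsTopoId()) {
        // NOTE(review): assumes every resource annotated with needsTopoId declares an "id" path
        // parameter. If it does not, this line throws; the request then fails rather than being
        // let through, but without a clean error response.
        final String topoId = containerRequestContext.getUriInfo().getPathParameters().get("id").get(0);
        try (NimbusClient nimbusClient = NimbusClient.getConfiguredClient(conf)) {
            topoConf = (Map) JSONValue.parse(nimbusClient.getClient().getTopologyConf(topoId));
        } catch (AuthorizationException ae) {
            LOG.error("Nimbus isn't allowing {} to access the topology conf of {}. {}", ReqContext.context(), topoId, ae.get_msg());
            containerRequestContext.abortWith(makeResponse(ae, containerRequestContext, 403));
            return;
        } catch (TException e) {
            LOG.error("Unable to fetch topo conf for {} due to ", topoId, e);
            containerRequestContext.abortWith(makeResponse(new IOException("Unable to fetch topo conf for topo id " + topoId, e), containerRequestContext, 500));
            return;
        }
    }
    ReqContext reqContext = ReqContext.context();
    if (reqContext.isImpersonating()) {
        if (uiImpersonationHandler == null) {
            // The "no authorizer configured" warning belongs to this branch. It used to sit after
            // a successful permit(), so it fired for properly authorized impersonation and never
            // for the unchecked case it describes. The principals are passed as objects so a null
            // principal is logged as "null" instead of throwing, and the config key is logged
            // rather than its value, which is presumably unset in this branch.
            LOG.warn(" principal {} is trying to impersonate {} but {} has no authorizer configured. "
                    + "This is a potential security hole. Please see SECURITY.MD to learn how to "
                    + "configure an impersonation authorizer.",
                reqContext.realPrincipal(), reqContext.principal(), DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER);
        } else if (!uiImpersonationHandler.permit(reqContext, op, topoConf)) {
            Principal realPrincipal = reqContext.realPrincipal();
            Principal principal = reqContext.principal();
            String user = principal != null ? principal.getName() : "unknown";
            String realUser = realPrincipal != null ? realPrincipal.getName() : "unknown";
            // Concatenating the address directly is null-safe; calling toString() on a missing
            // remote address would turn this denial into an unhandled exception.
            InetAddress remoteAddress = reqContext.remoteAddress();
            // Status stays 401 for existing clients, although 403 would arguably describe an
            // authenticated-but-not-permitted caller better.
            containerRequestContext.abortWith(makeResponse(
                new AuthorizationException("user '" + realUser + "' is not authorized to impersonate user '"
                    + user + "' from host '" + remoteAddress + "'. Please "
                    + "see SECURITY.MD to learn how to configure impersonation ACL."),
                containerRequestContext, 401));
            return;
        }
    }
    // NOTE(review): a null uiAclHandler means no ACL check is applied to the operation at all.
    if (uiAclHandler != null && !uiAclHandler.permit(reqContext, op, topoConf)) {
        Principal principal = reqContext.principal();
        String user = principal != null ? principal.getName() : "unknown";
        containerRequestContext.abortWith(makeResponse(new AuthorizationException("UI request '" + op + "' for '" + user + "' user is not authorized"), containerRequestContext, 403));
    }
}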
Also used : TException(org.apache.storm.thrift.TException) AuthorizationException(org.apache.storm.generated.AuthorizationException) NimbusClient(org.apache.storm.utils.NimbusClient) IOException(java.io.IOException) ReqContext(org.apache.storm.security.auth.ReqContext) AuthNimbusOp(org.apache.storm.daemon.ui.resources.AuthNimbusOp) Map(java.util.Map) InetAddress(java.net.InetAddress) Principal(java.security.Principal)
