Example 1 with WrappedAuthorizationException
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class Nimbus method submitTopologyWithOpts.
@Override
public void submitTopologyWithOpts(String topoName, String uploadedJarLocation, String jsonConf, StormTopology topology, SubmitOptions options) throws AlreadyAliveException, InvalidTopologyException, AuthorizationException, TException {
try {
submitTopologyWithOptsCalls.mark();
assertIsLeader();
assert (options != null);
validateTopologyName(topoName);
checkAuthorization(topoName, null, "submitTopology");
assertTopoActive(topoName, false);
@SuppressWarnings("unchecked") Map<String, Object> topoConf = (Map<String, Object>) JSONValue.parse(jsonConf);
try {
ConfigValidation.validateTopoConf(topoConf);
} catch (IllegalArgumentException ex) {
throw new WrappedInvalidTopologyException(ex.getMessage());
}
validator.validate(topoName, topoConf, topology);
if ((boolean) conf.getOrDefault(Config.DISABLE_SYMLINKS, false)) {
@SuppressWarnings("unchecked") Map<String, Object> blobMap = (Map<String, Object>) topoConf.get(Config.TOPOLOGY_BLOBSTORE_MAP);
if (blobMap != null && !blobMap.isEmpty()) {
throw new WrappedInvalidTopologyException("symlinks are disabled so blobs are not supported but " + Config.TOPOLOGY_BLOBSTORE_MAP + " = " + blobMap);
}
}
ServerUtils.validateTopologyWorkerMaxHeapSizeConfigs(topoConf, topology, ObjectReader.getDouble(conf.get(Config.TOPOLOGY_WORKER_MAX_HEAP_SIZE_MB)));
Utils.validateTopologyBlobStoreMap(topoConf, blobStore);
long uniqueNum = submittedCount.incrementAndGet();
String topoId = topoName + "-" + uniqueNum + "-" + Time.currentTimeSecs();
Map<String, String> creds = null;
if (options.is_set_creds()) {
creds = options.get_creds().get_creds();
}
topoConf.put(Config.STORM_ID, topoId);
topoConf.put(Config.TOPOLOGY_NAME, topoName);
topoConf = normalizeConf(conf, topoConf, topology);
OciUtils.adjustImageConfigForTopo(conf, topoConf, topoId);
ReqContext req = ReqContext.context();
Principal principal = req.principal();
String submitterPrincipal = principal == null ? null : principal.toString();
Set<String> topoAcl = new HashSet<>(ObjectReader.getStrings(topoConf.get(Config.TOPOLOGY_USERS)));
topoAcl.add(submitterPrincipal);
String submitterUser = principalToLocal.toLocal(principal);
topoAcl.add(submitterUser);
String topologyPrincipal = Utils.OR(submitterPrincipal, "");
topoConf.put(Config.TOPOLOGY_SUBMITTER_PRINCIPAL, topologyPrincipal);
String systemUser = System.getProperty("user.name");
String topologyOwner = Utils.OR(submitterUser, systemUser);
// Don't let the user set who we launch as
topoConf.put(Config.TOPOLOGY_SUBMITTER_USER, topologyOwner);
topoConf.put(Config.TOPOLOGY_USERS, new ArrayList<>(topoAcl));
topoConf.put(Config.STORM_ZOOKEEPER_SUPERACL, conf.get(Config.STORM_ZOOKEEPER_SUPERACL));
if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
topoConf.remove(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_SCHEME);
topoConf.remove(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
}
if (!(Boolean) conf.getOrDefault(DaemonConfig.STORM_TOPOLOGY_CLASSPATH_BEGINNING_ENABLED, false)) {
topoConf.remove(Config.TOPOLOGY_CLASSPATH_BEGINNING);
}
String topoVersionString = topology.get_storm_version();
if (topoVersionString == null) {
topoVersionString = (String) conf.getOrDefault(Config.SUPERVISOR_WORKER_DEFAULT_VERSION, VersionInfo.getVersion());
}
// Check if we can run a topology with that version of storm.
SimpleVersion topoVersion = new SimpleVersion(topoVersionString);
List<String> cp = Utils.getCompatibleVersion(supervisorClasspaths, topoVersion, "classpath", null);
if (cp == null) {
throw new WrappedInvalidTopologyException("Topology submitted with storm version " + topoVersionString + " but could not find a configured compatible version to use " + supervisorClasspaths.keySet());
}
Map<String, Object> otherConf = Utils.getConfigFromClasspath(cp, conf);
Map<String, Object> totalConfToSave = Utils.merge(otherConf, topoConf);
Map<String, Object> totalConf = Utils.merge(conf, totalConfToSave);
// When reading the conf in nimbus we want to fall back to our own settings
// if the other config does not have it set.
topology = normalizeTopology(totalConf, topology);
// we might need to set the number of acker executors and eventlogger executors to be the estimated number of workers.
if (ServerUtils.isRas(conf)) {
int estimatedNumWorker = ServerUtils.getEstimatedWorkerCountForRasTopo(totalConf, topology);
setUpAckerExecutorConfigs(topoName, totalConfToSave, totalConf, estimatedNumWorker);
ServerUtils.validateTopologyAckerBundleResource(totalConfToSave, topology, topoName);
int numEventLoggerExecs = ObjectReader.getInt(totalConf.get(Config.TOPOLOGY_EVENTLOGGER_EXECUTORS), estimatedNumWorker);
totalConfToSave.put(Config.TOPOLOGY_EVENTLOGGER_EXECUTORS, numEventLoggerExecs);
LOG.debug("Config {} set to: {} for topology: {}", Config.TOPOLOGY_EVENTLOGGER_EXECUTORS, numEventLoggerExecs, topoName);
}
// Remove any configs that are specific to a host that might mess with the running topology.
// Don't override the host name, or everything looks like it is on nimbus
totalConfToSave.remove(Config.STORM_LOCAL_HOSTNAME);
IStormClusterState state = stormClusterState;
if (creds == null && workerTokenManager != null) {
// Make sure we can store the worker tokens even if no creds are provided.
creds = new HashMap<>();
}
if (creds != null) {
Map<String, Object> finalConf = Collections.unmodifiableMap(topoConf);
for (INimbusCredentialPlugin autocred : nimbusAutocredPlugins) {
autocred.populateCredentials(creds, finalConf);
}
upsertWorkerTokensInCreds(creds, topologyPrincipal, topoId);
}
if (ObjectReader.getBoolean(conf.get(Config.SUPERVISOR_RUN_WORKER_AS_USER), false) && (submitterUser == null || submitterUser.isEmpty())) {
throw new WrappedAuthorizationException("Could not determine the user to run this topology as.");
}
// this validates the structure of the topology
StormCommon.systemTopology(totalConf, topology);
validateTopologySize(topoConf, conf, topology);
if (Utils.isZkAuthenticationConfiguredStormServer(conf) && !Utils.isZkAuthenticationConfiguredTopology(topoConf)) {
throw new IllegalArgumentException("The cluster is configured for zookeeper authentication, but no payload was provided.");
}
LOG.info("Received topology submission for {} (storm-{} JDK-{}) with conf {}", topoName, topoVersionString, topology.get_jdk_version(), ConfigUtils.maskPasswords(topoConf));
// cleanup thread killing topology in b/w assignment and starting the topology
synchronized (submitLock) {
assertTopoActive(topoName, false);
// cred-update-lock is not needed here because creds are being added for the first time.
if (creds != null) {
state.setCredentials(topoId, new Credentials(creds), topoConf);
}
LOG.info("uploadedJar {} for {}", uploadedJarLocation, topoName);
setupStormCode(conf, topoId, uploadedJarLocation, totalConfToSave, topology);
waitForDesiredCodeReplication(totalConf, topoId);
state.setupHeatbeats(topoId, topoConf);
state.setupErrors(topoId, topoConf);
if (ObjectReader.getBoolean(totalConf.get(Config.TOPOLOGY_BACKPRESSURE_ENABLE), false)) {
state.setupBackpressure(topoId, topoConf);
}
notifyTopologyActionListener(topoName, "submitTopology");
TopologyStatus status = null;
switch(options.get_initial_status()) {
case INACTIVE:
status = TopologyStatus.INACTIVE;
break;
case ACTIVE:
status = TopologyStatus.ACTIVE;
break;
default:
throw new IllegalArgumentException("Inital Status of " + options.get_initial_status() + " is not allowed.");
}
startTopology(topoName, topoId, status, topologyOwner, topologyPrincipal, totalConfToSave, topology);
}
} catch (Exception e) {
LOG.warn("Topology submission exception. (topology name='{}')", topoName, e);
if (e instanceof TException) {
throw (TException) e;
}
throw new RuntimeException(e);
}
}
Also used :
INimbusCredentialPlugin(org.apache.storm.security.INimbusCredentialPlugin)
TException(org.apache.storm.thrift.TException)
WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException)
ReqContext(org.apache.storm.security.auth.ReqContext)
WrappedInvalidTopologyException(org.apache.storm.utils.WrappedInvalidTopologyException)
SimpleVersion(org.apache.storm.utils.SimpleVersion)
IStormClusterState(org.apache.storm.cluster.IStormClusterState)
TopologyStatus(org.apache.storm.generated.TopologyStatus)
HashSet(java.util.HashSet)
WorkerMetricPoint(org.apache.storm.generated.WorkerMetricPoint)
DataPoint(org.apache.storm.metric.api.DataPoint)
WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException)
IOException(java.io.IOException)
IllegalStateException(org.apache.storm.generated.IllegalStateException)
AlreadyAliveException(org.apache.storm.generated.AlreadyAliveException)
WrappedNotAliveException(org.apache.storm.utils.WrappedNotAliveException)
WrappedInvalidTopologyException(org.apache.storm.utils.WrappedInvalidTopologyException)
AuthorizationException(org.apache.storm.generated.AuthorizationException)
NotAliveException(org.apache.storm.generated.NotAliveException)
WrappedAlreadyAliveException(org.apache.storm.utils.WrappedAlreadyAliveException)
InterruptedIOException(java.io.InterruptedIOException)
KeyAlreadyExistsException(org.apache.storm.generated.KeyAlreadyExistsException)
TException(org.apache.storm.thrift.TException)
WrappedIllegalStateException(org.apache.storm.utils.WrappedIllegalStateException)
KeyNotFoundException(org.apache.storm.generated.KeyNotFoundException)
InvalidTopologyException(org.apache.storm.generated.InvalidTopologyException)
BindException(java.net.BindException)
Map(java.util.Map)
NavigableMap(java.util.NavigableMap)
RotatingMap(org.apache.storm.utils.RotatingMap)
ImmutableMap(org.apache.storm.shade.com.google.common.collect.ImmutableMap)
TimeCacheMap(org.apache.storm.utils.TimeCacheMap)
HashMap(java.util.HashMap)
NimbusPrincipal(org.apache.storm.security.auth.NimbusPrincipal)
Principal(java.security.Principal)
Credentials(org.apache.storm.generated.Credentials)
Example 2 with WrappedAuthorizationException
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class Supervisor method checkAuthorization.
@VisibleForTesting
public void checkAuthorization(String topoName, Map<String, Object> topoConf, String operation, ReqContext context) throws AuthorizationException {
if (context == null) {
context = ReqContext.context();
}
Map<String, Object> checkConf = new HashMap<>();
if (topoConf != null) {
checkConf.putAll(topoConf);
} else if (topoName != null) {
checkConf.put(Config.TOPOLOGY_NAME, topoName);
}
if (context.isImpersonating()) {
LOG.info("principal: {} is trying to impersonate principal: {}", context.realPrincipal(), context.principal());
throw new WrappedAuthorizationException("Supervisor does not support impersonation");
}
IAuthorizer aclHandler = authorizationHandler;
if (aclHandler != null) {
if (!aclHandler.permit(context, operation, checkConf)) {
ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
throw new WrappedAuthorizationException(operation + (topoName != null ? " on topology " + topoName : "") + " is not authorized");
} else {
ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-granted");
}
}
}
Also used :
WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException)
HashMap(java.util.HashMap)
IAuthorizer(org.apache.storm.security.auth.IAuthorizer)
VisibleForTesting(org.apache.storm.shade.com.google.common.annotations.VisibleForTesting)
Example 3 with WrappedAuthorizationException
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class BlobStoreAclHandler method hasAnyPermissions.
/**
* Validates if the user has any of the permissions mentioned in the mask.
*
* @param acl ACL for the key.
* @param mask mask holds the cumulative value of READ = 1, WRITE = 2 or ADMIN = 4 permissions. mask = 1 implies READ privilege. mask =
* 5 implies READ and ADMIN privileges.
* @param who Is the user against whom the permissions are validated for a key using the ACL and the mask.
* @param key Key used to identify the blob.
*/
public void hasAnyPermissions(List<AccessControl> acl, int mask, Subject who, String key) throws AuthorizationException {
if (!doAclValidation) {
return;
}
Set<String> user = constructUserFromPrincipals(who);
LOG.debug("user {}", user);
if (checkForValidUsers(who, mask)) {
return;
}
for (AccessControl ac : acl) {
int allowed = getAllowed(ac, user);
LOG.debug(" user: {} allowed: {} key: {}", user, allowed, key);
if ((allowed & mask) > 0) {
return;
}
}
throw new WrappedAuthorizationException(user + " does not have access to " + key);
}
Also used :
WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException)
AccessControl(org.apache.storm.generated.AccessControl)
Example 4 with WrappedAuthorizationException
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class BlobStoreAclHandler method validateSettableACLs.
@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
public static void validateSettableACLs(String key, List<AccessControl> acls) throws AuthorizationException {
Set<String> aclUsers = new HashSet<>();
List<String> duplicateUsers = new ArrayList<>();
for (AccessControl acl : acls) {
String aclUser = acl.get_name();
if (!StringUtils.isEmpty(aclUser) && !aclUsers.add(aclUser)) {
LOG.error("'{}' user can't appear more than once in the ACLs", aclUser);
duplicateUsers.add(aclUser);
}
}
if (duplicateUsers.size() > 0) {
String errorMessage = "user " + Arrays.toString(duplicateUsers.toArray()) + " can't appear more than once in the ACLs for key [" + key + "].";
throw new WrappedAuthorizationException(errorMessage);
}
}
Also used :
WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException)
ArrayList(java.util.ArrayList)
AccessControl(org.apache.storm.generated.AccessControl)
HashSet(java.util.HashSet)
Example 5 with WrappedAuthorizationException
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class BlobStoreAclHandler method hasPermissions.
/**
* Validates if the user has at least the set of permissions mentioned in the mask.
*
* @param acl ACL for the key.
* @param mask mask holds the cumulative value of READ = 1, WRITE = 2 or ADMIN = 4 permissions. mask = 1 implies READ privilege. mask =
* 5 implies READ and ADMIN privileges.
* @param who Is the user against whom the permissions are validated for a key using the ACL and the mask.
* @param key Key used to identify the blob.
*/
public void hasPermissions(List<AccessControl> acl, int mask, Subject who, String key) throws AuthorizationException {
if (!doAclValidation) {
return;
}
Set<String> user = constructUserFromPrincipals(who);
LOG.debug("user {}", user);
if (checkForValidUsers(who, mask)) {
return;
}
for (AccessControl ac : acl) {
int allowed = getAllowed(ac, user);
mask = ~allowed & mask;
LOG.debug(" user: {} allowed: {} disallowed: {} key: {}", user, allowed, mask, key);
}
if (mask == 0) {
return;
}
throw new WrappedAuthorizationException(user + " does not have " + namedPerms(mask) + " access to " + key);
}
Also used :
WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException)
AccessControl(org.apache.storm.generated.AccessControl)
Aggregations
WrappedAuthorizationException (org.apache.storm.utils.WrappedAuthorizationException)8
HashMap (java.util.HashMap)4
AccessControl (org.apache.storm.generated.AccessControl)3
IOException (java.io.IOException)2
Principal (java.security.Principal)2
HashSet (java.util.HashSet)2
IAuthorizer (org.apache.storm.security.auth.IAuthorizer)2
VisibleForTesting (org.apache.storm.shade.com.google.common.annotations.VisibleForTesting)2
FileOutputStream (java.io.FileOutputStream)1
InterruptedIOException (java.io.InterruptedIOException)1
BindException (java.net.BindException)1
FileAlreadyExistsException (java.nio.file.FileAlreadyExistsException)1
Path (java.nio.file.Path)1
ArrayList (java.util.ArrayList)1
Map (java.util.Map)1
NavigableMap (java.util.NavigableMap)1
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1
IStormClusterState (org.apache.storm.cluster.IStormClusterState)1
AlreadyAliveException (org.apache.storm.generated.AlreadyAliveException)1
AuthorizationException (org.apache.storm.generated.AuthorizationException)1
