Examples with WrappedAuthorizationException org.apache.storm.utils.WrappedAuthorizationException used on opensource projects

Example 6 with WrappedAuthorizationException

use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.

the class Nimbus method checkAuthorization.

@VisibleForTesting
public void checkAuthorization(String topoName, Map<String, Object> topoConf, String operation, ReqContext context) throws AuthorizationException {
    IAuthorizer impersonationAuthorizer = impersonationAuthorizationHandler;
    if (context == null) {
        context = ReqContext.context();
    }
    Map<String, Object> checkConf = new HashMap<>();
    if (topoConf != null) {
        checkConf.putAll(topoConf);
    } else if (topoName != null) {
        checkConf.put(Config.TOPOLOGY_NAME, topoName);
    }
    if (context.isImpersonating()) {
        LOG.info("principal: {} is trying to impersonate principal: {}", context.realPrincipal(), context.principal());
        if (impersonationAuthorizer == null) {
            LOG.warn("impersonation attempt but {} has no authorizer configured. potential security risk, " + "please see SECURITY.MD to learn how to configure impersonation authorizer.", DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER);
        } else {
            if (!impersonationAuthorizer.permit(context, operation, checkConf)) {
                ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
                throw new WrappedAuthorizationException("principal " + context.realPrincipal() + " is not authorized to impersonate principal " + context.principal() + " from host " + context.remoteAddress() + " Please see SECURITY.MD to learn how to configure impersonation acls.");
            }
        }
    }
    IAuthorizer aclHandler = authorizationHandler;
    if (aclHandler != null) {
        if (!aclHandler.permit(context, operation, checkConf)) {
            ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
            throw new WrappedAuthorizationException(operation + (topoName != null ? " on topology " + topoName : "") + " is not authorized");
        } else {
            ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-granted");
        }
    }
}

Example 7 with WrappedAuthorizationException

use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.

the class DRPC method checkAuthorization.

private static void checkAuthorization(ReqContext reqContext, IAuthorizer auth, String operation, String function, boolean log) throws AuthorizationException {
    if (reqContext != null && log) {
        logAccess(reqContext, operation, function);
    }
    if (auth != null) {
        Map<String, Object> map = new HashMap<>();
        map.put(DRPCAuthorizerBase.FUNCTION_NAME, function);
        if (!auth.permit(reqContext, operation, map)) {
            Principal principal = reqContext.principal();
            String user = (principal != null) ? principal.getName() : "unknown";
            throw new WrappedAuthorizationException("DRPC request '" + operation + "' for '" + user + "' user is not authorized");
        }
    }
}

Example 8 with WrappedAuthorizationException

use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.

the class LocalizedResource method fetchUnzipToTemp.

@Override
public long fetchUnzipToTemp(ClientBlobStore store) throws IOException, KeyNotFoundException, AuthorizationException {
    String key = getKey();
    ReadableBlobMeta meta = store.getBlobMeta(key);
    if (!ServerUtils.canUserReadBlob(meta, user, conf)) {
        throw new WrappedAuthorizationException(user + " does not have READ access to " + key);
    }
    DownloadMeta downloadMeta = fetch(store, key, v -> {
        Path path = shouldUncompress ? tmpOutputLocation() : constructBlobWithVersionFileName(baseDir, getKey(), v);
        // we need to download to temp file and then unpack into the one requested
        Path parent = path.getParent();
        if (!Files.exists(parent)) {
            // There is a race here that we can still lose
            try {
                Files.createDirectories(parent);
            } catch (FileAlreadyExistsException e) {
            // Ignored
            } catch (IOException e) {
                LOG.error("Failed to create parent directory {}", parent, e);
                throw e;
            }
        }
        return path;
    }, FileOutputStream::new);
    Path finalLocation = downloadMeta.getDownloadPath();
    if (shouldUncompress) {
        Path downloadFile = finalLocation;
        finalLocation = constructBlobWithVersionFileName(baseDir, getKey(), downloadMeta.getVersion());
        ServerUtils.unpack(downloadFile.toFile(), finalLocation.toFile(), symLinksDisabled);
        LOG.debug("Uncompressed {} to: {}", downloadFile, finalLocation);
    }
    setBlobPermissions(conf, user, finalLocation);
    return downloadMeta.getVersion();
}