use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class Nimbus method checkAuthorization.
/**
 * Authorizes {@code operation} for the caller described by {@code context} and throws when a
 * configured authorizer refuses it.
 *
 * <p>Two checks run in order: the impersonation check (only when the context reports
 * impersonation), then the general ACL check. Both receive the same configuration map, which is
 * a copy of {@code topoConf} when that is given and otherwise holds only the topology name.
 *
 * <p>Points a security reviewer should keep in mind:
 * <ul>
 *   <li>An impersonating request is not rejected when no impersonation authorizer is configured;
 *       a warning is logged and processing continues to the ACL check.</li>
 *   <li>When no ACL authorizer is configured, nothing is checked and no access-log entry is
 *       written by this method.</li>
 *   <li>A permitted impersonation produces no access-log entry of its own; only its denial and
 *       the outcome of the ACL check are logged.</li>
 * </ul>
 *
 * @param topoName  topology name, may be {@code null}; used for logging, for the denial message
 *                  and as the only config entry when {@code topoConf} is {@code null}
 * @param topoConf  topology configuration handed to the authorizers, may be {@code null}
 * @param operation name of the operation being requested
 * @param context   request context; when {@code null} the result of {@code ReqContext.context()}
 *                  is used instead
 * @throws AuthorizationException (as {@code WrappedAuthorizationException}) when the impersonation
 *                                authorizer or the ACL authorizer denies the request
 */
@VisibleForTesting
public void checkAuthorization(String topoName, Map<String, Object> topoConf, String operation, ReqContext context)
    throws AuthorizationException {
    // Copy the handler field to a local so the null test and the call use the same reference.
    final IAuthorizer impersonationAuthorizer = impersonationAuthorizationHandler;
    final ReqContext ctx = (context != null) ? context : ReqContext.context();

    // The authorizers get a private copy, never the caller's map.
    final Map<String, Object> checkConf = new HashMap<>();
    if (topoConf == null) {
        if (topoName != null) {
            checkConf.put(Config.TOPOLOGY_NAME, topoName);
        }
    } else {
        checkConf.putAll(topoConf);
    }

    if (ctx.isImpersonating()) {
        LOG.info("principal: {} is trying to impersonate principal: {}", ctx.realPrincipal(), ctx.principal());
        if (impersonationAuthorizer == null) {
            // Fail-open branch: the request is only flagged in the log, not refused.
            LOG.warn("impersonation attempt but {} has no authorizer configured. potential security risk, "
                    + "please see SECURITY.MD to learn how to configure impersonation authorizer.",
                DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER);
        } else if (!impersonationAuthorizer.permit(ctx, operation, checkConf)) {
            ThriftAccessLogger.logAccess(ctx.requestID(), ctx.remoteAddress(), ctx.principal(), operation,
                topoName, "access-denied");
            // NOTE(review): the message carries both principals and the remote address; confirm
            // how much of it is returned to the remote caller.
            throw new WrappedAuthorizationException("principal " + ctx.realPrincipal()
                + " is not authorized to impersonate principal " + ctx.principal()
                + " from host " + ctx.remoteAddress()
                + " Please see SECURITY.MD to learn how to configure impersonation acls.");
        }
    }

    final IAuthorizer aclHandler = authorizationHandler;
    if (aclHandler == null) {
        return;
    }

    final boolean permitted = aclHandler.permit(ctx, operation, checkConf);
    // The decision is logged before the denial is raised, so refused requests are recorded too.
    ThriftAccessLogger.logAccess(ctx.requestID(), ctx.remoteAddress(), ctx.principal(), operation, topoName,
        permitted ? "access-granted" : "access-denied");
    if (!permitted) {
        final String target = (topoName != null) ? " on topology " + topoName : "";
        throw new WrappedAuthorizationException(operation + target + " is not authorized");
    }
}
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class DRPC method checkAuthorization.
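/**
 * Optionally records a DRPC access and then enforces the supplied authorizer.
 *
 * <p>The access is logged before the authorization decision is taken, so the log entry does not
 * say whether the request was allowed. When {@code auth} is {@code null}, no permission check is
 * performed at all and the request is accepted.
 *
 * @param reqContext request context of the caller; may be {@code null}, in which case nothing is
 *                   logged and a denial reports the user as {@code "unknown"}
 * @param auth       authorizer to consult, or {@code null} to skip authorization
 * @param operation  name of the DRPC operation being requested
 * @param function   DRPC function name, passed to the authorizer under
 *                   {@code DRPCAuthorizerBase.FUNCTION_NAME}
 * @param log        whether to record the access when a request context is available
 * @throws AuthorizationException (as {@code WrappedAuthorizationException}) when {@code auth}
 *                                does not permit the operation
 */
private static void checkAuthorization(ReqContext reqContext, IAuthorizer auth, String operation, String function, boolean log) throws AuthorizationException {
    if (reqContext != null && log) {
        logAccess(reqContext, operation, function);
    }
    if (auth == null) {
        // No authorizer configured: the request proceeds without a permission check.
        return;
    }
    Map<String, Object> map = new HashMap<>();
    map.put(DRPCAuthorizerBase.FUNCTION_NAME, function);
    if (!auth.permit(reqContext, operation, map)) {
        // The method tolerates a null reqContext in the logging step above, so the denial path
        // must tolerate it too. Otherwise a refused request fails with a
        // NullPointerException instead of the AuthorizationException callers expect.
        Principal principal = (reqContext != null) ? reqContext.principal() : null;
        String user = (principal != null) ? principal.getName() : "unknown";
        throw new WrappedAuthorizationException("DRPC request '" + operation + "' for '" + user + "' user is not authorized");
    }
}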
use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.
the class LocalizedResource method fetchUnzipToTemp.
/**
 * Downloads this resource's blob, unpacking it when the resource is marked for uncompression,
 * and returns the version that was fetched.
 *
 * <p>Read access for {@code user} is verified against the blob's metadata before anything is
 * downloaded. After the download (and optional unpack) {@code setBlobPermissions} is applied to
 * the final location.
 *
 * <p>NOTE(review): the access check uses metadata read before the fetch; whether the store
 * re-checks access during the fetch is not visible here. How {@code ServerUtils.unpack} treats
 * entry paths inside the archive is not visible here either; this method only passes through
 * {@code symLinksDisabled}.
 *
 * @param store blob store client to read the metadata and the blob from
 * @return the version reported by the download
 * @throws IOException            when the parent directory cannot be created or the download or
 *                                unpack step fails
 * @throws KeyNotFoundException   declared by the original signature; raised by the store calls
 *                                (presumably for an unknown key, confirm against the store)
 * @throws AuthorizationException (as {@code WrappedAuthorizationException}) when {@code user}
 *                                lacks READ access to the blob
 */
@Override
public long fetchUnzipToTemp(ClientBlobStore store) throws IOException, KeyNotFoundException, AuthorizationException {
    final String blobKey = getKey();
    final ReadableBlobMeta blobMeta = store.getBlobMeta(blobKey);
    final boolean readable = ServerUtils.canUserReadBlob(blobMeta, user, conf);
    if (!readable) {
        throw new WrappedAuthorizationException(user + " does not have READ access to " + blobKey);
    }

    final DownloadMeta fetched = fetch(store, blobKey, version -> {
        // Archives are downloaded to a temp file first and unpacked into the requested location
        // afterwards; plain blobs go straight to their versioned file name.
        Path target;
        if (shouldUncompress) {
            target = tmpOutputLocation();
        } else {
            target = constructBlobWithVersionFileName(baseDir, getKey(), version);
        }
        final Path parentDir = target.getParent();
        if (!Files.exists(parentDir)) {
            // Another thread or process may create the directory between the check and the call.
            try {
                Files.createDirectories(parentDir);
            } catch (FileAlreadyExistsException ignored) {
                // Losing that race is harmless, so this case is deliberately ignored.
            } catch (IOException e) {
                LOG.error("Failed to create parent directory {}", parentDir, e);
                throw e;
            }
        }
        return target;
    }, FileOutputStream::new);

    final Path downloaded = fetched.getDownloadPath();
    final Path finalLocation;
    if (shouldUncompress) {
        finalLocation = constructBlobWithVersionFileName(baseDir, getKey(), fetched.getVersion());
        ServerUtils.unpack(downloaded.toFile(), finalLocation.toFile(), symLinksDisabled);
        LOG.debug("Uncompressed {} to: {}", downloaded, finalLocation);
    } else {
        finalLocation = downloaded;
    }

    // Permissions are set on whatever ends up being served: the unpacked tree or the plain file.
    setBlobPermissions(conf, user, finalLocation);
    return fetched.getVersion();
}