Example 6 with WrappedAuthorizationException

Use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.

The class Nimbus, method checkAuthorization.

@VisibleForTesting
public void checkAuthorization(String topoName, Map<String, Object> topoConf, String operation, ReqContext context) throws AuthorizationException {
    IAuthorizer impersonationAuthorizer = impersonationAuthorizationHandler;
    if (context == null) {
        context = ReqContext.context();
    }
    // The authorizer receives the full topology config when it is available,
    // otherwise only the topology name.
    Map<String, Object> checkConf = new HashMap<>();
    if (topoConf != null) {
        checkConf.putAll(topoConf);
    } else if (topoName != null) {
        checkConf.put(Config.TOPOLOGY_NAME, topoName);
    }
    if (context.isImpersonating()) {
        // Impersonation is checked first: the real (authenticated) principal must be
        // permitted to act as the requested principal. With no impersonation authorizer
        // configured the attempt is only logged as a warning and the request proceeds
        // to the regular ACL check below.
        LOG.info("principal: {} is trying to impersonate principal: {}", context.realPrincipal(), context.principal());
        if (impersonationAuthorizer == null) {
            LOG.warn("impersonation attempt but {} has no authorizer configured. potential security risk, "
                     + "please see SECURITY.MD to learn how to configure impersonation authorizer.", DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER);
        } else {
            if (!impersonationAuthorizer.permit(context, operation, checkConf)) {
                ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
                throw new WrappedAuthorizationException("principal " + context.realPrincipal() + " is not authorized to impersonate principal "
                                                        + context.principal() + " from host " + context.remoteAddress()
                                                        + " Please see SECURITY.MD to learn how to configure impersonation acls.");
            }
        }
    }
    // Regular ACL check for the operation; both outcomes are recorded in the Thrift access log.
    IAuthorizer aclHandler = authorizationHandler;
    if (aclHandler != null) {
        if (!aclHandler.permit(context, operation, checkConf)) {
            ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
            throw new WrappedAuthorizationException(operation + (topoName != null ? " on topology " + topoName : "") + " is not authorized");
        } else {
            ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-granted");
        }
    }
}
Also used: WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException) HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) VisibleForTesting(org.apache.storm.shade.com.google.common.annotations.VisibleForTesting)

Example 7 with WrappedAuthorizationException

Use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.

The class DRPC, method checkAuthorization.

private static void checkAuthorization(ReqContext reqContext, IAuthorizer auth, String operation, String function, boolean log) throws AuthorizationException {
    if (reqContext != null && log) {
        logAccess(reqContext, operation, function);
    }
    // With no authorizer configured every DRPC request is allowed.
    if (auth != null) {
        // The DRPC authorizer decides per function name rather than per topology.
        Map<String, Object> map = new HashMap<>();
        map.put(DRPCAuthorizerBase.FUNCTION_NAME, function);
        if (!auth.permit(reqContext, operation, map)) {
            Principal principal = reqContext.principal();
            String user = (principal != null) ? principal.getName() : "unknown";
            throw new WrappedAuthorizationException("DRPC request '" + operation + "' for '" + user + "' user is not authorized");
        }
    }
}
Also used: WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException) HashMap(java.util.HashMap) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Principal(java.security.Principal)

Example 8 with WrappedAuthorizationException

Use of org.apache.storm.utils.WrappedAuthorizationException in project storm by apache.

The class LocalizedResource, method fetchUnzipToTemp.

@Override
public long fetchUnzipToTemp(ClientBlobStore store) throws IOException, KeyNotFoundException, AuthorizationException {
    String key = getKey();
    ReadableBlobMeta meta = store.getBlobMeta(key);
    // Check the blob's ACL against the requesting user before any bytes are downloaded.
    if (!ServerUtils.canUserReadBlob(meta, user, conf)) {
        throw new WrappedAuthorizationException(user + " does not have READ access to " + key);
    }
    DownloadMeta downloadMeta = fetch(store, key, v -> {
        Path path = shouldUncompress ? tmpOutputLocation() : constructBlobWithVersionFileName(baseDir, getKey(), v);
        // we need to download to temp file and then unpack into the one requested
        Path parent = path.getParent();
        if (!Files.exists(parent)) {
            // There is a race here that we can still lose
            try {
                Files.createDirectories(parent);
            } catch (FileAlreadyExistsException e) {
                // Ignored
            } catch (IOException e) {
                LOG.error("Failed to create parent directory {}", parent, e);
                throw e;
            }
        }
        return path;
    }, FileOutputStream::new);
    Path finalLocation = downloadMeta.getDownloadPath();
    if (shouldUncompress) {
        // Unpack the temp download into the versioned location; symlink handling
        // inside the archive is governed by symLinksDisabled.
        Path downloadFile = finalLocation;
        finalLocation = constructBlobWithVersionFileName(baseDir, getKey(), downloadMeta.getVersion());
        ServerUtils.unpack(downloadFile.toFile(), finalLocation.toFile(), symLinksDisabled);
        LOG.debug("Uncompressed {} to: {}", downloadFile, finalLocation);
    }
    // Apply file permissions for the requesting user to the localized blob.
    setBlobPermissions(conf, user, finalLocation);
    return downloadMeta.getVersion();
}
Also used: Path(java.nio.file.Path) WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException) FileAlreadyExistsException(java.nio.file.FileAlreadyExistsException) FileOutputStream(java.io.FileOutputStream) ReadableBlobMeta(org.apache.storm.generated.ReadableBlobMeta) IOException(java.io.IOException)
