use of org.zalando.nakadi.exceptions.runtime.AccessDeniedException in project nakadi by zalando.
the class EventStreamController method streamEvents.
@RequestMapping(value = "/event-types/{name}/events", method = RequestMethod.GET)
public StreamingResponseBody streamEvents(@PathVariable("name") final String eventTypeName, @Nullable @RequestParam(value = "batch_limit", required = false) final Integer batchLimit, @Nullable @RequestParam(value = "stream_limit", required = false) final Integer streamLimit, @Nullable @RequestParam(value = "batch_flush_timeout", required = false) final Integer batchTimeout, @Nullable @RequestParam(value = "stream_timeout", required = false) final Integer streamTimeout, @Nullable @RequestParam(value = "stream_keep_alive_limit", required = false) final Integer streamKeepAliveLimit, @Nullable @RequestHeader(name = "X-nakadi-cursors", required = false) final String cursorsStr, final HttpServletRequest request, final HttpServletResponse response, final Client client) {
final String flowId = FlowIdUtils.peek();
return outputStream -> {
FlowIdUtils.push(flowId);
if (blacklistService.isConsumptionBlocked(eventTypeName, client.getClientId())) {
writeProblemResponse(response, outputStream, Problem.valueOf(Response.Status.FORBIDDEN, "Application or event type is blocked"));
return;
}
final AtomicBoolean connectionReady = closedConnectionsCrutch.listenForConnectionClose(request);
Counter consumerCounter = null;
EventStream eventStream = null;
List<ConnectionSlot> connectionSlots = ImmutableList.of();
final AtomicBoolean needCheckAuthorization = new AtomicBoolean(false);
LOG.info("[X-NAKADI-CURSORS] \"{}\" {}", eventTypeName, Optional.ofNullable(cursorsStr).orElse("-"));
try (Closeable ignore = eventTypeChangeListener.registerListener(et -> needCheckAuthorization.set(true), Collections.singletonList(eventTypeName))) {
final EventType eventType = eventTypeRepository.findByName(eventTypeName);
authorizeStreamRead(eventTypeName);
// validate parameters
final EventStreamConfig streamConfig = EventStreamConfig.builder().withBatchLimit(batchLimit).withStreamLimit(streamLimit).withBatchTimeout(batchTimeout).withStreamTimeout(streamTimeout).withStreamKeepAliveLimit(streamKeepAliveLimit).withEtName(eventTypeName).withConsumingClient(client).withCursors(getStreamingStart(eventType, cursorsStr)).withMaxMemoryUsageBytes(maxMemoryUsageBytes).build();
// acquire connection slots to limit the number of simultaneous connections from one client
if (featureToggleService.isFeatureEnabled(LIMIT_CONSUMERS_NUMBER)) {
final List<String> partitions = streamConfig.getCursors().stream().map(NakadiCursor::getPartition).collect(Collectors.toList());
connectionSlots = consumerLimitingService.acquireConnectionSlots(client.getClientId(), eventTypeName, partitions);
}
consumerCounter = metricRegistry.counter(metricNameFor(eventTypeName, CONSUMERS_COUNT_METRIC_NAME));
consumerCounter.inc();
final String kafkaQuotaClientId = getKafkaQuotaClientId(eventTypeName, client);
response.setStatus(HttpStatus.OK.value());
response.setHeader("Warning", "299 - nakadi - the Low-level API is deprecated and will " + "be removed from a future release. Please consider migrating to the Subscriptions API.");
response.setContentType("application/x-json-stream");
final EventConsumer eventConsumer = timelineService.createEventConsumer(kafkaQuotaClientId, streamConfig.getCursors());
final String bytesFlushedMetricName = MetricUtils.metricNameForLoLAStream(client.getClientId(), eventTypeName);
final Meter bytesFlushedMeter = this.streamMetrics.meter(bytesFlushedMetricName);
eventStream = eventStreamFactory.createEventStream(outputStream, eventConsumer, streamConfig, bytesFlushedMeter);
// Flush status code to client
outputStream.flush();
eventStream.streamEvents(connectionReady, () -> {
if (needCheckAuthorization.getAndSet(false)) {
authorizeStreamRead(eventTypeName);
}
});
} catch (final UnparseableCursorException e) {
LOG.debug("Incorrect syntax of X-nakadi-cursors header: {}. Respond with BAD_REQUEST.", e.getCursors(), e);
writeProblemResponse(response, outputStream, BAD_REQUEST, e.getMessage());
} catch (final NoSuchEventTypeException e) {
writeProblemResponse(response, outputStream, NOT_FOUND, "topic not found");
} catch (final NoConnectionSlotsException e) {
LOG.debug("Connection creation failed due to exceeding max connection count");
writeProblemResponse(response, outputStream, e.asProblem());
} catch (final NakadiException e) {
LOG.error("Error while trying to stream events.", e);
writeProblemResponse(response, outputStream, e.asProblem());
} catch (final InvalidCursorException e) {
writeProblemResponse(response, outputStream, PRECONDITION_FAILED, e.getMessage());
} catch (final AccessDeniedException e) {
writeProblemResponse(response, outputStream, FORBIDDEN, e.explain());
} catch (final Exception e) {
LOG.error("Error while trying to stream events. Respond with INTERNAL_SERVER_ERROR.", e);
writeProblemResponse(response, outputStream, INTERNAL_SERVER_ERROR, e.getMessage());
} finally {
connectionReady.set(false);
consumerLimitingService.releaseConnectionSlots(connectionSlots);
if (consumerCounter != null) {
consumerCounter.dec();
}
if (eventStream != null) {
eventStream.close();
}
try {
outputStream.flush();
} finally {
outputStream.close();
}
}
};
}
use of org.zalando.nakadi.exceptions.runtime.AccessDeniedException in project nakadi by zalando.
the class EventTypeAuthorizationTest method whenPUTNotAuthorizedThen403.
@Test
public void whenPUTNotAuthorizedThen403() throws Exception {
final EventType eventType = EventTypeTestBuilder.builder().build();
final Resource resource = new EventTypeResource(eventType.getName(), eventType.getAuthorization());
doReturn(eventType).when(eventTypeRepository).findByName(any());
doThrow(new AccessDeniedException(AuthorizationService.Operation.ADMIN, resource)).when(authorizationValidator).authorizeEventTypeAdmin(eventType);
putEventType(eventType, eventType.getName()).andExpect(status().isForbidden()).andExpect(content().string(matchesProblem(Problem.valueOf(Response.Status.FORBIDDEN, "Access on ADMIN event-type:" + eventType.getName() + " denied"))));
}
use of org.zalando.nakadi.exceptions.runtime.AccessDeniedException in project nakadi by zalando.
the class TimelineService method createTimeline.
public void createTimeline(final String eventTypeName, final String storageId) throws AccessDeniedException, TimelineException, TopicRepositoryException, InconsistentStateException, RepositoryProblemException, DbWriteOperationsBlockedException {
if (featureToggleService.isFeatureEnabled(FeatureToggleService.Feature.DISABLE_DB_WRITE_OPERATIONS)) {
throw new DbWriteOperationsBlockedException("Cannot create timeline: write operations on DB " + "are blocked by feature flag.");
}
try {
final EventType eventType = eventTypeCache.getEventType(eventTypeName);
if (!adminService.isAdmin(AuthorizationService.Operation.WRITE)) {
final Resource resource = new EventTypeResource(eventTypeName, eventType.getAuthorization());
throw new AccessDeniedException(AuthorizationService.Operation.ADMIN, resource);
}
final Storage storage = storageDbRepository.getStorage(storageId).orElseThrow(() -> new UnableProcessException("No storage with id: " + storageId));
final Timeline activeTimeline = getActiveTimeline(eventType);
final TopicRepository currentTopicRepo = topicRepositoryHolder.getTopicRepository(activeTimeline.getStorage());
final TopicRepository nextTopicRepo = topicRepositoryHolder.getTopicRepository(storage);
final List<PartitionStatistics> partitionStatistics = currentTopicRepo.loadTopicStatistics(Collections.singleton(activeTimeline));
final String newTopic = nextTopicRepo.createTopic(partitionStatistics.size(), eventType.getOptions().getRetentionTime());
final Timeline nextTimeline = Timeline.createTimeline(activeTimeline.getEventType(), activeTimeline.getOrder() + 1, storage, newTopic, new Date());
switchTimelines(activeTimeline, nextTimeline);
} catch (final TopicCreationException | ServiceUnavailableException | InternalNakadiException e) {
throw new TimelineException("Internal service error", e);
} catch (final NoSuchEventTypeException e) {
throw new NotFoundException("EventType \"" + eventTypeName + "\" does not exist", e);
}
}
use of org.zalando.nakadi.exceptions.runtime.AccessDeniedException in project nakadi by zalando.
the class EventTypeService method delete.
public void delete(final String eventTypeName) throws EventTypeDeletionException, AccessDeniedException, NoEventTypeException, ConflictException, ServiceTemporarilyUnavailableException, DbWriteOperationsBlockedException {
if (featureToggleService.isFeatureEnabled(FeatureToggleService.Feature.DISABLE_DB_WRITE_OPERATIONS)) {
throw new DbWriteOperationsBlockedException("Cannot delete event type: write operations on DB " + "are blocked by feature flag.");
}
Closeable deletionCloser = null;
final EventType eventType;
Multimap<TopicRepository, String> topicsToDelete = null;
try {
deletionCloser = timelineSync.workWithEventType(eventTypeName, nakadiSettings.getTimelineWaitTimeoutMs());
final Optional<EventType> eventTypeOpt = eventTypeRepository.findByNameO(eventTypeName);
if (!eventTypeOpt.isPresent()) {
throw new NoEventTypeException("EventType \"" + eventTypeName + "\" does not exist.");
}
eventType = eventTypeOpt.get();
authorizationValidator.authorizeEventTypeAdmin(eventType);
final List<Subscription> subscriptions = subscriptionRepository.listSubscriptions(ImmutableSet.of(eventTypeName), Optional.empty(), 0, 1);
if (!subscriptions.isEmpty()) {
throw new ConflictException("Can't remove event type " + eventTypeName + ", as it has subscriptions");
}
topicsToDelete = transactionTemplate.execute(action -> deleteEventType(eventTypeName));
} catch (final InterruptedException e) {
Thread.currentThread().interrupt();
LOG.error("Failed to wait for timeline switch", e);
throw new EventTypeUnavailableException("Event type " + eventTypeName + " is currently in maintenance, please repeat request");
} catch (final TimeoutException e) {
LOG.error("Failed to wait for timeline switch", e);
throw new EventTypeUnavailableException("Event type " + eventTypeName + " is currently in maintenance, please repeat request");
} catch (final NakadiException e) {
LOG.error("Error deleting event type " + eventTypeName, e);
throw new EventTypeDeletionException("Failed to delete event type " + eventTypeName);
} finally {
try {
if (deletionCloser != null) {
deletionCloser.close();
}
} catch (final IOException e) {
LOG.error("Exception occurred when releasing usage of event-type", e);
}
}
if (topicsToDelete != null) {
for (final TopicRepository topicRepository : topicsToDelete.keySet()) {
for (final String topic : topicsToDelete.get(topicRepository)) {
try {
topicRepository.deleteTopic(topic);
} catch (TopicDeletionException e) {
// If a timeline was marked as deleted, then the topic does not exist, and we should proceed.
LOG.info("Could not delete topic " + topic, e);
}
}
}
}
nakadiKpiPublisher.publish(etLogEventType, () -> new JSONObject().put("event_type", eventTypeName).put("status", "deleted").put("category", eventType.getCategory()).put("authz", identifyAuthzState(eventType)).put("compatibility_mode", eventType.getCompatibilityMode()));
}
Aggregations