/**
 * Creates the namespace admin and stores its collaborators.
 *
 * <p>Besides plain field assignment, the constructor builds the loading cache for
 * {@link NamespaceMeta} and resolves the master short user name from {@code cConf} once.
 *
 * @param nsStore store holding namespace metadata
 * @param store application store
 * @param dsFramework dataset framework
 * @param resourceDeleter provider of the namespace resource deleter
 * @param storageProviderNamespaceAdmin provider of the storage-provider namespace admin
 * @param cConf configuration the master user is resolved from
 * @param impersonator impersonation helper
 * @param authorizationEnforcer enforcer used for privilege checks
 * @param authenticationContext source of the calling principal
 */
@Inject
DefaultNamespaceAdmin(NamespaceStore nsStore, Store store, DatasetFramework dsFramework,
                      Provider<NamespaceResourceDeleter> resourceDeleter,
                      Provider<StorageProviderNamespaceAdmin> storageProviderNamespaceAdmin,
                      CConfiguration cConf, Impersonator impersonator,
                      AuthorizationEnforcer authorizationEnforcer,
                      AuthenticationContext authenticationContext) {
  // Storage-side collaborators.
  this.nsStore = nsStore;
  this.store = store;
  this.dsFramework = dsFramework;
  this.resourceDeleter = resourceDeleter;
  this.storageProviderNamespaceAdmin = storageProviderNamespaceAdmin;

  // Security-side collaborators.
  this.impersonator = impersonator;
  this.authorizationEnforcer = authorizationEnforcer;
  this.authenticationContext = authenticationContext;

  // Cache misses are served by fetchNamespaceMeta.
  CacheLoader<NamespaceId, NamespaceMeta> metaLoader = new CacheLoader<NamespaceId, NamespaceMeta>() {
    @Override
    public NamespaceMeta load(NamespaceId namespaceId) throws Exception {
      return fetchNamespaceMeta(namespaceId);
    }
  };
  // No size bound or expiry is configured on the builder here, so an entry stays until it is
  // invalidated explicitly.
  // NOTE(review): confirm that namespace updates and deletes invalidate the entry; otherwise
  // stale metadata would keep being served to later checks.
  this.namespaceMetaCache = CacheBuilder.newBuilder().build(metaLoader);

  // Resolved once at construction; later configuration changes are not picked up by this field.
  this.masterShortUserName = AuthorizationUtil.getEffectiveMasterUser(cConf);
}
/**
 * Filters a list of {@link ArtifactSummary} through {@code AuthorizationUtil.isVisible} for the
 * current principal.
 *
 * @param artifacts the {@code List<ArtifactSummary>} to filter
 * @param namespace namespace the artifact ids are built in
 * @return the filtered list of {@link ArtifactSummary}
 * @throws Exception propagated from the visibility check
 */
private List<ArtifactSummary> filterAuthorizedArtifacts(List<ArtifactSummary> artifacts,
                                                        final NamespaceId namespace) throws Exception {
  // Maps each summary to the entity id the enforcer is asked about.
  Function<ArtifactSummary, EntityId> toArtifactId = new Function<ArtifactSummary, EntityId>() {
    @Override
    public EntityId apply(ArtifactSummary input) {
      return namespace.artifact(input.getName(), input.getVersion());
    }
  };

  // Matches SYSTEM-scoped artifacts.
  // NOTE(review): presumably entries matching this predicate are returned without a privilege
  // check; confirm against AuthorizationUtil.isVisible. The scope is read from the summary
  // itself, so this relies on the summaries coming from a trusted store; verify at the call site.
  Predicate<ArtifactSummary> isSystemScoped = new Predicate<ArtifactSummary>() {
    @Override
    public boolean apply(ArtifactSummary input) {
      return ArtifactScope.SYSTEM.equals(input.getScope());
    }
  };

  return AuthorizationUtil.isVisible(artifacts, authorizationEnforcer, authenticationContext.getPrincipal(),
                                     toArtifactId, isSystemScoped);
}
}
/**
 * Lists the schedules of the given workflow that match the given predicate.
 *
 * <p>The access check is made once, on the workflow, before any schedule is read; the predicate
 * only narrows the result and is not an authorization filter.
 *
 * @param workflowId the workflow to get schedules for
 * @param predicate return schedules that match this predicate
 * @return schedules for the given program that match the given predicate
 * @throws UnauthorizedException if the principal is not authorized to access the application
 * @throws Exception if any other errors occurred while performing the authorization enforcement check
 */
public Collection<ProgramScheduleRecord> list(WorkflowId workflowId,
                                              Predicate<ProgramScheduleRecord> predicate) throws Exception {
  // Enforce before touching the scheduler so an unauthorized caller learns nothing about schedules.
  AuthorizationUtil.ensureAccess(workflowId, authorizationEnforcer, authenticationContext.getPrincipal());

  return scheduler.listScheduleRecords(workflowId)
    .stream()
    .filter(predicate)
    .collect(Collectors.toList());
}
/**
 * Returns the {@link ProgramSpecification} for the specified {@link ProgramId program}, after a
 * privilege check for the current principal.
 *
 * @param programId the {@link ProgramId program} for which the {@link ProgramSpecification} is requested
 * @return the {@link ProgramSpecification} for the specified {@link ProgramId program}; may be {@code null}
 * @throws Exception propagated from the privilege check or from the specification lookup
 */
@Nullable
public ProgramSpecification getProgramSpecification(ProgramId programId) throws Exception {
  // Every Action is offered to the check. By its name, ensureOnePrivilege is satisfied by any
  // single one of them; confirm in AuthorizationUtil.
  EnumSet<Action> anyAction = EnumSet.allOf(Action.class);
  AuthorizationUtil.ensureOnePrivilege(programId, anyAction, authorizationEnforcer,
                                       authenticationContext.getPrincipal());

  // Only reached when the check above did not throw.
  return getProgramSpecificationWithoutAuthz(programId);
}
/**
 * Creates the streams declared in the application specification of the given deployable, then
 * emits the deployable unchanged to the next stage.
 *
 * @param input An instance of {@link ApplicationDeployable}
 * @throws Exception propagated from resolving the authorizing user or from stream creation
 */
@Override
public void process(ApplicationDeployable input) throws Exception {
  // Gather what stream creation needs from the deployable.
  ApplicationSpecification appSpec = input.getSpecification();
  NamespaceId targetNamespace = input.getApplicationId().getParent();
  KerberosPrincipalId owner = input.getOwnerPrincipal();

  // Resolve the user passed to stream creation as the authorizing user.
  // NOTE(review): presumably this is either the application owner or the requesting user;
  // confirm in AuthorizationUtil.getAppAuthorizingUser.
  String authorizingUser = AuthorizationUtil.getAppAuthorizingUser(ownerAdmin, authenticationContext,
                                                                   input.getApplicationId(), owner);

  streamCreator.createStreams(targetNamespace, appSpec.getStreams().values(), owner, authorizingUser);

  // Hand the unchanged input to the next stage.
  emit(input);
}
}
AuthorizationUtil.getAppAuthorizingUser(ownerAdmin, authenticationContext, appId, ownerPrincipal); DatasetSpecification existingSpec = AuthorizationUtil.authorizeAs(authorizingUser, new Callable<DatasetSpecification>() { @Override public DatasetSpecification call() throws Exception {
boolean hasType = AuthorizationUtil.authorizeAs(authorizingUser, new Callable<Boolean>() { @Override public Boolean call() throws Exception { AuthorizationUtil.authorizeAs(authorizingUser, new Callable<Void>() { @Override public Void call() throws Exception {
/**
 * Reads from the configuration whether security authorization is enabled and keeps the answer.
 *
 * <p>The flag is captured here, at construction time; this constructor does not re-read the
 * configuration later.
 *
 * @param cConf configuration the flag is read from
 */
AbstractAuthorizationEnforcer(CConfiguration cConf) {
  this.securityAuthorizationEnabled =
    AuthorizationUtil.isSecurityAuthorizationEnabled(cConf);
}
/**
 * Returns the {@link ProgramSpecification} for the specified {@link ProgramId program}, after a
 * privilege check for the current principal.
 *
 * @param programId the {@link ProgramId program} for which the {@link ProgramSpecification} is requested
 * @return the {@link ProgramSpecification} for the specified {@link ProgramId program}; may be {@code null}
 * @throws Exception propagated from the privilege check or from the specification lookup
 */
@Nullable
public ProgramSpecification getProgramSpecification(ProgramId programId) throws Exception {
  // Every Action is offered to the check. By its name, ensureOnePrivilege is satisfied by any
  // single one of them; confirm in AuthorizationUtil.
  EnumSet<Action> anyAction = EnumSet.allOf(Action.class);
  AuthorizationUtil.ensureOnePrivilege(programId, anyAction, authorizationEnforcer,
                                       authenticationContext.getPrincipal());

  // Only reached when the check above did not throw.
  return getProgramSpecificationWithoutAuthz(programId);
}
/**
 * Creates the dataset instances declared in the application specification of the given
 * deployable, then emits the deployable unchanged to the next stage.
 *
 * @param input An instance of {@link ApplicationDeployable}
 * @throws Exception propagated from resolving the authorizing user or from instance creation
 */
@Override
public void process(ApplicationDeployable input) throws Exception {
  // Gather what dataset creation needs from the deployable.
  ApplicationSpecification appSpec = input.getSpecification();
  NamespaceId targetNamespace = input.getApplicationId().getParent();
  KerberosPrincipalId owner = input.getOwnerPrincipal();

  // Resolve the user passed to instance creation as the authorizing user.
  // NOTE(review): presumably this is either the application owner or the requesting user;
  // confirm in AuthorizationUtil.getAppAuthorizingUser.
  String authorizingUser = AuthorizationUtil.getAppAuthorizingUser(ownerAdmin, authenticationContext,
                                                                   input.getApplicationId(), owner);

  datasetInstanceCreator.createInstances(targetNamespace, appSpec.getDatasets(), owner, authorizingUser);

  // Hand the unchanged input to the next stage.
  emit(input);
}
}
AuthorizationUtil.getAppAuthorizingUser(ownerAdmin, authenticationContext, appId, ownerPrincipal); DatasetSpecification existingSpec = AuthorizationUtil.authorizeAs(authorizingUser, new Callable<DatasetSpecification>() { @Override public DatasetSpecification call() throws Exception {
props.put(Constants.Security.PRINCIPAL, ownerPrincipal.getPrincipal()); AuthorizationUtil.authorizeAs(authorizingUser, new Callable<Void>() { @Override public Void call() throws Exception {
/**
 * Resolves the effective master user as a short user name.
 *
 * <p>When security authorization is enabled, the principal configured under
 * {@code Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL} is translated to its short name; if
 * none is configured, the short name of the current login user is used instead.
 *
 * @param cConf configuration to read the master principal and the authorization flag from
 * @return the short user name, or {@code null} when security authorization is not enabled;
 *         callers comparing a user against this value have to handle {@code null}
 * @throws RuntimeException wrapping the {@link IOException} raised while resolving the name
 */
@Nullable
public static String getEffectiveMasterUser(CConfiguration cConf) {
  String configuredPrincipal = cConf.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL);

  // Without authorization there is no effective master user, whatever is configured.
  if (!isSecurityAuthorizationEnabled(cConf)) {
    return null;
  }

  try {
    if (configuredPrincipal == null) {
      // Nothing configured: fall back to the user this process is logged in as.
      return UserGroupInformation.getLoginUser().getShortUserName();
    }
    return new KerberosName(configuredPrincipal).getShortName();
  } catch (IOException e) {
    // NOTE(review): when no principal is configured the failure comes from the login-user lookup,
    // yet the message still reads "principal name null"; worth a clearer message in a follow-up.
    throw new RuntimeException(String.format("Failed to translate the principal name %s to an operating system " +
                                               "user name.", configuredPrincipal), e);
  }
}
}
/**
 * Filters a list of {@link ArtifactSummary} through {@code AuthorizationUtil.isVisible} for the
 * current principal.
 *
 * @param artifacts the {@code List<ArtifactSummary>} to filter
 * @param namespace namespace the artifact ids are built in
 * @return the filtered list of {@link ArtifactSummary}
 * @throws Exception propagated from the visibility check
 */
private List<ArtifactSummary> filterAuthorizedArtifacts(List<ArtifactSummary> artifacts,
                                                        final NamespaceId namespace) throws Exception {
  // Maps each summary to the entity id the enforcer is asked about.
  Function<ArtifactSummary, EntityId> toArtifactId = new Function<ArtifactSummary, EntityId>() {
    @Override
    public EntityId apply(ArtifactSummary input) {
      return namespace.artifact(input.getName(), input.getVersion());
    }
  };

  // Matches SYSTEM-scoped artifacts.
  // NOTE(review): presumably entries matching this predicate are returned without a privilege
  // check; confirm against AuthorizationUtil.isVisible. The scope is read from the summary
  // itself, so this relies on the summaries coming from a trusted store; verify at the call site.
  Predicate<ArtifactSummary> isSystemScoped = new Predicate<ArtifactSummary>() {
    @Override
    public boolean apply(ArtifactSummary input) {
      return ArtifactScope.SYSTEM.equals(input.getScope());
    }
  };

  return AuthorizationUtil.isVisible(artifacts, authorizationEnforcer, authenticationContext.getPrincipal(),
                                     toArtifactId, isSystemScoped);
}
}
/**
 * Lists the schedules of the given workflow that match the given predicate.
 *
 * <p>The access check is made once, on the workflow, before any schedule is read; the predicate
 * only narrows the result and is not an authorization filter.
 *
 * @param workflowId the workflow to get schedules for
 * @param predicate return schedules that match this predicate
 * @return schedules for the given program that match the given predicate
 * @throws UnauthorizedException if the principal is not authorized to access the application
 * @throws Exception if any other errors occurred while performing the authorization enforcement check
 */
public Collection<ProgramScheduleRecord> list(WorkflowId workflowId,
                                              Predicate<ProgramScheduleRecord> predicate) throws Exception {
  // Enforce before touching the scheduler so an unauthorized caller learns nothing about schedules.
  AuthorizationUtil.ensureAccess(workflowId, authorizationEnforcer, authenticationContext.getPrincipal());

  return scheduler.listScheduleRecords(workflowId)
    .stream()
    .filter(predicate)
    .collect(Collectors.toList());
}
/**
 * Creates the namespace admin and stores its collaborators.
 *
 * <p>Besides plain field assignment, the constructor builds the loading cache for
 * {@link NamespaceMeta} and resolves the master short user name from {@code cConf} once.
 *
 * @param nsStore store holding namespace metadata
 * @param store application store
 * @param dsFramework dataset framework
 * @param resourceDeleter provider of the namespace resource deleter
 * @param storageProviderNamespaceAdmin provider of the storage-provider namespace admin
 * @param cConf configuration the master user is resolved from
 * @param impersonator impersonation helper
 * @param authorizationEnforcer enforcer used for privilege checks
 * @param authenticationContext source of the calling principal
 */
@Inject
DefaultNamespaceAdmin(NamespaceStore nsStore, Store store, DatasetFramework dsFramework,
                      Provider<NamespaceResourceDeleter> resourceDeleter,
                      Provider<StorageProviderNamespaceAdmin> storageProviderNamespaceAdmin,
                      CConfiguration cConf, Impersonator impersonator,
                      AuthorizationEnforcer authorizationEnforcer,
                      AuthenticationContext authenticationContext) {
  // Storage-side collaborators.
  this.nsStore = nsStore;
  this.store = store;
  this.dsFramework = dsFramework;
  this.resourceDeleter = resourceDeleter;
  this.storageProviderNamespaceAdmin = storageProviderNamespaceAdmin;

  // Security-side collaborators.
  this.impersonator = impersonator;
  this.authorizationEnforcer = authorizationEnforcer;
  this.authenticationContext = authenticationContext;

  // Cache misses are served by fetchNamespaceMeta.
  CacheLoader<NamespaceId, NamespaceMeta> metaLoader = new CacheLoader<NamespaceId, NamespaceMeta>() {
    @Override
    public NamespaceMeta load(NamespaceId namespaceId) throws Exception {
      return fetchNamespaceMeta(namespaceId);
    }
  };
  // No size bound or expiry is configured on the builder here, so an entry stays until it is
  // invalidated explicitly.
  // NOTE(review): confirm that namespace updates and deletes invalidate the entry; otherwise
  // stale metadata would keep being served to later checks.
  this.namespaceMetaCache = CacheBuilder.newBuilder().build(metaLoader);

  // Resolved once at construction; later configuration changes are not picked up by this field.
  this.masterShortUserName = AuthorizationUtil.getEffectiveMasterUser(cConf);
}
/**
 * Returns the properties of the given stream after a privilege check for the current principal.
 *
 * @param streamId the stream whose properties are requested
 * @return the properties reported by the delegate
 * @throws Exception propagated from the privilege check or from the delegate
 */
@Override
public StreamProperties getProperties(StreamId streamId) throws Exception {
  // Reading stream properties requires at least one privilege on the stream, of any kind.
  EnumSet<Action> anyAction = EnumSet.allOf(Action.class);
  AuthorizationUtil.ensureOnePrivilege(streamId, anyAction, authorizationEnforcer,
                                       authenticationContext.getPrincipal());

  // The delegate is only consulted once the check above has not thrown.
  return delegate.getProperties(streamId);
}
/**
 * Creates the dataset instances declared in the application specification of the given
 * deployable, then emits the deployable unchanged to the next stage.
 *
 * @param input An instance of {@link ApplicationDeployable}
 * @throws Exception propagated from resolving the authorizing user or from instance creation
 */
@Override
public void process(ApplicationDeployable input) throws Exception {
  // Gather what dataset creation needs from the deployable.
  ApplicationSpecification appSpec = input.getSpecification();
  NamespaceId targetNamespace = input.getApplicationId().getParent();
  KerberosPrincipalId owner = input.getOwnerPrincipal();

  // Resolve the user passed to instance creation as the authorizing user.
  // NOTE(review): presumably this is either the application owner or the requesting user;
  // confirm in AuthorizationUtil.getAppAuthorizingUser.
  String authorizingUser = AuthorizationUtil.getAppAuthorizingUser(ownerAdmin, authenticationContext,
                                                                   input.getApplicationId(), owner);

  datasetInstanceCreator.createInstances(targetNamespace, appSpec.getDatasets(), owner, authorizingUser);

  // Hand the unchanged input to the next stage.
  emit(input);
}
}
boolean hasType = AuthorizationUtil.authorizeAs(authorizingUser, new Callable<Boolean>() { @Override public Boolean call() throws Exception { AuthorizationUtil.authorizeAs(authorizingUser, new Callable<Void>() { @Override public Void call() throws Exception {
/**
 * Lists the dataset modules of a namespace, filtered through
 * {@code AuthorizationUtil.isVisible} for the current principal.
 *
 * @param namespaceId namespace whose modules are listed
 * @return the modules that pass the visibility filter
 * @throws Exception propagated from the delegate or from the visibility check
 */
@Override
public List<DatasetModuleMeta> listModules(final NamespaceId namespaceId) throws Exception {
  // The full list is fetched first; filtering happens on the result.
  List<DatasetModuleMeta> allModules = delegate.listModules(namespaceId);

  // Maps each module to the entity id the enforcer is asked about.
  Function<DatasetModuleMeta, EntityId> toModuleId = new Function<DatasetModuleMeta, EntityId>() {
    @Override
    public EntityId apply(DatasetModuleMeta input) {
      return namespaceId.datasetModule(input.getName());
    }
  };

  // The last argument is null here.
  // NOTE(review): presumably that means no module is exempt from the check; confirm against
  // AuthorizationUtil.isVisible.
  return AuthorizationUtil.isVisible(allModules, authorizationEnforcer, authenticationContext.getPrincipal(),
                                     toModuleId, null);
}