new ArtifactSummary(appSpec.getName(), null) : ArtifactSummary.from(artifactId); ApplicationRecord record = new ApplicationRecord(artifactSummary, appId, appSpec.getDescription(), ownerAdmin.getOwnerPrincipal(appId)); if (predicate.apply(record)) { appRecords.add(record);
public Map<String, String> getSystemProperties(Id.Program id) throws IOException, NamespaceNotFoundException { Map<String, String> systemArgs = Maps.newHashMap(); systemArgs.put(Constants.CLUSTER_NAME, cConf.get(Constants.CLUSTER_NAME, "")); systemArgs.put(Constants.AppFabric.APP_SCHEDULER_QUEUE, queueResolver.getQueue(id.getNamespace())); if (SecurityUtil.isKerberosEnabled(cConf)) { ImpersonationInfo impersonationInfo = SecurityUtil.createImpersonationInfo(ownerAdmin, cConf, id.toEntityId()); systemArgs.put(ProgramOptionConstants.PRINCIPAL, impersonationInfo.getPrincipal()); systemArgs.put(ProgramOptionConstants.APP_PRINCIPAL_EXISTS, String.valueOf(ownerAdmin.exists(id.toEntityId().getParent()))); } return systemArgs; } }
/** * <p>Verifies the owner principal of an entity is same as the owner specified during entity creation. If an owner * was not specified during entity creation but is being specified later (i.e. during updating properties etc) the * specified owner principal is same as the effective impersonating principal.</p> * <p>Note: This method should not be called for an non-existing entity for example while the entity is being * created.</p> * @param existingEntity the existing entity whose owner principal is being verified * @param specifiedOwnerPrincipal the specified principal * @param ownerAdmin {@link OwnerAdmin} * @throws IOException if failed to query the given ownerAdmin * @throws UnauthorizedException if the specified owner information is not valid with the existing * impersonation principal */ public static void verifyOwnerPrincipal(NamespacedEntityId existingEntity, @Nullable String specifiedOwnerPrincipal, OwnerAdmin ownerAdmin) throws IOException, UnauthorizedException { // if an owner principal was not specified then ensure that a direct owner doesn't exist. Although, if an owner // principal was specified then it must be equal to the effective impersonating principal of this entity if (!((specifiedOwnerPrincipal == null && ownerAdmin.getOwnerPrincipal(existingEntity) == null) || Objects.equals(specifiedOwnerPrincipal, ownerAdmin.getImpersonationPrincipal(existingEntity)))) { // Not giving existing owner information as it might be unacceptable under some security scenarios throw new UnauthorizedException(String.format("%s '%s' already exists and the specified %s '%s' is not the " + "same as the existing one. The %s of an entity cannot be " + "changed.", existingEntity.getEntityType(), existingEntity.getEntityName(), Constants.Security.PRINCIPAL, specifiedOwnerPrincipal, Constants.Security.PRINCIPAL)); } }
/** * Drops a dataset. * * @param spec specification of dataset to be dropped. * @throws Exception on error. */ private void dropDataset(DatasetId instance, DatasetSpecification spec) throws Exception { LOG.info("Deleting dataset {}.{}", instance.getNamespace(), instance.getEntityName()); disableExplore(instance, spec); if (!instanceManager.delete(instance)) { throw new DatasetNotFoundException(instance); } metaCache.invalidate(instance); // by pass the auth check for dataset type when the operation is not creation DatasetTypeMeta typeMeta = getTypeInfo(instance.getParent(), spec.getType(), true); if (typeMeta == null) { throw new DatasetNotFoundException(instance); } opExecutorClient.drop(instance, typeMeta, spec); // Remove metadata for the dataset LOG.trace("Removing metadata for dataset {}", instance); metadataStore.removeMetadata(instance.toMetadataEntity()); LOG.trace("Removed metadata for dataset {}", instance); publishAudit(instance, AuditType.DELETE); // deletes the owner principal for the entity if one was stored during creation ownerAdmin.delete(instance); }
@Test public void testOwner() throws Exception { // deploy modules deployModule("module1", TestModule1.class); // should not be able to create a dataset with invalid kerberos principal format HttpResponse response = createInstance(NamespaceId.DEFAULT.dataset("ownedDataset"), "datasetType1", null, DatasetProperties.EMPTY, "alice/bob/somehost.net@somekdc.net"); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getResponseCode()); // should be able to create a dataset with valid kerberos principal format String alicePrincipal = "alice/somehost.net@somekdc.net"; response = createInstance(NamespaceId.DEFAULT.dataset("ownedDataset"), "datasetType1", null, DatasetProperties.EMPTY, alicePrincipal); Assert.assertEquals(HttpStatus.SC_OK, response.getResponseCode()); // owner information should have stored Assert.assertEquals(alicePrincipal, ownerAdmin.getOwnerPrincipal(NamespaceId.DEFAULT.dataset("ownedDataset"))); // should be able to retrieve owner information back DatasetMeta meta = getInstanceObject("ownedDataset").getResponseObject(); Assert.assertEquals(alicePrincipal, meta.getOwnerPrincipal()); // deleting the dataset should delete the owner information response = deleteInstance(NamespaceId.DEFAULT.dataset("ownedDataset")); Assert.assertEquals(HttpStatus.SC_OK, response.getResponseCode()); Assert.assertNull(ownerAdmin.getOwner(NamespaceId.DEFAULT.dataset("ownedDataset"))); }
private boolean addOwnerIfRequired(ApplicationWithPrograms input, Collection<ApplicationId> allAppVersionsAppIds) throws IOException, AlreadyExistsException { // if allAppVersionsAppIds.isEmpty() is true that means this app is an entirely new app and no other version // exists so we should add the owner information in owner store if one was provided if (allAppVersionsAppIds.isEmpty() && input.getOwnerPrincipal() != null) { ownerAdmin.add(input.getApplicationId(), input.getOwnerPrincipal()); return true; } return false; }
programTerminator, ownerAdmin.getOwner(appId), appRequest.canUpdateSchedules());
/** * Helper function to get the effective owner of an entity. It will check the owner store to get the namespace * owner if the provided owner principal is null. * * Note that this method need not be used after the entity is created, in that case simply * use {@link OwnerAdmin}.getImpersonationPrincipal() * * @param ownerAdmin owner admin to query the owner * @param namespaceId the namespace the entity is in * @param ownerPrincipal the owner principal of the entity, null if not provided * @return the effective owner of the entity, null if no owner is provided for both the enity and the namespace. */ @Nullable public static KerberosPrincipalId getEffectiveOwner(OwnerAdmin ownerAdmin, NamespaceId namespaceId, @Nullable String ownerPrincipal) throws IOException { if (ownerPrincipal != null) { // if entity owner is present, return it return new KerberosPrincipalId(ownerPrincipal); } if (!namespaceId.equals(NamespaceId.SYSTEM)) { // if entity owner is not present, get the namespace impersonation principal String namespacePrincipal = ownerAdmin.getImpersonationPrincipal(namespaceId); return namespacePrincipal == null ? null : new KerberosPrincipalId(namespacePrincipal); } // No owner found return null; } }
/** * This has the logic to construct an impersonation info as follows: * <ul> * <li>If the ownerAdmin has an owner and a keytab URI, return this information</li> * <li>Else the ownerAdmin does not have an owner for this entity. * Return the master impersonation info as found in the cConf</li> * </ul> */ public static ImpersonationInfo createImpersonationInfo(OwnerAdmin ownerAdmin, CConfiguration cConf, NamespacedEntityId entityId) throws IOException { ImpersonationInfo impersonationInfo = ownerAdmin.getImpersonationInfo(entityId); if (impersonationInfo == null) { return new ImpersonationInfo(getMasterPrincipal(cConf), getMasterKeytabURI(cConf)); } return impersonationInfo; }
/** * Drops a dataset. * * @param spec specification of dataset to be dropped. * @throws Exception on error. */ private void dropDataset(DatasetId instance, DatasetSpecification spec) throws Exception { LOG.info("Deleting dataset {}.{}", instance.getNamespace(), instance.getEntityName()); disableExplore(instance, spec); if (!instanceManager.delete(instance)) { throw new DatasetNotFoundException(instance); } metaCache.invalidate(instance); // by pass the auth check for dataset type when the operation is not creation DatasetTypeMeta typeMeta = getTypeInfo(instance.getParent(), spec.getType(), true); if (typeMeta == null) { throw new DatasetNotFoundException(instance); } opExecutorClient.drop(instance, typeMeta, spec); // Remove metadata for the dataset LOG.trace("Removing metadata for dataset {}", instance); metadataPublisher.publish(NamespaceId.SYSTEM, new MetadataOperation.Drop(instance.toMetadataEntity())); LOG.trace("Removed metadata for dataset {}", instance); publishAudit(instance, AuditType.DELETE); // deletes the owner principal for the entity if one was stored during creation ownerAdmin.delete(instance); }
private boolean addOwnerIfRequired(ApplicationWithPrograms input, Collection<ApplicationId> allAppVersionsAppIds) throws IOException, AlreadyExistsException { // if allAppVersionsAppIds.isEmpty() is true that means this app is an entirely new app and no other version // exists so we should add the owner information in owner store if one was provided if (allAppVersionsAppIds.isEmpty() && input.getOwnerPrincipal() != null) { ownerAdmin.add(input.getApplicationId(), input.getOwnerPrincipal()); return true; } return false; }
programTerminator, ownerAdmin.getOwner(appId), appRequest.canUpdateSchedules());
LOG.trace("Adding owner for dataset {}", name); KerberosPrincipalId owner = new KerberosPrincipalId(ownerPrincipal); ownerAdmin.add(datasetId, owner); LOG.trace("Added owner {} for dataset {}", owner, name); } catch (Exception e) { ownerAdmin.delete(datasetId); // safe to call for entities which does not have an owner too throw e;
new ArtifactSummary(appSpec.getName(), null) : ArtifactSummary.from(artifactId); ApplicationRecord record = new ApplicationRecord(artifactSummary, appId, appSpec.getDescription(), ownerAdmin.getOwnerPrincipal(appId)); if (predicate.apply(record)) { appRecords.add(record);
try { ownerAdmin.delete(appId); } catch (Exception e) { LOG.warn("Failed to delete app owner principal for application {} if one existed while deleting the " +
public Map<String, String> getSystemProperties(Id.Program id) throws IOException, NamespaceNotFoundException { Map<String, String> systemArgs = Maps.newHashMap(); systemArgs.put(Constants.CLUSTER_NAME, cConf.get(Constants.CLUSTER_NAME, "")); systemArgs.put(Constants.AppFabric.APP_SCHEDULER_QUEUE, queueResolver.getQueue(id.getNamespace())); if (SecurityUtil.isKerberosEnabled(cConf)) { ImpersonationInfo impersonationInfo = SecurityUtil.createImpersonationInfo(ownerAdmin, cConf, id.toEntityId()); systemArgs.put(ProgramOptionConstants.PRINCIPAL, impersonationInfo.getPrincipal()); systemArgs.put(ProgramOptionConstants.APP_PRINCIPAL_EXISTS, String.valueOf(ownerAdmin.exists(id.toEntityId().getParent()))); } return systemArgs; } }
LOG.trace("Adding owner for dataset {}", name); KerberosPrincipalId owner = new KerberosPrincipalId(ownerPrincipal); ownerAdmin.add(datasetId, owner); LOG.trace("Added owner {} for dataset {}", owner, name); } catch (Exception e) { ownerAdmin.delete(datasetId); // safe to call for entities which does not have an owner too throw e;
@Override public StreamProperties getProperties(StreamId streamId) throws Exception { // get the principal which will be used for impersonation to display as owner String ownerPrincipal = ownerAdmin.getOwnerPrincipal(streamId); StreamConfig config = getConfig(streamId); StreamSpecification spec = streamMetaStore.getStream(streamId); return new StreamProperties(config.getTTL(), config.getFormat(), config.getNotificationThresholdMB(), spec.getDescription(), ownerPrincipal); }
@Override public void process(ApplicationWithPrograms input) throws Exception { ApplicationSpecification applicationSpecification = input.getSpecification(); Collection<ApplicationId> allAppVersionsAppIds = store.getAllAppVersionsAppIds(input.getApplicationId()); boolean ownerAdded = addOwnerIfRequired(input, allAppVersionsAppIds); try { store.addApplication(input.getApplicationId(), applicationSpecification); } catch (Exception e) { // if we failed to store the app spec cleanup the owner if it was added in this call if (ownerAdded) { ownerAdmin.delete(input.getApplicationId()); } // propagate the exception throw e; } registerDatasets(input); emit(input); }