StreamQueueReader(StreamId streamId, Supplier<StreamConsumer> consumerSupplier, int batchSize, Function<StreamEvent, T> eventTransform, AuthenticationContext authenticationContext, AuthorizationEnforcer authorizationEnforcer) { this.streamId = streamId; this.consumerSupplier = consumerSupplier; this.batchSize = batchSize; this.eventTransform = eventTransform; this.authorizationEnforcer = authorizationEnforcer; this.principal = authenticationContext.getPrincipal(); }
@Override protected Map<String, String> addAdditionalSecurityHeaders() { return Collections.singletonMap(Constants.Security.Headers.USER_PRINCIPAL, authenticationContext.getPrincipal().getKerberosPrincipal()); } }
@Override protected Map<String, String> addAdditionalSecurityHeaders() { return Collections.singletonMap(Constants.Security.Headers.USER_PRINCIPAL, authenticationContext.getPrincipal().getKerberosPrincipal()); } }
/** * Returns the {@link ProgramSpecification} for the specified {@link ProgramId program}. * * @param programId the {@link ProgramId program} for which the {@link ProgramSpecification} is requested * @return the {@link ProgramSpecification} for the specified {@link ProgramId program} */ @Nullable public ProgramSpecification getProgramSpecification(ProgramId programId) throws Exception { AuthorizationUtil.ensureOnePrivilege(programId, EnumSet.allOf(Action.class), authorizationEnforcer, authenticationContext.getPrincipal()); return getProgramSpecificationWithoutAuthz(programId); }
/** * Returns the {@link ProgramSpecification} for the specified {@link ProgramId program}. * * @param programId the {@link ProgramId program} for which the {@link ProgramSpecification} is requested * @return the {@link ProgramSpecification} for the specified {@link ProgramId program} */ @Nullable public ProgramSpecification getProgramSpecification(ProgramId programId) throws Exception { AuthorizationUtil.ensureOnePrivilege(programId, EnumSet.allOf(Action.class), authorizationEnforcer, authenticationContext.getPrincipal()); return getProgramSpecificationWithoutAuthz(programId); }
@Override public UGIWithPrincipal getConfiguredUGI(ImpersonationRequest impersonationRequest) throws IOException { return new UGIWithPrincipal(authenticationContext.getPrincipal().getKerberosPrincipal(), UserGroupInformation.getCurrentUser()); } }
@Override public StreamProperties getProperties(StreamId streamId) throws Exception { // User should have at least one privilege to read stream properties AuthorizationUtil.ensureOnePrivilege(streamId, EnumSet.allOf(Action.class), authorizationEnforcer, authenticationContext.getPrincipal()); return delegate.getProperties(streamId); }
@Override public BodyConsumer addModule(DatasetModuleId datasetModuleId, String className, boolean forceUpdate) throws Exception { final Principal principal = authenticationContext.getPrincipal(); // enforce that the principal has ADMIN access on the dataset module authorizationEnforcer.enforce(datasetModuleId, principal, Action.ADMIN); return delegate.addModule(datasetModuleId, className, forceUpdate); }
@Override public List<DatasetModuleMeta> listModules(final NamespaceId namespaceId) throws Exception { List<DatasetModuleMeta> modules = delegate.listModules(namespaceId); return AuthorizationUtil.isVisible(modules, authorizationEnforcer, authenticationContext.getPrincipal(), new Function<DatasetModuleMeta, EntityId>() { @Override public EntityId apply(DatasetModuleMeta input) { return namespaceId.datasetModule(input.getName()); } }, null); }
@Override public List<StreamSpecification> listStreams(final NamespaceId namespaceId) throws Exception { return AuthorizationUtil.isVisible(delegate.listStreams(namespaceId), authorizationEnforcer, authenticationContext.getPrincipal(), new Function<StreamSpecification, EntityId>() { @Override public EntityId apply(StreamSpecification input) { return namespaceId.stream(input.getName()); } }, null); }
@Override public List<StreamViewId> listViews(StreamId streamId) throws Exception { AuthorizationUtil.ensureAccess(streamId, authorizationEnforcer, authenticationContext.getPrincipal()); return delegate.listViews(streamId); }
@Override public void addSystemArtifacts() throws Exception { // to add system artifacts, users should have admin privileges on the system namespace Principal principal = authenticationContext.getPrincipal(); authorizationEnforcer.enforce(NamespaceId.SYSTEM, principal, Action.ADMIN); delegate.addSystemArtifacts(); }
@Override public List<DatasetTypeMeta> listTypes(final NamespaceId namespaceId) throws Exception { List<DatasetTypeMeta> types = delegate.listTypes(namespaceId); return AuthorizationUtil.isVisible(types, authorizationEnforcer, authenticationContext.getPrincipal(), new Function<DatasetTypeMeta, EntityId>() { @Override public EntityId apply(DatasetTypeMeta input) { return namespaceId.datasetType(input.getName()); } }, null); }
@Override public void addSystemArtifacts() throws Exception { // to add system artifacts, users should have admin privileges on the system namespace Principal principal = authenticationContext.getPrincipal(); authorizationEnforcer.enforce(NamespaceId.SYSTEM, principal, Action.ADMIN); delegate.addSystemArtifacts(); }
/** * Returns the program run count of the given program. * * @param programId the id of the program for which the count call is made * @return the run count of the program * @throws NotFoundException if the application to which this program belongs was not found or the program is not * found in the app */ public long getProgramRunCount(ProgramId programId) throws Exception { AuthorizationUtil.ensureAccess(programId, authorizationEnforcer, authenticationContext.getPrincipal()); return store.getProgramRunCount(programId); }
@Override public List<DatasetModuleMeta> listModules(final NamespaceId namespaceId) throws Exception { List<DatasetModuleMeta> modules = delegate.listModules(namespaceId); return AuthorizationUtil.isVisible(modules, authorizationEnforcer, authenticationContext.getPrincipal(), new Function<DatasetModuleMeta, EntityId>() { @Override public EntityId apply(DatasetModuleMeta input) { return namespaceId.datasetModule(input.getName()); } }, null); }
@Override public void delete(DatasetModuleId datasetModuleId) throws Exception { Principal principal = authenticationContext.getPrincipal(); authorizationEnforcer.enforce(datasetModuleId, principal, Action.ADMIN); delegate.delete(datasetModuleId); }
@Override public boolean exists(StreamId streamId) throws Exception { AuthorizationUtil.ensureAccess(streamId, authorizationEnforcer, authenticationContext.getPrincipal()); return delegate.exists(streamId); }
@Override public List<DatasetTypeMeta> listTypes(final NamespaceId namespaceId) throws Exception { List<DatasetTypeMeta> types = delegate.listTypes(namespaceId); return AuthorizationUtil.isVisible(types, authorizationEnforcer, authenticationContext.getPrincipal(), new Function<DatasetTypeMeta, EntityId>() { @Override public EntityId apply(DatasetTypeMeta input) { return namespaceId.datasetType(input.getName()); } }, null); }
@Override public BodyConsumer addModule(DatasetModuleId datasetModuleId, String className, boolean forceUpdate) throws Exception { final Principal principal = authenticationContext.getPrincipal(); // enforce that the principal has ADMIN access on the dataset module authorizationEnforcer.enforce(datasetModuleId, principal, Action.ADMIN); return delegate.addModule(datasetModuleId, className, forceUpdate); }