/**
 * Pre-stop-master hook: refuses the operation unless the {@code hasAccess} flag is set.
 *
 * @param c observer context passed in by the coprocessor host; not consulted here
 * @throws IOException an {@code AccessDeniedException} when {@code hasAccess} is false
 */
@Override
public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
  if (hasAccess) {
    return;
  }
  // Deny by throwing, so the stop request is rejected rather than silently ignored.
  throw new AccessDeniedException("Insufficient permissions to stop master");
}
authenticatedWithFallback = true; } else { AccessDeniedException ae = new AccessDeniedException("Authentication is required"); doRespond(getErrorResponse(ae.getMessage(), ae)); return false;
logResult(false, "setAuths", e.getMessage(), user, labelAuths, null); LOG.error("User is not having required permissions to set authorization", e); setExceptionResults(auths.size(), e, response);
logResult(false, "addLabels", e.getMessage(), null, labels, null); LOG.error("User is not having required permissions to add labels", e); setExceptionResults(visLabels.size(), e, response);
/**
 * Pre-stop-region-server hook: refuses the operation unless the {@code hasAccess} flag is set.
 *
 * @param ctx observer context passed in by the coprocessor host; not consulted here
 * @throws IOException an {@code AccessDeniedException} when {@code hasAccess} is false
 */
@Override
public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
    throws IOException {
  if (hasAccess) {
    return;
  }
  // Deny by throwing, so the stop request is rejected rather than silently ignored.
  throw new AccessDeniedException("Insufficient permissions to stop region server.");
}
throw new AccessDeniedException("User '" + (requestingUser != null ? requestingUser.getShortName() : "null") + "' is not authorized to perform this action."); logResult(false, "listLabels", "Listing labels allowed", null, null, regex); } catch (AccessDeniedException e) { logResult(false, "listLabels", e.getMessage(), null, null, regex); CoprocessorRpcUtils.setControllerException(controller, e); } catch (IOException e) {
/**
 * Asserts that the given denial did not come from the scanner-ownership check, i.e. that its
 * message does not contain "is not the scanner owner".
 *
 * @param ade the exception whose message is inspected; its message is assumed non-null
 */
void validateAccessDeniedException(AccessDeniedException ade) {
  String message = ade.getMessage();
  boolean deniedByOwnerCheck = message.contains("is not the scanner owner");
  assertTrue("Exception contained unexpected message: '" + message + "'", !deniedByOwnerCheck);
}
}
/**
 * Pre-shutdown hook: refuses the cluster shutdown unless the {@code hasAccess} flag is set.
 *
 * @param c observer context passed in by the coprocessor host; not consulted here
 * @throws IOException an {@code AccessDeniedException} when {@code hasAccess} is false
 */
@Override
public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
  if (hasAccess) {
    return;
  }
  // Deny by throwing, so the shutdown request is rejected rather than silently ignored.
  throw new AccessDeniedException("Insufficient permissions to shut down cluster.");
}
throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null") + " is not authorized to perform this action."); logResult(false, "clearAuths", e.getMessage(), requestUser, labelAuths, null); LOG.error("User is not having required permissions to clear authorization", e); setExceptionResults(auths.size(), e, response);
/**
 * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that
 * access control is correctly enforced based on the checks performed in preScannerOpen().
 *
 * <p>The check is skipped outside an RPC call context, when authorization is disabled, and
 * when no owner is recorded for the scanner.
 *
 * @param s the scanner being accessed
 * @throws AccessDeniedException when an owner is recorded and it differs from the RPC user
 */
private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
  if (!RpcServer.isInRpcCallContext()) {
    return;
  }
  String caller = RpcServer.getRequestUserName().orElse(null);
  String registeredOwner = scannerOwners.get(s);
  // NOTE(review): a scanner with no entry in scannerOwners passes this check; confirm that
  // every scanner reachable over RPC is registered when it is opened.
  if (!authorizationEnabled || registeredOwner == null || registeredOwner.equals(caller)) {
    return;
  }
  // A missing request user name (null) never equals a recorded owner, so it is denied here.
  throw new AccessDeniedException("User '" + caller + "' is not the scanner owner!");
}
throw new AccessDeniedException("User '" + (requestingUser != null ? requestingUser.getShortName() : "null") + "' is not authorized to perform this action."); logResult(false, "getAuths", e.getMessage(), user, null, null); CoprocessorRpcUtils.setControllerException(controller, e); } catch (IOException e) {
/**
 * Verify, when servicing an RPC, that the caller is the scanner owner.
 * If so, we assume that access control is correctly enforced based on
 * the checks performed in preScannerOpen().
 *
 * <p>Nothing is enforced outside an RPC call context, with authorization
 * disabled, or for a scanner that has no recorded owner.
 *
 * @param s the scanner being accessed
 * @throws AccessDeniedException when the recorded owner differs from the RPC user
 */
private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
  if (!RpcServer.isInRpcCallContext()) {
    return;
  }
  final String requestUserName = RpcServer.getRequestUserName().orElse(null);
  final String owner = scannerOwners.get(s);
  // NOTE(review): owner == null (scanner never registered) is treated as "allowed";
  // confirm that registration cannot be skipped for RPC-opened scanners.
  final boolean ownedByAnotherUser = owner != null && !owner.equals(requestUserName);
  if (authorizationEnabled && ownedByAnotherUser) {
    throw new AccessDeniedException("User '"+ requestUserName +"' is not the scanner owner!");
  }
}
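/**
 * Rejects the operation when label checking is requested and the caller's authorizations do
 * not include the given label ordinal.
 *
 * @param auths label ordinals the user is authorized for; {@code null} is treated as "none"
 * @param labelOrdinal ordinal of the label being checked
 * @param identifier label text used in the denial message
 * @param checkAuths when {@code false} the method returns without checking anything
 * @throws IOException an {@code AccessDeniedException} when the label is not authorized, or
 *         whatever {@code VisibilityUtils.getActiveUser()} raises while the message is built
 */
private static void checkAuths(Set<Integer> auths, int labelOrdinal, String identifier,
    boolean checkAuths) throws IOException {
  if (!checkAuths) {
    return;
  }
  if (auths != null && auths.contains(labelOrdinal)) {
    return;
  }
  // Build the user name defensively: if no active user can be resolved, the caller must still
  // receive the AccessDeniedException rather than a NullPointerException raised while the
  // denial message is being formatted.
  String userName = VisibilityUtils.getActiveUser() != null
      ? VisibilityUtils.getActiveUser().getShortName()
      : "null";
  throw new AccessDeniedException(
      "Visibility label " + identifier + " not authorized for the user " + userName);
}
}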
/**
 * Requires the given user to be a superuser, as decided by {@code Superusers.isSuperUser}.
 * Does nothing when authorization is disabled.
 *
 * @param activeUser the user to check; may be {@code null}, which is reported as "null" in
 *        the denial message
 * @throws IOException an {@code AccessDeniedException} when the user is not a superuser
 */
private void checkSystemOrSuperUser(User activeUser) throws IOException {
  // With authorization off nothing would be thrown, so the superuser lookup is skipped too.
  if (authorizationEnabled && !Superusers.isSuperUser(activeUser)) {
    String shortName = activeUser != null ? activeUser.getShortName() : "null";
    throw new AccessDeniedException("User '" + shortName + "' is not system or super user.");
  }
}
/**
 * Requires the calling user to hold system authorization in the visibility label service.
 * The check runs only when authorization is enabled and {@code accessControllerAvailable}
 * is false.
 *
 * @throws IOException when the calling user cannot be determined, or an
 *         {@code AccessDeniedException} when that user lacks system authorization
 */
private void checkCallingUserAuth() throws IOException {
  // The authorizationEnabled test is redundant, but kept just in case.
  // NOTE(review): when accessControllerAvailable is true nothing is verified here; presumably
  // the access controller enforces the permission instead. Confirm against the callers.
  if (!authorizationEnabled || accessControllerAvailable) {
    return;
  }
  User caller = VisibilityUtils.getActiveUser();
  if (caller == null) {
    // Fail closed: an unidentified caller is never treated as authorized.
    throw new IOException("Unable to retrieve calling user");
  }
  boolean hasSystemAuth = this.visibilityLabelService.havingSystemAuth(caller);
  if (!hasSystemAuth) {
    throw new AccessDeniedException(
        "User '" + caller.getShortName() + "' is not authorized to perform this action.");
  }
}
case DIGEST: if (secretManager == null) { throw new AccessDeniedException("Server is not configured to do DIGEST authentication."); throw new AccessDeniedException( "Kerberos principal name does NOT have the expected " + "hostname part: " + fullName);
/**
 * Pre-disable-table hook. Disabling the ACL table is always refused; for any other table the
 * caller needs the ADMIN or CREATE action, as checked by {@code requirePermission}.
 *
 * @param c observer context, forwarded to the permission check
 * @param tableName table that is about to be disabled
 * @throws IOException an {@code AccessDeniedException} when the target is the ACL table, or
 *         whatever {@code requirePermission} raises
 */
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)
    throws IOException {
  boolean targetsAclTable = Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME);
  if (!targetsAclTable) {
    requirePermission(c, "disableTable", tableName, null, null, Action.ADMIN, Action.CREATE);
    return;
  }
  // We have to unconditionally disallow disable of the ACL table when we are installed,
  // even if not enforcing authorizations. We are still allowing grants and revocations,
  // checking permissions and logging audit messages, etc. If the ACL table is not
  // available we will fail random actions all over the place.
  throw new AccessDeniedException("Not allowed to disable " + AccessControlLists.ACL_TABLE_NAME
      + " table with AccessController installed");
}
/**
 * Pre-create-table hook that refuses creation of the table named by {@code TABLE} and lets
 * every other table through.
 *
 * @param env observer context; not consulted here
 * @param desc descriptor of the table about to be created
 * @param regions initial regions; not consulted here
 * @throws IOException an {@code AccessDeniedException} when the descriptor names {@code TABLE}
 */
@Override
public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> env,
    TableDescriptor desc, RegionInfo[] regions) throws IOException {
  boolean isBlockedTable = desc.getTableName().equals(TABLE);
  if (!isBlockedTable) {
    return;
  }
  throw new AccessDeniedException("Don't allow creation of table");
}
/**
 * Pre-create-table-action hook that refuses creation of the table named by {@code TABLE} and
 * lets every other table through.
 *
 * @param ctx observer context; not consulted here
 * @param desc descriptor of the table about to be created
 * @param regions initial regions; not consulted here
 * @throws IOException an {@code AccessDeniedException} when the descriptor names {@code TABLE}
 */
@Override
public void preCreateTableAction(
    final ObserverContext<MasterCoprocessorEnvironment> ctx,
    final TableDescriptor desc,
    final RegionInfo[] regions) throws IOException {
  final boolean isBlockedTable = desc.getTableName().equals(TABLE);
  if (!isBlockedTable) {
    return;
  }
  throw new AccessDeniedException("Don't allow creation of table");
}
/**
 * Handles one buffer received on this connection. Until the connection header has been read
 * the buffer is parsed as that header and the connection is authorized; afterwards every
 * buffer is handed to {@code processRequest}.
 *
 * @param buf the bytes of one RPC unit (connection header or request)
 * @throws IOException an {@code AccessDeniedException} when {@code authorizeConnection()}
 *         rejects the connection, or whatever header/request processing raises
 * @throws InterruptedException propagated from the processing calls
 */
public void processOneRpc(ByteBuff buf) throws IOException, InterruptedException {
  if (connectionHeaderRead) {
    processRequest(buf);
    return;
  }
  processConnectionHeader(buf);
  // NOTE(review): the flag is already true when authorization fails below, so a later buffer
  // on this connection would go straight to processRequest(). This relies on the caller
  // closing the connection when the exception propagates; confirm.
  this.connectionHeaderRead = true;
  boolean authorized = authorizeConnection();
  if (!authorized) {
    // The denial is thrown so that the client does the right thing and closes down the
    // connection instead of trying to read a non-existent return. The earlier wording spoke
    // of a FatalConnectionException wrapping the denial, but an AccessDeniedException is
    // thrown directly here.
    throw new AccessDeniedException("Connection from " + this + " for service "
        + connectionHeader.getServiceName() + " is unauthorized for user: " + ugi);
  }
  // The user object is created only after the connection has been authorized.
  this.user = this.rpcServer.userProvider.create(this.ugi);
}