/**
 * Guarantees that {@code user} holds at least the bits in {@code mask} among the USER entries of
 * {@code acls}, reconciling a named entry for the user with USER entries that carry no name.
 *
 * <p>After one pass over the list:
 * <ul>
 *   <li>if a named entry for {@code user} was found, its access is widened (never narrowed) to
 *       include {@code mask}, and any unnamed USER entries are dropped because the named entry
 *       takes precedence;</li>
 *   <li>if only unnamed USER entries were found, the list is left as is;</li>
 *   <li>if neither kind was found, a new USER entry for {@code user} with exactly {@code mask}
 *       is appended.</li>
 * </ul>
 *
 * @param acls ACL list, modified in place
 * @param user principal whose access is being guaranteed
 * @param mask access bits the user must at least hold
 */
private void fixACLsForUser(List<AccessControl> acls, String user, int mask) {
    boolean namedEntryPresent = false;
    List<AccessControl> unnamedUserEntries = new ArrayList<>();
    for (AccessControl entry : acls) {
        if (entry.get_type() != AccessControlType.USER) {
            continue;
        }
        if (!entry.is_set_name()) {
            unnamedUserEntries.add(entry);
            continue;
        }
        if (entry.get_name().equals(user)) {
            int current = entry.get_access();
            // Only touch the entry when it is actually missing one of the requested bits.
            if ((current & mask) != mask) {
                entry.set_access(current | mask);
            }
            namedEntryPresent = true;
        }
    }
    // Both kinds present: the named entry supersedes the unnamed ones.
    if (!unnamedUserEntries.isEmpty() && namedEntryPresent) {
        acls.removeAll(unnamedUserEntries);
    }
    // Neither kind present: synthesize the named entry so the user is never left without mask.
    if (unnamedUserEntries.isEmpty() && !namedEntryPresent) {
        AccessControl synthesized = new AccessControl();
        synthesized.set_type(AccessControlType.USER);
        synthesized.set_name(user);
        synthesized.set_access(mask);
        acls.add(synthesized);
    }
}
/**
 * Compares against an arbitrary object by delegating to the typed {@code equals(AccessControl)}
 * overload. {@code null} and instances of other classes are never equal.
 */
@Override
public boolean equals(java.lang.Object that) {
    // instanceof is false for null, so the separate null check folds into it.
    return that instanceof AccessControl && this.equals((AccessControl) that);
}
/**
 * Returns true if field corresponding to fieldID is set (has been assigned a value) and false
 * otherwise.
 *
 * @throws java.lang.IllegalArgumentException if {@code field} is null
 * @throws java.lang.IllegalStateException if {@code field} is not a known member of {@code _Fields}
 */
public boolean isSet(_Fields field) {
    if (field == null) {
        throw new java.lang.IllegalArgumentException();
    }
    boolean assigned;
    switch (field) {
        case TYPE:
            assigned = is_set_type();
            break;
        case NAME:
            assigned = is_set_name();
            break;
        case ACCESS:
            assigned = is_set_access();
            break;
        default:
            // Not reachable for the three generated constants; guards against a stale enum.
            throw new java.lang.IllegalStateException();
    }
    return assigned;
}
/**
 * Reports whether {@code acls} contains an OTHER (world) entry whose access is exactly
 * {@code READ | WRITE | ADMIN}. The comparison is equality on the full bit pattern, not a
 * superset test.
 *
 * @param acls ACL list to inspect; not modified
 * @return true if a world-everything entry exists
 */
private boolean worldEverything(List<AccessControl> acls) {
    int everything = READ | WRITE | ADMIN;
    return acls.stream()
        .anyMatch(acl -> acl.get_type() == AccessControlType.OTHER && acl.get_access() == everything);
}
/**
 * Performs a deep copy on <i>other</i>.
 *
 * <p>The enum and String fields are immutable, so copying their references is sufficient;
 * they are transferred only when {@code other} reports them as assigned.
 */
public AccessControl(AccessControl other) {
    // Primitive field and isset bookkeeping are copied unconditionally.
    this.access = other.access;
    this.__isset_bitfield = other.__isset_bitfield;
    if (other.is_set_type()) {
        this.type = other.type;
    }
    if (other.is_set_name()) {
        this.name = other.name;
    }
}
/**
 * Returns the value of the given field, boxing {@code access} to an {@code Integer}.
 *
 * @throws java.lang.NullPointerException if {@code field} is null (no guard, unlike {@code isSet})
 * @throws java.lang.IllegalStateException if {@code field} is not a known member of {@code _Fields}
 */
public java.lang.Object getFieldValue(_Fields field) {
    java.lang.Object value;
    switch (field) {
        case TYPE:
            value = get_type();
            break;
        case NAME:
            value = get_name();
            break;
        case ACCESS:
            value = get_access();
            break;
        default:
            throw new java.lang.IllegalStateException();
    }
    return value;
}
/**
 * Replaces every unnamed USER entry in {@code acls} with one named copy per principal in
 * {@code users}. Before copying, the unnamed entry's access is widened to include {@code mask},
 * so each copy carries at least those bits; access is never narrowed here.
 *
 * @param acls ACL list, modified in place
 * @param users principals that receive a named copy of each unnamed USER entry
 * @param mask access bits every generated entry must at least hold
 */
private void fixEmptyNameACLForUsers(List<AccessControl> acls, Set<String> users, int mask) {
    List<AccessControl> expanded = new ArrayList<>();
    List<AccessControl> unnamed = new ArrayList<>();
    for (AccessControl entry : acls) {
        boolean unnamedUserEntry = entry.get_type() == AccessControlType.USER && !entry.is_set_name();
        if (!unnamedUserEntry) {
            continue;
        }
        unnamed.add(entry);
        int access = entry.get_access();
        if ((access & mask) != mask) {
            entry.set_access(access | mask);
        }
        for (String principal : users) {
            AccessControl named = new AccessControl(entry);
            named.set_name(principal);
            expanded.add(named);
        }
    }
    // Mutate the list only after iteration to avoid ConcurrentModificationException.
    acls.removeAll(unnamed);
    acls.addAll(expanded);
}
/**
 * Assigns a field by enum; a {@code null} value unsets the field instead. Unknown fields are
 * silently ignored; a {@code null} field throws {@code NullPointerException} from the switch.
 *
 * @throws java.lang.ClassCastException if {@code value} is not of the field's declared type
 */
public void setFieldValue(_Fields field, java.lang.Object value) {
    boolean clear = value == null;
    switch (field) {
        case TYPE:
            if (clear) {
                unset_type();
            } else {
                set_type((AccessControlType) value);
            }
            break;
        case NAME:
            if (clear) {
                unset_name();
            } else {
                set_name((java.lang.String) value);
            }
            break;
        case ACCESS:
            if (clear) {
                unset_access();
            } else {
                set_access((java.lang.Integer) value);
            }
            break;
    }
}
/**
 * Parses an ACL string of the form {@code [type:]name:access} or just {@code access}.
 *
 * <p>One segment is treated as an OTHER entry with an empty name; two segments as a USER entry
 * ({@code name:access}); three as {@code type:name:access}. Note that {@link String#split}
 * discards trailing empty segments, so a trailing {@code ':'} is not counted, and an input made
 * only of colons yields zero segments and falls back to the defaults (OTHER, empty name, "-").
 *
 * @param str ACL text to parse
 * @return the parsed entry
 * @throws IllegalArgumentException if the string has more than three segments
 */
public static AccessControl parseAccessControl(String str) {
    String[] parts = str.split(":");
    String type = "other";
    String name = "";
    String access = "-";
    switch (parts.length) {
        case 0:
            // Only reachable for inputs consisting solely of ':' characters; defaults stand.
            break;
        case 1:
            access = parts[0];
            break;
        case 2:
            type = "user";
            name = parts[0];
            access = parts[1];
            break;
        case 3:
            type = parts[0];
            name = parts[1];
            access = parts[2];
            break;
        default:
            throw new IllegalArgumentException("Don't know how to parse " + str + " into an ACL value");
    }
    AccessControl entry = new AccessControl();
    entry.set_type(parseACLType(type));
    entry.set_name(name);
    entry.set_access(parseAccess(access));
    return entry;
}
/**
 * Renders an entry as {@code <type>:<name>:<access>}, where type is {@code o} for OTHER or
 * {@code u} for USER and the name segment is empty when no name is set.
 *
 * @param ac entry to render
 * @return the textual form accepted by {@code parseAccessControl}
 * @throws IllegalArgumentException for any type other than OTHER or USER
 */
public static String accessControlToString(AccessControl ac) {
    String typeTag;
    switch (ac.get_type()) {
        case OTHER:
            typeTag = "o";
            break;
        case USER:
            typeTag = "u";
            break;
        default:
            throw new IllegalArgumentException("Don't know what a type of " + ac.get_type() + " means ");
    }
    String nameSegment = ac.is_set_name() ? ac.get_name() : "";
    return typeTag + ":" + nameSegment + ":" + accessToString(ac.get_access());
}
/**
 * Decodes a {@code SettableBlobMeta} from the Thrift tuple encoding: the {@code acl} list is
 * read unconditionally (no bitset guard), then a one-bit bitset tells whether
 * {@code replication_factor} follows.
 *
 * <p>NOTE(review): the element count is taken straight off the wire; the only bound applied here
 * is {@code ArrayList}'s own rejection of negative capacities — confirm the protocol layer
 * enforces a container size limit for untrusted peers.
 */
@Override
public void read(org.apache.storm.thrift.protocol.TProtocol prot, SettableBlobMeta struct) throws org.apache.storm.thrift.TException {
    org.apache.storm.thrift.protocol.TTupleProtocol iprot = (org.apache.storm.thrift.protocol.TTupleProtocol) prot;
    int aclCount = iprot.readI32();
    org.apache.storm.thrift.protocol.TList aclList =
        new org.apache.storm.thrift.protocol.TList(org.apache.storm.thrift.protocol.TType.STRUCT, aclCount);
    struct.acl = new java.util.ArrayList<AccessControl>(aclList.size);
    for (int idx = 0; idx < aclList.size; ++idx) {
        AccessControl entry = new AccessControl();
        entry.read(iprot);
        struct.acl.add(entry);
    }
    struct.set_acl_isSet(true);
    // Bit 0 of the optional-field bitset marks replication_factor.
    java.util.BitSet incoming = iprot.readBitSet(1);
    if (incoming.get(0)) {
        struct.replication_factor = iprot.readI32();
        struct.set_replication_factor_isSet(true);
    }
}
// Closes the enclosing tuple-scheme class, whose header lies outside this excerpt.
}
/** Returns a fresh instance built through the copy constructor. */
public AccessControl deepCopy() {
    AccessControl copy = new AccessControl(this);
    return copy;
}
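/**
 * With ACL validation enabled, a blob whose only entry grants {@code user1} ADMIN but not READ
 * must be rejected with {@link AuthorizationException} when that user asks for it.
 */
@Test(expected = AuthorizationException.class)
public void testFailAcls() throws Exception {
    // Diamond type instead of the raw HashMap: avoids the unchecked conversion to Map<String, Object>.
    Map<String, Object> conf = new HashMap<>();
    // set clean time really high so doesn't kick in
    conf.put(DaemonConfig.SUPERVISOR_LOCALIZER_CACHE_CLEANUP_INTERVAL_MS, 60 * 60 * 1000);
    // enable blobstore acl validation
    conf.put(Config.STORM_BLOBSTORE_ACL_VALIDATION_ENABLED, true);
    String topo1 = "topo1";
    String key1 = "key1";
    TestLocalizer localizer = new TestLocalizer(conf, baseDir.toString());
    ReadableBlobMeta rbm = new ReadableBlobMeta();
    // set acl so user doesn't have read access: ADMIN only, no READ bit
    AccessControl acl = new AccessControl(AccessControlType.USER, BlobStoreAclHandler.ADMIN);
    acl.set_name(user1);
    rbm.set_settable(new SettableBlobMeta(Arrays.asList(acl)));
    when(mockblobstore.getBlobMeta(anyString())).thenReturn(rbm);
    when(mockblobstore.getBlob(key1)).thenReturn(new TestInputStreamWithMeta(1));
    File user1Dir = localizer.getLocalUserFileCacheDir(user1);
    assertTrue("failed to create user dir", user1Dir.mkdirs());
    LocalAssignment topo1Assignment = new LocalAssignment(topo1, Collections.emptyList());
    topo1Assignment.set_owner(user1);
    PortAndAssignment topo1Pna = new PortAndAssignmentImpl(1, topo1Assignment);
    // This should throw AuthorizationException because auth failed
    localizer.getBlob(new LocalResource(key1, false, false), topo1Pna, null);
}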
/**
 * Checks that the required fields {@code type} and {@code access} are set; {@code type} is
 * checked first. No sub-struct checks are needed for this struct.
 *
 * @throws org.apache.storm.thrift.protocol.TProtocolException naming the first missing field
 */
public void validate() throws org.apache.storm.thrift.TException {
    String missing = null;
    if (!is_set_type()) {
        missing = "type";
    } else if (!is_set_access()) {
        missing = "access";
    }
    if (missing != null) {
        throw new org.apache.storm.thrift.protocol.TProtocolException(
            "Required field '" + missing + "' is unset! Struct:" + toString());
    }
    // check for sub-struct validity: none for this struct
}
/**
 * Serializes {@code struct} with the standard (field-tagged) Thrift scheme. Required fields are
 * validated before any bytes are written.
 */
public void write(org.apache.storm.thrift.protocol.TProtocol oprot, AccessControl struct) throws org.apache.storm.thrift.TException {
    struct.validate();
    oprot.writeStructBegin(STRUCT_DESC);
    // type: written as its i32 wire value; validate() has already rejected an unset type,
    // so this null guard is defensive.
    if (struct.type != null) {
        oprot.writeFieldBegin(TYPE_FIELD_DESC);
        oprot.writeI32(struct.type.getValue());
        oprot.writeFieldEnd();
    }
    // name: optional; emitted only when non-null and reported as set.
    if (struct.name != null && struct.is_set_name()) {
        oprot.writeFieldBegin(NAME_FIELD_DESC);
        oprot.writeString(struct.name);
        oprot.writeFieldEnd();
    }
    // access: primitive, always emitted.
    oprot.writeFieldBegin(ACCESS_FIELD_DESC);
    oprot.writeI32(struct.access);
    oprot.writeFieldEnd();
    oprot.writeFieldStop();
    oprot.writeStructEnd();
}
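/**
 * Rejects an ACL list in which the same named user appears more than once. Entries with an
 * empty or null name are exempt from the uniqueness rule.
 *
 * <p>Fix: a user occurring three or more times was previously logged and listed once per
 * extra occurrence; each offending user is now reported exactly once.
 *
 * @param key blob key, included in the error message only
 * @param acls entries to check; not modified
 * @throws AuthorizationException (as {@code WrappedAuthorizationException}) listing the duplicated users
 */
public static void validateSettableACLs(String key, List<AccessControl> acls) throws AuthorizationException {
    Set<String> seenUsers = new HashSet<>();
    List<String> duplicateUsers = new ArrayList<>();
    for (AccessControl acl : acls) {
        String aclUser = acl.get_name();
        if (StringUtils.isEmpty(aclUser)) {
            continue;
        }
        // Record and log each offending user once, however many times it recurs.
        if (!seenUsers.add(aclUser) && !duplicateUsers.contains(aclUser)) {
            LOG.error("'{}' user can't appear more than once in the ACLs", aclUser);
            duplicateUsers.add(aclUser);
        }
    }
    if (!duplicateUsers.isEmpty()) {
        // List.toString() renders "[a, b]", the same form Arrays.toString produced before.
        String errorMessage = "user " + duplicateUsers
            + " can't appear more than once in the ACLs for key [" + key + "].";
        throw new WrappedAuthorizationException(errorMessage);
    }
}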
/**
 * Renders as {@code AccessControl(type:..., name:..., access:...)}; the name segment appears
 * only when {@code is_set_name()} is true. Null references print as {@code null}.
 */
@Override
public java.lang.String toString() {
    java.lang.StringBuilder sb = new java.lang.StringBuilder("AccessControl(");
    // type is always emitted first, so every later segment is preceded by ", ".
    // StringBuilder.append renders a null reference as "null".
    sb.append("type:").append(this.type);
    if (is_set_name()) {
        sb.append(", name:").append(this.name);
    }
    sb.append(", access:").append(this.access);
    sb.append(")");
    return sb.toString();
}
/**
 * Java-serialization hook: the payload is decoded through the Thrift compact protocol, and any
 * Thrift failure is surfaced as an {@link java.io.IOException} with the cause preserved.
 */
private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, java.lang.ClassNotFoundException {
    // Java serialization does not run the default constructor, so reset the isset bookkeeping by hand.
    __isset_bitfield = 0;
    try {
        org.apache.storm.thrift.transport.TIOStreamTransport transport =
            new org.apache.storm.thrift.transport.TIOStreamTransport(in);
        read(new org.apache.storm.thrift.protocol.TCompactProtocol(transport));
    } catch (org.apache.storm.thrift.TException te) {
        throw new java.io.IOException(te);
    }
}
/**
 * Replaces every unnamed USER entry in {@code acls} with one named copy per principal in
 * {@code users}. Before copying, the unnamed entry's access is widened to include {@code mask},
 * so each copy carries at least those bits; access is never narrowed here.
 *
 * @param acls ACL list, modified in place
 * @param users principals that receive a named copy of each unnamed USER entry
 * @param mask access bits every generated entry must at least hold
 */
private void fixEmptyNameACLForUsers(List<AccessControl> acls, Set<String> users, int mask) {
    List<AccessControl> expanded = new ArrayList<>();
    List<AccessControl> unnamed = new ArrayList<>();
    for (AccessControl entry : acls) {
        boolean unnamedUserEntry = entry.get_type() == AccessControlType.USER && !entry.is_set_name();
        if (!unnamedUserEntry) {
            continue;
        }
        unnamed.add(entry);
        int access = entry.get_access();
        if ((access & mask) != mask) {
            entry.set_access(access | mask);
        }
        for (String principal : users) {
            AccessControl named = new AccessControl(entry);
            named.set_name(principal);
            expanded.add(named);
        }
    }
    // Mutate the list only after iteration to avoid ConcurrentModificationException.
    acls.removeAll(unnamed);
    acls.addAll(expanded);
}
/**
 * Returns the access bits a single entry grants to a caller holding {@code users}: OTHER entries
 * apply to everyone, USER entries only when their name is among the caller's principals, and
 * any other type grants nothing.
 *
 * @param ac entry to evaluate
 * @param users principals of the caller
 * @return granted access bits, or 0
 */
private int getAllowed(AccessControl ac, Set<String> users) {
    switch (ac.get_type()) {
        case OTHER:
            return ac.get_access();
        case USER:
            return users.contains(ac.get_name()) ? ac.get_access() : 0;
        default:
            return 0;
    }
}