/** * Validates the given {@link NamespacedEntityId} to be supported by the {@link OwnerStore} * i.e. the entity can be associated with an owner. * * @param entityId {@link NamespacedEntityId} to be validated */ protected final void validate(NamespacedEntityId entityId) { if (!SUPPORTED_ENTITY_TYPES.contains(entityId.getEntityType())) { throw new IllegalArgumentException(String.format("The given entity '%s' is of unsupported types '%s'. " + "Entity ownership is only supported for '%s'.", entityId.getEntityName(), entityId.getEntityType(), SUPPORTED_ENTITY_TYPES)); } }
private NamespacedEntityId getEffectiveEntity(NamespacedEntityId entityId) { // For program we look for application owner. In future we might want to support lookup parent owner // recursively once we have a use-case for it. if (entityId.getEntityType().equals(EntityType.PROGRAM)) { entityId = ((ProgramId) entityId).getParent(); } return entityId; }
/** * <p>Verifies the owner principal of an entity is same as the owner specified during entity creation. If an owner * was not specified during entity creation but is being specified later (i.e. during updating properties etc) the * specified owner principal is same as the effective impersonating principal.</p> * <p>Note: This method should not be called for an non-existing entity for example while the entity is being * created.</p> * @param existingEntity the existing entity whose owner principal is being verified * @param specifiedOwnerPrincipal the specified principal * @param ownerAdmin {@link OwnerAdmin} * @throws IOException if failed to query the given ownerAdmin * @throws UnauthorizedException if the specified owner information is not valid with the existing * impersonation principal */ public static void verifyOwnerPrincipal(NamespacedEntityId existingEntity, @Nullable String specifiedOwnerPrincipal, OwnerAdmin ownerAdmin) throws IOException, UnauthorizedException { // if an owner principal was not specified then ensure that a direct owner doesn't exist. Although, if an owner // principal was specified then it must be equal to the effective impersonating principal of this entity if (!((specifiedOwnerPrincipal == null && ownerAdmin.getOwnerPrincipal(existingEntity) == null) || Objects.equals(specifiedOwnerPrincipal, ownerAdmin.getImpersonationPrincipal(existingEntity)))) { // Not giving existing owner information as it might be unacceptable under some security scenarios throw new UnauthorizedException(String.format("%s '%s' already exists and the specified %s '%s' is not the " + "same as the existing one. The %s of an entity cannot be " + "changed.", existingEntity.getEntityType(), existingEntity.getEntityName(), Constants.Security.PRINCIPAL, specifiedOwnerPrincipal, Constants.Security.PRINCIPAL)); } }
/** * In remote mode, we should not cache the explore request */ @Override protected boolean checkExploreAndDetermineCache(ImpersonationRequest impersonationRequest) throws IOException { return !(impersonationRequest.getEntityId().getEntityType().equals(EntityType.NAMESPACE) && impersonationRequest.getImpersonatedOpType().equals(ImpersonatedOpType.EXPLORE)); }
@Nullable @Override public String getImpersonationPrincipal(NamespacedEntityId entityId) throws IOException { entityId = getEffectiveEntity(entityId); KerberosPrincipalId effectiveOwner = null; if (!entityId.getEntityType().equals(EntityType.NAMESPACE)) { effectiveOwner = ownerStore.getOwner(entityId); } // (CDAP-8176) Since no owner was found for the entity return namespace principal if present. return effectiveOwner != null ? effectiveOwner.getPrincipal() : getNamespaceConfig(entityId).getPrincipal(); }
if (impersonationRequest.getEntityId().getEntityType().equals(EntityType.NAMESPACE) && impersonationRequest.getImpersonatedOpType().equals(ImpersonatedOpType.EXPLORE)) {
@Nullable @Override public ImpersonationInfo getImpersonationInfo(NamespacedEntityId entityId) throws IOException { entityId = getEffectiveEntity(entityId); if (!entityId.getEntityType().equals(EntityType.NAMESPACE)) { KerberosPrincipalId effectiveOwner = ownerStore.getOwner(entityId); if (effectiveOwner != null) { return new ImpersonationInfo(effectiveOwner.getPrincipal(), SecurityUtil.getKeytabURIforPrincipal(effectiveOwner.getPrincipal(), cConf)); } } // (CDAP-8176) Since no owner was found for the entity return namespace principal if present. NamespaceConfig nsConfig = getNamespaceConfig(entityId.getNamespaceId()); return nsConfig.getPrincipal() == null ? null : new ImpersonationInfo(nsConfig.getPrincipal(), nsConfig.getKeytabURI()); }