/**
 * Resolves the principal that should be treated as the owner of an entity which is about to be created.
 *
 * <p>Resolution order:
 * <ol>
 *   <li>if {@code ownerPrincipal} is non-null it is wrapped and returned, and the owner store is not queried;</li>
 *   <li>otherwise, for any namespace other than {@link NamespaceId#SYSTEM}, the namespace's impersonation
 *       principal is looked up through {@code ownerAdmin};</li>
 *   <li>otherwise (system namespace, or no namespace principal configured) {@code null} is returned.</li>
 * </ol>
 *
 * <p>This helper is only needed before the entity exists. For an existing entity, ask {@link OwnerAdmin}
 * for its impersonation principal directly.
 *
 * <p>NOTE(review): {@code ownerPrincipal} is passed to {@link KerberosPrincipalId} as-is; any validation of
 * the principal string would have to happen in that constructor or in the caller - confirm.
 *
 * @param ownerAdmin owner admin used to query the namespace's impersonation principal
 * @param namespaceId the namespace the entity is in
 * @param ownerPrincipal the owner principal of the entity, {@code null} if not provided
 * @return the effective owner of the entity, or {@code null} if neither the entity nor the namespace
 *         supplies one
 * @throws IOException declared for the owner-store query made through {@code ownerAdmin}
 */
@Nullable
public static KerberosPrincipalId getEffectiveOwner(OwnerAdmin ownerAdmin, NamespaceId namespaceId,
                                                    @Nullable String ownerPrincipal) throws IOException {
  // An explicitly supplied entity owner always wins.
  if (ownerPrincipal != null) {
    return new KerberosPrincipalId(ownerPrincipal);
  }

  // The system namespace is never resolved to a namespace-level principal.
  if (namespaceId.equals(NamespaceId.SYSTEM)) {
    return null;
  }

  // Fall back to the impersonation principal configured on the namespace, if there is one.
  String fallbackPrincipal = ownerAdmin.getImpersonationPrincipal(namespaceId);
  if (fallbackPrincipal == null) {
    return null;
  }
  return new KerberosPrincipalId(fallbackPrincipal);
}
} // closes the enclosing type, whose declaration is outside this excerpt
/**
 * Checks that the owner principal supplied with a request against an existing entity is consistent with
 * the ownership already recorded for that entity.
 *
 * <p>The check passes in exactly two situations:
 * <ul>
 *   <li>no principal was supplied and {@code ownerAdmin} reports no direct owner principal for the entity;</li>
 *   <li>the supplied principal equals the entity's impersonation principal as reported by
 *       {@code ownerAdmin}. This also covers an owner that was not given at creation time but is supplied
 *       later, for example while updating properties.</li>
 * </ul>
 * In every other case the request is rejected, because the owner of an entity cannot be changed.
 *
 * <p>Note: do not call this for an entity that does not exist yet, for example while it is being created.
 *
 * <p>NOTE(review): the comparison is exact, case-sensitive {@link String} equality. Whether principals are
 * normalised (realm, case) before they reach this method is not visible here - confirm; if they are not,
 * equivalent spellings of the same principal are rejected.
 *
 * @param existingEntity the existing entity whose owner principal is being verified
 * @param specifiedOwnerPrincipal the principal supplied by the caller, {@code null} if none was supplied
 * @param ownerAdmin {@link OwnerAdmin} used to look up the recorded owner information
 * @throws IOException if failed to query the given ownerAdmin
 * @throws UnauthorizedException if the supplied owner information does not agree with the existing
 *         impersonation principal
 */
public static void verifyOwnerPrincipal(NamespacedEntityId existingEntity,
                                        @Nullable String specifiedOwnerPrincipal,
                                        OwnerAdmin ownerAdmin) throws IOException, UnauthorizedException {
  // Nothing supplied and nothing recorded directly on the entity: there is nothing to contradict.
  // The direct-owner lookup only runs when no principal was supplied.
  if (specifiedOwnerPrincipal == null && ownerAdmin.getOwnerPrincipal(existingEntity) == null) {
    return;
  }

  // Otherwise the supplied value (possibly null) must match the entity's effective impersonation principal.
  String effectivePrincipal = ownerAdmin.getImpersonationPrincipal(existingEntity);
  if (Objects.equals(specifiedOwnerPrincipal, effectivePrincipal)) {
    return;
  }

  // The message echoes only the caller-supplied principal. The recorded owner is deliberately withheld,
  // since disclosing it to a rejected caller might be unacceptable under some security scenarios.
  String message = String.format(
      "%s '%s' already exists and the specified %s '%s' is not the same as the existing one. "
          + "The %s of an entity cannot be changed.",
      existingEntity.getEntityType(),
      existingEntity.getEntityName(),
      Constants.Security.PRINCIPAL,
      specifiedOwnerPrincipal,
      Constants.Security.PRINCIPAL);
  throw new UnauthorizedException(message);
}