/** * <p>Verifies the owner principal of an entity is same as the owner specified during entity creation. If an owner * was not specified during entity creation but is being specified later (i.e. during updating properties etc) the * specified owner principal is same as the effective impersonating principal.</p> * <p>Note: This method should not be called for an non-existing entity for example while the entity is being * created.</p> * @param existingEntity the existing entity whose owner principal is being verified * @param specifiedOwnerPrincipal the specified principal * @param ownerAdmin {@link OwnerAdmin} * @throws IOException if failed to query the given ownerAdmin * @throws UnauthorizedException if the specified owner information is not valid with the existing * impersonation principal */ public static void verifyOwnerPrincipal(NamespacedEntityId existingEntity, @Nullable String specifiedOwnerPrincipal, OwnerAdmin ownerAdmin) throws IOException, UnauthorizedException { // if an owner principal was not specified then ensure that a direct owner doesn't exist. Although, if an owner // principal was specified then it must be equal to the effective impersonating principal of this entity if (!((specifiedOwnerPrincipal == null && ownerAdmin.getOwnerPrincipal(existingEntity) == null) || Objects.equals(specifiedOwnerPrincipal, ownerAdmin.getImpersonationPrincipal(existingEntity)))) { // Not giving existing owner information as it might be unacceptable under some security scenarios throw new UnauthorizedException(String.format("%s '%s' already exists and the specified %s '%s' is not the " + "same as the existing one. The %s of an entity cannot be " + "changed.", existingEntity.getEntityType(), existingEntity.getEntityName(), Constants.Security.PRINCIPAL, specifiedOwnerPrincipal, Constants.Security.PRINCIPAL)); } }
new ArtifactSummary(appSpec.getName(), null) : ArtifactSummary.from(artifactId); ApplicationRecord record = new ApplicationRecord(artifactSummary, appId, appSpec.getDescription(), ownerAdmin.getOwnerPrincipal(appId)); if (predicate.apply(record)) { appRecords.add(record);
new ArtifactSummary(appSpec.getName(), null) : ArtifactSummary.from(artifactId); ApplicationRecord record = new ApplicationRecord(artifactSummary, appId, appSpec.getDescription(), ownerAdmin.getOwnerPrincipal(appId)); if (predicate.apply(record)) { appRecords.add(record);
@Override public StreamProperties getProperties(StreamId streamId) throws Exception { // get the principal which will be used for impersonation to display as owner String ownerPrincipal = ownerAdmin.getOwnerPrincipal(streamId); StreamConfig config = getConfig(streamId); StreamSpecification spec = streamMetaStore.getStream(streamId); return new StreamProperties(config.getTTL(), config.getFormat(), config.getNotificationThresholdMB(), spec.getDescription(), ownerPrincipal); }
/** * Get detail about the specified application * * @param appId the id of the application to get * @return detail about the specified application * @throws ApplicationNotFoundException if the specified application does not exist */ public ApplicationDetail getAppDetail(ApplicationId appId) throws Exception { // TODO: CDAP-12473: filter based on the entity visibility in the app detail // user needs to pass the visibility check to get the app detail AuthorizationUtil.ensureAccess(appId, authorizationEnforcer, authenticationContext.getPrincipal()); ApplicationSpecification appSpec = store.getApplication(appId); if (appSpec == null) { throw new ApplicationNotFoundException(appId); } String ownerPrincipal = ownerAdmin.getOwnerPrincipal(appId); return filterApplicationDetail(appId, ApplicationDetail.fromSpec(appSpec, ownerPrincipal)); }
/** * Get detail about the specified application * * @param appId the id of the application to get * @return detail about the specified application * @throws ApplicationNotFoundException if the specified application does not exist */ public ApplicationDetail getAppDetail(ApplicationId appId) throws Exception { // TODO: CDAP-12473: filter based on the entity visibility in the app detail // user needs to pass the visibility check to get the app detail AuthorizationUtil.ensureAccess(appId, authorizationEnforcer, authenticationContext.getPrincipal()); ApplicationSpecification appSpec = store.getApplication(appId); if (appSpec == null) { throw new ApplicationNotFoundException(appId); } String ownerPrincipal = ownerAdmin.getOwnerPrincipal(appId); return filterApplicationDetail(appId, ApplicationDetail.fromSpec(appSpec, ownerPrincipal)); }
if (!NamespaceId.SYSTEM.equals(instance.getNamespaceId())) { LOG.trace("Retrieving owner principal for dataset {}", instance.getDataset()); ownerPrincipal = ownerAdmin.getOwnerPrincipal(instance); LOG.trace("Retrieved owner principal for dataset {}", instance.getDataset());
if (!NamespaceId.SYSTEM.equals(instance.getNamespaceId())) { LOG.trace("Retrieving owner principal for dataset {}", instance.getDataset()); ownerPrincipal = ownerAdmin.getOwnerPrincipal(instance); LOG.trace("Retrieved owner principal for dataset {}", instance.getDataset());
@Test public void testOwner() throws Exception { // deploy modules deployModule("module1", TestModule1.class); // should not be able to create a dataset with invalid kerberos principal format HttpResponse response = createInstance(NamespaceId.DEFAULT.dataset("ownedDataset"), "datasetType1", null, DatasetProperties.EMPTY, "alice/bob/somehost.net@somekdc.net"); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getResponseCode()); // should be able to create a dataset with valid kerberos principal format String alicePrincipal = "alice/somehost.net@somekdc.net"; response = createInstance(NamespaceId.DEFAULT.dataset("ownedDataset"), "datasetType1", null, DatasetProperties.EMPTY, alicePrincipal); Assert.assertEquals(HttpStatus.SC_OK, response.getResponseCode()); // owner information should have stored Assert.assertEquals(alicePrincipal, ownerAdmin.getOwnerPrincipal(NamespaceId.DEFAULT.dataset("ownedDataset"))); // should be able to retrieve owner information back DatasetMeta meta = getInstanceObject("ownedDataset").getResponseObject(); Assert.assertEquals(alicePrincipal, meta.getOwnerPrincipal()); // deleting the dataset should delete the owner information response = deleteInstance(NamespaceId.DEFAULT.dataset("ownedDataset")); Assert.assertEquals(HttpStatus.SC_OK, response.getResponseCode()); Assert.assertNull(ownerAdmin.getOwner(NamespaceId.DEFAULT.dataset("ownedDataset"))); }