/**
 * Creates a stream after authorizing the request, delegating the actual creation to {@code delegate}.
 *
 * <p>Two checks run, in this order, before the delegate is reached:
 * <ol>
 *   <li>if an effective owner principal is resolved, the requesting user must hold {@code ADMIN} on that
 *       principal (the impersonation check);</li>
 *   <li>{@code ensureAccess} is invoked for {@code ADMIN} on the stream itself.</li>
 * </ol>
 * The delegate is never called if either check throws.
 *
 * @param streamId the stream to create
 * @param props optional stream properties; may carry an owner principal under
 *              {@code Constants.Security.PRINCIPAL}
 * @return whatever {@code delegate.create} returns, which may be {@code null}
 * @throws Exception propagated from the owner lookup, the authorization checks, or the delegate
 */
@Nullable
@Override
public StreamConfig create(StreamId streamId, @Nullable Properties props) throws Exception {
  // Only an owner principal set directly on props is honoured: containsKey() does not consult a
  // Properties object's defaults, so a principal present only in the defaults is treated as absent.
  String requestedOwnerPrincipal = null;
  if (props != null && props.containsKey(Constants.Security.PRINCIPAL)) {
    requestedOwnerPrincipal = props.getProperty(Constants.Security.PRINCIPAL);
  }

  // When impersonation is involved, authorization has to be enforced on the owner principal as well.
  // NOTE(review): getEffectiveOwner presumably falls back to the namespace owner when no principal is
  // specified here - confirm against SecurityUtil.
  KerberosPrincipalId ownerToImpersonate =
    SecurityUtil.getEffectiveOwner(ownerAdmin, streamId.getNamespaceId(), requestedOwnerPrincipal);
  Principal caller = authenticationContext.getPrincipal();
  if (ownerToImpersonate != null) {
    authorizationEnforcer.enforce(ownerToImpersonate, caller, Action.ADMIN);
  }

  // The check on the stream itself runs after the impersonation check and before any side effect.
  ensureAccess(streamId, Action.ADMIN);
  return delegate.create(streamId, props);
}
/**
 * Determines the user name on which authorization is enforced for an application deployment.
 *
 * <p>If {@code SecurityUtil.getEffectiveOwner} yields an owner for the application, the short name of
 * that owner's Kerberos principal is returned. According to the original contract of this helper, the
 * effective owner is the application owner if present, otherwise the namespace owner. If no effective
 * owner exists, the name of the user making the request is returned.
 *
 * @param ownerAdmin used to look up ownership information
 * @param authenticationContext supplies the requesting user when there is no effective owner
 * @param applicationId the application being deployed; its namespace is used for the owner lookup
 * @param appOwner the owner specified for the application, or {@code null} if none was specified
 * @return the user name to authorize against
 * @throws IOException if the owner lookup or the principal short-name resolution fails
 */
public static String getAppAuthorizingUser(OwnerAdmin ownerAdmin, AuthenticationContext authenticationContext,
                                           ApplicationId applicationId,
                                           @Nullable KerberosPrincipalId appOwner) throws IOException {
  String specifiedPrincipal = null;
  if (appOwner != null) {
    specifiedPrincipal = appOwner.getPrincipal();
  }
  KerberosPrincipalId resolvedOwner =
    SecurityUtil.getEffectiveOwner(ownerAdmin, applicationId.getNamespaceId(), specifiedPrincipal);

  String authorizingUser;
  if (resolvedOwner == null) {
    // No impersonation configured for the app or the namespace: authorize the requesting user.
    authorizingUser = authenticationContext.getPrincipal().getName();
  } else {
    // CDAP-13154: when impersonation is configured for the application or the namespace, the effective
    // owner is a Kerberos principal, which can take several forms
    // (refer: https://docs.oracle.com/cd/E21455_01/common/tutorials/kerberos_principal.html), for example
    // a complete principal name (alice/somehost.net@someREALM). Authorization must be enforced on the
    // user name, not the complete principal, so the principal's short name is used.
    // NOTE(review): the short name drops the host and realm parts, so distinct principals may resolve to
    // the same authorizing user depending on how short names are derived - confirm this is acceptable
    // for the deployment's realm setup.
    authorizingUser = new KerberosName(resolvedOwner.getPrincipal()).getShortName();
  }

  LOG.trace("Returning {} as authorizing app user for {}", authorizingUser, applicationId);
  return authorizingUser;
}
KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, namespace, ownerPrincipal); if (DatasetsUtil.isUserDataset(datasetId)) { LOG.trace("Authorizing impersonation for dataset {}", name);
KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, namespace, ownerPrincipal); if (!DatasetsUtil.isSystemDatasetInUserNamespace(datasetId)) { LOG.trace("Authorizing impersonation for dataset {}", name);
SecurityUtil.getEffectiveOwner(ownerAdmin, namespaceId, ownerPrincipal == null ? null : ownerPrincipal.getPrincipal());
SecurityUtil.getEffectiveOwner(ownerAdmin, namespaceId, ownerPrincipal == null ? null : ownerPrincipal.getPrincipal());