/**
 * Supplies the extra security header that identifies the caller by Kerberos principal.
 *
 * @return a single-entry immutable map from {@code Constants.Security.Headers.USER_PRINCIPAL}
 *     to the Kerberos principal taken from the current authentication context
 */
@Override
protected Map<String, String> addAdditionalSecurityHeaders() {
  final String kerberosPrincipal = authenticationContext.getPrincipal().getKerberosPrincipal();
  // NOTE(review): Collections.singletonMap accepts a null value; if getKerberosPrincipal() can
  // return null the header would be mapped to null - confirm how the caller handles that.
  return Collections.singletonMap(Constants.Security.Headers.USER_PRINCIPAL, kerberosPrincipal);
}
} // end of the enclosing class (its declaration is not part of this excerpt)
/**
 * Looks up the {@link ProgramSpecification} of a {@link ProgramId program} on behalf of the
 * current principal.
 *
 * <p>The caller passes the check when it holds at least one {@link Action} on the program; the
 * full set of actions is offered to {@code AuthorizationUtil.ensureOnePrivilege}. The lookup
 * itself is only reached if that check returns normally.
 *
 * @param programId the {@link ProgramId program} whose {@link ProgramSpecification} is requested
 * @return the {@link ProgramSpecification} of the program; may be {@code null}
 * @throws Exception propagated from the privilege check or from the underlying lookup
 */
@Nullable
public ProgramSpecification getProgramSpecification(ProgramId programId) throws Exception {
  // Any single privilege on the program is sufficient to read its specification.
  EnumSet<Action> anyAction = EnumSet.allOf(Action.class);
  AuthorizationUtil.ensureOnePrivilege(programId, anyAction, authorizationEnforcer,
                                       authenticationContext.getPrincipal());
  // NOTE(review): the name suggests this helper performs no authorization of its own, so the
  // check above is the only gate - confirm no other caller reaches it unchecked.
  return getProgramSpecificationWithoutAuthz(programId);
}
/**
 * Pairs the current principal's Kerberos principal with the UGI of the current user.
 *
 * <p>The {@code impersonationRequest} argument is not read: the result always describes the
 * identity the calling code is already running as, regardless of which user was requested.
 *
 * @param impersonationRequest the impersonation request (unused by this implementation)
 * @return the Kerberos principal of the authentication context together with
 *     {@code UserGroupInformation.getCurrentUser()}
 * @throws IOException declared by the overridden method; presumably raised when the current user
 *     cannot be determined
 */
@Override
public UGIWithPrincipal getConfiguredUGI(ImpersonationRequest impersonationRequest) throws IOException {
  String kerberosPrincipal = authenticationContext.getPrincipal().getKerberosPrincipal();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  return new UGIWithPrincipal(kerberosPrincipal, currentUser);
}
} // end of the enclosing class (its declaration is not part of this excerpt)
/**
 * Registers a dataset module after checking that the caller may administer it.
 *
 * @param datasetModuleId the module being added
 * @param className the module's class name, passed through to the delegate
 * @param forceUpdate passed through to the delegate unchanged
 * @return the {@link BodyConsumer} produced by the delegate
 * @throws Exception propagated from the authorization check or from the delegate
 */
@Override
public BodyConsumer addModule(DatasetModuleId datasetModuleId, String className,
                              boolean forceUpdate) throws Exception {
  // The current principal needs ADMIN on the dataset module; the delegate is only reached
  // if this call returns normally.
  authorizationEnforcer.enforce(datasetModuleId, authenticationContext.getPrincipal(), Action.ADMIN);
  return delegate.addModule(datasetModuleId, className, forceUpdate);
}
/**
 * Lists the dataset modules of a namespace, filtered down by {@code AuthorizationUtil.isVisible}
 * for the current principal.
 *
 * <p>The delegate is queried first and the filter is applied to its result, so the complete list
 * is fetched before the visibility decision is made.
 *
 * @param namespaceId the namespace whose modules are listed
 * @return the result of {@code AuthorizationUtil.isVisible} over the delegate's module list
 * @throws Exception propagated from the delegate or from the visibility filter
 */
@Override
public List<DatasetModuleMeta> listModules(final NamespaceId namespaceId) throws Exception {
  List<DatasetModuleMeta> allModules = delegate.listModules(namespaceId);
  // Maps each module's metadata to the entity id the visibility check is evaluated against.
  Function<DatasetModuleMeta, EntityId> toEntityId = new Function<DatasetModuleMeta, EntityId>() {
    @Override
    public EntityId apply(DatasetModuleMeta input) {
      return namespaceId.datasetModule(input.getName());
    }
  };
  // The trailing null is an optional argument of isVisible - TODO confirm its meaning against
  // AuthorizationUtil before relying on it.
  return AuthorizationUtil.isVisible(allModules, authorizationEnforcer,
                                     authenticationContext.getPrincipal(), toEntityId, null);
}
/**
 * Lists the streams of a namespace, filtered down by {@code AuthorizationUtil.isVisible} for the
 * current principal.
 *
 * @param namespaceId the namespace whose streams are listed
 * @return the result of {@code AuthorizationUtil.isVisible} over the delegate's stream list
 * @throws Exception propagated from the delegate or from the visibility filter
 */
@Override
public List<StreamSpecification> listStreams(final NamespaceId namespaceId) throws Exception {
  // Maps each stream specification to the entity id the visibility check is evaluated against.
  Function<StreamSpecification, EntityId> toEntityId = new Function<StreamSpecification, EntityId>() {
    @Override
    public EntityId apply(StreamSpecification input) {
      return namespaceId.stream(input.getName());
    }
  };
  // The trailing null is an optional argument of isVisible - TODO confirm its meaning against
  // AuthorizationUtil before relying on it.
  return AuthorizationUtil.isVisible(delegate.listStreams(namespaceId), authorizationEnforcer,
                                     authenticationContext.getPrincipal(), toEntityId, null);
}
/**
 * Lists the views of a stream once the current principal has passed the access check on that
 * stream.
 *
 * <p>Unlike the namespace-level listings, the returned views are not filtered individually; the
 * single check on the stream governs the whole result.
 *
 * @param streamId the stream whose views are listed
 * @return the views reported by the delegate
 * @throws Exception propagated from the access check or from the delegate
 */
@Override
public List<StreamViewId> listViews(StreamId streamId) throws Exception {
  // The delegate is only reached if ensureAccess returns normally.
  AuthorizationUtil.ensureAccess(streamId, authorizationEnforcer,
                                 authenticationContext.getPrincipal());
  return delegate.listViews(streamId);
}
/**
 * Adds the system artifacts after checking that the caller may administer the system namespace.
 *
 * @throws Exception propagated from the authorization check or from the delegate
 */
@Override
public void addSystemArtifacts() throws Exception {
  // Adding system artifacts requires ADMIN on NamespaceId.SYSTEM; the delegate is only reached
  // if this call returns normally.
  authorizationEnforcer.enforce(NamespaceId.SYSTEM, authenticationContext.getPrincipal(), Action.ADMIN);
  delegate.addSystemArtifacts();
}
/**
 * Writes one audit-log record for a handled request.
 *
 * <p>The record carries the request, the client address, the name of the current principal and
 * the response status code. It is emitted through {@code AUDIT_LOG} at TRACE level, so it is only
 * retained when that logger is configured for TRACE.
 *
 * @param httpRequest the request being audited
 * @param responseStatus the status returned for the request
 * @throws UnknownHostException if the recorded client address cannot be resolved by
 *     {@link InetAddress#getByName(String)}
 */
private void createLogEntry(HttpRequest httpRequest, HttpResponseStatus responseStatus)
  throws UnknownHostException {
  // Fall back to the unspecified address when no client IP was recorded for this request.
  String recordedIp = Objects.firstNonNull(SecurityRequestContext.getUserIP(), "0.0.0.0");
  // NOTE(review): getByName parses IP literals locally but performs a name lookup for any other
  // string - confirm the value stored in SecurityRequestContext is always an IP literal.
  InetAddress clientAddress = InetAddress.getByName(recordedIp);
  AuditLogEntry entry = new AuditLogEntry(httpRequest, clientAddress.getHostAddress());
  // NOTE(review): the user name is written into the audit record as-is here; verify that
  // AuditLogEntry neutralises line breaks and delimiters so a crafted name cannot forge entries.
  entry.setUserName(authenticationContext.getPrincipal().getName());
  // Second argument is fixed at 0L - presumably the response content length; TODO confirm.
  entry.setResponse(responseStatus.code(), 0L);
  AUDIT_LOG.trace(entry.toString());
}
} // end of the enclosing class (its declaration is not part of this excerpt)
/**
 * Deletes a single property of an artifact after checking that the caller may administer the
 * artifact.
 *
 * @param artifactId the artifact whose property is removed
 * @param key the property key, passed through to the delegate
 * @throws Exception propagated from the authorization check or from the delegate
 */
@Override
public void deleteArtifactProperty(Id.Artifact artifactId, String key) throws Exception {
  // ADMIN on the artifact entity is required; the delegate is only reached if enforce returns
  // normally.
  authorizationEnforcer.enforce(artifactId.toEntityId(),
                                authenticationContext.getPrincipal(),
                                Action.ADMIN);
  delegate.deleteArtifactProperty(artifactId, key);
}
/**
 * Deletes the properties of an artifact after checking that the caller may administer the
 * artifact.
 *
 * @param artifactId the artifact whose properties are removed
 * @throws Exception propagated from the authorization check or from the delegate
 */
@Override
public void deleteArtifactProperties(Id.Artifact artifactId) throws Exception {
  // ADMIN on the artifact entity is required; the delegate is only reached if enforce returns
  // normally.
  authorizationEnforcer.enforce(artifactId.toEntityId(),
                                authenticationContext.getPrincipal(),
                                Action.ADMIN);
  delegate.deleteArtifactProperties(artifactId);
}
/**
 * Deletes a stream view once the current principal has passed the access check on the view's
 * parent stream.
 *
 * <p>Authorization is evaluated against {@code viewId.getParent()}, not against the view itself.
 *
 * @param viewId the view to delete
 * @throws Exception propagated from the access check or from the delegate
 */
@Override
public void deleteView(StreamViewId viewId) throws Exception {
  // NOTE(review): this destructive operation is gated by ensureAccess, whereas other mutating
  // operations on this page call enforce(..., Action.ADMIN) - confirm that ensureAccess demands
  // a privilege strong enough for deletion.
  AuthorizationUtil.ensureAccess(viewId.getParent(), authorizationEnforcer,
                                 authenticationContext.getPrincipal());
  delegate.deleteView(viewId);
}
/**
 * Fetches the specification of a stream view once the current principal has passed the access
 * check on the view's parent stream.
 *
 * <p>Authorization is evaluated against {@code viewId.getParent()}, not against the view itself.
 *
 * @param viewId the view to read
 * @return the {@link ViewSpecification} reported by the delegate
 * @throws Exception propagated from the access check or from the delegate
 */
@Override
public ViewSpecification getView(StreamViewId viewId) throws Exception {
  // The delegate is only reached if ensureAccess returns normally.
  AuthorizationUtil.ensureAccess(viewId.getParent(), authorizationEnforcer,
                                 authenticationContext.getPrincipal());
  return delegate.getView(viewId);
}
/**
 * Fetches the metadata of a dataset type, checking privileges for every type outside the system
 * namespace.
 *
 * <p>Types whose namespace equals {@code NamespaceId.SYSTEM} are returned without any
 * authorization check. For all other types the current principal must hold at least one
 * {@link Action} on the type.
 *
 * @param datasetTypeId the dataset type to read
 * @return the {@link DatasetTypeMeta} reported by the delegate
 * @throws Exception propagated from the privilege check or from the delegate
 */
@Override
public DatasetTypeMeta getType(DatasetTypeId datasetTypeId) throws Exception {
  boolean isSystemType = NamespaceId.SYSTEM.equals(datasetTypeId.getNamespaceId());
  // System dataset types are deliberately exempt from authorization.
  if (!isSystemType) {
    AuthorizationUtil.ensureOnePrivilege(datasetTypeId, EnumSet.allOf(Action.class),
                                         authorizationEnforcer,
                                         authenticationContext.getPrincipal());
  }
  return delegate.getType(datasetTypeId);
}
} // end of the enclosing class (its declaration is not part of this excerpt)
/**
 * Deletes an artifact after checking that the caller may administer it.
 *
 * @param artifactId the artifact to delete
 * @throws Exception propagated from the authorization check or from the delegate
 */
@Override
public void deleteArtifact(Id.Artifact artifactId) throws Exception {
  // Deleting an artifact requires ADMIN on that artifact; the delegate is only reached if
  // enforce returns normally.
  authorizationEnforcer.enforce(artifactId.toEntityId(), authenticationContext.getPrincipal(), Action.ADMIN);
  delegate.deleteArtifact(artifactId);
}
/**
 * Writes the properties of an artifact after checking that the caller may administer the
 * artifact.
 *
 * @param artifactId the artifact whose properties are written
 * @param properties the properties, passed through to the delegate unchanged
 * @throws Exception propagated from the authorization check or from the delegate
 */
@Override
public void writeArtifactProperties(Id.Artifact artifactId,
                                    Map<String, String> properties) throws Exception {
  // ADMIN on the artifact entity is required; the delegate is only reached if enforce returns
  // normally.
  authorizationEnforcer.enforce(artifactId.toEntityId(),
                                authenticationContext.getPrincipal(),
                                Action.ADMIN);
  delegate.writeArtifactProperties(artifactId, properties);
}
/**
 * Returns a copy of the request that additionally carries the current principal's name in the
 * {@code Constants.Security.Headers.USER_ID} header.
 *
 * @param request the request to copy
 * @return a new request built from {@code request} plus the user-id header
 * @throws IOException declared by this method; no visible call in the body states it explicitly
 */
private HttpRequest addUserIdHeader(HttpRequest request) throws IOException {
  String userId = authenticationContext.getPrincipal().getName();
  // NOTE(review): the receiver presumably treats this header as the caller's identity; verify it
  // is only honoured on authenticated internal channels and dropped from external requests.
  return new HttpRequest.Builder(request)
    .addHeader(Constants.Security.Headers.USER_ID, userId)
    .build();
}
} // end of the enclosing class (its declaration is not part of this excerpt)
/**
 * Returns a copy of the request that additionally carries the current principal's name in the
 * {@code Constants.Security.Headers.USER_ID} header.
 *
 * @param request the request to copy
 * @return a new request built from {@code request} plus the user-id header
 */
private HttpRequest addUserIdHeader(HttpRequest request) {
  String userId = authenticationContext.getPrincipal().getName();
  // NOTE(review): the receiver presumably treats this header as the caller's identity; verify it
  // is only honoured on authenticated internal channels and dropped from external requests.
  return new HttpRequest.Builder(request)
    .addHeader(Constants.Security.Headers.USER_ID, userId)
    .build();
}
} // end of the enclosing class (its declaration is not part of this excerpt)
/**
 * Deletes every dataset module of a namespace, but only after the caller has passed an ADMIN
 * check on each module currently listed there.
 *
 * <p>All checks run before anything is deleted: the delegate's {@code deleteAll} is only reached
 * if every {@code enforce} call returns normally.
 *
 * @param namespaceId the namespace whose modules are deleted
 * @throws Exception propagated from the listing, from an authorization check or from the delete
 */
@Override
public void deleteAll(NamespaceId namespaceId) throws Exception {
  // Resolve the caller once so every module is checked against the same identity.
  Principal principal = authenticationContext.getPrincipal();
  for (DatasetModuleMeta moduleMeta : delegate.listModules(namespaceId)) {
    authorizationEnforcer.enforce(namespaceId.datasetModule(moduleMeta.getName()), principal, Action.ADMIN);
  }
  // NOTE(review): the delete acts on the namespace, not on the list that was checked; a module
  // registered between the listing and this call would be removed without a check - confirm
  // whether that window matters here.
  delegate.deleteAll(namespaceId);
}
/**
 * Clears the artifacts of a namespace, but only after the caller has passed an ADMIN check on
 * each artifact returned by {@code delegate.getArtifactSummaries(namespace, false)}.
 *
 * <p>All checks run before anything is cleared: the delegate's {@code clear} is only reached if
 * every {@code enforce} call returns normally.
 *
 * @param namespace the namespace to clear
 * @throws Exception propagated from the listing, from an authorization check or from the clear
 */
@Override
public void clear(NamespaceId namespace) throws Exception {
  // The boolean flag is false here - presumably it excludes system artifacts; TODO confirm
  // against getArtifactSummaries.
  for (ArtifactSummary summary : delegate.getArtifactSummaries(namespace, false)) {
    authorizationEnforcer.enforce(namespace.artifact(summary.getName(), summary.getVersion()),
                                  authenticationContext.getPrincipal(),
                                  Action.ADMIN);
  }
  // NOTE(review): the clear acts on the namespace, not on the list that was checked; an artifact
  // added between the listing and this call would be removed without a check - confirm whether
  // that window matters here.
  delegate.clear(namespace);
}