private void propagateUserId(HttpRequest request) { String userId = request.headers().get(Constants.Security.Headers.USER_ID); if (userId != null) { LOG.debug("Propagating userId as {}", userId); SecurityRequestContext.setUserId(userId); } } }
/** * Helper function, to run the callable as the principal provided and reset back when the call is done */ public static <T> T authorizeAs(String userName, Callable<T> callable) throws Exception { String oldUserName = SecurityRequestContext.getUserId(); SecurityRequestContext.setUserId(userName); try { return callable.call(); } finally { SecurityRequestContext.setUserId(oldUserName); } }
private void propagateUserId(HttpRequest request) { String userId = request.headers().get(Constants.Security.Headers.USER_ID); if (userId != null) { LOG.debug("Propagating userId as {}", userId); SecurityRequestContext.setUserId(userId); } } }
private void propagateUserId(HttpRequest request) { String userId = request.headers().get(Constants.Security.Headers.USER_ID); if (userId != null) { LOG.debug("Propagating userId as {}", userId); SecurityRequestContext.setUserId(userId); } } }
private void propagateUserId(HttpRequest request) { String userId = request.headers().get(Constants.Security.Headers.USER_ID); if (userId != null) { LOG.debug("Propagating userId as {}", userId); SecurityRequestContext.setUserId(userId); } } }
/** * Decode the AccessTokenIdentifier passed as a header and set it in a ThreadLocal. * Returns a 401 if the identifier is malformed. */ @Override public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception { if (msg instanceof HttpRequest) { // TODO: authenticate the user using user id - CDAP-688 HttpRequest request = (HttpRequest) msg; currentUserId = request.headers().get(Constants.Security.Headers.USER_ID); currentUserIP = request.headers().get(Constants.Security.Headers.USER_IP); SecurityRequestContext.setUserId(currentUserId); SecurityRequestContext.setUserIP(currentUserIP); } else if (msg instanceof HttpContent) { SecurityRequestContext.setUserId(currentUserId); SecurityRequestContext.setUserIP(currentUserIP); } ctx.fireChannelRead(msg); }
/** * Decode the AccessTokenIdentifier passed as a header and set it in a ThreadLocal. * Returns a 401 if the identifier is malformed. */ @Override public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception { if (msg instanceof HttpRequest) { // TODO: authenticate the user using user id - CDAP-688 HttpRequest request = (HttpRequest) msg; currentUserId = request.headers().get(Constants.Security.Headers.USER_ID); currentUserIP = request.headers().get(Constants.Security.Headers.USER_IP); SecurityRequestContext.setUserId(currentUserId); SecurityRequestContext.setUserIP(currentUserIP); } else if (msg instanceof HttpContent) { SecurityRequestContext.setUserId(currentUserId); SecurityRequestContext.setUserIP(currentUserIP); } ctx.fireChannelRead(msg); }
/** * Executes the given {@link ThrowingRunnable} by setting the {@link SecurityRequestContext} based on the given * {@link Principal}. */ private void runWithPrincipal(Principal principal, ThrowingRunnable runnable) throws Exception { String oldUserId = SecurityRequestContext.getUserId(); try { SecurityRequestContext.setUserId(principal.getName()); runnable.run(); } finally { SecurityRequestContext.setUserId(oldUserId); } } }
/** * Executes the given {@link ThrowingRunnable} by setting the {@link SecurityRequestContext} based on the given * {@link Principal}. */ private void runWithPrincipal(Principal principal, ThrowingRunnable runnable) throws Exception { String oldUserId = SecurityRequestContext.getUserId(); try { SecurityRequestContext.setUserId(principal.getName()); runnable.run(); } finally { SecurityRequestContext.setUserId(oldUserId); } } }
@Override public QueryHandle call() throws Exception { SecurityRequestContext.setUserId(userId); SecurityRequestContext.setUserIP(userIp); return handleProducer.getHandle(); } });
@Override public QueryHandle call() throws Exception { SecurityRequestContext.setUserId(userId); SecurityRequestContext.setUserIP(userIp); return handleProducer.getHandle(); } });
@Override public MetaDataInfo call() throws Exception { SecurityRequestContext.setUserId(userId); SecurityRequestContext.setUserIP(userIp); return getInfo(infoType); } });
@Override public MetaDataInfo call() throws Exception { SecurityRequestContext.setUserId(userId); SecurityRequestContext.setUserIP(userIp); return getInfo(infoType); } });
@AfterClass public static void cleanup() throws Exception { // we want to execute TestBase's @AfterClass after unsetting userid, because the old userid has been granted ADMIN // on default namespace in TestBase so it can clean the namespace. SecurityRequestContext.setUserId(oldUser); finish(); }
/** * Executes a program without blocking until its completion. */ public void execute(final ProgramId id, Map<String, String> sysArgs, Map<String, String> userArgs) throws Exception { String originalUserId = SecurityRequestContext.getUserId(); try { // if the program has a namespace user configured then set that user in the security request context. // See: CDAP-7396 String nsPrincipal = namespaceQueryAdmin.get(id.getNamespaceId()).getConfig().getPrincipal(); if (nsPrincipal != null && SecurityUtil.isKerberosEnabled(cConf)) { SecurityRequestContext.setUserId(new KerberosName(nsPrincipal).getServiceName()); } lifecycleService.runInternal(id, userArgs, sysArgs, false); } catch (ProgramNotFoundException | ApplicationNotFoundException e) { throw new TaskExecutionException(String.format(UserMessages.getMessage(UserErrors.PROGRAM_NOT_FOUND), id), e, false); } finally { SecurityRequestContext.setUserId(originalUserId); } } }
/** * Executes a program without blocking until its completion. */ public void execute(final ProgramId id, Map<String, String> sysArgs, Map<String, String> userArgs) throws Exception { String originalUserId = SecurityRequestContext.getUserId(); try { // if the program has a namespace user configured then set that user in the security request context. // See: CDAP-7396 String nsPrincipal = namespaceQueryAdmin.get(id.getNamespaceId()).getConfig().getPrincipal(); if (nsPrincipal != null && SecurityUtil.isKerberosEnabled(cConf)) { SecurityRequestContext.setUserId(new KerberosName(nsPrincipal).getServiceName()); } lifecycleService.runInternal(id, userArgs, sysArgs, false); } catch (ProgramNotFoundException | ApplicationNotFoundException e) { throw new TaskExecutionException(String.format(UserMessages.getMessage(UserErrors.PROGRAM_NOT_FOUND), id), e, false); } finally { SecurityRequestContext.setUserId(originalUserId); } } }
@Before public void setupTest() throws Exception { Assert.assertEquals(ImmutableSet.<Privilege>of(), getAuthorizer().listPrivileges(ALICE)); SecurityRequestContext.setUserId(ALICE.getName()); cleanUpEntities = new HashSet<>(); }
@AfterClass public static void cleanup() throws Exception { authorizer.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM)); Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE)); SecurityRequestContext.setUserId(OLD_USER_ID); }
@Test public void testCrossNSService() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(CrossNsDatasetAccessApp.APP_NAME); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(CrossNsDatasetAccessApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.service(CrossNsDatasetAccessApp.SERVICE_NAME); cleanUpEntities.add(programId); // grant bob execute on program and READ/WRITE on stream grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, CrossNsDatasetAccessApp.class); // switch to to ALICE SecurityRequestContext.setUserId(ALICE.getName()); ServiceManager serviceManager = appManager.getServiceManager(CrossNsDatasetAccessApp.SERVICE_NAME); testSystemDatasetAccessFromService(serviceManager); testCrossNSDatasetAccessFromService(serviceManager); }
@After @Override public void afterTest() throws Exception { Authorizer authorizer = getAuthorizer(); SecurityRequestContext.setUserId(ALICE.getName()); grantAndAssertSuccess(AUTH_NAMESPACE, SecurityRequestContext.toPrincipal(), EnumSet.of(Action.ADMIN)); // clean up. remove the namespace if it exists if (getNamespaceAdmin().exists(AUTH_NAMESPACE)) { getNamespaceAdmin().delete(AUTH_NAMESPACE); Assert.assertFalse(getNamespaceAdmin().exists(AUTH_NAMESPACE)); } revokeAndAssertSuccess(AUTH_NAMESPACE); for (EntityId entityId : cleanUpEntities) { revokeAndAssertSuccess(entityId); } Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE)); }