@Override public void initUser(String user) throws AccumuloSecurityException { IZooReaderWriter zoo = context.getZooReaderWriter(); try { zoo.putPersistentData(ZKUserPath + "/" + user, new byte[0], NodeExistsPolicy.SKIP); } catch (KeeperException e) { log.error("{}", e.getMessage(), e); throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e); } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } }
public static void executeVoid(ClientContext context, ClientExec<ClientService.Client> exec) throws AccumuloException, AccumuloSecurityException { try { executeRawVoid(context, exec); } catch (ThriftSecurityException e) { throw new AccumuloSecurityException(e.user, e.code, e); } catch (AccumuloException e) { throw e; } catch (Exception e) { throw new AccumuloException(e); } }
@Override public synchronized void dropUser(String user) throws AccumuloSecurityException { final String encodedUser = Base64.getEncoder().encodeToString(user.getBytes(UTF_8)); try { zkAuthenticator.dropUser(encodedUser); } catch (AccumuloSecurityException e) { throw new AccumuloSecurityException(user, e.asThriftException().getCode(), e.getCause()); } }
@Override public void initUser(String user) throws AccumuloSecurityException { try { zoo.putPersistentData(ZKUserPath + "/" + user, new byte[0], NodeExistsPolicy.SKIP); zoo.putPersistentData(ZKUserPath + "/" + user + ZKUserTablePerms, new byte[0], NodeExistsPolicy.SKIP); zoo.putPersistentData(ZKUserPath + "/" + user + ZKUserNamespacePerms, new byte[0], NodeExistsPolicy.SKIP); } catch (KeeperException e) { log.error("{}", e.getMessage(), e); throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e); } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } }
@Override public void cleanNamespacePermissions(String namespace) throws AccumuloSecurityException { try { synchronized (zooCache) { zooCache.clear(); for (String user : zooCache.getChildren(ZKUserPath)) zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserNamespacePerms + "/" + namespace, NodeMissingPolicy.SKIP); } } catch (KeeperException e) { log.error("{}", e.getMessage(), e); throw new AccumuloSecurityException("unknownUser", SecurityErrorCode.CONNECTION_ERROR, e); } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } }
@Override public void dropUser(String user) throws AccumuloSecurityException { try { synchronized (zooCache) { IZooReaderWriter zoo = context.getZooReaderWriter(); zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserAuths, NodeMissingPolicy.SKIP); zooCache.clear(ZKUserPath + "/" + user); } } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } catch (KeeperException e) { log.error("{}", e.getMessage(), e); if (e.code().equals(KeeperException.Code.NONODE)) throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST, e); throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e); } }
@Override public void dropUser(String user) throws AccumuloSecurityException { try { synchronized (zooCache) { zooCache.clear(); context.getZooReaderWriter().recursiveDelete(ZKUserPath + "/" + user, NodeMissingPolicy.FAIL); } } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } catch (KeeperException e) { if (e.code().equals(KeeperException.Code.NONODE)) { throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST, e); } log.error("{}", e.getMessage(), e); throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e); } }
@Override public void cleanTablePermissions(String table) throws AccumuloSecurityException { try { synchronized (zooCache) { zooCache.clear(); for (String user : zooCache.getChildren(ZKUserPath)) zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserTablePerms + "/" + table, NodeMissingPolicy.SKIP); } } catch (KeeperException e) { log.error("{}", e.getMessage(), e); throw new AccumuloSecurityException("unknownUser", SecurityErrorCode.CONNECTION_ERROR, e); } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } }
@Override public void changeAuthorizations(String user, Authorizations authorizations) throws AccumuloSecurityException { try { synchronized (zooCache) { zooCache.clear(); context.getZooReaderWriter().putPersistentData(ZKUserPath + "/" + user + ZKUserAuths, ZKSecurityTool.convertAuthorizations(authorizations), NodeExistsPolicy.OVERWRITE); } } catch (KeeperException e) { log.error("{}", e.getMessage(), e); throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e); } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } }
@Override public void cleanUser(String user) throws AccumuloSecurityException { try { synchronized (zooCache) { zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserSysPerms, NodeMissingPolicy.SKIP); zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserTablePerms, NodeMissingPolicy.SKIP); zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserNamespacePerms, NodeMissingPolicy.SKIP); zooCache.clear(ZKUserPath + "/" + user); } } catch (InterruptedException e) { log.error("{}", e.getMessage(), e); throw new RuntimeException(e); } catch (KeeperException e) { log.error("{}", e.getMessage(), e); if (e.code().equals(KeeperException.Code.NONODE)) throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST, e); throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e); } }
/** * Converts the current object to the relevant thrift type. The object returned from this contains * a non-destroyable version of the {@link AuthenticationToken}, so this should be used just * before placing on the wire, and references to it should be tightly controlled. * * @param instanceID * Accumulo instance ID * @return Thrift credentials * @throws RuntimeException * if the authentication token has been destroyed (expired) */ public TCredentials toThrift(String instanceID) { TCredentials tCreds = new TCredentials(getPrincipal(), getToken().getClass().getName(), ByteBuffer.wrap(AuthenticationTokenSerializer.serialize(getToken())), instanceID); if (getToken().isDestroyed()) throw new RuntimeException("Token has been destroyed", new AccumuloSecurityException(getPrincipal(), SecurityErrorCode.TOKEN_EXPIRED)); return tCreds; }
@Override public void grantTablePermission(final String principal, final String table, final TablePermission permission) throws AccumuloException, AccumuloSecurityException { checkArgument(principal != null, "principal is null"); checkArgument(table != null, "table is null"); checkArgument(permission != null, "permission is null"); try { executeVoid(client -> client.grantTablePermission(Tracer.traceInfo(), context.rpcCreds(), principal, table, permission.getId())); } catch (AccumuloSecurityException e) { if (e.getSecurityErrorCode() == NAMESPACE_DOESNT_EXIST) throw new AccumuloSecurityException(null, SecurityErrorCode.TABLE_DOESNT_EXIST, e); else throw e; } }
@Override public void revokeTablePermission(final String principal, final String table, final TablePermission permission) throws AccumuloException, AccumuloSecurityException { checkArgument(principal != null, "principal is null"); checkArgument(table != null, "table is null"); checkArgument(permission != null, "permission is null"); try { executeVoid(client -> client.revokeTablePermission(Tracer.traceInfo(), context.rpcCreds(), principal, table, permission.getId())); } catch (AccumuloSecurityException e) { if (e.getSecurityErrorCode() == NAMESPACE_DOESNT_EXIST) throw new AccumuloSecurityException(null, SecurityErrorCode.TABLE_DOESNT_EXIST, e); else throw e; } }
@Override public boolean hasTablePermission(final String principal, final String table, final TablePermission perm) throws AccumuloException, AccumuloSecurityException { checkArgument(principal != null, "principal is null"); checkArgument(table != null, "table is null"); checkArgument(perm != null, "perm is null"); try { return execute(client -> client.hasTablePermission(Tracer.traceInfo(), context.rpcCreds(), principal, table, perm.getId())); } catch (AccumuloSecurityException e) { if (e.getSecurityErrorCode() == NAMESPACE_DOESNT_EXIST) throw new AccumuloSecurityException(null, SecurityErrorCode.TABLE_DOESNT_EXIST, e); else throw e; } }
private static void updateServer(ClientContext context, Mutation m, KeyExtent extent, HostAndPort server) throws TException, NotServingTabletException, ConstraintViolationException, AccumuloSecurityException { checkArgument(m != null, "m is null"); checkArgument(extent != null, "extent is null"); checkArgument(server != null, "server is null"); checkArgument(context != null, "context is null"); TabletClientService.Iface client = null; try { client = ThriftUtil.getTServerClient(server, context); client.update(Tracer.traceInfo(), context.rpcCreds(), extent.toThrift(), m.toThrift(), TDurability.DEFAULT); return; } catch (ThriftSecurityException e) { throw new AccumuloSecurityException(e.user, e.code); } finally { ThriftUtil.returnClient((TServiceClient) client); } }
public static <CT extends TServiceClient,RT> RT execute(ClientContext context, TServiceClientFactory<CT> factory, ClientExecReturn<RT,CT> exec) throws AccumuloException, AccumuloSecurityException { try { return executeRaw(context, factory, exec); } catch (ThriftSecurityException e) { throw new AccumuloSecurityException(e.user, e.code, e); } catch (AccumuloException e) { throw e; } catch (Exception e) { throw new AccumuloException(e); } }
public ConnectorImpl(ClientContext context) throws AccumuloSecurityException, AccumuloException { this.context = context; SingletonManager.setMode(Mode.CONNECTOR); if (context.getCredentials().getToken().isDestroyed()) throw new AccumuloSecurityException(context.getCredentials().getPrincipal(), SecurityErrorCode.TOKEN_EXPIRED); // Skip fail fast for system services; string literal for class name, to avoid dependency on // server jar final String tokenClassName = context.getCredentials().getToken().getClass().getName(); if (!SYSTEM_TOKEN_NAME.equals(tokenClassName)) { ServerClient.executeVoid(context, iface -> { if (!iface.authenticate(Tracer.traceInfo(), context.rpcCreds())) throw new AccumuloSecurityException("Authentication failed, access denied", SecurityErrorCode.BAD_CREDENTIALS); }); } }
public void initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token) throws AccumuloSecurityException { if (!isSystemUser(credentials)) throw new AccumuloSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED); authenticator.initializeSecurity(rootPrincipal, token); authorizor.initializeSecurity(credentials, rootPrincipal); permHandle.initializeSecurity(credentials, rootPrincipal); try { permHandle.grantTablePermission(rootPrincipal, MetadataTable.ID.canonicalID(), TablePermission.ALTER_TABLE); } catch (TableNotFoundException e) { // Shouldn't happen throw new RuntimeException(e); } }
@Override public boolean authenticateUser(String principal, AuthenticationToken token) throws AccumuloSecurityException { if (!(token instanceof PasswordToken)) throw new AccumuloSecurityException(principal, SecurityErrorCode.INVALID_TOKEN); PasswordToken pt = (PasswordToken) token; byte[] pass; String zpath = ZKUserPath + "/" + principal; pass = zooCache.get(zpath); boolean result = ZKSecurityTool.checkPass(pt.getPassword(), pass); if (!result) { zooCache.clear(zpath); pass = zooCache.get(zpath); result = ZKSecurityTool.checkPass(pt.getPassword(), pass); } return result; }
@Override public TSummaries startGetSummariesForPartition(TInfo tinfo, TCredentials credentials, TSummaryRequest request, int modulus, int remainder) throws ThriftSecurityException, TException { // do not expect users to call this directly, expect other tservers to call this method if (!security.canPerformSystemActions(credentials)) { throw new AccumuloSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED).asThriftException(); } ServerConfigurationFactory factory = context.getServerConfFactory(); ExecutorService spe = resourceManager.getSummaryRemoteExecutor(); Future<SummaryCollection> future = new Gatherer(context, request, factory.getTableConfiguration(Table.ID.of(request.getTableId())), context.getCryptoService()).processPartition(spe, modulus, remainder); return startSummaryOperation(credentials, future); }