requestCompleted = true; if (LOG.isDebugEnabled()) { LOG.debug("Authentication exception: " + ex.getMessage(), ex); } else { LOG.warn("Authentication exception: " + ex.getMessage());
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } catch(AuthorizationException e) { throw new ServletException(e.getMessage());
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (ugi != null && ugi.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(ugi, this.getHostAddress(), this.rpcServer.conf); } this.rpcServer.authorize(ugi, connectionHeader, getHostInetAddress()); this.rpcServer.metrics.authorizationSuccess(); } catch (AuthorizationException ae) { if (RpcServer.LOG.isDebugEnabled()) { RpcServer.LOG.debug("Connection authorization failed: " + ae.getMessage(), ae); } this.rpcServer.metrics.authorizationFailure(); doRespond(getErrorResponse(ae.getMessage(), new AccessDeniedException(ae))); return false; } return true; }
@Override public String extract(HttpServletRequest request) throws RemoteUserExtractionException { if (request.getParameter(userExtractParam) != null) { String extractedUser = paramRemoteUserExtractor.extract(request); UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser()); UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi); // Check if this user is allowed to be impersonated. // Will throw AuthorizationException if the impersonation as this user is not allowed try { ProxyUsers.authorize(proxyUser, request.getRemoteAddr()); return extractedUser; } catch (AuthorizationException e) { throw new RemoteUserExtractionException(e.getMessage(), e); } } else { if (LOG.isDebugEnabled()) { LOG.debug("The parameter (" + userExtractParam + ") used to extract the remote user doesn't exist in the request."); } return requestRemoteUserExtractor.extract(request); } } }
setupResponse(authFailedResponse, authFailedCall, Status.FATAL, null, ae.getClass().getName(), ae.getMessage()); responder.doRespond(authFailedCall);
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } catch (AuthorizationException e) { throw new ServletException(e.getMessage());
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(user, this.getHostAddress(), conf); } authorize(user, header, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + header); } } catch (AuthorizationException ae) { setupResponse(authFailedResponse, authFailedCall, Status.FATAL, null, ae.getClass().getName(), ae.getMessage()); responder.doRespond(authFailedCall); return false; } return true; }
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(user, this.getHostAddress(), conf); } authorize(user, header, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + header); } } catch (AuthorizationException ae) { setupResponse(authFailedResponse, authFailedCall, Status.FATAL, null, ae.getClass().getName(), ae.getMessage()); responder.doRespond(authFailedCall); return false; } return true; }
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } catch(AuthorizationException e) { throw new ServletException(e.getMessage());
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } catch(AuthorizationException e) { throw new ServletException(e.getMessage());
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (ugi != null && ugi.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(ugi, this.getHostAddress(), conf); } authorize(ugi, connectionHeader, getHostInetAddress()); metrics.authorizationSuccess(); } catch (AuthorizationException ae) { if (LOG.isDebugEnabled()) { LOG.debug("Connection authorization failed: " + ae.getMessage(), ae); } metrics.authorizationFailure(); setupResponse(authFailedResponse, authFailedCall, new AccessDeniedException(ae), ae.getMessage()); responder.doRespond(authFailedCall); return false; } return true; }
Assert.assertEquals( "User: " + user + " is not allowed to impersonate " + realUser, ae.getMessage()); Assert.assertEquals( "User: " + user + " is not allowed to impersonate " + realUser, ae.getMessage());