List of usage examples for org.apache.hadoop.security.authorize AuthorizationException AuthorizationException
public AuthorizationException(Throwable cause)
From source file:common.NameNode.java
License:Apache License
@Override public void refreshServiceAcl() throws IOException { if (!serviceAuthEnabled) { throw new AuthorizationException("Service Level Authorization not enabled!"); }//from w w w .ja v a2 s . c o m ServiceAuthorizationManager.refresh(new Configuration(), new HDFSPolicyProvider()); }
From source file:org.apache.falcon.entity.parser.EntityParser.java
License:Apache License
/** * Checks if the acl owner is a valid user by fetching the groups for the owner. * Also checks if the acl group is one of the fetched groups for membership. * The only limitation is that a user cannot add a group in ACL that he does not belong to. * * @param acl entity ACL/*from ww w. j ava2s . c om*/ * @throws org.apache.falcon.entity.parser.ValidationException */ protected void validateACLOwnerAndGroup(AccessControlList acl) throws ValidationException { String aclOwner = acl.getOwner(); String aclGroup = acl.getGroup(); try { UserGroupInformation proxyACLUser = UserGroupInformation.createProxyUser(aclOwner, UserGroupInformation.getLoginUser()); Set<String> groups = new HashSet<String>(Arrays.asList(proxyACLUser.getGroupNames())); if (!groups.contains(aclGroup)) { throw new AuthorizationException("Invalid group: " + aclGroup + " for user: " + aclOwner); } } catch (IOException e) { throw new ValidationException( "Invalid acl owner " + aclOwner + ", does not exist or does not belong to group: " + aclGroup); } }
From source file:org.apache.falcon.entity.parser.EntityParser.java
License:Apache License
/** * Validate if the entity owner is the logged-in authenticated user. * * @param entityName entity name//w w w . java 2s.com * @param acl entity ACL * @throws AuthorizationException */ protected void authorize(String entityName, AccessControlList acl) throws AuthorizationException { try { SecurityUtil.getAuthorizationProvider().authorizeEntity(entityName, getEntityType().name(), acl, "submit", CurrentUser.getAuthenticatedUGI()); } catch (FalconException e) { throw new AuthorizationException(e); } catch (IOException e) { throw new AuthorizationException(e); } }
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/** * Determines if the authenticated user is authorized to execute the action on the resource. * Throws an exception if not authorized. * * @param resource api resource, admin, entities or instance * @param action action being authorized on resource and entity if applicable * @param entityType entity type in question, not for admin resource * @param entityName entity name in question, not for admin resource * @param authenticatedUGI proxy ugi for the authenticated user * @throws org.apache.hadoop.security.authorize.AuthorizationException *//*from w w w. j a v a2 s.c om*/ @Override public void authorizeResource(String resource, String action, String entityType, String entityName, UserGroupInformation authenticatedUGI) throws AuthorizationException, EntityNotRegisteredException { Validate.notEmpty(resource, "Resource cannot be empty or null"); Validate.isTrue(RESOURCES.contains(resource), "Illegal resource: " + resource); Validate.notEmpty(action, "Action cannot be empty or null"); try { if (isSuperUser(authenticatedUGI)) { return; } if ("admin".equals(resource)) { if (!("version".equals(action) || "clearuser".equals(action) || "getuser".equals(action))) { authorizeAdminResource(authenticatedUGI, action); } } else if ("entities".equals(resource) || "instance".equals(resource)) { if ("entities".equals(resource) && LIST_OPERATION.equals(action)) { LOG.info("Skipping authorization for entity list operations"); } else { authorizeEntityResource(authenticatedUGI, entityName, entityType, action); } } else if ("metadata".equals(resource)) { authorizeMetadataResource(authenticatedUGI, action); } } catch (IOException e) { throw new AuthorizationException(e); } }
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/** * Determines if the authenticated user is authorized to execute the action on the entity. * Throws an exception if not authorized. * * @param entityName entity in question, applicable for entities and instance resource * @param entityType entity in question, applicable for entities and instance resource * @param acl entity ACL/* w ww . j av a2s . co m*/ * @param action action being authorized on resource and entity if applicable * @param authenticatedUGI proxy ugi for the authenticated user * @throws org.apache.hadoop.security.authorize.AuthorizationException */ @Override public void authorizeEntity(String entityName, String entityType, AccessControlList acl, String action, UserGroupInformation authenticatedUGI) throws AuthorizationException { try { LOG.info("Authorizing authenticatedUser={}, action={}, entity={}, type{}", authenticatedUGI.getShortUserName(), action, entityName, entityType); if (isSuperUser(authenticatedUGI)) { return; } checkUser(entityName, acl.getOwner(), acl.getGroup(), action, authenticatedUGI); } catch (IOException e) { throw new AuthorizationException(e); } }
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/** * Validate if the entity owner is the logged-in authenticated user. * * @param entityName entity name. * @param aclOwner entity ACL Owner. * @param aclGroup entity ACL group. * @param action action being authorized on resource and entity if applicable. * @param authenticatedUGI proxy ugi for the authenticated user. * @throws AuthorizationException//from w ww . j av a 2 s .c o m */ protected void checkUser(String entityName, String aclOwner, String aclGroup, String action, UserGroupInformation authenticatedUGI) throws AuthorizationException { final String authenticatedUser = authenticatedUGI.getShortUserName(); if (isUserACLOwner(authenticatedUser, aclOwner) || isUserInGroup(aclGroup, authenticatedUGI)) { return; } StringBuilder message = new StringBuilder("Permission denied: authenticatedUser="); message.append(authenticatedUser); message.append(!authenticatedUser.equals(aclOwner) ? " not entity owner=" + aclOwner : " not in group=" + aclGroup); message.append(", entity=").append(entityName).append(", action=").append(action); LOG.error(message.toString()); throw new AuthorizationException(message.toString()); }
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
/** * Check if the user has admin privileges. * * @param authenticatedUGI proxy ugi for the authenticated user. * @param action admin action on the resource. * @throws AuthorizationException if the user does not have admin privileges. *//* w w w . j a v a 2s . co m*/ protected void authorizeAdminResource(UserGroupInformation authenticatedUGI, String action) throws AuthorizationException { final String authenticatedUser = authenticatedUGI.getShortUserName(); LOG.debug("Authorizing user={} for admin, action={}", authenticatedUser, action); if (adminUsers.contains(authenticatedUser) || isUserInAdminGroups(authenticatedUGI)) { return; } LOG.error("Permission denied: user {} does not have admin privilege for action={}", authenticatedUser, action); throw new AuthorizationException("Permission denied: user=" + authenticatedUser + " does not have admin privilege for action=" + action); }
From source file:org.apache.falcon.security.DefaultAuthorizationProvider.java
License:Apache License
private Entity getEntity(String entityName, String entityType) throws EntityNotRegisteredException, AuthorizationException { try {//from w w w . j a v a2 s. c om EntityType type = EntityType.getEnum(entityType); return EntityUtil.getEntity(type, entityName); } catch (FalconException e) { if (e instanceof EntityNotRegisteredException) { throw (EntityNotRegisteredException) e; } else { throw new AuthorizationException(e); } } }
From source file:org.apache.hama.ipc.Server.java
License:Apache License
/** * Authorize the incoming client connection. * /* ww w .j a v a 2 s .c o m*/ * @param user client user * @param connection incoming connection * @param addr InetAddress of incoming connection * @throws AuthorizationException when the client isn't authorized to talk the * protocol */ @SuppressWarnings("static-access") public void authorize(UserGroupInformation user, ConnectionHeader connection, InetAddress addr) throws AuthorizationException { if (authorize) { Class<?> protocol = null; try { protocol = getProtocolClass(connection.getProtocol(), getConf()); } catch (ClassNotFoundException cfne) { throw new AuthorizationException("Unknown protocol: " + connection.getProtocol()); } ServiceAuthorizationManager authManager = new ServiceAuthorizationManager(); authManager.authorize(user, protocol, getConf(), addr); } }