/** * Authorize proxy users to access this server * @throws WrappedRpcServerException - user is not allowed to proxy */ private void authorizeConnection() throws WrappedRpcServerException { try { // If auth method is TOKEN, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.TOKEN)) { ProxyUsers.authorize(user, this.getHostAddress()); } authorize(user, protocolName, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + connectionContext); } rpcMetrics.incrAuthorizationSuccesses(); } catch (AuthorizationException ae) { LOG.info("Connection from " + this + " for protocol " + connectionContext.getProtocol() + " is unauthorized for user " + user); rpcMetrics.incrAuthorizationFailures(); throw new WrappedRpcServerException( RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae); } }
/** * Authorize the incoming client connection. * * @param user client user * @param protocolName - the protocol * @param addr InetAddress of incoming connection * @throws AuthorizationException when the client isn't authorized to talk the protocol */ private void authorize(UserGroupInformation user, String protocolName, InetAddress addr) throws AuthorizationException { if (authorize) { if (protocolName == null) { throw new AuthorizationException("Null protocol not authorized"); } Class<?> protocol = null; try { protocol = getProtocolClass(protocolName, getConf()); } catch (ClassNotFoundException cfne) { throw new AuthorizationException("Unknown protocol: " + protocolName); } serviceAuthorizationManager.authorize(user, protocol, getConf(), addr); } }
private void authorizeCreateKey(String keyName, Options options, UserGroupInformation ugi) throws IOException{ Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null"); Map<String, String> attributes = options.getAttributes(); String aclName = attributes.get(KEY_ACL_NAME); boolean success = false; if (Strings.isNullOrEmpty(aclName)) { if (acls.isACLPresent(keyName, KeyOpType.MANAGEMENT)) { options.setAttributes(ImmutableMap.<String, String> builder() .putAll(attributes).put(KEY_ACL_NAME, keyName).build()); success = acls.hasAccessToKey(keyName, ugi, KeyOpType.MANAGEMENT) || acls.hasAccessToKey(keyName, ugi, KeyOpType.ALL); } else { success = false; } } else { success = acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) && (acls.hasAccessToKey(aclName, ugi, KeyOpType.MANAGEMENT) || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL)); } if (!success) throw new AuthorizationException(String.format("User [%s] is not" + " authorized to create key !!", ugi.getShortUserName())); }
@GET @Path("/apps/{appid}/state") @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) public AppState getAppState(@Context HttpServletRequest hsr, @PathParam("appid") String appId) throws AuthorizationException { init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); String userName = ""; if (callerUGI != null) { userName = callerUGI.getUserName(); } RMApp app = null; try { app = getRMAppForAppId(appId); } catch (NotFoundException e) { RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST, "UNKNOWN", "RMWebService", "Trying to get state of an absent application " + appId); throw e; } AppState ret = new AppState(); ret.setState(app.getState().toString()); return ret; }
@GET @Path("/apps/{appid}/queue") @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) public AppQueue getAppQueue(@Context HttpServletRequest hsr, @PathParam("appid") String appId) throws AuthorizationException { init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); String userName = "UNKNOWN-USER"; if (callerUGI != null) { userName = callerUGI.getUserName(); } RMApp app = null; try { app = getRMAppForAppId(appId); } catch (NotFoundException e) { RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST, "UNKNOWN", "RMWebService", "Trying to get state of an absent application " + appId); throw e; } AppQueue ret = new AppQueue(); ret.setQueue(app.getQueue()); return ret; }
/** * Generates a new ApplicationId which is then sent to the client * * @param hsr * the servlet request * @return Response containing the app id and the maximum resource * capabilities * @throws AuthorizationException * @throws IOException * @throws InterruptedException */ @POST @Path("/apps/new-application") @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) public Response createNewApplication(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); if (callerUGI == null) { throw new AuthorizationException("Unable to obtain user name, " + "user not authenticated"); } if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { String msg = "The default static user cannot carry out this operation."; return Response.status(Status.FORBIDDEN).entity(msg).build(); } NewApplication appId = createNewApplication(); return Response.status(Status.OK).entity(appId).build(); }
@POST @Path("/delegation-token") @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) public Response postDelegationToken(DelegationToken tokenData, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception { init(); UserGroupInformation callerUGI; try { callerUGI = createKerberosUserGroupInformation(hsr); } catch (YarnException ye) { return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build(); } return createDelegationToken(tokenData, hsr, callerUGI); }
@POST @Path("/delegation-token/expiration") @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) public Response postDelegationTokenExpiration(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception { init(); UserGroupInformation callerUGI; try { callerUGI = createKerberosUserGroupInformation(hsr); } catch (YarnException ye) { return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build(); } DelegationToken requestToken = new DelegationToken(); requestToken.setToken(extractToken(hsr).encodeToUrlString()); return renewDelegationToken(requestToken, hsr, callerUGI); }
@Test public void testProxyUserConfiguration() throws Exception { MockRM rm = null; try { rm = new MockRM(conf); rm.start(); // wait for web server starting Thread.sleep(10000); UserGroupInformation proxyUser = UserGroupInformation.createProxyUser( BAR_USER.getShortUserName(), FOO_USER); try { ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser, ipAddress); } catch (AuthorizationException e) { // Exception is not expected Assert.fail(); } } finally { if (rm != null) { rm.stop(); rm.close(); } } }
private void checkAccess(ApplicationReportExt app) throws YarnException, IOException { if (app.appViewACLs != null) { aclsManager.addApplication( app.appReport.getApplicationId(), app.appViewACLs); try { if (!aclsManager.checkAccess(UserGroupInformation.getCurrentUser(), ApplicationAccessType.VIEW_APP, app.appReport.getUser(), app.appReport.getApplicationId())) { throw new AuthorizationException("User " + UserGroupInformation.getCurrentUser().getShortUserName() + " does not have privilage to see this application " + app.appReport.getApplicationId()); } } finally { aclsManager.removeApplication(app.appReport.getApplicationId()); } } }
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (ugi != null && ugi.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(ugi, this.getHostAddress(), conf); } authorize(ugi, connectionHeader, getHostInetAddress()); metrics.authorizationSuccess(); } catch (AuthorizationException ae) { if (LOG.isDebugEnabled()) { LOG.debug("Connection authorization failed: " + ae.getMessage(), ae); } metrics.authorizationFailure(); setupResponse(authFailedResponse, authFailedCall, new AccessDeniedException(ae), ae.getMessage()); responder.doRespond(authFailedCall); return false; } return true; }