Java 类org.apache.hadoop.security.authorize.AuthorizationException 实例源码

项目:hadoop-oss    文件:Server.java   
/**
 * Runs the authorization checks for this connection: the proxy-user
 * (impersonation) check when one applies, then the per-protocol check done by
 * {@code authorize(user, protocolName, addr)}.
 *
 * <p>Success increments the authorization-success metric. A denial is logged
 * at INFO, counted as a failure and rethrown wrapped with
 * {@code FATAL_UNAUTHORIZED}.
 *
 * @throws WrappedRpcServerException if either check rejects the connection
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // The connection impersonates someone when the effective user carries a
    // real user. With TOKEN auth the token was obtained by the real user for
    // the effective user, so the real user is not authorized again; doAs is
    // allowed only for simple or kerberos authentication.
    final boolean impersonating = user != null && user.getRealUser() != null;
    if (impersonating && authMethod != AuthMethod.TOKEN) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }
    authorize(user, protocolName, getHostInetAddress());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException denied) {
    // NOTE(review): the INFO line names the connection, protocol and user but
    // not the denial reason; the reason survives only as the wrapped cause.
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, denied);
  }
}
项目:hadoop-oss    文件:Server.java   
/**
 * Authorize the incoming client connection for one protocol.
 *
 * <p>Nothing is checked when the {@code authorize} flag is off. Otherwise the
 * protocol name must be non-null and resolve to a class, and the decision is
 * delegated to {@code serviceAuthorizationManager}.
 *
 * @param user client user
 * @param protocolName name of the protocol the client wants to talk
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the protocol name is null or unknown,
 *         or the client isn't authorized to talk the protocol
 */
private void authorize(UserGroupInformation user, String protocolName,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    // Service-level authorization is switched off: every protocol passes.
    return;
  }
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocolClass;
  try {
    protocolClass = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException unknownProtocol) {
    // An unresolvable protocol is treated as a denial, not a server error.
    // NOTE(review): the ClassNotFoundException is not attached as the cause,
    // and the name (presumably supplied by the peer) is echoed in the message.
    throw new AuthorizationException("Unknown protocol: " + 
                                     protocolName);
  }
  serviceAuthorizationManager.authorize(user, protocolClass, getConf(), addr);
}
项目:hadoop-oss    文件:KeyAuthorizationKeyProvider.java   
/**
 * Decides whether {@code ugi} may create the key {@code keyName}.
 *
 * <p>The ACL consulted is the one named by the {@code KEY_ACL_NAME} attribute
 * of {@code options}. When that attribute is null or empty the key's own name
 * is used instead and, if a MANAGEMENT ACL exists for it, written back into
 * the options. Either way a MANAGEMENT ACL must be present for the chosen
 * name and the caller must hold MANAGEMENT or ALL on it; anything else is a
 * denial.
 *
 * @param keyName name of the key being created
 * @param options creation options; their attributes may be replaced
 * @param ugi caller identity, must not be null
 * @throws IOException as an {@code AuthorizationException} when the caller is
 *         not allowed to create the key
 */
private void authorizeCreateKey(String keyName, Options options,
    UserGroupInformation ugi) throws IOException {
  Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
  final Map<String, String> attributes = options.getAttributes();
  final String aclName = attributes.get(KEY_ACL_NAME);
  final boolean allowed;
  if (!Strings.isNullOrEmpty(aclName)) {
    // Explicit ACL name: it must exist before access is even considered.
    allowed = acls.isACLPresent(aclName, KeyOpType.MANAGEMENT)
        && (acls.hasAccessToKey(aclName, ugi, KeyOpType.MANAGEMENT)
            || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL));
  } else if (acls.isACLPresent(keyName, KeyOpType.MANAGEMENT)) {
    // No ACL name given: bind the key to the ACL that carries its own name.
    // The options are rewritten before the access decision is known.
    // NOTE(review): if the attribute is present but empty, putAll + put adds
    // KEY_ACL_NAME twice and Guava's ImmutableMap builder rejects duplicate
    // keys at build() - confirm this input cannot reach here.
    options.setAttributes(ImmutableMap.<String, String> builder()
        .putAll(attributes).put(KEY_ACL_NAME, keyName).build());
    allowed = acls.hasAccessToKey(keyName, ugi, KeyOpType.MANAGEMENT)
        || acls.hasAccessToKey(keyName, ugi, KeyOpType.ALL);
  } else {
    // Default deny: no MANAGEMENT ACL exists under the key's name.
    allowed = false;
  }
  if (!allowed) {
    throw new AuthorizationException(String.format("User [%s] is not"
        + " authorized to create key !!", ugi.getShortUserName()));
  }
}
项目:hadoop    文件:RMWebServices.java   
/**
 * Returns the state of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the application's current state as a string
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under an empty user name.
  final String auditUser = (caller == null) ? "" : caller.getUserName();

  // NOTE(review): no per-application access check is visible in this method;
  // confirm that application state is meant to be readable by any caller.
  final RMApp rmApp;
  try {
    rmApp = getRMAppForAppId(appId);
  } catch (NotFoundException notFound) {
    // NOTE(review): this read path is audited under KILL_APP_REQUEST, so the
    // audit trail labels a state lookup as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(auditUser, AuditConstants.KILL_APP_REQUEST,
        "UNKNOWN", "RMWebService",
        "Trying to get state of an absent application " + appId);
    throw notFound;
  }

  final AppState state = new AppState();
  state.setState(rmApp.getState().toString());
  return state;
}
项目:hadoop    文件:RMWebServices.java   
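/**
 * Returns the queue of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the queue reported by the application
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/queue")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppQueue getAppQueue(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under a fixed placeholder name.
  String userName = "UNKNOWN-USER";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  // NOTE(review): no per-application access check is visible in this method;
  // confirm that the queue name is meant to be readable by any caller.
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    // The audit text now names the queue lookup; it previously said "state",
    // which made failed queue reads indistinguishable from state reads.
    // NOTE(review): the operation label is still KILL_APP_REQUEST, so the
    // audit trail records this read as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get queue of an absent application " + appId);
    throw e;
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());

  return ret;
}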
项目:hadoop    文件:RMWebServices.java   
/**
 * Generates a new ApplicationId which is then sent to the client.
 *
 * <p>Two callers are turned away, in different ways: a request with no
 * resolvable caller raises {@link AuthorizationException}, while the default
 * static user (when security is enabled) gets a 403 response.
 *
 * @param hsr
 *          the servlet request
 * @return 200 Response containing the app id and the maximum resource
 *         capabilities, or a 403 Response for the default static user
 * @throws AuthorizationException
 *           if no caller identity can be obtained from the request
 * @throws IOException
 *           not thrown directly here; presumably by the helpers called
 * @throws InterruptedException
 *           not thrown directly here; presumably by the helpers called
 */
@POST
@Path("/apps/new-application")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response createNewApplication(@Context HttpServletRequest hsr)
    throws AuthorizationException, IOException, InterruptedException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  if (caller == null) {
    throw new AuthorizationException("Unable to obtain user name, "
        + "user not authenticated");
  }

  // The static-user restriction applies only when security is enabled.
  final boolean staticUserBlocked =
      UserGroupInformation.isSecurityEnabled() && isStaticUser(caller);
  if (staticUserBlocked) {
    return Response.status(Status.FORBIDDEN)
        .entity("The default static user cannot carry out this operation.")
        .build();
  }

  final NewApplication created = createNewApplication();
  return Response.status(Status.OK).entity(created).build();
}
项目:hadoop    文件:RMWebServices.java   
/**
 * Issues a delegation token for the caller.
 *
 * <p>The caller identity comes from
 * {@code createKerberosUserGroupInformation}; a {@code YarnException} from
 * that step is answered with 403 instead of being propagated.
 *
 * @param tokenData token request body
 * @param hsr the servlet request
 * @return the response built by {@code createDelegationToken}, or a 403
 *         Response when the caller identity is rejected
 */
@POST
@Path("/delegation-token")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response postDelegationToken(DelegationToken tokenData,
    @Context HttpServletRequest hsr) throws AuthorizationException,
    IOException, InterruptedException, Exception {

  init();
  final UserGroupInformation kerberosCaller;
  try {
    kerberosCaller = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception text is returned verbatim in the 403 body;
    // confirm it never carries internal detail the client should not see.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }
  return createDelegationToken(tokenData, hsr, kerberosCaller);
}
项目:hadoop    文件:RMWebServices.java   
/**
 * Renews the delegation token carried by the request.
 *
 * <p>The caller identity comes from
 * {@code createKerberosUserGroupInformation}; a {@code YarnException} from
 * that step is answered with 403. The token to renew is taken from the
 * request via {@code extractToken} and re-encoded as a URL string.
 *
 * @param hsr the servlet request
 * @return the response built by {@code renewDelegationToken}, or a 403
 *         Response when the caller identity is rejected
 */
@POST
@Path("/delegation-token/expiration")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response
    postDelegationTokenExpiration(@Context HttpServletRequest hsr)
        throws AuthorizationException, IOException, InterruptedException,
        Exception {

  init();
  final UserGroupInformation kerberosCaller;
  try {
    kerberosCaller = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception text is returned verbatim in the 403 body;
    // confirm it never carries internal detail the client should not see.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }

  // NOTE(review): the result of extractToken is dereferenced without a null
  // check; presumably it throws on a missing token - confirm.
  final DelegationToken renewalRequest = new DelegationToken();
  renewalRequest.setToken(extractToken(hsr).encodeToUrlString());
  return renewDelegationToken(renewalRequest, hsr, kerberosCaller);
}
项目:hadoop    文件:TestRMProxyUsersConf.java   
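/**
 * Starts a MockRM with {@code conf} and checks that the default impersonation
 * provider lets {@code FOO_USER} act as {@code BAR_USER} from
 * {@code ipAddress}.
 *
 * <p>Only the allow path is exercised here; a denial fails the test.
 */
@Test
public void testProxyUserConfiguration() throws Exception {
  MockRM rm = null;
  try {
    rm = new MockRM(conf);
    rm.start();
    // wait for web server starting
    // NOTE(review): a fixed 10 s sleep is not a readiness signal; it slows
    // the suite and can still be too short on a loaded machine.
    Thread.sleep(10000);
    UserGroupInformation proxyUser =
        UserGroupInformation.createProxyUser(
            BAR_USER.getShortUserName(), FOO_USER);
    try {
      ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser,
          ipAddress);
    } catch (AuthorizationException e) {
      // Exception is not expected. Keep the denial reason in the failure so
      // a broken proxy-user configuration can be diagnosed from the report.
      Assert.fail("Proxy user authorization was expected to succeed: " + e);
    }
  } finally {
    if (rm != null) {
      rm.stop();
      rm.close();
    }
  }
}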
项目:hadoop    文件:ApplicationHistoryManagerOnTimelineStore.java   
/**
 * Verifies that the current user may view the given application.
 *
 * <p>The application's view ACLs are registered with {@code aclsManager} for
 * the duration of the check and removed again afterwards, whether or not the
 * check passes. A report without view ACLs is not checked at all.
 *
 * @param app application report together with its view ACLs
 * @throws YarnException declared; not thrown directly by these statements
 * @throws IOException as an {@code AuthorizationException} when the current
 *         user lacks VIEW_APP access
 */
private void checkAccess(ApplicationReportExt app)
        throws YarnException, IOException {
  if (app.appViewACLs == null) {
    // NOTE(review): a report with no recorded ACLs is readable by any caller
    // (fail-open) - confirm this is the intended policy.
    return;
  }
  // NOTE(review): ACLs are added to and removed from aclsManager per call;
  // if that manager is shared, overlapping checks for the same application
  // could remove an entry another check still relies on - confirm.
  aclsManager.addApplication(
      app.appReport.getApplicationId(), app.appViewACLs);
  try {
    final boolean mayView = aclsManager.checkAccess(
        UserGroupInformation.getCurrentUser(),
        ApplicationAccessType.VIEW_APP, app.appReport.getUser(),
        app.appReport.getApplicationId());
    if (!mayView) {
      throw new AuthorizationException("User "
          + UserGroupInformation.getCurrentUser().getShortUserName()
          + " does not have privilage to see this application "
          + app.appReport.getApplicationId());
    }
  } finally {
    aclsManager.removeApplication(app.appReport.getApplicationId());
  }
}
项目:hadoop    文件:Server.java   
/**
 * Runs the authorization checks for this connection: the proxy-user
 * (impersonation) check when one applies, then the per-protocol check done by
 * {@code authorize(user, protocolName, addr)}.
 *
 * <p>Success increments the authorization-success metric. A denial is logged
 * at INFO, counted as a failure and rethrown wrapped with
 * {@code FATAL_UNAUTHORIZED}.
 *
 * @throws WrappedRpcServerException if either check rejects the connection
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // The connection impersonates someone when the effective user carries a
    // real user. With TOKEN auth the token was obtained by the real user for
    // the effective user, so the real user is not authorized again; doAs is
    // allowed only for simple or kerberos authentication.
    final boolean impersonating = user != null && user.getRealUser() != null;
    if (impersonating && authMethod != AuthMethod.TOKEN) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }
    authorize(user, protocolName, getHostInetAddress());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException denied) {
    // NOTE(review): the INFO line names the connection, protocol and user but
    // not the denial reason; the reason survives only as the wrapped cause.
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, denied);
  }
}
项目:hadoop    文件:Server.java   
/**
 * Authorize the incoming client connection for one protocol.
 *
 * <p>Nothing is checked when the {@code authorize} flag is off. Otherwise the
 * protocol name must be non-null and resolve to a class, and the decision is
 * delegated to {@code serviceAuthorizationManager}.
 *
 * @param user client user
 * @param protocolName name of the protocol the client wants to talk
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the protocol name is null or unknown,
 *         or the client isn't authorized to talk the protocol
 */
private void authorize(UserGroupInformation user, String protocolName,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    // Service-level authorization is switched off: every protocol passes.
    return;
  }
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocolClass;
  try {
    protocolClass = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException unknownProtocol) {
    // An unresolvable protocol is treated as a denial, not a server error.
    // NOTE(review): the ClassNotFoundException is not attached as the cause,
    // and the name (presumably supplied by the peer) is echoed in the message.
    throw new AuthorizationException("Unknown protocol: " + 
                                     protocolName);
  }
  serviceAuthorizationManager.authorize(user, protocolClass, getConf(), addr);
}
项目:hadoop    文件:KeyAuthorizationKeyProvider.java   
/**
 * Decides whether {@code ugi} may create the key {@code keyName}.
 *
 * <p>The ACL consulted is the one named by the {@code KEY_ACL_NAME} attribute
 * of {@code options}. When that attribute is null or empty the key's own name
 * is used instead and, if a MANAGEMENT ACL exists for it, written back into
 * the options. Either way a MANAGEMENT ACL must be present for the chosen
 * name and the caller must hold MANAGEMENT or ALL on it; anything else is a
 * denial.
 *
 * @param keyName name of the key being created
 * @param options creation options; their attributes may be replaced
 * @param ugi caller identity, must not be null
 * @throws IOException as an {@code AuthorizationException} when the caller is
 *         not allowed to create the key
 */
private void authorizeCreateKey(String keyName, Options options,
    UserGroupInformation ugi) throws IOException {
  Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
  final Map<String, String> attributes = options.getAttributes();
  final String aclName = attributes.get(KEY_ACL_NAME);
  final boolean allowed;
  if (!Strings.isNullOrEmpty(aclName)) {
    // Explicit ACL name: it must exist before access is even considered.
    allowed = acls.isACLPresent(aclName, KeyOpType.MANAGEMENT)
        && (acls.hasAccessToKey(aclName, ugi, KeyOpType.MANAGEMENT)
            || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL));
  } else if (acls.isACLPresent(keyName, KeyOpType.MANAGEMENT)) {
    // No ACL name given: bind the key to the ACL that carries its own name.
    // The options are rewritten before the access decision is known.
    // NOTE(review): if the attribute is present but empty, putAll + put adds
    // KEY_ACL_NAME twice and Guava's ImmutableMap builder rejects duplicate
    // keys at build() - confirm this input cannot reach here.
    options.setAttributes(ImmutableMap.<String, String> builder()
        .putAll(attributes).put(KEY_ACL_NAME, keyName).build());
    allowed = acls.hasAccessToKey(keyName, ugi, KeyOpType.MANAGEMENT)
        || acls.hasAccessToKey(keyName, ugi, KeyOpType.ALL);
  } else {
    // Default deny: no MANAGEMENT ACL exists under the key's name.
    allowed = false;
  }
  if (!allowed) {
    throw new AuthorizationException(String.format("User [%s] is not"
        + " authorized to create key !!", ugi.getShortUserName()));
  }
}
项目:ditb    文件:RpcServer.java   
/**
 * Authorizes the connecting user and, on denial, answers the client itself.
 *
 * <p>A denial is counted in the metrics, turned into an
 * {@code AccessDeniedException} response on {@code authFailedCall} and handed
 * to the responder.
 *
 * @return {@code true} if the connection is authorized; {@code false} if it
 *         was denied and the failure response has been queued
 * @throws IOException declared; presumably from building or sending the
 *         failure response
 */
private boolean authorizeConnection() throws IOException {
  try {
    // The connection impersonates someone when the effective user carries a
    // real user. With DIGEST auth the token was obtained by the real user for
    // the effective user, so the real user is not authorized again; doAs is
    // allowed only for simple or kerberos authentication.
    final boolean impersonating = ugi != null && ugi.getRealUser() != null;
    if (impersonating && authMethod != AuthMethod.DIGEST) {
      ProxyUsers.authorize(ugi, this.getHostAddress(), conf);
    }
    authorize(ugi, connectionHeader, getHostInetAddress());
    metrics.authorizationSuccess();
    return true;
  } catch (AuthorizationException denied) {
    // NOTE(review): denials are logged at DEBUG only, so at the default log
    // level they show up in the failure metric but leave no log record.
    if (LOG.isDebugEnabled()) {
      LOG.debug("Connection authorization failed: " + denied.getMessage(),
          denied);
    }
    metrics.authorizationFailure();
    // The denial message is sent back to the client as the error text.
    setupResponse(authFailedResponse, authFailedCall,
      new AccessDeniedException(denied), denied.getMessage());
    responder.doRespond(authFailedCall);
    return false;
  }
}
项目:aliyun-oss-hadoop-fs    文件:RMWebServices.java   
/**
 * Returns the state of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the application's current state as a string
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under an empty user name.
  final String auditUser = (caller == null) ? "" : caller.getUserName();

  // NOTE(review): no per-application access check is visible in this method;
  // confirm that application state is meant to be readable by any caller.
  final RMApp rmApp;
  try {
    rmApp = getRMAppForAppId(appId);
  } catch (NotFoundException notFound) {
    // NOTE(review): this read path is audited under KILL_APP_REQUEST, so the
    // audit trail labels a state lookup as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(auditUser, AuditConstants.KILL_APP_REQUEST,
        "UNKNOWN", "RMWebService",
        "Trying to get state of an absent application " + appId);
    throw notFound;
  }

  final AppState state = new AppState();
  state.setState(rmApp.getState().toString());
  return state;
}
项目:aliyun-oss-hadoop-fs    文件:RMWebServices.java   
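/**
 * Returns the queue of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the queue reported by the application
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/queue")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppQueue getAppQueue(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under a fixed placeholder name.
  String userName = "UNKNOWN-USER";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  // NOTE(review): no per-application access check is visible in this method;
  // confirm that the queue name is meant to be readable by any caller.
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    // The audit text now names the queue lookup; it previously said "state",
    // which made failed queue reads indistinguishable from state reads.
    // NOTE(review): the operation label is still KILL_APP_REQUEST, so the
    // audit trail records this read as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get queue of an absent application " + appId);
    throw e;
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());

  return ret;
}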
项目:aliyun-oss-hadoop-fs    文件:RMWebServices.java   
/**
 * Generates a new ApplicationId which is then sent to the client.
 *
 * <p>Two callers are turned away, in different ways: a request with no
 * resolvable caller raises {@link AuthorizationException}, while the default
 * static user (when security is enabled) gets a 403 response.
 *
 * @param hsr
 *          the servlet request
 * @return 200 Response containing the app id and the maximum resource
 *         capabilities, or a 403 Response for the default static user
 * @throws AuthorizationException
 *           if no caller identity can be obtained from the request
 * @throws IOException
 *           not thrown directly here; presumably by the helpers called
 * @throws InterruptedException
 *           not thrown directly here; presumably by the helpers called
 */
@POST
@Path("/apps/new-application")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response createNewApplication(@Context HttpServletRequest hsr)
    throws AuthorizationException, IOException, InterruptedException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  if (caller == null) {
    throw new AuthorizationException("Unable to obtain user name, "
        + "user not authenticated");
  }

  // The static-user restriction applies only when security is enabled.
  final boolean staticUserBlocked =
      UserGroupInformation.isSecurityEnabled() && isStaticUser(caller);
  if (staticUserBlocked) {
    return Response.status(Status.FORBIDDEN)
        .entity("The default static user cannot carry out this operation.")
        .build();
  }

  final NewApplication created = createNewApplication();
  return Response.status(Status.OK).entity(created).build();
}
项目:aliyun-oss-hadoop-fs    文件:RMWebServices.java   
/**
 * Issues a delegation token for the caller.
 *
 * <p>The caller identity comes from
 * {@code createKerberosUserGroupInformation}; a {@code YarnException} from
 * that step is answered with 403 instead of being propagated.
 *
 * @param tokenData token request body
 * @param hsr the servlet request
 * @return the response built by {@code createDelegationToken}, or a 403
 *         Response when the caller identity is rejected
 */
@POST
@Path("/delegation-token")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response postDelegationToken(DelegationToken tokenData,
    @Context HttpServletRequest hsr) throws AuthorizationException,
    IOException, InterruptedException, Exception {

  init();
  final UserGroupInformation kerberosCaller;
  try {
    kerberosCaller = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception text is returned verbatim in the 403 body;
    // confirm it never carries internal detail the client should not see.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }
  return createDelegationToken(tokenData, hsr, kerberosCaller);
}
项目:aliyun-oss-hadoop-fs    文件:RMWebServices.java   
/**
 * Renews the delegation token carried by the request.
 *
 * <p>The caller identity comes from
 * {@code createKerberosUserGroupInformation}; a {@code YarnException} from
 * that step is answered with 403. The token to renew is taken from the
 * request via {@code extractToken} and re-encoded as a URL string.
 *
 * @param hsr the servlet request
 * @return the response built by {@code renewDelegationToken}, or a 403
 *         Response when the caller identity is rejected
 */
@POST
@Path("/delegation-token/expiration")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response
    postDelegationTokenExpiration(@Context HttpServletRequest hsr)
        throws AuthorizationException, IOException, InterruptedException,
        Exception {

  init();
  final UserGroupInformation kerberosCaller;
  try {
    kerberosCaller = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception text is returned verbatim in the 403 body;
    // confirm it never carries internal detail the client should not see.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }

  // NOTE(review): the result of extractToken is dereferenced without a null
  // check; presumably it throws on a missing token - confirm.
  final DelegationToken renewalRequest = new DelegationToken();
  renewalRequest.setToken(extractToken(hsr).encodeToUrlString());
  return renewDelegationToken(renewalRequest, hsr, kerberosCaller);
}
项目:aliyun-oss-hadoop-fs    文件:TestRMProxyUsersConf.java   
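/**
 * Starts a MockRM with {@code conf} and checks that the default impersonation
 * provider lets {@code FOO_USER} act as {@code BAR_USER} from
 * {@code ipAddress}.
 *
 * <p>Only the allow path is exercised here; a denial fails the test.
 */
@Test
public void testProxyUserConfiguration() throws Exception {
  MockRM rm = null;
  try {
    rm = new MockRM(conf);
    rm.start();
    // wait for web server starting
    // NOTE(review): a fixed 10 s sleep is not a readiness signal; it slows
    // the suite and can still be too short on a loaded machine.
    Thread.sleep(10000);
    UserGroupInformation proxyUser =
        UserGroupInformation.createProxyUser(
            BAR_USER.getShortUserName(), FOO_USER);
    try {
      ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser,
          ipAddress);
    } catch (AuthorizationException e) {
      // Exception is not expected. Keep the denial reason in the failure so
      // a broken proxy-user configuration can be diagnosed from the report.
      Assert.fail("Proxy user authorization was expected to succeed: " + e);
    }
  } finally {
    if (rm != null) {
      rm.stop();
      rm.close();
    }
  }
}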
项目:aliyun-oss-hadoop-fs    文件:ApplicationHistoryManagerOnTimelineStore.java   
/**
 * Verifies that the current user may view the given application.
 *
 * <p>The application's view ACLs are registered with {@code aclsManager} for
 * the duration of the check and removed again afterwards, whether or not the
 * check passes. A report without view ACLs is not checked at all.
 *
 * @param app application report together with its view ACLs
 * @throws YarnException declared; not thrown directly by these statements
 * @throws IOException as an {@code AuthorizationException} when the current
 *         user lacks VIEW_APP access
 */
private void checkAccess(ApplicationReportExt app)
        throws YarnException, IOException {
  if (app.appViewACLs == null) {
    // NOTE(review): a report with no recorded ACLs is readable by any caller
    // (fail-open) - confirm this is the intended policy.
    return;
  }
  // NOTE(review): ACLs are added to and removed from aclsManager per call;
  // if that manager is shared, overlapping checks for the same application
  // could remove an entry another check still relies on - confirm.
  aclsManager.addApplication(
      app.appReport.getApplicationId(), app.appViewACLs);
  try {
    final boolean mayView = aclsManager.checkAccess(
        UserGroupInformation.getCurrentUser(),
        ApplicationAccessType.VIEW_APP, app.appReport.getUser(),
        app.appReport.getApplicationId());
    if (!mayView) {
      throw new AuthorizationException("User "
          + UserGroupInformation.getCurrentUser().getShortUserName()
          + " does not have privilage to see this application "
          + app.appReport.getApplicationId());
    }
  } finally {
    aclsManager.removeApplication(app.appReport.getApplicationId());
  }
}
项目:aliyun-oss-hadoop-fs    文件:Server.java   
/**
 * Runs the authorization checks for this connection: the proxy-user
 * (impersonation) check when one applies, then the per-protocol check done by
 * {@code authorize(user, protocolName, addr)}.
 *
 * <p>Success increments the authorization-success metric. A denial is logged
 * at INFO, counted as a failure and rethrown wrapped with
 * {@code FATAL_UNAUTHORIZED}.
 *
 * @throws WrappedRpcServerException if either check rejects the connection
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // The connection impersonates someone when the effective user carries a
    // real user. With TOKEN auth the token was obtained by the real user for
    // the effective user, so the real user is not authorized again; doAs is
    // allowed only for simple or kerberos authentication.
    final boolean impersonating = user != null && user.getRealUser() != null;
    if (impersonating && authMethod != AuthMethod.TOKEN) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }
    authorize(user, protocolName, getHostInetAddress());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException denied) {
    // NOTE(review): the INFO line names the connection, protocol and user but
    // not the denial reason; the reason survives only as the wrapped cause.
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, denied);
  }
}
项目:aliyun-oss-hadoop-fs    文件:Server.java   
/**
 * Authorize the incoming client connection for one protocol.
 *
 * <p>Nothing is checked when the {@code authorize} flag is off. Otherwise the
 * protocol name must be non-null and resolve to a class, and the decision is
 * delegated to {@code serviceAuthorizationManager}.
 *
 * @param user client user
 * @param protocolName name of the protocol the client wants to talk
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the protocol name is null or unknown,
 *         or the client isn't authorized to talk the protocol
 */
private void authorize(UserGroupInformation user, String protocolName,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    // Service-level authorization is switched off: every protocol passes.
    return;
  }
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocolClass;
  try {
    protocolClass = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException unknownProtocol) {
    // An unresolvable protocol is treated as a denial, not a server error.
    // NOTE(review): the ClassNotFoundException is not attached as the cause,
    // and the name (presumably supplied by the peer) is echoed in the message.
    throw new AuthorizationException("Unknown protocol: " + 
                                     protocolName);
  }
  serviceAuthorizationManager.authorize(user, protocolClass, getConf(), addr);
}
项目:aliyun-oss-hadoop-fs    文件:KeyAuthorizationKeyProvider.java   
/**
 * Decides whether {@code ugi} may create the key {@code keyName}.
 *
 * <p>The ACL consulted is the one named by the {@code KEY_ACL_NAME} attribute
 * of {@code options}. When that attribute is null or empty the key's own name
 * is used instead and, if a MANAGEMENT ACL exists for it, written back into
 * the options. Either way a MANAGEMENT ACL must be present for the chosen
 * name and the caller must hold MANAGEMENT or ALL on it; anything else is a
 * denial.
 *
 * @param keyName name of the key being created
 * @param options creation options; their attributes may be replaced
 * @param ugi caller identity, must not be null
 * @throws IOException as an {@code AuthorizationException} when the caller is
 *         not allowed to create the key
 */
private void authorizeCreateKey(String keyName, Options options,
    UserGroupInformation ugi) throws IOException {
  Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
  final Map<String, String> attributes = options.getAttributes();
  final String aclName = attributes.get(KEY_ACL_NAME);
  final boolean allowed;
  if (!Strings.isNullOrEmpty(aclName)) {
    // Explicit ACL name: it must exist before access is even considered.
    allowed = acls.isACLPresent(aclName, KeyOpType.MANAGEMENT)
        && (acls.hasAccessToKey(aclName, ugi, KeyOpType.MANAGEMENT)
            || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL));
  } else if (acls.isACLPresent(keyName, KeyOpType.MANAGEMENT)) {
    // No ACL name given: bind the key to the ACL that carries its own name.
    // The options are rewritten before the access decision is known.
    // NOTE(review): if the attribute is present but empty, putAll + put adds
    // KEY_ACL_NAME twice and Guava's ImmutableMap builder rejects duplicate
    // keys at build() - confirm this input cannot reach here.
    options.setAttributes(ImmutableMap.<String, String> builder()
        .putAll(attributes).put(KEY_ACL_NAME, keyName).build());
    allowed = acls.hasAccessToKey(keyName, ugi, KeyOpType.MANAGEMENT)
        || acls.hasAccessToKey(keyName, ugi, KeyOpType.ALL);
  } else {
    // Default deny: no MANAGEMENT ACL exists under the key's name.
    allowed = false;
  }
  if (!allowed) {
    throw new AuthorizationException(String.format("User [%s] is not"
        + " authorized to create key !!", ugi.getShortUserName()));
  }
}
项目:big-c    文件:RMWebServices.java   
/**
 * Returns the state of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the application's current state as a string
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under an empty user name.
  final String auditUser = (caller == null) ? "" : caller.getUserName();

  // NOTE(review): no per-application access check is visible in this method;
  // confirm that application state is meant to be readable by any caller.
  final RMApp rmApp;
  try {
    rmApp = getRMAppForAppId(appId);
  } catch (NotFoundException notFound) {
    // NOTE(review): this read path is audited under KILL_APP_REQUEST, so the
    // audit trail labels a state lookup as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(auditUser, AuditConstants.KILL_APP_REQUEST,
        "UNKNOWN", "RMWebService",
        "Trying to get state of an absent application " + appId);
    throw notFound;
  }

  final AppState state = new AppState();
  state.setState(rmApp.getState().toString());
  return state;
}
项目:big-c    文件:RMWebServices.java   
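/**
 * Returns the queue of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the queue reported by the application
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/queue")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppQueue getAppQueue(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under a fixed placeholder name.
  String userName = "UNKNOWN-USER";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  // NOTE(review): no per-application access check is visible in this method;
  // confirm that the queue name is meant to be readable by any caller.
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    // The audit text now names the queue lookup; it previously said "state",
    // which made failed queue reads indistinguishable from state reads.
    // NOTE(review): the operation label is still KILL_APP_REQUEST, so the
    // audit trail records this read as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get queue of an absent application " + appId);
    throw e;
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());

  return ret;
}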
项目:big-c    文件:RMWebServices.java   
/**
 * Generates a new ApplicationId which is then sent to the client.
 *
 * <p>Two callers are turned away, in different ways: a request with no
 * resolvable caller raises {@link AuthorizationException}, while the default
 * static user (when security is enabled) gets a 403 response.
 *
 * @param hsr
 *          the servlet request
 * @return 200 Response containing the app id and the maximum resource
 *         capabilities, or a 403 Response for the default static user
 * @throws AuthorizationException
 *           if no caller identity can be obtained from the request
 * @throws IOException
 *           not thrown directly here; presumably by the helpers called
 * @throws InterruptedException
 *           not thrown directly here; presumably by the helpers called
 */
@POST
@Path("/apps/new-application")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response createNewApplication(@Context HttpServletRequest hsr)
    throws AuthorizationException, IOException, InterruptedException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  if (caller == null) {
    throw new AuthorizationException("Unable to obtain user name, "
        + "user not authenticated");
  }

  // The static-user restriction applies only when security is enabled.
  final boolean staticUserBlocked =
      UserGroupInformation.isSecurityEnabled() && isStaticUser(caller);
  if (staticUserBlocked) {
    return Response.status(Status.FORBIDDEN)
        .entity("The default static user cannot carry out this operation.")
        .build();
  }

  final NewApplication created = createNewApplication();
  return Response.status(Status.OK).entity(created).build();
}
项目:big-c    文件:RMWebServices.java   
/**
 * Issues a delegation token for the caller.
 *
 * <p>The caller identity comes from
 * {@code createKerberosUserGroupInformation}; a {@code YarnException} from
 * that step is answered with 403 instead of being propagated.
 *
 * @param tokenData token request body
 * @param hsr the servlet request
 * @return the response built by {@code createDelegationToken}, or a 403
 *         Response when the caller identity is rejected
 */
@POST
@Path("/delegation-token")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response postDelegationToken(DelegationToken tokenData,
    @Context HttpServletRequest hsr) throws AuthorizationException,
    IOException, InterruptedException, Exception {

  init();
  final UserGroupInformation kerberosCaller;
  try {
    kerberosCaller = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception text is returned verbatim in the 403 body;
    // confirm it never carries internal detail the client should not see.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }
  return createDelegationToken(tokenData, hsr, kerberosCaller);
}
项目:big-c    文件:RMWebServices.java   
/**
 * Renews the delegation token carried by the request.
 *
 * <p>The caller identity comes from
 * {@code createKerberosUserGroupInformation}; a {@code YarnException} from
 * that step is answered with 403. The token to renew is taken from the
 * request via {@code extractToken} and re-encoded as a URL string.
 *
 * @param hsr the servlet request
 * @return the response built by {@code renewDelegationToken}, or a 403
 *         Response when the caller identity is rejected
 */
@POST
@Path("/delegation-token/expiration")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response
    postDelegationTokenExpiration(@Context HttpServletRequest hsr)
        throws AuthorizationException, IOException, InterruptedException,
        Exception {

  init();
  final UserGroupInformation kerberosCaller;
  try {
    kerberosCaller = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception text is returned verbatim in the 403 body;
    // confirm it never carries internal detail the client should not see.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }

  // NOTE(review): the result of extractToken is dereferenced without a null
  // check; presumably it throws on a missing token - confirm.
  final DelegationToken renewalRequest = new DelegationToken();
  renewalRequest.setToken(extractToken(hsr).encodeToUrlString());
  return renewDelegationToken(renewalRequest, hsr, kerberosCaller);
}
项目:big-c    文件:TestRMProxyUsersConf.java   
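/**
 * Starts a MockRM with {@code conf} and checks that the default impersonation
 * provider lets {@code FOO_USER} act as {@code BAR_USER} from
 * {@code ipAddress}.
 *
 * <p>Only the allow path is exercised here; a denial fails the test.
 */
@Test
public void testProxyUserConfiguration() throws Exception {
  MockRM rm = null;
  try {
    rm = new MockRM(conf);
    rm.start();
    // wait for web server starting
    // NOTE(review): a fixed 10 s sleep is not a readiness signal; it slows
    // the suite and can still be too short on a loaded machine.
    Thread.sleep(10000);
    UserGroupInformation proxyUser =
        UserGroupInformation.createProxyUser(
            BAR_USER.getShortUserName(), FOO_USER);
    try {
      ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser,
          ipAddress);
    } catch (AuthorizationException e) {
      // Exception is not expected. Keep the denial reason in the failure so
      // a broken proxy-user configuration can be diagnosed from the report.
      Assert.fail("Proxy user authorization was expected to succeed: " + e);
    }
  } finally {
    if (rm != null) {
      rm.stop();
      rm.close();
    }
  }
}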
项目:big-c    文件:ApplicationHistoryManagerOnTimelineStore.java   
/**
 * Verifies that the current user may view the given application.
 *
 * <p>The application's view ACLs are registered with {@code aclsManager} for
 * the duration of the check and removed again afterwards, whether or not the
 * check passes. A report without view ACLs is not checked at all.
 *
 * @param app application report together with its view ACLs
 * @throws YarnException declared; not thrown directly by these statements
 * @throws IOException as an {@code AuthorizationException} when the current
 *         user lacks VIEW_APP access
 */
private void checkAccess(ApplicationReportExt app)
        throws YarnException, IOException {
  if (app.appViewACLs == null) {
    // NOTE(review): a report with no recorded ACLs is readable by any caller
    // (fail-open) - confirm this is the intended policy.
    return;
  }
  // NOTE(review): ACLs are added to and removed from aclsManager per call;
  // if that manager is shared, overlapping checks for the same application
  // could remove an entry another check still relies on - confirm.
  aclsManager.addApplication(
      app.appReport.getApplicationId(), app.appViewACLs);
  try {
    final boolean mayView = aclsManager.checkAccess(
        UserGroupInformation.getCurrentUser(),
        ApplicationAccessType.VIEW_APP, app.appReport.getUser(),
        app.appReport.getApplicationId());
    if (!mayView) {
      throw new AuthorizationException("User "
          + UserGroupInformation.getCurrentUser().getShortUserName()
          + " does not have privilage to see this application "
          + app.appReport.getApplicationId());
    }
  } finally {
    aclsManager.removeApplication(app.appReport.getApplicationId());
  }
}
项目:big-c    文件:Server.java   
/**
 * Runs the authorization checks for this connection: the proxy-user
 * (impersonation) check when one applies, then the per-protocol check done by
 * {@code authorize(user, protocolName, addr)}.
 *
 * <p>Success increments the authorization-success metric. A denial is logged
 * at INFO, counted as a failure and rethrown wrapped with
 * {@code FATAL_UNAUTHORIZED}.
 *
 * @throws WrappedRpcServerException if either check rejects the connection
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // The connection impersonates someone when the effective user carries a
    // real user. With TOKEN auth the token was obtained by the real user for
    // the effective user, so the real user is not authorized again; doAs is
    // allowed only for simple or kerberos authentication.
    final boolean impersonating = user != null && user.getRealUser() != null;
    if (impersonating && authMethod != AuthMethod.TOKEN) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }
    authorize(user, protocolName, getHostInetAddress());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException denied) {
    // NOTE(review): the INFO line names the connection, protocol and user but
    // not the denial reason; the reason survives only as the wrapped cause.
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, denied);
  }
}
项目:big-c    文件:Server.java   
/**
 * Authorize the incoming client connection for one protocol.
 *
 * <p>Nothing is checked when the {@code authorize} flag is off. Otherwise the
 * protocol name must be non-null and resolve to a class, and the decision is
 * delegated to {@code serviceAuthorizationManager}.
 *
 * @param user client user
 * @param protocolName name of the protocol the client wants to talk
 * @param addr InetAddress of incoming connection
 * @throws AuthorizationException when the protocol name is null or unknown,
 *         or the client isn't authorized to talk the protocol
 */
private void authorize(UserGroupInformation user, String protocolName,
    InetAddress addr) throws AuthorizationException {
  if (!authorize) {
    // Service-level authorization is switched off: every protocol passes.
    return;
  }
  if (protocolName == null) {
    throw new AuthorizationException("Null protocol not authorized");
  }
  final Class<?> protocolClass;
  try {
    protocolClass = getProtocolClass(protocolName, getConf());
  } catch (ClassNotFoundException unknownProtocol) {
    // An unresolvable protocol is treated as a denial, not a server error.
    // NOTE(review): the ClassNotFoundException is not attached as the cause,
    // and the name (presumably supplied by the peer) is echoed in the message.
    throw new AuthorizationException("Unknown protocol: " + 
                                     protocolName);
  }
  serviceAuthorizationManager.authorize(user, protocolClass, getConf(), addr);
}
项目:big-c    文件:KeyAuthorizationKeyProvider.java   
/**
 * Decides whether {@code ugi} may create the key {@code keyName}.
 *
 * <p>The ACL consulted is the one named by the {@code KEY_ACL_NAME} attribute
 * of {@code options}. When that attribute is null or empty the key's own name
 * is used instead and, if a MANAGEMENT ACL exists for it, written back into
 * the options. Either way a MANAGEMENT ACL must be present for the chosen
 * name and the caller must hold MANAGEMENT or ALL on it; anything else is a
 * denial.
 *
 * @param keyName name of the key being created
 * @param options creation options; their attributes may be replaced
 * @param ugi caller identity, must not be null
 * @throws IOException as an {@code AuthorizationException} when the caller is
 *         not allowed to create the key
 */
private void authorizeCreateKey(String keyName, Options options,
    UserGroupInformation ugi) throws IOException {
  Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
  final Map<String, String> attributes = options.getAttributes();
  final String aclName = attributes.get(KEY_ACL_NAME);
  final boolean allowed;
  if (!Strings.isNullOrEmpty(aclName)) {
    // Explicit ACL name: it must exist before access is even considered.
    allowed = acls.isACLPresent(aclName, KeyOpType.MANAGEMENT)
        && (acls.hasAccessToKey(aclName, ugi, KeyOpType.MANAGEMENT)
            || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL));
  } else if (acls.isACLPresent(keyName, KeyOpType.MANAGEMENT)) {
    // No ACL name given: bind the key to the ACL that carries its own name.
    // The options are rewritten before the access decision is known.
    // NOTE(review): if the attribute is present but empty, putAll + put adds
    // KEY_ACL_NAME twice and Guava's ImmutableMap builder rejects duplicate
    // keys at build() - confirm this input cannot reach here.
    options.setAttributes(ImmutableMap.<String, String> builder()
        .putAll(attributes).put(KEY_ACL_NAME, keyName).build());
    allowed = acls.hasAccessToKey(keyName, ugi, KeyOpType.MANAGEMENT)
        || acls.hasAccessToKey(keyName, ugi, KeyOpType.ALL);
  } else {
    // Default deny: no MANAGEMENT ACL exists under the key's name.
    allowed = false;
  }
  if (!allowed) {
    throw new AuthorizationException(String.format("User [%s] is not"
        + " authorized to create key !!", ugi.getShortUserName()));
  }
}
项目:hadoop-2.6.0-cdh5.4.3    文件:RMWebServices.java   
/**
 * Returns the state of the application named by the {@code appid} path
 * segment.
 *
 * <p>The caller identity is resolved only to label the audit record written
 * when the application does not exist.
 *
 * @param hsr the servlet request
 * @param appId application id taken from the request path
 * @return the application's current state as a string
 * @throws AuthorizationException declared, but not thrown directly by the
 *         statements in this method
 */
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  // An unresolved caller is audited under an empty user name.
  final String auditUser = (caller == null) ? "" : caller.getUserName();

  // NOTE(review): no per-application access check is visible in this method;
  // confirm that application state is meant to be readable by any caller.
  final RMApp rmApp;
  try {
    rmApp = getRMAppForAppId(appId);
  } catch (NotFoundException notFound) {
    // NOTE(review): this read path is audited under KILL_APP_REQUEST, so the
    // audit trail labels a state lookup as a kill attempt.
    // NOTE(review): appId comes from the URL path and is concatenated into
    // the audit text; confirm malformed ids are rejected before this point.
    RMAuditLogger.logFailure(auditUser, AuditConstants.KILL_APP_REQUEST,
        "UNKNOWN", "RMWebService",
        "Trying to get state of an absent application " + appId);
    throw notFound;
  }

  final AppState state = new AppState();
  state.setState(rmApp.getState().toString());
  return state;
}
项目:hadoop-2.6.0-cdh5.4.3    文件:RMWebServices.java   
/**
 * Generates a new ApplicationId which is then sent to the client
 * 
 * @param hsr
 *          the servlet request
 * @return Response containing the app id and the maximum resource
 *         capabilities
 * @throws AuthorizationException
 * @throws IOException
 * @throws InterruptedException
 */
@POST
@Path("/apps/new-application")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response createNewApplication(@Context HttpServletRequest hsr)
    throws AuthorizationException, IOException, InterruptedException {
  init();
  final UserGroupInformation callerUGI =
      getCallerUserGroupInformation(hsr, true);

  // An unidentified caller is rejected with an exception.
  if (callerUGI == null) {
    throw new AuthorizationException("Unable to obtain user name, "
        + "user not authenticated");
  }

  // With security enabled, the static (default) web user may not create
  // applications; this case is answered with 403 rather than an exception.
  final boolean staticUserUnderSecurity =
      UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI);
  if (staticUserUnderSecurity) {
    String msg = "The default static user cannot carry out this operation.";
    return Response.status(Status.FORBIDDEN).entity(msg).build();
  }

  final NewApplication created = createNewApplication();
  return Response.status(Status.OK).entity(created).build();
}
项目:hadoop-2.6.0-cdh5.4.3    文件:RMWebServices.java   
/**
 * Handles a POST to {@code /delegation-token}: builds the caller's identity
 * with {@code createKerberosUserGroupInformation} and, if that succeeds,
 * delegates to {@code createDelegationToken}.
 *
 * @param tokenData request body describing the token to create
 * @param hsr the servlet request
 * @return the response from {@code createDelegationToken}, or 403 when the
 *         caller's identity could not be established
 */
@POST
@Path("/delegation-token")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response postDelegationToken(DelegationToken tokenData,
    @Context HttpServletRequest hsr) throws AuthorizationException,
    IOException, InterruptedException, Exception {

  init();
  final UserGroupInformation callerUGI;
  try {
    callerUGI = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception message is returned verbatim in the 403
    // body; confirm it cannot carry internal detail.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }
  // Only the identity lookup is guarded by the catch above; failures from
  // token creation propagate to the caller.
  return createDelegationToken(tokenData, hsr, callerUGI);
}
项目:hadoop-2.6.0-cdh5.4.3    文件:RMWebServices.java   
/**
 * Handles a POST to {@code /delegation-token/expiration}: builds the
 * caller's identity with {@code createKerberosUserGroupInformation}, reads
 * the token from the request with {@code extractToken} and passes it to
 * {@code renewDelegationToken}.
 *
 * @param hsr the servlet request carrying the token
 * @return the response from {@code renewDelegationToken}, or 403 when the
 *         caller's identity could not be established
 */
@POST
@Path("/delegation-token/expiration")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response
    postDelegationTokenExpiration(@Context HttpServletRequest hsr)
        throws AuthorizationException, IOException, InterruptedException,
        Exception {

  init();
  final UserGroupInformation callerUGI;
  try {
    callerUGI = createKerberosUserGroupInformation(hsr);
  } catch (YarnException rejected) {
    // NOTE(review): the exception message is returned verbatim in the 403
    // body; confirm it cannot carry internal detail.
    return Response.status(Status.FORBIDDEN)
        .entity(rejected.getMessage())
        .build();
  }

  // The token comes from the request itself and is re-encoded before being
  // handed on together with the caller's identity.
  final String encodedToken = extractToken(hsr).encodeToUrlString();
  final DelegationToken renewalRequest = new DelegationToken();
  renewalRequest.setToken(encodedToken);
  return renewDelegationToken(renewalRequest, hsr, callerUGI);
}
项目:hadoop-2.6.0-cdh5.4.3    文件:TestRMProxyUsersConf.java   
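/**
 * Starts a MockRM with the test configuration and checks that the default
 * impersonation provider accepts a proxy user built from BAR_USER's short
 * name with FOO_USER as the real user, connecting from {@code ipAddress}.
 *
 * NOTE(review): only the allowed path is exercised; a companion negative
 * case would catch an over-permissive proxy-user configuration.
 */
@Test
public void testProxyUserConfiguration() throws Exception {
  MockRM rm = null;
  try {
    rm = new MockRM(conf);
    rm.start();
    // wait for web server starting
    Thread.sleep(10000);
    UserGroupInformation proxyUser =
        UserGroupInformation.createProxyUser(
            BAR_USER.getShortUserName(), FOO_USER);
    try {
      ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser,
          ipAddress);
    } catch (AuthorizationException e) {
      // Exception is not expected; report why the proxy user was rejected
      // so that a failure can be diagnosed from the test output.
      Assert.fail("Proxy user authorization was rejected unexpectedly: " + e);
    }
  } finally {
    // Always shut the MockRM down, even when the assertion fails.
    if (rm != null) {
      rm.stop();
      rm.close();
    }
  }
}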
项目:hadoop-2.6.0-cdh5.4.3    文件:Server.java   
/**
 * Authorize proxy users to access this server
 * @throws WrappedRpcServerException - user is not allowed to proxy
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // A connection is an impersonation (doAs) attempt when the user carries
    // a real user. With TOKEN auth the token was obtained by the real user
    // for the effective user, so the proxy check is skipped; it applies
    // only to simple or kerberos authentication.
    final boolean impersonating = user != null && user.getRealUser() != null;
    if (impersonating && authMethod != AuthMethod.TOKEN) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }

    // The protocol-level check runs for every connection, proxied or not.
    authorize(user, protocolName, getHostInetAddress());

    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException denied) {
    // Each denial is logged at INFO and counted in the RPC metrics, then
    // reported to the client as FATAL_UNAUTHORIZED with the cause attached.
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, denied);
  }
}