/** * Wrapper around {@link #validateKerberosPrincipal(KerberosPrincipalId)} to validate a principal in string format */ public static void validateKerberosPrincipal(String principal) { validateKerberosPrincipal(new KerberosPrincipalId(principal)); }
@Override public String getEntityName() { return getPrincipal(); }
@SuppressWarnings("unused") public static KerberosPrincipalId fromIdParts(Iterable<String> idString) { Iterator<String> iterator = idString.iterator(); return new KerberosPrincipalId(nextAndEnd(iterator, "principal")); }
appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
@Override public String getEntityName() { return getPrincipal(); }
@SuppressWarnings("unused") public static KerberosPrincipalId fromIdParts(Iterable<String> idString) { Iterator<String> iterator = idString.iterator(); return new KerberosPrincipalId(nextAndEnd(iterator, "principal")); }
appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
@Nullable @Override public String getOwnerPrincipal(NamespacedEntityId entityId) throws IOException { KerberosPrincipalId owner = getOwner(entityId); return owner == null ? null : owner.getPrincipal(); }
/** * Helper function to get the effective owner of an entity. It will check the owner store to get the namespace * owner if the provided owner principal is null. * * Note that this method need not be used after the entity is created, in that case simply * use {@link OwnerAdmin}.getImpersonationPrincipal() * * @param ownerAdmin owner admin to query the owner * @param namespaceId the namespace the entity is in * @param ownerPrincipal the owner principal of the entity, null if not provided * @return the effective owner of the entity, null if no owner is provided for both the enity and the namespace. */ @Nullable public static KerberosPrincipalId getEffectiveOwner(OwnerAdmin ownerAdmin, NamespaceId namespaceId, @Nullable String ownerPrincipal) throws IOException { if (ownerPrincipal != null) { // if entity owner is present, return it return new KerberosPrincipalId(ownerPrincipal); } if (!namespaceId.equals(NamespaceId.SYSTEM)) { // if entity owner is not present, get the namespace impersonation principal String namespacePrincipal = ownerAdmin.getImpersonationPrincipal(namespaceId); return namespacePrincipal == null ? null : new KerberosPrincipalId(namespacePrincipal); } // No owner found return null; } }
/** * Returns a {@link KerberosName} from the given {@link KerberosPrincipalId} if the given kerberos principal id * is valid. Refer to * <a href="https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html"> * Kerberos Principal</a> for details. * * @param principalId The {@link KerberosPrincipalId} from which {@link KerberosName} needs to be created * @return {@link KerberosName} for the given {@link KerberosPrincipalId} * @throws IllegalArgumentException if failed to create a {@link KerberosName} from the given * {@link KerberosPrincipalId} */ public static KerberosName getKerberosName(KerberosPrincipalId principalId) { return new KerberosName(principalId.getPrincipal()); }
/** * Returns the application principal if there is one. * * @param programOptions the program options to extract information from * @return the application principal or {@code null} if no application principal is available. */ @Nullable public static KerberosPrincipalId getApplicationPrincipal(ProgramOptions programOptions) { Arguments systemArgs = programOptions.getArguments(); boolean hasAppPrincipal = Boolean.parseBoolean(systemArgs.getOption(ProgramOptionConstants.APP_PRINCIPAL_EXISTS)); return hasAppPrincipal ? new KerberosPrincipalId(systemArgs.getOption(ProgramOptionConstants.PRINCIPAL)) : null; }
private void verifyOwner(NamespacedEntityId entityId, @Nullable KerberosPrincipalId specifiedOwnerPrincipal) throws DatasetManagementException, UnauthorizedException { try { SecurityUtil.verifyOwnerPrincipal(entityId, specifiedOwnerPrincipal == null ? null : specifiedOwnerPrincipal.getPrincipal(), ownerAdmin); } catch (IOException e) { throw new DatasetManagementException(e.getMessage(), e); } }
/** * Returns the application principal if there is one. * * @param programOptions the program options to extract information from * @return the application principal or {@code null} if no application principal is available. */ @Nullable public static KerberosPrincipalId getApplicationPrincipal(ProgramOptions programOptions) { Arguments systemArgs = programOptions.getArguments(); boolean hasAppPrincipal = Boolean.parseBoolean(systemArgs.getOption(ProgramOptionConstants.APP_PRINCIPAL_EXISTS)); return hasAppPrincipal ? new KerberosPrincipalId(systemArgs.getOption(ProgramOptionConstants.PRINCIPAL)) : null; }
private void verifyOwner(NamespacedEntityId entityId, @Nullable KerberosPrincipalId specifiedOwnerPrincipal) throws DatasetManagementException, UnauthorizedException { try { SecurityUtil.verifyOwnerPrincipal(entityId, specifiedOwnerPrincipal == null ? null : specifiedOwnerPrincipal.getPrincipal(), ownerAdmin); } catch (IOException e) { throw new DatasetManagementException(e.getMessage(), e); } }
@Override @Nullable public KerberosPrincipalId getOwner(final NamespacedEntityId entityId) throws IOException { validate(entityId); return Transactionals.execute(transactional, context -> { byte[] principalBytes = getTable(context).get(createRowKey(entityId), COL); return principalBytes == null ? null : new KerberosPrincipalId(Bytes.toString(principalBytes)); }, IOException.class); }
props.put(Constants.Security.PRINCIPAL, ownerPrincipal.getPrincipal());
@Override @Nullable public KerberosPrincipalId getOwner(final NamespacedEntityId entityId) throws IOException { validate(entityId); return Transactionals.execute(transactional, context -> { byte[] principalBytes = getTable(context).get(createRowKey(entityId), COL); return principalBytes == null ? null : new KerberosPrincipalId(Bytes.toString(principalBytes)); }, IOException.class); }
/** * Helper function to get the authorizing user for app deployment, the authorzing user will be the app owner if it * is present. If not, it will be the namespace owner. If that is also not present, it will be the user who is making * the request */ public static String getAppAuthorizingUser(OwnerAdmin ownerAdmin, AuthenticationContext authenticationContext, ApplicationId applicationId, @Nullable KerberosPrincipalId appOwner) throws IOException { KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, applicationId.getNamespaceId(), appOwner == null ? null : appOwner.getPrincipal()); // CDAP-13154 If impersonation is configured for either the application or namespace the effective owner will be // a kerberos principal which can have different form // (refer: https://docs.oracle.com/cd/E21455_01/common/tutorials/kerberos_principal.html). For example it can be // a complete principal name (alice/somehost.net@someREALM). For authorization we need the enforcement to happen // on the username and not the complete principal. The user name is the shortname of the principal so return the // shortname as authorizing user. String appAuthorizingUser = effectiveOwner != null ? new KerberosName(effectiveOwner.getPrincipal()).getShortName() : authenticationContext.getPrincipal().getName(); LOG.trace("Returning {} as authorizing app user for {}", appAuthorizingUser, applicationId); return appAuthorizingUser; }
ownerAdmin.add(streamId, new KerberosPrincipalId(specifiedOwnerPrincipal));
@Nullable @Override public String getImpersonationPrincipal(NamespacedEntityId entityId) throws IOException { entityId = getEffectiveEntity(entityId); KerberosPrincipalId effectiveOwner = null; if (!entityId.getEntityType().equals(EntityType.NAMESPACE)) { effectiveOwner = ownerStore.getOwner(entityId); } // (CDAP-8176) Since no owner was found for the entity return namespace principal if present. return effectiveOwner != null ? effectiveOwner.getPrincipal() : getNamespaceConfig(entityId).getPrincipal(); }