/**
 * Builds the list of resources the authorizer is registered with: a single
 * {@link SecurityCatalogResource} wrapping the given authorizer and catalog service.
 *
 * @param authorizer the authorizer handed to the resource
 * @param securityCatalogService the catalog service handed to the resource
 * @return an immutable one-element list holding the new resource
 */
private List<Object> getAuthorizerResources(StreamlineAuthorizer authorizer, SecurityCatalogService securityCatalogService) {
    Object catalogResource = new SecurityCatalogResource(authorizer, securityCatalogService);
    return Collections.singletonList(catalogResource);
}
/**
 * Replaces the users assigned to a role with the given set of user names.
 * The caller must hold {@code ROLE_SECURITY_ADMIN}; the check runs before any lookup.
 *
 * @param roleNameOrId numeric role id, or a role name resolved via {@code getIdFromRoleName}
 * @param userNames request body; each name is resolved via {@code getUserId}. A null body
 *                  fails with a NullPointerException before any assignment is changed.
 * @param securityContext caller's security context
 * @return the response of {@code addOrUpdateRoleUsers(Long, Set)}
 */
@PUT
@Path("/roles/{roleNameOrId}/users")
@Timed
public Response addOrUpdateRoleUsers(@PathParam("roleNameOrId") String roleNameOrId,
                                     Set<String> userNames,
                                     @Context SecurityContext securityContext) {
    // Authorization first: non-admins never reach the id resolution below.
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Long roleId;
    if (StringUtils.isNumeric(roleNameOrId)) {
        roleId = Long.valueOf(roleNameOrId);
    } else {
        roleId = getIdFromRoleName(roleNameOrId);
    }
    Set<Long> userIds = userNames.stream()
            .map(name -> getUserId(name))
            .collect(Collectors.toCollection(HashSet::new));
    return addOrUpdateRoleUsers(roleId, userIds);
}
/**
 * Adds the given users to a role. The caller must hold {@code ROLE_SECURITY_ADMIN};
 * the check runs before any lookup.
 *
 * @param roleNameOrId numeric role id, or a role name resolved via {@code getIdFromRoleName}
 * @param userNames request body; each name is resolved via {@code getUserId}. A null body
 *                  fails with a NullPointerException before any assignment is changed.
 * @param securityContext caller's security context
 * @return the response of {@code addRoleUsers(Long, Set)}
 */
@POST
@Path("/roles/{roleNameOrId}/users")
@Timed
public Response addRoleUsers(@PathParam("roleNameOrId") String roleNameOrId,
                             Set<String> userNames,
                             @Context SecurityContext securityContext) {
    // Authorization first: non-admins never reach the id resolution below.
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Long roleId;
    if (StringUtils.isNumeric(roleNameOrId)) {
        roleId = Long.valueOf(roleNameOrId);
    } else {
        roleId = getIdFromRoleName(roleNameOrId);
    }
    Set<Long> userIds = userNames.stream()
            .map(name -> getUserId(name))
            .collect(Collectors.toCollection(HashSet::new));
    return addRoleUsers(roleId, userIds);
}
/**
 * Lists the users assigned to a role. Requires {@code ROLE_SECURITY_ADMIN}.
 *
 * @param roleNameOrId numeric role id, or a role name resolved via {@code getIdFromRoleName}
 * @param securityContext caller's security context
 * @return the response of {@code getRoleUsers(Long)}
 */
@GET
@Path("/roles/{roleNameOrId}/users")
@Timed
public Response getRoleUsers(@PathParam("roleNameOrId") String roleNameOrId, @Context SecurityContext securityContext) {
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Long roleId;
    if (StringUtils.isNumeric(roleNameOrId)) {
        roleId = Long.valueOf(roleNameOrId);
    } else {
        roleId = getIdFromRoleName(roleNameOrId);
    }
    return getRoleUsers(roleId);
}
/**
 * Creates or replaces the ACL entry with the given id.
 * {@code mayBeFillSidId} runs before the authorization callback, so
 * {@code shouldAllowAclAddOrUpdate} evaluates the filled-in entry (what it fills
 * is not visible in this method).
 *
 * @param aclId id from the path
 * @param aclEntry request body
 * @param securityContext caller's security context, passed to {@code checkAclOp}
 * @return 200 with the stored entry
 */
@PUT
@Path("/acls/{id}")
@Timed
public Response addOrUpdateAcl(@PathParam("id") Long aclId, AclEntry aclEntry, @Context SecurityContext securityContext) {
    mayBeFillSidId(aclEntry);
    checkAclOp(aclEntry, securityContext, this::shouldAllowAclAddOrUpdate);
    AclEntry storedEntry = catalogService.addOrUpdateAcl(aclId, aclEntry);
    return WSUtils.respondEntity(storedEntry, OK);
}
/**
 * Restricts a set of ACL entries to those visible to the caller.
 * Security admins see everything; other callers see only the entries for which
 * {@code matches(entry, user, roles)} holds.
 *
 * @param aclEntries entries to filter
 * @param securityContext caller's security context
 * @return a new set holding the visible entries
 */
private Collection<AclEntry> filter(Collection<AclEntry> aclEntries, SecurityContext securityContext) {
    // The caller and role lookups happen unconditionally, before the admin shortcut is applied.
    User caller = getCurrentUser(securityContext);
    Set<Role> callerRoles = catalogService.getAllUserRoles(caller);
    boolean isSecurityAdmin = SecurityUtil.hasRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Set<AclEntry> visible = new HashSet<>();
    for (AclEntry entry : aclEntries) {
        if (isSecurityAdmin || matches(entry, caller, callerRoles)) {
            visible.add(entry);
        }
    }
    return visible;
}
/**
 * Lists the child roles of a role. Requires {@code ROLE_SECURITY_ADMIN}.
 *
 * @param roleIdOrName numeric role id, or a role name resolved via {@code getIdFromRoleName}
 * @param securityContext caller's security context
 * @return the response of {@code listChildRoles(Long, SecurityContext)}
 * @throws Exception propagated from the delegate
 */
@GET
@Path("/roles/{roleIdOrName}/children")
@Timed
public Response listChildRoles(@PathParam("roleIdOrName") String roleIdOrName, @Context SecurityContext securityContext) throws Exception {
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Long roleId;
    if (StringUtils.isNumeric(roleIdOrName)) {
        roleId = Long.valueOf(roleIdOrName);
    } else {
        roleId = getIdFromRoleName(roleIdOrName);
    }
    return listChildRoles(roleId, securityContext);
}
/**
 * Returns the user bound to the current security context.
 *
 * @param uriInfo injected but not used; the identity comes solely from the security context
 * @param securityContext caller's security context
 * @return 200 with the current user
 * @throws Exception propagated from the lookup
 */
@GET
@Path("/users/current")
@Timed
public Response getCurrentUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext) throws Exception {
    User caller = getCurrentUser(securityContext);
    return WSUtils.respondEntity(caller, OK);
}
/**
 * Adds several child roles under a parent role. Requires {@code ROLE_SECURITY_ADMIN}.
 * Only a child equal to the parent is rejected here; whether
 * {@code catalogService.addChildRole} guards against longer cycles is not visible in this method.
 *
 * @param parentRoleName name of the parent role
 * @param childRoleNames request body; each name is resolved via {@code getIdFromRoleName}
 * @param securityContext caller's security context
 * @return 200 with the created {@link RoleHierarchy} links
 * @throws IllegalArgumentException if {@code childRoleNames} contains {@code parentRoleName}
 * @throws Exception propagated from the catalog
 */
@POST
@Path("/roles/{parentRoleName}/children")
@Timed
public Response addChildRoles(@PathParam("parentRoleName") String parentRoleName,
                              Set<String> childRoleNames,
                              @Context SecurityContext securityContext) throws Exception {
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Long parentId = getIdFromRoleName(parentRoleName);

    // Resolve every child first so a bad name fails before any link is written.
    Set<Long> childIds = new HashSet<>();
    for (String childRoleName : childRoleNames) {
        if (childRoleName.equals(parentRoleName)) {
            throw new IllegalArgumentException("Child role(s) contain parent role");
        }
        childIds.add(getIdFromRoleName(childRoleName));
    }

    Set<RoleHierarchy> created = new HashSet<>();
    for (Long childId : childIds) {
        created.add(catalogService.addChildRole(parentId, childId));
    }
    return WSUtils.respondEntities(created, OK);
}
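/**
 * Returns the ACL entry with the given id.
 * <p>
 * The existence check runs before the authorization callback, the same order
 * {@code deleteAcl} uses, so {@code shouldAllowAclGet} (and the {@code matches}
 * call it makes for non-admins) is never handed a null entry for an unknown id.
 * As with delete, an unknown id therefore yields 404 regardless of the caller's role.
 *
 * @param aclId id from the path
 * @param securityContext caller's security context, passed to {@code checkAclOp}
 * @return 200 with the entry
 * @throws EntityNotFoundException if no ACL entry has the given id
 */
@GET
@Path("/acls/{id}")
@Timed
public Response getAcl(@PathParam("id") Long aclId, @Context SecurityContext securityContext) {
    AclEntry aclEntry = catalogService.getAcl(aclId);
    if (aclEntry == null) {
        throw EntityNotFoundException.byId(aclId.toString());
    }
    checkAclOp(aclEntry, securityContext, this::shouldAllowAclGet);
    return WSUtils.respondEntity(aclEntry, OK);
}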
/**
 * Lists ACL entries, optionally narrowed by the request's query parameters, and
 * then reduced by {@code filter} to what the caller may see.
 *
 * @param uriInfo source of the query parameters
 * @param securityContext caller's security context, used by {@code filter}
 * @return 200 with the visible entries
 * @throws EntityNotFoundException if the catalog returns null for the query
 * @throws Exception propagated from the catalog
 */
@GET
@Path("/acls")
@Timed
public Response listAcls(@Context UriInfo uriInfo, @Context SecurityContext securityContext) throws Exception {
    MultivaluedMap<String, String> rawParams = uriInfo.getQueryParameters();
    // Built unconditionally; also used for the not-found message below.
    List<QueryParam> queryParams = WSUtils.buildQueryParameters(rawParams);
    boolean unfiltered = rawParams == null || rawParams.isEmpty();

    Collection<AclEntry> acls;
    if (unfiltered) {
        acls = catalogService.listAcls();
    } else {
        acls = catalogService.listAcls(queryParams);
    }
    if (acls == null) {
        throw EntityNotFoundException.byFilter(queryParams.toString());
    }
    Collection<AclEntry> visible = filter(acls, securityContext);
    return WSUtils.respondEntities(visible, OK);
}
/**
 * Creates a new ACL entry. {@code mayBeFillSidId} runs before the authorization
 * callback, so {@code shouldAllowAclAddOrUpdate} evaluates the filled-in entry.
 *
 * @param aclEntry request body
 * @param securityContext caller's security context, passed to {@code checkAclOp}
 * @return 201 with the created entry
 */
@POST
@Path("/acls")
@Timed
public Response addAcl(AclEntry aclEntry, @Context SecurityContext securityContext) {
    mayBeFillSidId(aclEntry);
    checkAclOp(aclEntry, securityContext, this::shouldAllowAclAddOrUpdate);
    AclEntry created = catalogService.addAcl(aclEntry);
    return WSUtils.respondEntity(created, CREATED);
}
/**
 * Authorization rule for reading an ACL entry: security admins may read any entry;
 * other callers may read it only if {@code matches(entry, user, roles)} holds.
 * The user and role lookups are skipped entirely for admins.
 *
 * @param aclEntry entry being read
 * @param securityContext caller's security context
 * @return whether the read is allowed
 */
private boolean shouldAllowAclGet(AclEntry aclEntry, SecurityContext securityContext) {
    boolean isSecurityAdmin = SecurityUtil.hasRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    if (!isSecurityAdmin) {
        User caller = getCurrentUser(securityContext);
        Set<Role> callerRoles = catalogService.getAllUserRoles(caller);
        return matches(aclEntry, caller, callerRoles);
    }
    return true;
}
/**
 * Logs the caller out by instructing the browser to drop the Hadoop authentication cookie.
 * Only the client-side cookie is cleared here; this method touches no server-side state.
 *
 * @param uriInfo injected but not used
 * @param securityContext caller's security context; its {@code isSecure()} decides the
 *                        cookie's Secure attribute
 * @return 200 with the logged-out user and the expiring Set-Cookie header
 * @throws Exception propagated from the user lookup
 */
@POST
@Path("/users/current/logout")
@Timed
public Response logoutCurrentUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext) throws Exception {
    User loggedOutUser = getCurrentUser(securityContext);
    // Emits: Set-Cookie hadoop.auth=deleted;Version=1;Path=/;Max-Age=0;HttpOnly;Expires=Thu, 01 Jan 1970 00:00:00 GMT
    // Max-Age=0 plus an epoch Expires makes the browser discard the cookie; HttpOnly is always set,
    // and Secure mirrors the current request so the clearing cookie is served the same way as the original.
    Cookie expiredAuthCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, "deleted", "/", null);
    NewCookie clearingCookie = new NewCookie(expiredAuthCookie, null, 0, new Date(0), securityContext.isSecure(), true);
    Response.ResponseBuilder response = Response.status(OK).entity(loggedOutUser);
    return response.cookie(clearingCookie).build();
}
/**
 * Adds a single child role under a parent role. Requires {@code ROLE_SECURITY_ADMIN}.
 * Only a child equal to the parent is rejected here; whether
 * {@code catalogService.addChildRole} guards against longer cycles is not visible in this method.
 *
 * @param parentRoleName name of the parent role
 * @param childRoleName name of the child role
 * @param securityContext caller's security context
 * @return 200 with the created {@link RoleHierarchy} link
 * @throws IllegalArgumentException if the child and parent names are equal
 * @throws EntityNotFoundException if the resolved child id has no role
 * @throws Exception propagated from the catalog
 */
@POST
@Path("/roles/{parentRoleName}/children/{childRoleName}")
@Timed
public Response addChildRole(@PathParam("parentRoleName") String parentRoleName,
                             @PathParam("childRoleName") String childRoleName,
                             @Context SecurityContext securityContext) throws Exception {
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    boolean selfReference = childRoleName.equals(parentRoleName);
    if (selfReference) {
        throw new IllegalArgumentException("Child role is same as parent role");
    }
    Long parentId = getIdFromRoleName(parentRoleName);
    Long childId = getIdFromRoleName(childRoleName);
    Role childRole = catalogService.getRole(childId);
    if (childRole == null) {
        throw EntityNotFoundException.byId(childId.toString());
    }
    RoleHierarchy link = catalogService.addChildRole(parentId, childId);
    return WSUtils.respondEntity(link, OK);
}
/**
 * Deletes the ACL entry with the given id. The stored entry is loaded first and
 * the authorization callback runs against it, not against caller-supplied data.
 *
 * @param aclId id from the path
 * @param securityContext caller's security context, passed to {@code checkAclOp}
 * @return 200 with the entry as it was before removal
 * @throws EntityNotFoundException if no entry has the id, or if removal returns null
 */
@DELETE
@Path("/acls/{id}")
@Timed
public Response deleteAcl(@PathParam("id") Long aclId, @Context SecurityContext securityContext) {
    AclEntry existing = catalogService.getAcl(aclId);
    if (existing == null) {
        throw EntityNotFoundException.byId(aclId.toString());
    }
    checkAclOp(existing, securityContext, this::shouldAllowAclDelete);
    AclEntry removed = catalogService.removeAcl(aclId);
    if (removed == null) {
        throw EntityNotFoundException.byId(aclId.toString());
    }
    // The pre-removal snapshot is what is returned, not the value from removeAcl.
    return WSUtils.respondEntity(existing, OK);
}
return true; User currentUser = getCurrentUser(securityContext);
/**
 * Replaces the set of child roles under a parent role. Requires {@code ROLE_SECURITY_ADMIN}.
 * Children not in the request are unlinked, new ones are linked, and those already
 * present are reported unchanged. Only a child equal to the parent is rejected here;
 * whether {@code catalogService.addChildRole} guards against longer cycles is not visible in this method.
 *
 * @param parentRoleName name of the parent role
 * @param childRoleNames request body; the desired full set of child role names
 * @param securityContext caller's security context
 * @return 200 with one {@link RoleHierarchy} per resulting child link
 * @throws IllegalArgumentException if {@code childRoleNames} contains {@code parentRoleName}
 * @throws Exception propagated from the catalog
 */
@PUT
@Path("/roles/{parentRoleName}/children")
@Timed
public Response addOrUpdateChildRoles(@PathParam("parentRoleName") String parentRoleName,
                                      Set<String> childRoleNames,
                                      @Context SecurityContext securityContext) throws Exception {
    SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN);
    Long parentId = getIdFromRoleName(parentRoleName);

    Set<Long> existingChildIds = new HashSet<>();
    catalogService.getChildRoles(parentId).forEach(role -> existingChildIds.add(role.getId()));

    // Resolve every requested child first so a bad name fails before any link is changed.
    Set<Long> requestedChildIds = new HashSet<>();
    for (String childRoleName : childRoleNames) {
        if (childRoleName.equals(parentRoleName)) {
            throw new IllegalArgumentException("Child role(s) contain parent role");
        }
        requestedChildIds.add(getIdFromRoleName(childRoleName));
    }

    // Set views over the two id sets; neither set is modified while they are iterated.
    Set<Long> toAdd = Sets.difference(requestedChildIds, existingChildIds);
    Set<Long> toRemove = Sets.difference(existingChildIds, requestedChildIds);
    Set<Long> unchanged = Sets.intersection(existingChildIds, requestedChildIds);

    for (Long childId : toRemove) {
        catalogService.removeChildRole(parentId, childId);
    }
    Set<RoleHierarchy> result = new HashSet<>();
    for (Long childId : unchanged) {
        result.add(new RoleHierarchy(parentId, childId));
    }
    for (Long childId : toAdd) {
        result.add(catalogService.addChildRole(parentId, childId));
    }
    return WSUtils.respondEntities(result, OK);
}