/** * Wrapper around {@link #validateKerberosPrincipal(KerberosPrincipalId)} to validate a principal in string format */ public static void validateKerberosPrincipal(String principal) { validateKerberosPrincipal(new KerberosPrincipalId(principal)); }
@SuppressWarnings("unused") public static KerberosPrincipalId fromIdParts(Iterable<String> idString) { Iterator<String> iterator = idString.iterator(); return new KerberosPrincipalId(nextAndEnd(iterator, "principal")); }
@SuppressWarnings("unused") public static KerberosPrincipalId fromIdParts(Iterable<String> idString) { Iterator<String> iterator = idString.iterator(); return new KerberosPrincipalId(nextAndEnd(iterator, "principal")); }
appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
/** * Helper function to get the effective owner of an entity. It will check the owner store to get the namespace * owner if the provided owner principal is null. * * Note that this method need not be used after the entity is created, in that case simply * use {@link OwnerAdmin}.getImpersonationPrincipal() * * @param ownerAdmin owner admin to query the owner * @param namespaceId the namespace the entity is in * @param ownerPrincipal the owner principal of the entity, null if not provided * @return the effective owner of the entity, null if no owner is provided for both the enity and the namespace. */ @Nullable public static KerberosPrincipalId getEffectiveOwner(OwnerAdmin ownerAdmin, NamespaceId namespaceId, @Nullable String ownerPrincipal) throws IOException { if (ownerPrincipal != null) { // if entity owner is present, return it return new KerberosPrincipalId(ownerPrincipal); } if (!namespaceId.equals(NamespaceId.SYSTEM)) { // if entity owner is not present, get the namespace impersonation principal String namespacePrincipal = ownerAdmin.getImpersonationPrincipal(namespaceId); return namespacePrincipal == null ? null : new KerberosPrincipalId(namespacePrincipal); } // No owner found return null; } }
/** * Returns the application principal if there is one. * * @param programOptions the program options to extract information from * @return the application principal or {@code null} if no application principal is available. */ @Nullable public static KerberosPrincipalId getApplicationPrincipal(ProgramOptions programOptions) { Arguments systemArgs = programOptions.getArguments(); boolean hasAppPrincipal = Boolean.parseBoolean(systemArgs.getOption(ProgramOptionConstants.APP_PRINCIPAL_EXISTS)); return hasAppPrincipal ? new KerberosPrincipalId(systemArgs.getOption(ProgramOptionConstants.PRINCIPAL)) : null; }
/** * Returns the application principal if there is one. * * @param programOptions the program options to extract information from * @return the application principal or {@code null} if no application principal is available. */ @Nullable public static KerberosPrincipalId getApplicationPrincipal(ProgramOptions programOptions) { Arguments systemArgs = programOptions.getArguments(); boolean hasAppPrincipal = Boolean.parseBoolean(systemArgs.getOption(ProgramOptionConstants.APP_PRINCIPAL_EXISTS)); return hasAppPrincipal ? new KerberosPrincipalId(systemArgs.getOption(ProgramOptionConstants.PRINCIPAL)) : null; }
@Override @Nullable public KerberosPrincipalId getOwner(final NamespacedEntityId entityId) throws IOException { validate(entityId); return Transactionals.execute(transactional, context -> { byte[] principalBytes = getTable(context).get(createRowKey(entityId), COL); return principalBytes == null ? null : new KerberosPrincipalId(Bytes.toString(principalBytes)); }, IOException.class); }
@Override @Nullable public KerberosPrincipalId getOwner(final NamespacedEntityId entityId) throws IOException { validate(entityId); return Transactionals.execute(transactional, context -> { byte[] principalBytes = getTable(context).get(createRowKey(entityId), COL); return principalBytes == null ? null : new KerberosPrincipalId(Bytes.toString(principalBytes)); }, IOException.class); }
ownerAdmin.add(streamId, new KerberosPrincipalId(specifiedOwnerPrincipal));
appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
appRequest.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(appRequest.getOwnerPrincipal());
Principal requestingUser = authenticationContext.getPrincipal(); if (ownerPrincipal != null) { authorizationEnforcer.enforce(new KerberosPrincipalId(ownerPrincipal), requestingUser, Action.ADMIN);
@BeforeClass public static void init() throws Exception { cConf = CConfiguration.create(); cConf.set(Constants.CFG_LOCAL_DATA_DIR, TEMP_FOLDER.newFolder().getAbsolutePath()); namespaceClient = new InMemoryNamespaceAdmin(); // Start KDC miniKdc = new MiniKdc(MiniKdc.createConf(), TEMP_FOLDER.newFolder()); miniKdc.start(); System.setProperty("java.security.krb5.conf", miniKdc.getKrb5conf().getAbsolutePath()); localKeytabDirPath = TEMP_FOLDER.newFolder(); // Generate keytab aliceKeytabFile = createPrincipal(localKeytabDirPath, "alice"); bobKeytabFile = createPrincipal(localKeytabDirPath, "bob"); eveKeytabFile = createPrincipal(localKeytabDirPath, "eve"); // construct Kerberos PrincipalIds aliceKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("alice")); bobKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("bob")); eveKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("eve")); // Start mini DFS cluster Configuration hConf = new Configuration(); hConf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, TEMP_FOLDER.newFolder().getAbsolutePath()); hConf.setBoolean("ipc.client.fallback-to-simple-auth-allowed", true); miniDFSCluster = new MiniDFSCluster.Builder(hConf).numDataNodes(1).build(); miniDFSCluster.waitClusterUp(); locationFactory = new FileContextLocationFactory(miniDFSCluster.getFileSystem().getConf()); hConf = new Configuration(); hConf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(hConf); }
DatasetTypeId datasetTypeId = namespaceId.datasetType(KeyValueTable.class.getName()); String owner = appOwner != null ? appOwner : nsMeta.getConfig().getPrincipal(); KerberosPrincipalId principalId = new KerberosPrincipalId(owner); Principal principal = new Principal(owner, Principal.PrincipalType.USER); DatasetId dummyDatasetId = namespaceId.dataset("customDataset");
@Override public void execute(Arguments arguments) throws Exception { ApplicationId appId = arguments.getId(); ArtifactSummary artifactSummary = arguments.getArtifact(); if (appExists(appId)) { return; } KerberosPrincipalId ownerPrincipalId = arguments.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(arguments.getOwnerPrincipal()); // if we don't null check, it gets serialized to "null" String configString = arguments.getConfig() == null ? null : GSON.toJson(arguments.getConfig()); try { appLifecycleService.deployApp(appId.getParent(), appId.getApplication(), appId.getVersion(), artifactSummary, configString, x -> { }, ownerPrincipalId, arguments.canUpdateSchedules()); } catch (NotFoundException | UnauthorizedException | InvalidArtifactException e) { // these exceptions are for sure not retry-able. It's hard to tell if the others are, so we just try retrying // up to the default time limit throw e; } catch (DatasetManagementException e) { if (e.getCause() instanceof UnauthorizedException) { throw (UnauthorizedException) e.getCause(); } else { throw new RetryableException(e); } } catch (Exception e) { throw new RetryableException(e); } }
@Override public void execute(Arguments arguments) throws Exception { ApplicationId appId = arguments.getId(); ArtifactSummary artifactSummary = arguments.getArtifact(); if (appExists(appId)) { return; } KerberosPrincipalId ownerPrincipalId = arguments.getOwnerPrincipal() == null ? null : new KerberosPrincipalId(arguments.getOwnerPrincipal()); // if we don't null check, it gets serialized to "null" String configString = arguments.getConfig() == null ? null : GSON.toJson(arguments.getConfig()); try { appLifecycleService.deployApp(appId.getParent(), appId.getApplication(), appId.getVersion(), artifactSummary, configString, x -> { }, ownerPrincipalId, arguments.canUpdateSchedules()); } catch (NotFoundException | UnauthorizedException | InvalidArtifactException e) { // these exceptions are for sure not retry-able. It's hard to tell if the others are, so we just try retrying // up to the default time limit throw e; } catch (DatasetManagementException e) { if (e.getCause() instanceof UnauthorizedException) { throw (UnauthorizedException) e.getCause(); } else { throw new RetryableException(e); } } catch (Exception e) { throw new RetryableException(e); } }
private void testDeployAppWithoutOwner() throws Exception { NamespaceId namespaceId = new NamespaceId("namespaceImpersonation"); // We will create a namespace as owner bob, the keytab url is provided to pass the check for DefaultNamespaceAdmin // in unit test, it is useless, since impersonation will never happen NamespaceMeta ownerNSMeta = new NamespaceMeta.Builder().setName(namespaceId.getNamespace()) .setPrincipal(BOB.getName()).setKeytabURI("/tmp/").build(); KerberosPrincipalId bobPrincipalId = new KerberosPrincipalId(BOB.getName()); // grant alice admin to the namespace, but creation should still fail since alice needs to have privilege on // principal bob grantAndAssertSuccess(namespaceId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(namespaceId); try { getNamespaceAdmin().create(ownerNSMeta); Assert.fail("Namespace creation should fail since alice does not have privilege on principal bob"); } catch (UnauthorizedException e) { // expected } // grant alice admin on principal bob, now creation of namespace should work grantAndAssertSuccess(bobPrincipalId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(bobPrincipalId); getNamespaceAdmin().create(ownerNSMeta); // deploy dummy app with ns impersonation deployDummyAppWithImpersonation(ownerNSMeta, null); }
KerberosPrincipalId kerberosPrincipalId = new KerberosPrincipalId("alice/somehost@SOMEKDC.NET"); ownerStore.add(datasetId, kerberosPrincipalId); ownerStore.add(datasetId, new KerberosPrincipalId("bob@SOMEKDC.NET")); Assert.fail(); } catch (AlreadyExistsException e) { ownerStore.add(datasetId, new KerberosPrincipalId("somePrincipal")); Assert.fail(); } catch (AlreadyExistsException e) { ownerStore.add(datasetId, new KerberosPrincipalId("b@ob@SOMEKDC.NET")); Assert.fail(); } catch (IllegalArgumentException e) { ownerStore.add(NamespaceId.DEFAULT.topic("anotherStream"), new KerberosPrincipalId("somePrincipal")); Assert.fail(); } catch (IllegalArgumentException e) {