@Override public String getEntityName() { return getPrincipal(); }
@Override public String getEntityName() { return getPrincipal(); }
@Nullable @Override public String getOwnerPrincipal(NamespacedEntityId entityId) throws IOException { KerberosPrincipalId owner = getOwner(entityId); return owner == null ? null : owner.getPrincipal(); }
/** * Returns a {@link KerberosName} from the given {@link KerberosPrincipalId} if the given kerberos principal id * is valid. Refer to * <a href="https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html"> * Kerberos Principal</a> for details. * * @param principalId The {@link KerberosPrincipalId} from which {@link KerberosName} needs to be created * @return {@link KerberosName} for the given {@link KerberosPrincipalId} * @throws IllegalArgumentException if failed to create a {@link KerberosName} from the given * {@link KerberosPrincipalId} */ public static KerberosName getKerberosName(KerberosPrincipalId principalId) { return new KerberosName(principalId.getPrincipal()); }
private void verifyOwner(NamespacedEntityId entityId, @Nullable KerberosPrincipalId specifiedOwnerPrincipal) throws DatasetManagementException, UnauthorizedException { try { SecurityUtil.verifyOwnerPrincipal(entityId, specifiedOwnerPrincipal == null ? null : specifiedOwnerPrincipal.getPrincipal(), ownerAdmin); } catch (IOException e) { throw new DatasetManagementException(e.getMessage(), e); } }
private void verifyOwner(NamespacedEntityId entityId, @Nullable KerberosPrincipalId specifiedOwnerPrincipal) throws DatasetManagementException, UnauthorizedException { try { SecurityUtil.verifyOwnerPrincipal(entityId, specifiedOwnerPrincipal == null ? null : specifiedOwnerPrincipal.getPrincipal(), ownerAdmin); } catch (IOException e) { throw new DatasetManagementException(e.getMessage(), e); } }
props.put(Constants.Security.PRINCIPAL, ownerPrincipal.getPrincipal());
/** * Helper function to get the authorizing user for app deployment, the authorzing user will be the app owner if it * is present. If not, it will be the namespace owner. If that is also not present, it will be the user who is making * the request */ public static String getAppAuthorizingUser(OwnerAdmin ownerAdmin, AuthenticationContext authenticationContext, ApplicationId applicationId, @Nullable KerberosPrincipalId appOwner) throws IOException { KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, applicationId.getNamespaceId(), appOwner == null ? null : appOwner.getPrincipal()); // CDAP-13154 If impersonation is configured for either the application or namespace the effective owner will be // a kerberos principal which can have different form // (refer: https://docs.oracle.com/cd/E21455_01/common/tutorials/kerberos_principal.html). For example it can be // a complete principal name (alice/somehost.net@someREALM). For authorization we need the enforcement to happen // on the username and not the complete principal. The user name is the shortname of the principal so return the // shortname as authorizing user. String appAuthorizingUser = effectiveOwner != null ? new KerberosName(effectiveOwner.getPrincipal()).getShortName() : authenticationContext.getPrincipal().getName(); LOG.trace("Returning {} as authorizing app user for {}", appAuthorizingUser, applicationId); return appAuthorizingUser; }
@Nullable @Override public String getImpersonationPrincipal(NamespacedEntityId entityId) throws IOException { entityId = getEffectiveEntity(entityId); KerberosPrincipalId effectiveOwner = null; if (!entityId.getEntityType().equals(EntityType.NAMESPACE)) { effectiveOwner = ownerStore.getOwner(entityId); } // (CDAP-8176) Since no owner was found for the entity return namespace principal if present. return effectiveOwner != null ? effectiveOwner.getPrincipal() : getNamespaceConfig(entityId).getPrincipal(); }
public void addInstance(String datasetInstanceName, String datasetType, DatasetProperties props, @Nullable KerberosPrincipalId owner) throws DatasetManagementException { String ownerPrincipal = owner == null ? null : owner.getPrincipal(); DatasetInstanceConfiguration creationProperties = new DatasetInstanceConfiguration(datasetType, props.getProperties(), props.getDescription(), ownerPrincipal); HttpResponse response = doPut("datasets/" + datasetInstanceName, GSON.toJson(creationProperties)); if (HttpResponseStatus.CONFLICT.code() == response.getResponseCode()) { throw new InstanceConflictException(String.format("Failed to add instance %s due to conflict, details: %s", datasetInstanceName, response)); } if (HttpResponseStatus.FORBIDDEN.code() == response.getResponseCode()) { throw new DatasetManagementException(String.format("Failed to add instance %s, details: %s", datasetInstanceName, response), new UnauthorizedException(response.getResponseBodyAsString())); } if (HttpResponseStatus.OK.code() != response.getResponseCode()) { throw new DatasetManagementException(String.format("Failed to add instance %s, details: %s", datasetInstanceName, response)); } }
public void addInstance(String datasetInstanceName, String datasetType, DatasetProperties props, @Nullable KerberosPrincipalId owner) throws DatasetManagementException { String ownerPrincipal = owner == null ? null : owner.getPrincipal(); DatasetInstanceConfiguration creationProperties = new DatasetInstanceConfiguration(datasetType, props.getProperties(), props.getDescription(), ownerPrincipal); HttpResponse response = doPut("datasets/" + datasetInstanceName, GSON.toJson(creationProperties)); if (HttpResponseStatus.CONFLICT.code() == response.getResponseCode()) { throw new InstanceConflictException(String.format("Failed to add instance %s due to conflict, details: %s", datasetInstanceName, response)); } if (HttpResponseStatus.FORBIDDEN.code() == response.getResponseCode()) { throw new DatasetManagementException(String.format("Failed to add instance %s, details: %s", datasetInstanceName, response), new UnauthorizedException(response.getResponseBodyAsString())); } if (HttpResponseStatus.OK.code() != response.getResponseCode()) { throw new DatasetManagementException(String.format("Failed to add instance %s, details: %s", datasetInstanceName, response)); } }
@Nullable @Override public ImpersonationInfo getImpersonationInfo(NamespacedEntityId entityId) throws IOException { entityId = getEffectiveEntity(entityId); if (!entityId.getEntityType().equals(EntityType.NAMESPACE)) { KerberosPrincipalId effectiveOwner = ownerStore.getOwner(entityId); if (effectiveOwner != null) { return new ImpersonationInfo(effectiveOwner.getPrincipal(), SecurityUtil.getKeytabURIforPrincipal(effectiveOwner.getPrincipal(), cConf)); } } // (CDAP-8176) Since no owner was found for the entity return namespace principal if present. NamespaceConfig nsConfig = getNamespaceConfig(entityId.getNamespaceId()); return nsConfig.getPrincipal() == null ? null : new ImpersonationInfo(nsConfig.getPrincipal(), nsConfig.getKeytabURI()); }
@Override public void add(final NamespacedEntityId entityId, final KerberosPrincipalId kerberosPrincipalId) throws IOException, AlreadyExistsException { validate(entityId, kerberosPrincipalId); Transactionals.execute(transactional, context -> { Table metaTable = getTable(context); // make sure that an owner does not already exists byte[] principalBytes = metaTable.get(createRowKey(entityId), COL); if (principalBytes != null) { throw new AlreadyExistsException(entityId, String.format("Owner information already exists for entity '%s'.", entityId)); } metaTable.put(createRowKey(entityId), COL, Bytes.toBytes(kerberosPrincipalId.getPrincipal())); }, IOException.class, AlreadyExistsException.class); }
@Override public void add(final NamespacedEntityId entityId, final KerberosPrincipalId kerberosPrincipalId) throws IOException, AlreadyExistsException { validate(entityId, kerberosPrincipalId); Transactionals.execute(transactional, context -> { Table metaTable = getTable(context); // make sure that an owner does not already exists byte[] principalBytes = metaTable.get(createRowKey(entityId), COL); if (principalBytes != null) { throw new AlreadyExistsException(entityId, String.format("Owner information already exists for entity '%s'.", entityId)); } metaTable.put(createRowKey(entityId), COL, Bytes.toBytes(kerberosPrincipalId.getPrincipal())); }, IOException.class, AlreadyExistsException.class); }
credentials.writeTokenStorageToStream(os); PrincipalCredentials principalCredentials = new PrincipalCredentials(aliceKerberosPrincipalId.getPrincipal(), credentialsFile.toURI().toString()); responder.sendJson(HttpResponseStatus.OK, GSON.toJson(principalCredentials));
ownerPrincipal == null ? null : ownerPrincipal.getPrincipal());
ownerPrincipal == null ? null : ownerPrincipal.getPrincipal());
eveKerberosPrincipalId.getPrincipal()).setKeytabURI(eveKeytabFile.getAbsolutePath()).build()); eveUGIWithPrincipal.getUGI().getAuthenticationMethod()); Assert.assertTrue(eveUGIWithPrincipal.getUGI().hasKerberosCredentials()); Assert.assertEquals(eveKerberosPrincipalId.getPrincipal(), eveUGIWithPrincipal.getPrincipal());
private UGIWithPrincipal verifyAndGetUGI(UGIProvider provider, KerberosPrincipalId principalId, ImpersonationRequest impersonationRequest) throws IOException { UGIWithPrincipal ugiWithPrincipal = provider.getConfiguredUGI(impersonationRequest); Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, ugiWithPrincipal.getUGI().getAuthenticationMethod()); Assert.assertEquals(principalId.getPrincipal(), ugiWithPrincipal.getPrincipal()); Assert.assertTrue(ugiWithPrincipal.getUGI().hasKerberosCredentials()); // Fetch it again, it is should return the same UGI since there is caching Assert.assertSame(ugiWithPrincipal.getUGI(), provider.getConfiguredUGI(impersonationRequest).getUGI()); return ugiWithPrincipal; }