/**
 * Looks up the {@link NamespaceConfig} of the namespace that contains the given entity.
 *
 * <p>The system namespace is answered from the static {@code NamespaceMeta.SYSTEM} definition and never
 * reaches {@code namespaceQueryAdmin}; every other namespace is resolved through {@code namespaceQueryAdmin.get}.
 *
 * @param entityId the entity whose namespace configuration is wanted
 * @return the configuration of the entity's namespace
 * @throws IOException if the lookup throws an {@link IOException}, or wrapping any other exception it throws
 */
private NamespaceConfig getNamespaceConfig(NamespacedEntityId entityId) throws IOException {
  try {
    // Resolved inside the try so that a failure here is also reported as an IOException.
    NamespaceId owningNamespace = entityId.getNamespaceId();
    return owningNamespace.equals(NamespaceId.SYSTEM)
      ? NamespaceMeta.SYSTEM.getConfig()
      : namespaceQueryAdmin.get(owningNamespace).getConfig();
  } catch (IOException ioFailure) {
    // Already the declared type: pass it through without wrapping.
    throw ioFailure;
  } catch (Exception otherFailure) {
    // Keep the original exception as the cause so the caller can still see what failed.
    throw new IOException(otherFailure);
  }
}
/**
 * Tells whether the given principal is the master user touching an entity in the system namespace.
 *
 * <p>All three conditions must hold: the entity is namespaced, its namespace is {@code NamespaceId.SYSTEM},
 * and the principal equals {@code masterUser}. Entities that are not namespaced never match.
 *
 * <p>NOTE(review): the result hinges on {@code Principal.equals}; which fields that comparison covers is not
 * visible here and should be confirmed wherever this predicate gates an access decision.
 *
 * @param entityId the entity being accessed
 * @param principal the principal performing the access
 * @return {@code true} only for the master user on a system-namespace entity
 */
private boolean isAccessingSystemNSAsMasterUser(EntityId entityId, Principal principal) {
  if (!(entityId instanceof NamespacedEntityId)) {
    return false;
  }
  NamespaceId targetNamespace = ((NamespacedEntityId) entityId).getNamespaceId();
  if (!targetNamespace.equals(NamespaceId.SYSTEM)) {
    return false;
  }
  return principal.equals(masterUser);
}
/**
 * Reads the profile configured directly on the given entity, using the entity's own preferences from the
 * preference dataset.
 *
 * <p>The profile name is scoped against the system namespace for an {@code INSTANCE} entity and against the
 * entity's own namespace otherwise.
 *
 * @param entityId entity id to look up the profile id for
 * @return the profile id configured for this entity id, or an empty optional when none is set
 */
private Optional<ProfileId> getProfileId(EntityId entityId) {
  NamespaceId scopeNamespace;
  if (entityId.getEntityType().equals(EntityType.INSTANCE)) {
    scopeNamespace = NamespaceId.SYSTEM;
  } else {
    // Assumes every non-INSTANCE entity id is a NamespacedEntityId; the cast fails otherwise. TODO confirm.
    scopeNamespace = ((NamespacedEntityId) entityId).getNamespaceId();
  }

  String configuredName = preferencesDataset.getPreferences(entityId).get(SystemArguments.PROFILE_NAME);
  if (configuredName == null) {
    return Optional.empty();
  }
  return Optional.of(ProfileId.fromScopedName(scopeNamespace, configuredName));
}
/**
 * Runs the given callable through the impersonator, using this instance's {@code entityId} for the
 * {@code doAs} call, and returns the callable's result.
 *
 * <p>No impersonation happens in two cases, in which the callable runs directly as the current user:
 * when {@code entityId} is {@code null} and when it belongs to the system namespace. The {@code null} case
 * means a caller that supplies no entity id silently skips impersonation.
 *
 * @param callable the work to run
 * @param <T> callable return type
 * @return result of callable
 * @throws Exception whatever the callable or the impersonator throws
 */
public <T> T impersonate(final Callable<T> callable) throws Exception {
  // todo entityId shouldn't be null, it's passed null only from PluginService. which needs to be updated.
  boolean runAsCurrentUser = entityId == null || entityId.getNamespaceId().equals(NamespaceId.SYSTEM);
  if (!runAsCurrentUser) {
    return impersonator.doAs(entityId, new Callable<T>() {
      @Override
      public T call() throws Exception {
        return callable.call();
      }
    });
  }
  // do not impersonate for system namespace (or when no entity id was supplied)
  return callable.call();
}
}
/**
 * Chooses the {@link UserGroupInformation} under which an operation on the given entity should run.
 *
 * <p>The current user is returned unchanged when Kerberos is disabled, when the entity is in the system
 * namespace, or when the current user's short name differs from {@code masterShortUsername} (the call is then
 * treated as already impersonated and is not impersonated again). Only in the remaining case is the
 * configured UGI obtained from {@code ugiProvider}.
 *
 * <p>NOTE(review): the "already impersonated" test compares short user names only. Callers must not read
 * the returned UGI as proof that impersonation took place; the skipped case is reported only by the
 * debug and warn log lines.
 *
 * @param entityId the entity the operation targets
 * @param impersonatedOpType the kind of operation being impersonated
 * @return the UGI to run as
 * @throws IOException if the current user or the configured UGI cannot be obtained
 */
private UserGroupInformation getUGI(NamespacedEntityId entityId,
                                    ImpersonatedOpType impersonatedOpType) throws IOException {
  UserGroupInformation caller = UserGroupInformation.getCurrentUser();

  // don't impersonate if kerberos isn't enabled
  if (!kerberosEnabled) {
    return caller;
  }
  // ... nor if the operation is in the system namespace
  if (NamespaceId.SYSTEM.equals(entityId.getNamespaceId())) {
    return caller;
  }

  ImpersonationRequest request = new ImpersonationRequest(entityId, impersonatedOpType);
  boolean callerIsMaster = caller.getShortUserName().equals(masterShortUsername);
  if (callerIsMaster) {
    return ugiProvider.getConfiguredUGI(request).getUGI();
  }

  // The current user is not the cdap master user, so some user is already being impersonated and a second
  // impersonation is not allowed. See CDAP-8641 and CDAP-13123.
  // Note that this is just a temporary fix and the impersonation model will need to be revisited.
  LOG.debug("Not impersonating for {} as the call is already impersonated as {}", request, caller);
  IMPERSONATION_FAILTURE_LOG.warn("Not impersonating for {} as the call is already impersonated as {}",
                                  request, caller);
  return caller;
}
}
/** * Get the profile id for the provided entity id from the resolved preferences from preference dataset, * if no profile is inside, it will return the default profile * * @param entityId entity id to lookup the profile id * @return the profile id which will be used by this entity id, default profile if not find */ // TODO: CDAP-13579 consider preference key starts with [scope].[name].system.profile.name private ProfileId getResolvedProfileId(EntityId entityId) { NamespaceId namespaceId = entityId.getEntityType().equals(EntityType.INSTANCE) ? NamespaceId.SYSTEM : ((NamespacedEntityId) entityId).getNamespaceId(); return SystemArguments.getProfileIdFromArgs( namespaceId, preferencesDataset.getResolvedPreferences(entityId)).orElse(ProfileId.NATIVE); }
/** * Get the profile id for the provided entity id from the resolved preferences from preference dataset, * if no profile is inside, it will return the default profile * * @param entityId entity id to lookup the profile id * @return the profile id which will be used by this entity id, default profile if not find */ // TODO: CDAP-13579 consider preference key starts with [scope].[name].system.profile.name private ProfileId getResolvedProfileId(EntityId entityId) { NamespaceId namespaceId = entityId.getEntityType().equals(EntityType.INSTANCE) ? NamespaceId.SYSTEM : ((NamespacedEntityId) entityId).getNamespaceId(); String profileName = preferencesDataset.getResolvedPreference(entityId, SystemArguments.PROFILE_NAME); return profileName == null ? ProfileId.NATIVE : ProfileId.fromScopedName(namespaceId, profileName); }
NamespaceId.SYSTEM : ((NamespacedEntityId) entityId).getNamespaceId();
NamespaceId.SYSTEM : ((NamespacedEntityId) entityId).getNamespaceId();
/**
 * Deletes the preferences stored for the given entity, all inside one call to {@code Transactionals.execute}.
 *
 * <p>The profile named by the old preferences is read before the delete. If there was one, its assignment
 * to the entity is removed and a profile un-assignment event is published.
 *
 * @param entityId the entity whose preferences are removed
 */
private void deleteConfig(EntityId entityId) {
  Transactionals.execute(transactional, context -> {
    PreferencesDataset preferences = PreferencesDataset.get(context, datasetFramework);
    Map<String, String> previousProperties = preferences.getPreferences(entityId);

    NamespaceId scopeNamespace;
    if (entityId.getEntityType().equals(EntityType.INSTANCE)) {
      scopeNamespace = NamespaceId.SYSTEM;
    } else {
      // Assumes every non-INSTANCE entity id is a NamespacedEntityId; the cast fails otherwise. TODO confirm.
      scopeNamespace = ((NamespacedEntityId) entityId).getNamespaceId();
    }

    // Resolve the old profile first; after the delete the properties that name it are gone.
    Optional<ProfileId> previousProfile = SystemArguments.getProfileIdFromArgs(scopeNamespace, previousProperties);
    preferences.deleteProperties(entityId);

    if (!previousProfile.isPresent()) {
      return;
    }
    // there were profile properties: remove the assignment and publish the message to update metadata
    ProfileDataset.get(context, datasetFramework).removeProfileAssignment(previousProfile.get(), entityId);
    adminEventPublisher.publishProfileUnAssignment(entityId);
  });
}
/**
 * Removes every preference stored for the given entity. The work runs inside a single
 * {@code Transactionals.execute} call.
 *
 * <p>Before deleting, the old preferences are inspected for a profile. When one is found, the profile's
 * assignment to the entity is dropped and an un-assignment event is published after the delete.
 *
 * @param entityId the entity whose preferences are removed
 */
private void deleteConfig(EntityId entityId) {
  Transactionals.execute(transactional, context -> {
    PreferencesDataset prefStore = PreferencesDataset.get(context, datasetFramework);
    Map<String, String> priorProps = prefStore.getPreferences(entityId);

    boolean instanceLevel = entityId.getEntityType().equals(EntityType.INSTANCE);
    // Assumes a non-INSTANCE entity id is always a NamespacedEntityId; the cast fails otherwise. TODO confirm.
    NamespaceId profileNamespace =
      instanceLevel ? NamespaceId.SYSTEM : ((NamespacedEntityId) entityId).getNamespaceId();

    // The profile must be captured now: the properties that name it are about to be deleted.
    Optional<ProfileId> priorProfile = SystemArguments.getProfileIdFromArgs(profileNamespace, priorProps);
    prefStore.deleteProperties(entityId);

    // if there is profile properties, publish the message to update metadata and remove the assignment
    if (priorProfile.isPresent()) {
      ProfileId assigned = priorProfile.get();
      ProfileDataset.get(context, datasetFramework).removeProfileAssignment(assigned, entityId);
      adminEventPublisher.publishProfileUnAssignment(entityId);
    }
  });
}
namespaceQueryAdmin.get(impersonationRequest.getEntityId().getNamespaceId()).getConfig(); if (!nsConfig.isExploreAsPrincipal()) { throw new FeatureDisabledException(FeatureDisabledException.Feature.EXPLORE,
/**
 * Resolves the principal and keytab to impersonate for the given entity.
 *
 * <p>The entity is first mapped through {@code getEffectiveEntity}. Unless the result is a namespace, the
 * owner store is consulted, and an owner found there takes precedence over the namespace principal. Its
 * keytab URI is derived from the principal by {@code SecurityUtil.getKeytabURIforPrincipal}.
 * Otherwise the principal and keytab URI of the namespace configuration are used.
 *
 * @param entityId the entity to resolve impersonation details for
 * @return the impersonation details, or {@code null} when neither an owner nor a namespace principal is
 *         configured; callers have to handle that case themselves
 * @throws IOException if a lookup made during resolution fails
 */
@Nullable
@Override
public ImpersonationInfo getImpersonationInfo(NamespacedEntityId entityId) throws IOException {
  NamespacedEntityId effectiveEntity = getEffectiveEntity(entityId);

  boolean isNamespaceItself = effectiveEntity.getEntityType().equals(EntityType.NAMESPACE);
  // A namespace entity skips the owner store and goes straight to the namespace configuration.
  KerberosPrincipalId effectiveOwner = isNamespaceItself ? null : ownerStore.getOwner(effectiveEntity);
  if (effectiveOwner != null) {
    return new ImpersonationInfo(effectiveOwner.getPrincipal(),
                                 SecurityUtil.getKeytabURIforPrincipal(effectiveOwner.getPrincipal(), cConf));
  }

  // (CDAP-8176) Since no owner was found for the entity return namespace principal if present.
  NamespaceConfig nsConfig = getNamespaceConfig(effectiveEntity.getNamespaceId());
  if (nsConfig.getPrincipal() == null) {
    return null;
  }
  return new ImpersonationInfo(nsConfig.getPrincipal(), nsConfig.getKeytabURI());
}