/**
 * Verifies that {@code user} may act on {@code request} at the given {@code scope}, throwing
 * (via the group-based overload) rather than returning a result.
 *
 * <p>When {@code authEnabled} is false the method returns immediately, i.e. authorization is
 * fail-open by configuration. Otherwise the caller's authentication flag is handed to
 * {@link #checkForbidden} before any group is looked at. The write set is the request's owner
 * group unioned with its explicit read/write groups; the read-only set is the request's own
 * read-only groups, falling back to {@code defaultReadOnlyGroups} when none are declared.
 *
 * @param request the request being accessed
 * @param user    the caller
 * @param scope   the access level being requested
 */
public void checkForAuthorization(SingularityRequest request, SingularityUser user, SingularityAuthorizationScope scope) {
  if (!authEnabled) {
    // Authorization is switched off entirely: every caller passes.
    return;
  }
  checkForbidden(user.isAuthenticated(), "Not authenticated!");

  // Owner group plus any explicit read/write groups form the write set.
  final Set<String> ownerGroup = request.getGroup().asSet();
  final Set<String> explicitWriters = request.getReadWriteGroups().or(Collections.emptySet());
  final Set<String> writers = Sets.union(ownerGroup, explicitWriters);

  // Read-only groups default to the configured read-only groups when the request declares none.
  final Set<String> readers = request.getReadOnlyGroups().or(defaultReadOnlyGroups);

  checkForAuthorization(user, writers, readers, scope, Optional.of(request.getId()));
}
/**
 * Resolves the owning group of a request by id, enforcing READ access on whichever copy of the
 * request is found.
 *
 * <p>Lookup order: the live request from {@code requestManager}, then the most recent history
 * entry from {@code requestHistoryHelper}. A request known from neither source carries no group
 * information to authorize against, so only admins may query it.
 *
 * @param requestId id of the request whose group is wanted
 * @param user      the caller
 * @return the request's group, or absent when neither a live request nor a history record exists
 */
private Optional<String> getRequestGroup(final String requestId, SingularityUser user) {
  final Optional<SingularityRequestWithState> liveRequest = requestManager.getRequest(requestId);
  if (liveRequest.isPresent()) {
    final SingularityRequest request = liveRequest.get().getRequest();
    authorizationHelper.checkForAuthorization(request, user, SingularityAuthorizationScope.READ);
    return request.getGroup();
  }

  final Optional<SingularityRequestHistory> lastHistory = requestHistoryHelper.getLastHistory(requestId);
  if (lastHistory.isPresent()) {
    final SingularityRequest historicalRequest = lastHistory.get().getRequest();
    authorizationHelper.checkForAuthorization(historicalRequest, user, SingularityAuthorizationScope.READ);
    return historicalRequest.getGroup();
  }

  // Deleted requests with no history data are searchable, but only by admins since we have no
  // auth information about them.
  authorizationHelper.checkAdminAuthorization(user);
  return Optional.absent();
}
/**
 * Guards updates that move a request between ownership or read/write groups.
 *
 * <p>No-op when {@code authEnabled} is false. Otherwise the caller must be authenticated, and if
 * the update changes the owner group or the read/write group set, the caller must hold WRITE
 * access under both the stored definition and the proposed one.
 *
 * @param request    the proposed request definition
 * @param oldRequest the definition currently stored
 * @param user       the caller
 */
public void checkForAuthorizedChanges(SingularityRequest request, SingularityRequest oldRequest, SingularityUser user) {
  if (!authEnabled) {
    return;
  }
  checkForbidden(user.isAuthenticated(), "Not Authenticated!");

  // NOTE(review): only group and readWriteGroups are compared here; a change that touches
  // readOnlyGroups alone does not trigger the dual old/new check.
  final boolean groupsChanged = !oldRequest.getReadWriteGroups().equals(request.getReadWriteGroups())
      || !oldRequest.getGroup().equals(request.getGroup());
  if (!groupsChanged) {
    return;
  }

  // If group or readWriteGroups are changing, a user must be authorized for both the old and
  // new request groups.
  checkForAuthorization(oldRequest, user, SingularityAuthorizationScope.WRITE);
  checkForAuthorization(request, user, SingularityAuthorizationScope.WRITE);
}
/**
 * Resolves the owning group for a task, enforcing READ access on the request the task ran under.
 *
 * <p>Prefers the request definition captured in the task's history. When no history is available
 * it falls back to {@link #getRequestGroup} keyed by the task's request id, which applies its own
 * authorization rules.
 *
 * @param taskId the task whose request group is wanted
 * @param user   the caller
 * @return the group of the task's request, or whatever {@link #getRequestGroup} yields on fallback
 */
private Optional<String> getRequestGroupForTask(final SingularityTaskId taskId, SingularityUser user) {
  final Optional<SingularityTaskHistory> taskHistory = getTaskHistory(taskId, user);
  if (!taskHistory.isPresent()) {
    return getRequestGroup(taskId.getRequestId(), user);
  }
  final SingularityRequest request = taskHistory.get().getTask().getTaskRequest().getRequest();
  authorizationHelper.checkForAuthorization(request, user, SingularityAuthorizationScope.READ);
  return request.getGroup();
}
/**
 * Decides, without throwing, whether {@code user} holds {@code scope} on {@code request}.
 *
 * <p>Evaluation order:
 * <ol>
 *   <li>{@code authEnabled == false} grants everything.</li>
 *   <li>An unauthenticated user is denied.</li>
 *   <li>Membership in a non-empty {@code adminGroups} grants any scope.</li>
 *   <li>READ: read-only, read/write or JITA membership, plus {@code requiredGroups} if configured.</li>
 *   <li>WRITE: read/write or JITA membership, plus {@code requiredGroups} if configured.</li>
 *   <li>Any other scope value (including null) is denied.</li>
 * </ol>
 *
 * <p>Two fall-open cases are visible in the code: a request with neither an owner group nor
 * read/write groups treats every authenticated user as a read/write user, and an empty
 * {@code requiredGroups} imposes no additional membership requirement.
 *
 * @param request the request being accessed
 * @param user    the caller
 * @param scope   the access level being requested
 * @return true when access should be granted
 */
public boolean isAuthorizedForRequest(SingularityRequest request, SingularityUser user, SingularityAuthorizationScope scope) {
  if (!authEnabled) {
    return true; // no auth == no rules!
  }
  if (!user.isAuthenticated()) {
    return false;
  }

  final Set<String> memberOf = user.getGroups();
  final Set<String> writerGroups = Sets.union(
      request.getGroup().asSet(),
      request.getReadWriteGroups().or(Collections.<String>emptySet()));
  final Set<String> readerGroups = request.getReadOnlyGroups().or(defaultReadOnlyGroups);

  final boolean isAdmin = !adminGroups.isEmpty() && groupsIntersect(memberOf, adminGroups);
  final boolean isJita = !jitaGroups.isEmpty() && groupsIntersect(memberOf, jitaGroups);
  // A request with no owner group and no read/write groups is writable by any authenticated
  // user who passes the remaining checks.
  final boolean canWrite = writerGroups.isEmpty() || groupsIntersect(memberOf, writerGroups);
  final boolean canRead = groupsIntersect(memberOf, readerGroups)
      || (!globalReadOnlyGroups.isEmpty() && groupsIntersect(memberOf, globalReadOnlyGroups));
  final boolean meetsRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(memberOf, requiredGroups);

  if (isAdmin) {
    return true; // Admins Rule Everything Around Me
  }
  if (scope == SingularityAuthorizationScope.READ) {
    return (canRead || canWrite || isJita) && meetsRequiredGroups;
  }
  if (scope == SingularityAuthorizationScope.WRITE) {
    return (canWrite || isJita) && meetsRequiredGroups;
  }
  // Unknown or null scope: deny.
  return false;
}
if (task.getRequest().getGroup().isPresent() && configuration.getS3ConfigurationOptional().get().getGroupOverrides().containsKey(task.getRequest().getGroup().get())) { defaultS3Bucket = configuration.getS3ConfigurationOptional().get().getGroupOverrides().get(task.getRequest().getGroup().get()).getS3Bucket(); LOG.trace("Setting defaultS3Bucket to {} for task {} executorData", defaultS3Bucket, taskId.getId()); } else { configuration.getCustomExecutorConfiguration().getServiceLog(), configuration.getCustomExecutorConfiguration().getServiceFinishedTailLog(), task.getRequest().getGroup(), maybeS3StorageClass, maybeApplyAfterBytes, getCpuHardLimit(task), healthcheckOptions);
/**
 * Verifies that {@code user} may act on {@code request} at the given {@code scope}, throwing
 * (via the group-based overload) rather than returning a result.
 *
 * <p>When {@code authEnabled} is false the method returns immediately, i.e. authorization is
 * fail-open by configuration. Otherwise the caller's authentication flag is handed to
 * {@link #checkForbidden} before any group is looked at. The write set is the request's owner
 * group unioned with its explicit read/write groups; the read-only set is the request's own
 * read-only groups, falling back to {@code defaultReadOnlyGroups} when none are declared.
 *
 * @param request the request being accessed
 * @param user    the caller
 * @param scope   the access level being requested
 */
public void checkForAuthorization(SingularityRequest request, SingularityUser user, SingularityAuthorizationScope scope) {
  if (!authEnabled) {
    // Authorization is switched off entirely: every caller passes.
    return;
  }
  checkForbidden(user.isAuthenticated(), "Not authenticated!");

  // Owner group plus any explicit read/write groups form the write set.
  final Set<String> ownerGroup = request.getGroup().asSet();
  final Set<String> explicitWriters = request.getReadWriteGroups().or(Collections.emptySet());
  final Set<String> writers = Sets.union(ownerGroup, explicitWriters);

  // Read-only groups default to the configured read-only groups when the request declares none.
  final Set<String> readers = request.getReadOnlyGroups().or(defaultReadOnlyGroups);

  checkForAuthorization(user, writers, readers, scope, Optional.of(request.getId()));
}
/**
 * Resolves the owning group of a request by id, enforcing READ access on whichever copy of the
 * request is found.
 *
 * <p>Lookup order: the live request from {@code requestManager}, then the most recent history
 * entry from {@code requestHistoryHelper}. A request known from neither source carries no group
 * information to authorize against, so only admins may query it.
 *
 * @param requestId id of the request whose group is wanted
 * @param user      the caller
 * @return the request's group, or absent when neither a live request nor a history record exists
 */
private Optional<String> getRequestGroup(final String requestId, SingularityUser user) {
  final Optional<SingularityRequestWithState> liveRequest = requestManager.getRequest(requestId);
  if (liveRequest.isPresent()) {
    final SingularityRequest request = liveRequest.get().getRequest();
    authorizationHelper.checkForAuthorization(request, user, SingularityAuthorizationScope.READ);
    return request.getGroup();
  }

  final Optional<SingularityRequestHistory> lastHistory = requestHistoryHelper.getLastHistory(requestId);
  if (lastHistory.isPresent()) {
    final SingularityRequest historicalRequest = lastHistory.get().getRequest();
    authorizationHelper.checkForAuthorization(historicalRequest, user, SingularityAuthorizationScope.READ);
    return historicalRequest.getGroup();
  }

  // Deleted requests with no history data are searchable, but only by admins since we have no
  // auth information about them.
  authorizationHelper.checkAdminAuthorization(user);
  return Optional.absent();
}
/**
 * Guards updates that move a request between ownership or read/write groups.
 *
 * <p>No-op when {@code authEnabled} is false. Otherwise the caller must be authenticated, and if
 * the update changes the owner group or the read/write group set, the caller must hold WRITE
 * access under both the stored definition and the proposed one.
 *
 * @param request    the proposed request definition
 * @param oldRequest the definition currently stored
 * @param user       the caller
 */
public void checkForAuthorizedChanges(SingularityRequest request, SingularityRequest oldRequest, SingularityUser user) {
  if (!authEnabled) {
    return;
  }
  checkForbidden(user.isAuthenticated(), "Not Authenticated!");

  // NOTE(review): only group and readWriteGroups are compared here; a change that touches
  // readOnlyGroups alone does not trigger the dual old/new check.
  final boolean groupsChanged = !oldRequest.getReadWriteGroups().equals(request.getReadWriteGroups())
      || !oldRequest.getGroup().equals(request.getGroup());
  if (!groupsChanged) {
    return;
  }

  // If group or readWriteGroups are changing, a user must be authorized for both the old and
  // new request groups.
  checkForAuthorization(oldRequest, user, SingularityAuthorizationScope.WRITE);
  checkForAuthorization(request, user, SingularityAuthorizationScope.WRITE);
}
/**
 * Resolves the owning group for a task, enforcing READ access on the request the task ran under.
 *
 * <p>Prefers the request definition captured in the task's history. When no history is available
 * it falls back to {@link #getRequestGroup} keyed by the task's request id, which applies its own
 * authorization rules.
 *
 * @param taskId the task whose request group is wanted
 * @param user   the caller
 * @return the group of the task's request, or whatever {@link #getRequestGroup} yields on fallback
 */
private Optional<String> getRequestGroupForTask(final SingularityTaskId taskId, SingularityUser user) {
  final Optional<SingularityTaskHistory> taskHistory = getTaskHistory(taskId, user);
  if (!taskHistory.isPresent()) {
    return getRequestGroup(taskId.getRequestId(), user);
  }
  final SingularityRequest request = taskHistory.get().getTask().getTaskRequest().getRequest();
  authorizationHelper.checkForAuthorization(request, user, SingularityAuthorizationScope.READ);
  return request.getGroup();
}
/**
 * Decides, without throwing, whether {@code user} holds {@code scope} on {@code request}.
 *
 * <p>Evaluation order:
 * <ol>
 *   <li>{@code authEnabled == false} grants everything.</li>
 *   <li>An unauthenticated user is denied.</li>
 *   <li>Membership in a non-empty {@code adminGroups} grants any scope.</li>
 *   <li>READ: read-only, read/write or JITA membership, plus {@code requiredGroups} if configured.</li>
 *   <li>WRITE: read/write or JITA membership, plus {@code requiredGroups} if configured.</li>
 *   <li>Any other scope value (including null) is denied.</li>
 * </ol>
 *
 * <p>Two fall-open cases are visible in the code: a request with neither an owner group nor
 * read/write groups treats every authenticated user as a read/write user, and an empty
 * {@code requiredGroups} imposes no additional membership requirement.
 *
 * @param request the request being accessed
 * @param user    the caller
 * @param scope   the access level being requested
 * @return true when access should be granted
 */
public boolean isAuthorizedForRequest(SingularityRequest request, SingularityUser user, SingularityAuthorizationScope scope) {
  if (!authEnabled) {
    return true; // no auth == no rules!
  }
  if (!user.isAuthenticated()) {
    return false;
  }

  final Set<String> memberOf = user.getGroups();
  final Set<String> writerGroups = Sets.union(
      request.getGroup().asSet(),
      request.getReadWriteGroups().or(Collections.<String>emptySet()));
  final Set<String> readerGroups = request.getReadOnlyGroups().or(defaultReadOnlyGroups);

  final boolean isAdmin = !adminGroups.isEmpty() && groupsIntersect(memberOf, adminGroups);
  final boolean isJita = !jitaGroups.isEmpty() && groupsIntersect(memberOf, jitaGroups);
  // A request with no owner group and no read/write groups is writable by any authenticated
  // user who passes the remaining checks.
  final boolean canWrite = writerGroups.isEmpty() || groupsIntersect(memberOf, writerGroups);
  final boolean canRead = groupsIntersect(memberOf, readerGroups)
      || (!globalReadOnlyGroups.isEmpty() && groupsIntersect(memberOf, globalReadOnlyGroups));
  final boolean meetsRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(memberOf, requiredGroups);

  if (isAdmin) {
    return true; // Admins Rule Everything Around Me
  }
  if (scope == SingularityAuthorizationScope.READ) {
    return (canRead || canWrite || isJita) && meetsRequiredGroups;
  }
  if (scope == SingularityAuthorizationScope.WRITE) {
    return (canWrite || isJita) && meetsRequiredGroups;
  }
  // Unknown or null scope: deny.
  return false;
}
if (task.getRequest().getGroup().isPresent() && configuration.getS3ConfigurationOptional().get().getGroupOverrides().containsKey(task.getRequest().getGroup().get())) { defaultS3Bucket = configuration.getS3ConfigurationOptional().get().getGroupOverrides().get(task.getRequest().getGroup().get()).getS3Bucket(); LOG.trace("Setting defaultS3Bucket to {} for task {} executorData", defaultS3Bucket, taskId.getId()); } else { configuration.getCustomExecutorConfiguration().getServiceLog(), configuration.getCustomExecutorConfiguration().getServiceFinishedTailLog(), task.getRequest().getGroup(), maybeS3StorageClass, maybeApplyAfterBytes, getCpuHardLimit(task), healthcheckOptions);