/**
 * Refuses every request for the complete set of system properties.
 *
 * <p>NOTE(review): presumably a member of a {@code java.lang.SecurityManager} subclass whose
 * header is outside this excerpt. {@code SecurityManager} is deprecated for removal since
 * Java 17 (JEP 411), so this kind of hook suits test fixtures on older JDKs rather than a
 * production sandbox.
 *
 * @throws AccessControlException always
 */
@Override
public void checkPropertiesAccess() {
    final String reason = "Not Allowed";
    throw new AccessControlException(reason);
}

// Annotation of the following method, which lies outside this excerpt.
@Override
/**
 * Denies wholesale access to the system properties.
 *
 * <p>The check is unconditional: nothing about the caller is inspected before the
 * exception is raised.
 *
 * @throws AccessControlException always
 */
@Override
public void checkPropertiesAccess() {
    // see http://download.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#getProperties()
    final String reason = "Accessing the system properties is disallowed";
    throw new AccessControlException(reason);
}

// Annotation of the following method, which lies outside this excerpt.
@Override
/**
 * Denies reads of one specific system property and lets every other key through.
 *
 * <p>Only {@code DISALLOWED_PROPERTY_NAME} is blocked. The method returns normally for any
 * other key (including {@code null}) and never delegates to the superclass, so this is a
 * single-entry deny list, not a general policy check.
 *
 * @param key name of the system property being read
 * @throws AccessControlException if {@code key} equals {@code DISALLOWED_PROPERTY_NAME}
 */
@Override
public void checkPropertyAccess(String key) {
    // see http://download.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#getProperty(java.lang.String)
    if (!DISALLOWED_PROPERTY_NAME.equals(key)) {
        return;
    }
    final String reason =
            String.format("Accessing the system property [%s] is disallowed", DISALLOWED_PROPERTY_NAME);
    throw new AccessControlException(reason);
}

// Annotation of the following method, which lies outside this excerpt.
@Override
/**
 * Re-expresses an arbitrary exception as an {@code AccessControlException}.
 *
 * <p>The new exception carries the same message as {@code e} and keeps {@code e} as its cause,
 * so the original stack trace is still available to whoever logs it.
 *
 * <p>NOTE(review): the message is copied verbatim; confirm what it can contain before it is
 * shown to an untrusted caller.
 *
 * @param e the failure to translate; must not be {@code null}
 * @return a new {@code AccessControlException} whose cause is {@code e}
 */
private static AccessControlException accessControlException(Exception e) {
    final AccessControlException translated = new AccessControlException(e.getMessage());
    // Attach the source failure explicitly; the constructor used here takes a message only.
    translated.initCause(e);
    return translated;
}
/**
 * Looks for a Hadoop access-control failure anywhere in the cause chain of {@code err}.
 *
 * <p>If one is found, returns a new {@code AccessControlException} that carries the message of
 * the matching link and has the original {@code err} as its cause. Otherwise returns
 * {@code err} unchanged. At most 20 links are inspected, which also bounds the walk if the
 * cause chain happens to be cyclic.
 *
 * @param err the failure to inspect
 * @return a wrapping {@code AccessControlException}, or {@code err} itself when no
 *     access-control failure is found within the depth limit
 */
private static Exception wrapAccessException(Exception err) {
    final int maxDepth = 20;
    Throwable cursor = err;
    int depth = 0;
    while (cursor != null && depth < maxDepth) {
        // fs.permission.AccessControlException removed by HADOOP-11356, but Hive users on older
        // Hadoop versions may still see this exception .. have to reference by name.
        final boolean isAccessFailure =
                cursor instanceof org.apache.hadoop.security.AccessControlException
                        || cursor.getClass().getName()
                                .equals("org.apache.hadoop.fs.permission.AccessControlException");
        if (isAccessFailure) {
            final Exception translated = new AccessControlException(cursor.getMessage());
            // The cause is the outermost exception, so the complete chain stays attached.
            translated.initCause(err);
            return translated;
        }
        cursor = cursor.getCause();
        depth++;
    }
    return err;
}
/**
 * Wraps the given exception in an {@code AccessControlException} with the same message.
 *
 * <p>The original exception is kept as the cause, so no diagnostic detail is dropped.
 *
 * <p>NOTE(review): the message text is reused as-is; check that it is safe to expose if this
 * exception can reach a remote client.
 *
 * @param e the exception to wrap; must not be {@code null}
 * @return the wrapping {@code AccessControlException}
 */
private static AccessControlException accessControlException(Exception e) {
    final String message = e.getMessage();
    final AccessControlException wrapper = new AccessControlException(message);
    wrapper.initCause(e);
    return wrapper;
}
/**
 * Verifies that the current caller may perform {@code jobOperation} on {@code job}.
 *
 * <p>The caller identity comes from {@code UserGroupInformation.getCurrentUser()} and the
 * decision is delegated to {@code job.checkAccess}. A denial surfaces as an
 * {@code IOException} whose cause is an {@code AccessControlException}; the message names the
 * caller's short user name, the operation and the job ID.
 *
 * @param job the job being accessed
 * @param jobOperation the ACL operation requested on the job
 * @throws IOException if the caller is not permitted, or if the current user cannot be
 *     determined
 */
private void checkAccess(Job job, JobACL jobOperation) throws IOException {
    final UserGroupInformation caller = UserGroupInformation.getCurrentUser();
    if (job.checkAccess(caller, jobOperation)) {
        return;
    }
    final String denial = "User " + caller.getShortUserName()
            + " cannot perform operation " + jobOperation.name()
            + " on " + job.getID();
    throw new IOException(new AccessControlException(denial));
}
/**
 * Blocks access to the whole system environment and permits everything else.
 *
 * <p>Only the permission named {@code "getenv.*"} is refused. Every other permission returns
 * normally and the superclass is never consulted, so this override is allow-by-default.
 *
 * <p>NOTE(review): presumably part of an anonymous {@code SecurityManager} whose header is
 * outside this excerpt. {@code SecurityManager} is deprecated for removal since Java 17
 * (JEP 411).
 *
 * @param perm the permission being checked
 * @throws AccessControlException if {@code perm} is named {@code "getenv.*"}
 */
@Override
public void checkPermission(Permission perm) {
    // Disallowing access to System#getenv means that our
    // ReadOnlySystemAttributesMap will come into play.
    final String requested = perm.getName();
    if (!"getenv.*".equals(requested)) {
        return;
    }
    throw new AccessControlException("Accessing the system environment is disallowed");
}
};
/**
 * Blocks reads of the system environment, both the whole map and one named variable.
 *
 * <p>Two permission names are refused: {@code "getenv.*"} and
 * {@code "getenv." + DISALLOWED_PROPERTY_NAME}. Any other permission returns normally and
 * the superclass is never consulted, so the override is allow-by-default.
 *
 * @param perm the permission being checked
 * @throws AccessControlException if {@code perm} names either of the two refused permissions
 */
@Override
public void checkPermission(Permission perm) {
    final String requested = perm.getName();

    // see http://download.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#getenv()
    if ("getenv.*".equals(requested)) {
        throw new AccessControlException("Accessing the system environment is disallowed");
    }

    // see http://download.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#getenv(java.lang.String)
    final String singleVariable = "getenv." + DISALLOWED_PROPERTY_NAME;
    if (singleVariable.equals(requested)) {
        final String reason = String.format(
                "Accessing the system environment variable [%s] is disallowed",
                DISALLOWED_PROPERTY_NAME);
        throw new AccessControlException(reason);
    }
}
};
/**
 * Blocks reads of the system environment as a whole and of the active-profiles variable.
 *
 * <p>Two permission names are refused: {@code "getenv.*"} and
 * {@code "getenv." + AbstractEnvironment.ACTIVE_PROFILES_PROPERTY_NAME}. Everything else
 * returns normally without consulting the superclass, so the override is allow-by-default.
 *
 * @param perm the permission being checked
 * @throws AccessControlException if {@code perm} names either of the two refused permissions
 */
@Override
public void checkPermission(Permission perm) {
    final String requested = perm.getName();

    // Disallowing access to System#getenv means that our
    // ReadOnlySystemAttributesMap will come into play.
    if ("getenv.*".equals(requested)) {
        throw new AccessControlException("Accessing the system environment is disallowed");
    }

    // Disallowing access to the spring.profiles.active property means that
    // the BeanDefinitionReader won't be able to determine which profiles are
    // active. We should see an INFO-level message in the console about this
    // and as a result, any components marked with a non-default profile will
    // be ignored.
    final String activeProfilesPermission =
            "getenv." + AbstractEnvironment.ACTIVE_PROFILES_PROPERTY_NAME;
    if (activeProfilesPermission.equals(requested)) {
        final String reason = format(
                "Accessing system environment variable [%s] is disallowed",
                AbstractEnvironment.ACTIVE_PROFILES_PROPERTY_NAME);
        throw new AccessControlException(reason);
    }
}
};
/**
 * Builds the {@code AccessControlException} reported when a permission check fails.
 *
 * <p>The message is formatted from {@code accessControlException$str()} in the logging locale
 * with {@code permission_}, {@code codeSource} and {@code classLoader} as arguments, and
 * {@code permission} is attached to the exception. The first stack frame is then removed
 * from the trace.
 *
 * <p>NOTE(review): the trim assumes the captured stack trace has at least one frame;
 * {@code Arrays.copyOfRange(frames, 1, 0)} would throw on an empty trace.
 *
 * @param permission the permission stored on the exception
 * @param permission_ the permission rendered into the message
 * @param codeSource the code source rendered into the message
 * @param classLoader the class loader rendered into the message
 * @return the populated exception, not yet thrown
 */
@Override
public final AccessControlException accessControlException(final Permission permission,
        final Permission permission_, final CodeSource codeSource, final ClassLoader classLoader) {
    final String message = String.format(
            getLoggingLocale(), accessControlException$str(), permission_, codeSource, classLoader);
    final AccessControlException ace = new AccessControlException(message, permission);
    final StackTraceElement[] frames = ace.getStackTrace();
    ace.setStackTrace(Arrays.copyOfRange(frames, 1, frames.length));
    return ace;
}

private static final String secMgrChange = "WFSM000002: Security manager may not be changed";
throw new AccessControlException("un-registered SDK app"); throw new AccessControlException("dom already exists and you're not among the owners");
@RequestMapping("/onAddIP4Dom") public String onAddIP4Dom(HttpServletRequest request) throws Exception { if (Switch.getDisableAddIP()) { throw new AccessControlException("Adding IP for dom is forbidden now.");
@RequestMapping("/onRemvIP4Dom") public void onRemvIP4Dom(HttpServletRequest request) throws Exception { if (Switch.getDisableAddIP()) { throw new AccessControlException("Deleting IP for dom is forbidden now.");
/**
 * Checks whether {@code user} may perform {@code action} on the file described by
 * {@code stat}, using only the owner/group/other bits of {@code stat.getPermission()}.
 *
 * <p>Evaluation order:
 * <ol>
 *   <li>If {@code groups} contains the configured super-group, access is granted and the
 *       grant is logged at INFO.</li>
 *   <li>If {@code user} is the file owner, only the owner bits decide.</li>
 *   <li>Otherwise, if {@code groups} contains the file's group, only the group bits decide.</li>
 *   <li>Otherwise the "other" bits decide.</li>
 * </ol>
 * Exactly one class of bits is consulted: an owner who is denied by the owner bits is not
 * retried against the group or other bits.
 *
 * <p>NOTE(review): {@code user} and {@code groups} are taken from the caller as given and
 * nothing here authenticates them. Nothing beyond the three permission classes is read from
 * {@code stat}, so extended ACL entries, if the file system has them, play no part in this
 * decision. Confirm both points against the callers.
 *
 * @param fs file system whose configuration supplies the super-group name
 * @param stat status of the path being checked
 * @param action the action requested
 * @param user name of the requesting user; must not be {@code null}
 * @param groups groups of the requesting user; {@code null} is treated as no groups
 * @throws IOException declared by the signature; not thrown directly by the code shown
 * @throws AccessControlException if the applicable permission bits do not imply {@code action}
 */
public static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action,
        String user, List<String> groups) throws IOException, AccessControlException {
    final List<String> effectiveGroups = (groups == null) ? emptyGroups : groups;

    final String superGroupName = getSuperGroupName(fs.getConf());
    if (userBelongsToSuperGroup(superGroupName, effectiveGroups)) {
        LOG.info("User \"" + user + "\" belongs to super-group \"" + superGroupName + "\". "
                + "Permission granted for action: " + action + ".");
        return;
    }

    final FsPermission permission = stat.getPermission();
    final String fileGroup = stat.getGroup();

    // Select the single permission class that applies to this caller.
    final FsAction allowed;
    if (user.equals(stat.getOwner())) {
        allowed = permission.getUserAction();
    } else if (effectiveGroups.contains(fileGroup)) {
        allowed = permission.getGroupAction();
    } else {
        allowed = permission.getOtherAction();
    }

    if (allowed.implies(action)) {
        return;
    }
    throw new AccessControlException("action " + action + " not permitted on path "
            + stat.getPath() + " for user " + user);
}
throw new AccessControlException("Adding IP for dom is forbidden now.");
} else { if (!hasPermission(project, user, Type.READ)) { throw new AccessControlException("No permission to view project " + projectName + ".");
} else { if (!hasPermission(project, user, Type.READ)) { throw new AccessControlException("No permission to view project " + projectName + ".");
} else { if (!hasPermission(project, user, Type.READ)) { throw new AccessControlException("No permission to view project " + projectName + ".");
throw new AccessControlException("No permission Project " + projectName + ".");