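/**
 * Writes the script file for {@code user} ({@code user + USER_FILE_SUFFIX} inside
 * {@code outputDirectory}): the create-user line, the user's authorizations, and one
 * line for every system, namespace and table permission the user currently holds.
 *
 * @param accumuloClient client whose security, namespace and table operations are queried
 * @param user the user whose configuration is exported
 * @param outputDirectory directory the script file is created in
 * @throws IOException if the script file cannot be created or written
 * @throws AccumuloException propagated from the Accumulo API calls
 * @throws AccumuloSecurityException propagated from the Accumulo API calls
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN",
    justification = "code runs in same security context as user who provided input")
private static void printUserConfiguration(AccumuloClient accumuloClient, String user,
    File outputDirectory) throws IOException, AccumuloException, AccumuloSecurityException {
  File userScript = new File(outputDirectory, user + USER_FILE_SUFFIX);
  // try-with-resources: the writer used to stay open (and the file partially written) when
  // any of the permission queries below threw. UTF-8 is fixed explicitly so user, namespace
  // and table names are written the same way regardless of the platform default charset.
  try (java.io.Writer userWriter = java.nio.file.Files.newBufferedWriter(userScript.toPath(),
      java.nio.charset.StandardCharsets.UTF_8)) {
    userWriter.write(createUserFormat.format(new String[] {user}));
    Authorizations auths = accumuloClient.securityOperations().getUserAuthorizations(user);
    userWriter.write(userAuthsFormat.format(new String[] {user, auths.toString()}));
    for (SystemPermission sp : SystemPermission.values()) {
      if (accumuloClient.securityOperations().hasSystemPermission(user, sp)) {
        userWriter.write(sysPermFormat.format(new String[] {sp.name(), user}));
      }
    }
    for (String namespace : accumuloClient.namespaceOperations().list()) {
      for (NamespacePermission np : NamespacePermission.values()) {
        if (accumuloClient.securityOperations().hasNamespacePermission(user, namespace, np)) {
          userWriter.write(nsPermFormat.format(new String[] {np.name(), namespace, user}));
        }
      }
    }
    for (String tableName : accumuloClient.tableOperations().list()) {
      for (TablePermission perm : TablePermission.values()) {
        if (accumuloClient.securityOperations().hasTablePermission(user, tableName, perm)) {
          userWriter.write(tablePermFormat.format(new String[] {perm.name(), tableName, user}));
        }
      }
    }
  }
}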
/**
 * Throws {@link IllegalStateException} if {@code user} holds any of the given system
 * permissions, as reported through {@code root_conn}.
 *
 * @param root_conn connection used to query the user's permissions
 * @param user the user being checked
 * @param perms permissions the user must not have
 */
private void verifyHasNoSystemPermissions(Connector root_conn, String user,
    SystemPermission... perms) throws AccumuloException, AccumuloSecurityException {
  for (SystemPermission forbidden : perms) {
    boolean held = root_conn.securityOperations().hasSystemPermission(user, forbidden);
    if (held) {
      throw new IllegalStateException(user + " SHOULD NOT have system permission " + forbidden);
    }
  }
}
/**
 * Checks every {@link SystemPermission}: the user must hold exactly those listed in
 * {@code perms} and none of the others, otherwise an {@link IllegalStateException} is thrown.
 *
 * @param root_conn connection used to query the user's permissions
 * @param user the user being checked
 * @param perms the complete set of permissions the user is expected to have
 */
private void verifyHasOnlyTheseSystemPermissions(Connector root_conn, String user,
    SystemPermission... perms) throws AccumuloException, AccumuloSecurityException {
  List<SystemPermission> expectedPerms = Arrays.asList(perms);
  for (SystemPermission candidate : SystemPermission.values()) {
    boolean expected = expectedPerms.contains(candidate);
    boolean actual = root_conn.securityOperations().hasSystemPermission(user, candidate);
    // A single comparison covers both "should have" and "should not have" cases;
    // the message keeps the original wording for each direction.
    if (expected != actual) {
      throw new IllegalStateException(user
          + (expected ? " SHOULD have system permission " : " SHOULD NOT have system permission ")
          + candidate);
    }
  }
}
for (SystemPermission p : SystemPermission.values()) { if (p != null && shellState.getAccumuloClient().securityOperations().hasSystemPermission(user, p)) { shellState.getReader().print(delim + "System." + p.name()); delim = ", ";
/**
 * Randomly grants or revokes one system permission for {@code userName}.
 * With a coin flip (and at least one grantable permission) a permission the user does not
 * yet hold is granted; GRANT is never chosen for granting. Otherwise, if the user holds any
 * permission, one of those is revoked.
 *
 * @param conn connection used to query and change permissions
 * @param rand source of randomness for the coin flip and the choice
 * @param userName the user whose permissions are changed
 */
private void changeSystemPermission(Connector conn, Random rand, String userName)
    throws AccumuloException, AccumuloSecurityException {
  // Snapshot the permissions the user holds right now.
  EnumSet<SystemPermission> held = EnumSet.noneOf(SystemPermission.class);
  for (SystemPermission candidate : SystemPermission.values()) {
    if (conn.securityOperations().hasSystemPermission(userName, candidate)) {
      held.add(candidate);
    }
  }
  // Everything not yet held, except GRANT, is eligible to be granted.
  EnumSet<SystemPermission> grantable = EnumSet.complementOf(held);
  grantable.remove(SystemPermission.GRANT);
  // The coin flip is always drawn, even when nothing is grantable.
  boolean doGrant = rand.nextBoolean() && !grantable.isEmpty();
  if (doGrant) {
    List<SystemPermission> pool = new ArrayList<>(grantable);
    SystemPermission choice = pool.get(rand.nextInt(pool.size()));
    log.debug("adding permission " + choice);
    conn.securityOperations().grantSystemPermission(userName, choice);
  } else if (!held.isEmpty()) {
    List<SystemPermission> pool = new ArrayList<>(held);
    SystemPermission choice = pool.get(rand.nextInt(pool.size()));
    log.debug("removing permission " + choice);
    conn.securityOperations().revokeSystemPermission(userName, choice);
  }
}
/**
 * Connects as {@code qualifiedUser1} (which, per the original note, creates the user
 * indirectly) and asserts that the new user holds no system permission at all.
 *
 * @return always {@code null}
 */
@Override
public Void run() throws Exception {
  // Indirectly creates this user when we use it
  Connector userConn = mac.getConnector(qualifiedUser1, new KerberosToken());
  log.info("Created connector as {}", qualifiedUser1);
  // The new user should have no system permissions
  for (SystemPermission candidate : SystemPermission.values()) {
    boolean held = userConn.securityOperations().hasSystemPermission(qualifiedUser1, candidate);
    assertFalse(held);
  }
  return null;
}
/**
 * Connects as {@code qualifiedUser1} (which, per the original note, creates the user
 * indirectly) and asserts that the new user holds no system permission at all.
 *
 * @return always {@code null}
 */
@Override
public Void run() throws Exception {
  // Indirectly creates this user when we use it
  Connector userConn = mac.getConnector(qualifiedUser1, new KerberosToken());
  log.info("Created connector as {}", qualifiedUser1);
  // The new user should have no system permissions
  for (SystemPermission candidate : SystemPermission.values()) {
    boolean held = userConn.securityOperations().hasSystemPermission(qualifiedUser1, candidate);
    assertFalse(held);
  }
  return null;
}
});
if (dice == 0) { log.debug("Checking systerm permission " + userName); conn.securityOperations().hasSystemPermission(userName, SystemPermission.values()[rand.nextInt(SystemPermission.values().length)]); } else if (dice == 1) {
if (!conn.securityOperations().hasSystemPermission(conn.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error(
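/**
 * Writes the script file for {@code user} ({@code user + USER_FILE_SUFFIX} inside
 * {@code outputDirectory}): the create-user line, the user's authorizations, and one
 * line for every system, namespace and table permission the user currently holds.
 *
 * @param connector connection whose security, namespace and table operations are queried
 * @param user the user whose configuration is exported
 * @param outputDirectory directory the script file is created in
 * @throws IOException if the script file cannot be created or written
 * @throws AccumuloException propagated from the Accumulo API calls
 * @throws AccumuloSecurityException propagated from the Accumulo API calls
 */
private static void printUserConfiguration(Connector connector, String user,
    File outputDirectory) throws IOException, AccumuloException, AccumuloSecurityException {
  File userScript = new File(outputDirectory, user + USER_FILE_SUFFIX);
  // try-with-resources: the writer used to stay open (and the file partially written) when
  // any of the permission queries below threw. UTF-8 is fixed explicitly so user, namespace
  // and table names are written the same way regardless of the platform default charset.
  try (java.io.Writer userWriter = java.nio.file.Files.newBufferedWriter(userScript.toPath(),
      java.nio.charset.StandardCharsets.UTF_8)) {
    userWriter.write(createUserFormat.format(new String[] {user}));
    Authorizations auths = connector.securityOperations().getUserAuthorizations(user);
    userWriter.write(userAuthsFormat.format(new String[] {user, auths.toString()}));
    for (SystemPermission sp : SystemPermission.values()) {
      if (connector.securityOperations().hasSystemPermission(user, sp)) {
        userWriter.write(sysPermFormat.format(new String[] {sp.name(), user}));
      }
    }
    for (String namespace : connector.namespaceOperations().list()) {
      for (NamespacePermission np : NamespacePermission.values()) {
        if (connector.securityOperations().hasNamespacePermission(user, namespace, np)) {
          userWriter.write(nsPermFormat.format(new String[] {np.name(), namespace, user}));
        }
      }
    }
    for (String tableName : connector.tableOperations().list()) {
      for (TablePermission perm : TablePermission.values()) {
        if (connector.securityOperations().hasTablePermission(user, tableName, perm)) {
          userWriter.write(tablePermFormat.format(new String[] {perm.name(), tableName, user}));
        }
      }
    }
  }
}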
/**
 * Thrift-facing check of whether {@code user} holds {@code perm}. The proxy enum is mapped
 * to the core {@link SystemPermission} by its numeric id before delegating to the
 * connector obtained for {@code login}. Any exception is passed to {@code handleException};
 * if that returns normally, {@code false} is reported.
 *
 * @param login opaque login token identifying the calling connector
 * @param user the user being checked
 * @param perm the proxy-side permission to test for
 * @return whether the user holds the permission, or {@code false} after a handled failure
 */
@Override
public boolean hasSystemPermission(ByteBuffer login, String user,
    org.apache.accumulo.proxy.thrift.SystemPermission perm)
    throws org.apache.accumulo.proxy.thrift.AccumuloException,
    org.apache.accumulo.proxy.thrift.AccumuloSecurityException, TException {
  try {
    // Connector is resolved first, then the permission id is translated (same order as before).
    return getConnector(login).securityOperations().hasSystemPermission(user,
        SystemPermission.getPermissionById((byte) perm.getValue()));
  } catch (Exception failure) {
    handleException(failure);
    return false;
  }
}
if (!client.securityOperations().hasSystemPermission(client.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error(
/**
 * Connects as {@code newQualifiedUser}, asserts the connector reports that principal,
 * that the new user holds no system permission, and that the local user list now equals
 * the previous users plus the new one.
 *
 * @return always {@code null}
 */
@Override
public Void run() throws Exception {
  Connector userConn = mac.getConnector(newQualifiedUser, new KerberosToken());
  log.info("Created connector as {}", newQualifiedUser);
  assertEquals(newQualifiedUser, userConn.whoami());
  // The new user should have no system permissions
  for (SystemPermission candidate : SystemPermission.values()) {
    boolean held = userConn.securityOperations().hasSystemPermission(newQualifiedUser, candidate);
    assertFalse(held);
  }
  users.add(newQualifiedUser);
  // Same users as before, plus the new user we just created
  assertEquals(users, userConn.securityOperations().listLocalUsers());
  return null;
}
if (!client.securityOperations().hasSystemPermission(client.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error(
if (!conn.securityOperations().hasSystemPermission(conn.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error(
if (!conn.securityOperations().hasSystemPermission(conn.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error(
SystemPermission[] allSystemPerms = SystemPermission.values(); for (SystemPermission next : allSystemPerms) { if (ops.hasSystemPermission(userName, next)) { systemPermissions.add(new datawave.webservice.response.objects.SystemPermission(next.name()));
/**
 * Connects as the root principal and asserts it holds every system permission and
 * ALTER_TABLE on both the root and metadata tables.
 *
 * @return always {@code null}
 */
@Override
public Void run() throws Exception {
  final Connector rootConn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
  // The "root" user should have all system permissions
  for (SystemPermission candidate : SystemPermission.values()) {
    boolean held = rootConn.securityOperations().hasSystemPermission(rootConn.whoami(), candidate);
    assertTrue("Expected user to have permission: " + candidate, held);
  }
  // and the ability to modify the root and metadata tables
  for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
    boolean canAlter = rootConn.securityOperations().hasTablePermission(rootConn.whoami(), table,
        TablePermission.ALTER_TABLE);
    assertTrue(canAlter);
  }
  return null;
}
});
if (hasPerm != conn.securityOperations().hasSystemPermission(targetUser, sysPerm)) throw new AccumuloException("Test framework and accumulo are out of sync!"); if (hasPerm)
for (SystemPermission p : SystemPermission.values()) { if (p != null && shellState.getConnector().securityOperations().hasSystemPermission(user, p)) { shellState.getReader().print(delim + "System." + p.name()); delim = ", ";