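/**
 * Probes the iterator for a further entry and reports the outcome as a status code.
 *
 * <p>A denied probe is reported as a code instead of an exception, so the caller decides
 * whether a skipped entry is acceptable; the only trace of the denial is the warning below.
 *
 * @param statuses remote iterator over located file statuses
 * @return 1 if another entry is available, 0 if there is none, 2 if {@code hasNext()} was
 *     rejected with an AccessControlException
 * @throws IOException any other I/O failure raised by {@code hasNext()}
 */
private int hasNextCode(RemoteIterator<LocatedFileStatus> statuses) throws IOException {
  try {
    return statuses.hasNext() ? 1 : 0;
  } catch (AccessControlException e) {
    // Only the first line of the denial text is logged, which keeps the record on one line.
    // getMessage() may be null or contain no newline, so fall back to the whole text rather
    // than calling substring with an end index of -1.
    String message = String.valueOf(e.getMessage());
    int lineEnd = message.indexOf('\n');
    String firstLine = lineEnd >= 0 ? message.substring(0, lineEnd) : message;
    LOG.warn("Skipped file or directory because: " + firstLine);
    return 2;
  }
}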
/**
 * Runs the given callable and returns its result, translating an access denial into the
 * API-level exception type.
 *
 * <p>The caught AccessControlException is whichever class the file imports under that simple
 * name; it is rethrown as {@code org.pentaho.bigdata.api.hdfs.exceptions.AccessControlException}
 * with the same message and the original exception kept as the cause.
 *
 * @param ioExceptionCallable the operation to run
 * @param <T> result type of the operation
 * @return whatever the callable returns
 * @throws IOException as thrown by the callable, or the wrapped access denial
 */
private <T> T callAndWrapExceptions(IOExceptionCallable<T> ioExceptionCallable)
    throws IOException {
  final T result;
  try {
    result = ioExceptionCallable.call();
  } catch (AccessControlException denied) {
    throw new org.pentaho.bigdata.api.hdfs.exceptions.AccessControlException(
        denied.getMessage(), denied);
  }
  return result;
}
} catch (AccessControlException e) { if (!schemaConfig.getIgnoreAuthErrors()) { logger.debug(e.getMessage()); throw UserException.permissionError(e) .message("Not authorized to list or query tables in schema %s", tableSchemaPath) } catch (AccessControlException e) { if (!schemaConfig.getIgnoreAuthErrors()) { logger.debug(e.getMessage()); throw UserException.permissionError(e) .message("Not authorized to read view [%s] in schema %s", tableSchemaPath.get(tableSchemaPath.size() - 1), tableSchemaPath.subList(0, tableSchemaPath.size() - 1))
/**
 * Asserts that the permission checker built for {@code user} rejects {@code access} on
 * {@code path}, and that the rejection message names both the user and the parent of the path.
 *
 * @param user identity the check is performed for
 * @param path path to resolve and check
 * @param access the action expected to be denied
 * @throws IOException if resolving the path or checking fails for another reason
 */
private void assertPermissionDenied(UserGroupInformation user, String path, FsAction access)
    throws IOException {
  try {
    INodesInPath resolvedPath = dir.getINodesInPath(path, true);
    dir.getPermissionChecker(SUPERUSER, SUPERGROUP, user)
        .checkPermission(resolvedPath, false, null, null, access, null, false);
    // Reaching this line means the check let the request through.
    fail("expected AccessControlException for user + " + user + ", path = " + path
        + ", access = " + access);
  } catch (AccessControlException denied) {
    final String message = denied.getMessage();
    assertTrue("Permission denied messages must carry the username",
        message.contains(user.getUserName().toString()));
    assertTrue("Permission denied messages must carry the path parent",
        message.contains(new Path(path).getParent().toUri().getPath()));
  }
}
} catch (AccessControlException e) { if (!schemaConfig.getIgnoreAuthErrors()) { logger.debug(e.getMessage()); throw UserException.permissionError(e) .message("Not authorized to list or query tables in schema [%s]", getFullSchemaName())
/**
 * Collects the base names of the view definition files found at the configured location.
 *
 * <p>Failure handling differs by cause: an unsupported filesystem operation is logged at debug
 * level; an access denial is turned into a permission error unless
 * {@code schemaConfig.getIgnoreAuthErrors()} is set, in which case it is dropped without any
 * log entry; any other exception is logged as a warning. In every non-throwing case the names
 * gathered so far are returned, so an empty result does not by itself mean there are no views.
 *
 * @return the view names collected; possibly empty
 */
private Set<String> getViews() {
  final Set<String> viewNames = Sets.newHashSet();
  try {
    // View definitions are the files with the ".view.drill" extension.
    final List<DotDrillFile> viewFiles =
        DotDrillUtil.getDotDrills(getFS(), new Path(config.getLocation()), DotDrillType.VIEW);
    for (DotDrillFile viewFile : viewFiles) {
      viewNames.add(viewFile.getBaseName());
    }
  } catch (UnsupportedOperationException unsupported) {
    logger.debug("The filesystem for this workspace does not support this operation.",
        unsupported);
  } catch (AccessControlException denied) {
    if (!schemaConfig.getIgnoreAuthErrors()) {
      // The filesystem's own denial text goes to the debug log only; the message set on the
      // permission error names just the schema.
      logger.debug(denied.getMessage());
      throw UserException
          .permissionError(denied)
          .message("Not authorized to list view tables in schema [%s]", getFullSchemaName())
          .build(logger);
    }
  } catch (Exception other) {
    logger.warn("Failure while trying to list .view.drill files in workspace [{}]",
        getFullSchemaName(), other);
  }
  return viewNames;
}
throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex);
throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex);
/**
 * Checks {@code FileSystem.access} for USER1 on a directory created with mode 0774.
 *
 * <p>READ must be granted and READ_WRITE must be rejected with an AccessControlException whose
 * message contains the user name and the parent path. Going by the test name, USER1 is
 * expected to fall into the "others" permission class here; its identity is defined outside
 * this method.
 */
@Test
public void testAccessOthers() throws IOException, InterruptedException {
  FileSystem adminFs = FileSystem.get(conf);
  Path target = new Path("/p3");
  adminFs.mkdirs(target);
  adminFs.setPermission(target, new FsPermission((short) 0774));

  // Obtain the filesystem handle as USER1 so the access checks below run under that identity.
  fs = USER1.doAs(new PrivilegedExceptionAction<FileSystem>() {
    @Override
    public FileSystem run() throws Exception {
      return FileSystem.get(conf);
    }
  });

  fs.access(target, FsAction.READ);
  try {
    fs.access(target, FsAction.READ_WRITE);
    fail("The access call should have failed.");
  } catch (AccessControlException denied) {
    final String message = denied.getMessage();
    assertTrue("Permission denied messages must carry the username",
        message.contains(USER1_NAME));
    assertTrue("Permission denied messages must carry the path parent",
        message.contains(target.getParent().toUri().getPath()));
  }
}
/**
 * Checks {@code FileSystem.access} for USER1 on a directory with mode 0740 whose owner is the
 * current user and whose group is GROUP1_NAME.
 *
 * <p>READ must be granted and EXECUTE must be rejected with an AccessControlException whose
 * message contains the user name and the parent path. Going by the test name, USER1 is
 * expected to be a member of that group; the membership is set up outside this method.
 */
@Test
public void testAccessGroupMember() throws IOException, InterruptedException {
  FileSystem adminFs = FileSystem.get(conf);
  Path target = new Path("/p2");
  adminFs.mkdirs(target);
  String ownerName = UserGroupInformation.getCurrentUser().getShortUserName();
  adminFs.setOwner(target, ownerName, GROUP1_NAME);
  adminFs.setPermission(target, new FsPermission((short) 0740));

  // Obtain the filesystem handle as USER1 so the access checks below run under that identity.
  fs = USER1.doAs(new PrivilegedExceptionAction<FileSystem>() {
    @Override
    public FileSystem run() throws Exception {
      return FileSystem.get(conf);
    }
  });

  fs.access(target, FsAction.READ);
  try {
    fs.access(target, FsAction.EXECUTE);
    fail("The access call should have failed.");
  } catch (AccessControlException denied) {
    final String message = denied.getMessage();
    assertTrue("Permission denied messages must carry the username",
        message.contains(USER1_NAME));
    assertTrue("Permission denied messages must carry the path parent",
        message.contains(target.getParent().toUri().getPath()));
  }
}
throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex);
} catch (AccessControlException e) { assertTrue("Permission denied messages must carry file path", e.getMessage().contains(fpath.getName())); assertTrue("Permission denied messages must specify existing_file is not " + "a directory, when checked on /existing_file/non_existing_name", e.getMessage().contains("is not a directory")); assertFalse("Permission denied messages must not carry full file path," + "since the user does not have permission on /p4: " + e.getMessage(), e.getMessage().contains(fpath.getName())); assertFalse("Permission denied messages must not specify /p4" + " is not a directory: " + e.getMessage(), e.getMessage().contains("is not a directory"));
} catch (AccessControlException e) {
  // Builds an HTML error fragment for a denied job view and forwards it to the error page.
  // NOTE(review): the short user name, jobid and the exception message are concatenated into
  // markup as-is; no HTML escaping is visible in this fragment. Confirm that
  // JSPUtil.setErrorAndForward (or the page it forwards to) encodes these values before they
  // are rendered, and that the exception text does not reveal more than the viewer should see.
  String errMsg = "User " + ugi.getShortUserName() + " failed to view " + jobid + "!<br><br>" + e.getMessage() + "<hr><a href=\"jobtracker.jsp\">Go back to JobTracker</a><br>";
  JSPUtil.setErrorAndForward(errMsg, request, response);
/**
 * Walks the tree under {@code root} breadth-first and asserts that opening any non-directory
 * entry through the cluster's filesystem is rejected.
 *
 * <p>Each open must fail with an AccessControlException whose message contains
 * "superuser is not allowed to perform this operation"; a successful open or any other
 * exception type fails the test.
 * NOTE(review): if an open unexpectedly succeeds, the returned stream is not closed, and the
 * catch-all branch reports a fixed message without the exception it caught.
 *
 * @param cluster mini cluster whose filesystem is exercised
 * @param root directory (or file) at which the walk starts
 * @throws Exception on any failure while listing or stat-ing paths
 */
private void verifyFilesUnreadablebyHDFS(MiniDFSCluster cluster, Path root) throws Exception {
  final DistributedFileSystem fs = cluster.getFileSystem();
  final Queue<Path> pending = new LinkedList<>();
  pending.add(root);
  while (!pending.isEmpty()) {
    final Path current = pending.poll();
    final FileStatus status = fs.getFileStatus(current);
    if (status.isDirectory()) {
      // Directories are only expanded; their children are checked on later iterations.
      for (FileStatus child : fs.listStatus(current)) {
        pending.add(child.getPath());
      }
    } else {
      try {
        LOG.warn("\n\n ##Testing path [" + current + "]\n\n");
        fs.open(current);
        Assert.fail("Super user should not be able to read ["+ UserGroupInformation.getCurrentUser() + "] [" + current.getName() + "]");
      } catch (AccessControlException denied) {
        Assert.assertTrue(
            denied.getMessage().contains("superuser is not allowed to perform this operation"));
      } catch (Exception unexpected) {
        Assert.fail("Should get an AccessControlException here");
      }
    }
  }
}
/**
 * Walks the tree under {@code root} breadth-first and asserts that opening any non-directory
 * entry through the cluster's filesystem is rejected.
 *
 * <p>Each open must fail with an AccessControlException whose message contains
 * "superuser is not allowed to perform this operation"; a successful open or any other
 * exception type fails the test.
 * NOTE(review): if an open unexpectedly succeeds, the returned stream is not closed, and the
 * catch-all branch reports a fixed message without the exception it caught.
 *
 * @param cluster mini cluster whose filesystem is exercised
 * @param root directory (or file) at which the walk starts
 * @throws Exception on any failure while listing or stat-ing paths
 */
private void verifyFilesUnreadablebyHDFS(MiniDFSCluster cluster, Path root) throws Exception {
  final DistributedFileSystem fs = cluster.getFileSystem();
  final Queue<Path> pending = new LinkedList<>();
  pending.add(root);
  while (!pending.isEmpty()) {
    final Path current = pending.poll();
    final FileStatus status = fs.getFileStatus(current);
    if (status.isDirectory()) {
      // Directories are only expanded; their children are checked on later iterations.
      for (FileStatus child : fs.listStatus(current)) {
        pending.add(child.getPath());
      }
    } else {
      try {
        LOG.warn("\n\n ##Testing path [" + current + "]\n\n");
        fs.open(current);
        Assert.fail("Super user should not be able to read ["+ UserGroupInformation.getCurrentUser() + "] [" + current.getName() + "]");
      } catch (AccessControlException denied) {
        Assert.assertTrue(
            denied.getMessage().contains("superuser is not allowed to perform this operation"));
      } catch (Exception unexpected) {
        Assert.fail("Should get an AccessControlException here");
      }
    }
  }
}
} catch (AccessControlException e) { assertTrue("Permission denied messages must carry the username", e.getMessage().contains(USER1_NAME)); assertTrue("Permission denied messages must carry the path parent", e.getMessage().contains( p1.getParent().toUri().getPath()));
+ "<a href=\"jobhistory.jsp\">Go back to JobHistory</a><br>" + "<a href=\"jobtracker.jsp\">Go back to JobTracker</a>", user, jobid, e.getMessage()); JSPUtil.setErrorAndForward(errMsg, request, response); return null;
} catch (AccessControlException e) { if (!schemaConfig.getIgnoreAuthErrors()) { logger.debug(e.getMessage()); throw UserException.permissionError(e) .message("Not authorized to list or query tables in schema [%s]", getFullSchemaName()) } catch (AccessControlException e) { if (!schemaConfig.getIgnoreAuthErrors()) { logger.debug(e.getMessage()); throw UserException.permissionError(e) .message("Not authorized to read view [%s] in schema [%s]", tableName, getFullSchemaName())
return true; } catch (AccessControlException ex) { LOG.log(Level.SEVERE, "Permission denied:- {0}", ex.getMessage()); updateState(JobState.APP_MASTER_START_FAILED); return false;
/**
 * Asserts that requesting a delegation token over WebHDFS from the mini cluster built here is
 * rejected rather than silently succeeding.
 *
 * <p>The call must throw an AccessControlException whose message starts with
 * {@code WebHdfsFileSystem.CANT_FALLBACK_TO_INSECURE_MSG}. The cluster is started with zero
 * datanodes and is always shut down, whatever the outcome.
 */
@Test
public void testDTInInsecureCluster() throws Exception {
  final Configuration conf = WebHdfsTestUtil.createConf();
  MiniDFSCluster cluster = null;
  try {
    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(0).build();
    final FileSystem webHdfs =
        WebHdfsTestUtil.getWebHdfsFileSystem(conf, WebHdfsFileSystem.SCHEME);
    webHdfs.getDelegationToken(null);
    // A token was handed out: the expected rejection did not happen.
    fail("No exception is thrown.");
  } catch (AccessControlException denied) {
    final String message = denied.getMessage();
    Assert.assertTrue(message.startsWith(WebHdfsFileSystem.CANT_FALLBACK_TO_INSECURE_MSG));
  } finally {
    if (cluster != null) {
      cluster.shutdown();
    }
  }
}