in storm-webapp/src/main/java/org/apache/storm/daemon/ui/filters/AuthorizedUserFilter.java [102:181]
public void filter(ContainerRequestContext containerRequestContext) {
AuthNimbusOp annotation = resourceInfo.getResourceMethod().getAnnotation(AuthNimbusOp.class);
if (annotation == null) {
return;
}
String op = annotation.value();
if (op == null) {
return;
}
Map topoConf = null;
if (annotation.needsTopoId()) {
final String topoId = containerRequestContext.getUriInfo().getPathParameters().get("id").get(0);
try (NimbusClient nimbusClient = NimbusClient.Builder.withConf(conf).build()) {
topoConf = (Map) JSONValue.parse(nimbusClient.getClient().getTopologyConf(topoId));
} catch (AuthorizationException ae) {
LOG.error("Nimbus isn't allowing {} to access the topology conf of {}. {}", ReqContext.context(), topoId, ae.get_msg());
containerRequestContext.abortWith(makeResponse(ae, containerRequestContext, 403));
return;
} catch (TException e) {
LOG.error("Unable to fetch topo conf for {} due to ", topoId, e);
containerRequestContext.abortWith(
makeResponse(new IOException("Unable to fetch topo conf for topo id " + topoId, e),
containerRequestContext, 500)
);
return;
}
}
ReqContext reqContext = ReqContext.context();
if (reqContext.isImpersonating()) {
if (uiImpersonationHandler != null) {
if (!uiImpersonationHandler.permit(reqContext, op, topoConf)) {
Principal realPrincipal = reqContext.realPrincipal();
Principal principal = reqContext.principal();
String user = "unknown";
if (principal != null) {
user = principal.getName();
}
String realUser = "unknown";
if (realPrincipal != null) {
realUser = realPrincipal.getName();
}
InetAddress remoteAddress = reqContext.remoteAddress();
containerRequestContext.abortWith(
makeResponse(new AuthorizationException(
"user '" + realUser + "' is not authorized to impersonate user '"
+ user + "' from host '" + remoteAddress.toString() + "'. Please"
+ "see SECURITY.MD to learn how to configure impersonation ACL."
), containerRequestContext, 401)
);
return;
}
LOG.warn(" principal {} is trying to impersonate {} but {} has no authorizer configured. "
+ "This is a potential security hole. Please see SECURITY.MD to learn how to "
+ "configure an impersonation authorizer.",
reqContext.realPrincipal().toString(), reqContext.principal().toString(),
conf.get(DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER));
}
}
if (uiAclHandler != null) {
if (!uiAclHandler.permit(reqContext, op, topoConf)) {
Principal principal = reqContext.principal();
String user = "unknown";
if (principal != null) {
user = principal.getName();
}
containerRequestContext.abortWith(
makeResponse(new AuthorizationException("UI request '" + op + "' for '"
+ user + "' user is not authorized"),
containerRequestContext, 403)
);
return;
}
}
}