| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.oozie.service; |
| |
| import java.io.BufferedReader; |
| import java.io.File; |
| import java.io.FileInputStream; |
| import java.io.IOException; |
| import java.io.InputStreamReader; |
| import java.net.URI; |
| import java.nio.charset.StandardCharsets; |
| import java.util.HashSet; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Set; |
| import java.util.LinkedHashSet; |
| |
| import com.google.common.collect.Sets; |
| import org.apache.commons.io.FilenameUtils; |
| import org.apache.commons.lang3.StringUtils; |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.fs.FileSystem; |
| import org.apache.hadoop.fs.Path; |
| import org.apache.hadoop.security.AccessControlException; |
| import org.apache.oozie.BundleJobBean; |
| import org.apache.oozie.CoordinatorJobBean; |
| import org.apache.oozie.ErrorCode; |
| import org.apache.oozie.WorkflowJobBean; |
| import org.apache.oozie.client.XOozieClient; |
| import org.apache.oozie.executor.jpa.BundleJobGetJPAExecutor; |
| import org.apache.oozie.executor.jpa.CoordJobInfoGetJPAExecutor; |
| import org.apache.oozie.executor.jpa.BundleJobInfoGetJPAExecutor; |
| import org.apache.oozie.executor.jpa.WorkflowsJobGetJPAExecutor; |
| import org.apache.oozie.executor.jpa.CoordJobGetJPAExecutor; |
| import org.apache.oozie.executor.jpa.JPAExecutorException; |
| import org.apache.oozie.executor.jpa.WorkflowJobQueryExecutor; |
| import org.apache.oozie.executor.jpa.WorkflowJobQueryExecutor.WorkflowJobQuery; |
| import org.apache.oozie.util.ConfigUtils; |
| import org.apache.oozie.util.Instrumentation; |
| import org.apache.oozie.util.XLog; |
| |
| /** |
| * The authorization service provides all authorization checks. |
| */ |
| public class AuthorizationService implements Service { |
| |
| public static final String CONF_PREFIX = Service.CONF_PREFIX + "AuthorizationService."; |
| |
| /** |
| * Configuration parameter to enable or disable Oozie admin role. |
| */ |
| public static final String CONF_SECURITY_ENABLED = CONF_PREFIX + "security.enabled"; |
| |
| /** |
| * Configuration parameter to enable or disable Oozie admin role. |
| */ |
| public static final String CONF_AUTHORIZATION_ENABLED = CONF_PREFIX + "authorization.enabled"; |
| |
| /** |
| * Configuration parameter to enable old behavior default group as ACL. |
| */ |
| public static final String CONF_DEFAULT_GROUP_AS_ACL = CONF_PREFIX + "default.group.as.acl"; |
| |
| /** |
| * Configuration parameter to define admin groups, if NULL/empty the adminusers.txt file is used. |
| */ |
| public static final String CONF_ADMIN_GROUPS = CONF_PREFIX + "admin.groups"; |
| |
| public static final String CONF_SYSTEM_INFO_AUTHORIZED_USERS = CONF_PREFIX + "system.info.authorized.users"; |
| |
| /** |
| * Configuration parameter to define admin users in oozie-site.xml. |
| * These admin users shall be added to the admin users found in adminusers.txt |
| */ |
| public static final String CONF_ADMIN_USERS = CONF_PREFIX + "admin.users"; |
| |
| /** |
| * File that contains list of admin users for Oozie. |
| */ |
| public static final String ADMIN_USERS_FILE = "adminusers.txt"; |
| |
| protected static final String INSTRUMENTATION_GROUP = "authorization"; |
| protected static final String INSTR_FAILED_AUTH_COUNTER = "authorization.failed"; |
| |
| private Set<String> adminGroups; |
| private Set<String> adminUsers; |
| private Set<String> sysInfoAuthUsers; |
| private boolean authorizationEnabled; |
| private boolean useDefaultGroupAsAcl; |
| private boolean authorizedSystemInfo = false; |
| private final XLog log = XLog.getLog(getClass()); |
| private Instrumentation instrumentation; |
| |
| private String[] getTrimmedStrings(String str) { |
| if (null == str || "".equals(str.trim())) { |
| return new String[0]; |
| } |
| return str.trim().split("\\s*,\\s*"); |
| } |
| |
| /** |
| * Initialize the service. <p> Reads the security related configuration. parameters - security enabled and list of |
| * super users. |
| * |
| * @param services services instance. |
| * @throws ServiceException thrown if the service could not be initialized. |
| */ |
| public void init(Services services) throws ServiceException { |
| authorizationEnabled = |
| ConfigUtils.getWithDeprecatedCheck(services.getConf(), CONF_AUTHORIZATION_ENABLED, |
| CONF_SECURITY_ENABLED, false); |
| String systemInfoAuthUsers = ConfigurationService.get(CONF_SYSTEM_INFO_AUTHORIZED_USERS); |
| if (!StringUtils.isBlank(systemInfoAuthUsers)) { |
| authorizedSystemInfo = true; |
| sysInfoAuthUsers = new HashSet<>(); |
| for (String user : getTrimmedStrings(systemInfoAuthUsers)) { |
| sysInfoAuthUsers.add(user); |
| } |
| } |
| if (authorizationEnabled) { |
| log.info("Oozie running with authorization enabled"); |
| useDefaultGroupAsAcl = ConfigurationService.getBoolean(CONF_DEFAULT_GROUP_AS_ACL); |
| String[] str = getTrimmedStrings(Services.get().getConf().get(CONF_ADMIN_GROUPS)); |
| if (str.length > 0) { |
| log.info("Admin users will be checked against the defined admin groups"); |
| adminGroups = new HashSet<>(); |
| for (String s : str) { |
| adminGroups.add(s.trim()); |
| } |
| } |
| else { |
| log.info("Admin users will be checked against the 'adminusers.txt' file contents"); |
| adminUsers = new HashSet<>(); |
| loadAdminUsersFromFile(); |
| loadAdminUsersFromConfiguration(); |
| } |
| } |
| else { |
| log.warn("Oozie running with authorization disabled"); |
| } |
| instrumentation = Services.get().get(InstrumentationService.class).get(); |
| } |
| |
| /** |
| * Return if security is enabled or not. |
| * |
| * @return if security is enabled or not. |
| */ |
| @Deprecated |
| public boolean isSecurityEnabled() { |
| return authorizationEnabled; |
| } |
| |
| public boolean useDefaultGroupAsAcl() { |
| return useDefaultGroupAsAcl; |
| } |
| |
| /** |
| * Return if security is enabled or not. |
| * |
| * @return if security is enabled or not. |
| */ |
| public boolean isAuthorizationEnabled() { |
| return isSecurityEnabled(); |
| } |
| |
| /** |
| * Load the list of admin users from {@link AuthorizationService#ADMIN_USERS_FILE} </p> |
| * |
| * @throws ServiceException if the admin user list could not be loaded. |
| */ |
| private void loadAdminUsersFromFile() throws ServiceException { |
| String configDir = Services.get().get(ConfigurationService.class).getConfigDir(); |
| if (configDir != null) { |
| File file = new File(FilenameUtils.getFullPath(configDir)+FilenameUtils.getBaseName(configDir), |
| FilenameUtils.getName(ADMIN_USERS_FILE)); |
| if (file.exists()) { |
| try { |
| BufferedReader br = new BufferedReader( |
| new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8)); |
| try { |
| String line = br.readLine(); |
| while (line != null) { |
| line = line.trim(); |
| if (line.length() > 0 && !line.startsWith("#")) { |
| adminUsers.add(line); |
| } |
| line = br.readLine(); |
| } |
| } |
| catch (IOException ex) { |
| throw new ServiceException(ErrorCode.E0160, file.getAbsolutePath(), ex); |
| } |
| finally { |
| br.close(); |
| } |
| } |
| catch (IOException ex) { |
| throw new ServiceException(ErrorCode.E0160, file.getAbsolutePath(), ex); |
| } |
| } |
| else { |
| log.warn("Admin users file not available in config dir [{0}]", configDir); |
| } |
| } |
| else { |
| log.warn("Reading configuration from classpath, running without admin users"); |
| } |
| } |
| |
| private void loadAdminUsersFromConfiguration() { |
| LinkedHashSet<String> adminsFromOozieSite = Sets.newLinkedHashSet(); |
| adminsFromOozieSite.addAll(Services.get().get(ConfigurationService.class).getConf().getStringCollection(CONF_ADMIN_USERS)); |
| if (!adminsFromOozieSite.isEmpty()) { |
| log.info("{0} admin users found in oozie-site.xml", adminsFromOozieSite.size()); |
| adminUsers.addAll(adminsFromOozieSite); |
| } |
| } |
| |
| /** |
| * Destroy the service. <p> This implementation does a NOP. |
| */ |
| public void destroy() { |
| } |
| |
| /** |
| * Return the public interface of the service. |
| * |
| * @return {@link AuthorizationService}. |
| */ |
| public Class<? extends Service> getInterface() { |
| return AuthorizationService.class; |
| } |
| |
| /** |
| * Check if the user belongs to the group or not. |
| * |
| * @param user user name. |
| * @param group group name. |
| * @return if the user belongs to the group or not. |
| * @throws AuthorizationException thrown if the authorization query can not be performed. |
| */ |
| protected boolean isUserInGroup(String user, String group) throws AuthorizationException { |
| GroupsService groupsService = Services.get().get(GroupsService.class); |
| try { |
| return groupsService.getGroups(user).contains(group); |
| } |
| catch (IOException ex) { |
| throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex); |
| } |
| } |
| |
| /** |
| * Check if the user belongs to the group or not. <p> Subclasses should override the {@link #isUserInGroup} |
| * method. <p> |
| * |
| * @param user user name. |
| * @param group group name. |
| * @throws AuthorizationException thrown if the user is not authorized for the group or if the authorization query |
| * can not be performed. |
| */ |
| public void authorizeForGroup(String user, String group) throws AuthorizationException { |
| if (authorizationEnabled && !isUserInGroup(user, group)) { |
| throw new AuthorizationException(ErrorCode.E0502, user, group); |
| } |
| } |
| |
| /** |
| * Return the default group to which the user belongs. <p> This implementation always returns 'users'. |
| * |
| * @param user user name. |
| * @return default group of user. |
| * @throws AuthorizationException thrown if the default group con not be retrieved. |
| */ |
| public String getDefaultGroup(String user) throws AuthorizationException { |
| try { |
| return Services.get().get(GroupsService.class).getGroups(user).get(0); |
| } |
| catch (IOException ex) { |
| throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex); |
| } |
| } |
| |
| /** |
| * Check if the user has admin privileges. <p> If admin is disabled it returns always <code>true</code>. <p> If |
| * admin is enabled it returns <code>true</code> if the user is in the <code>adminusers.txt</code> file. |
| * |
| * @param user user name. |
| * @return if the user has admin privileges or not. |
| */ |
| protected boolean isAdmin(String user) { |
| boolean admin = false; |
| if (adminUsers != null) { |
| admin = adminUsers.contains(user); |
| } |
| else { |
| for (String adminGroup : adminGroups) { |
| try { |
| admin = isUserInGroup(user, adminGroup); |
| if (admin) { |
| break; |
| } |
| } |
| catch (AuthorizationException ex) { |
| log.warn("Admin check failed, " + ex.toString(), ex); |
| break; |
| } |
| } |
| } |
| return admin; |
| } |
| |
| /** |
| * Check if the user is authorized to access system information. |
| * |
| * @param user user name. |
| * @param proxyUser proxy user name. |
| * @throws AuthorizationException thrown if user does not have admin priviledges. |
| */ |
| public void authorizeForSystemInfo(String user, String proxyUser) throws AuthorizationException { |
| if (authorizationEnabled && authorizedSystemInfo && !(sysInfoAuthUsers.contains(user) || sysInfoAuthUsers |
| .contains(proxyUser) || isAdmin(user) || isAdmin(proxyUser))) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0503, user); |
| } |
| } |
| |
| /** |
| * Check if the user has admin privileges. <p> Subclasses should override the {@link #isUserInGroup} method. |
| * |
| * @param user user name. |
| * @param write indicates if the check is for read or write admin tasks (in this implementation this is ignored) |
| * @throws AuthorizationException thrown if user does not have admin privileges. |
| */ |
| public void authorizeForAdmin(String user, boolean write) throws AuthorizationException { |
| if (authorizationEnabled && write && !isAdmin(user)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0503, user); |
| } |
| } |
| |
| /** |
| * Check if the user+group is authorized to use the specified application. <p> The check is done by checking the |
| * file system permissions on the workflow application. |
| * |
| * @param user user name. |
| * @param group group name. |
| * @param appPath application path. |
| * @param jobConf job configuration |
| * @throws AuthorizationException thrown if the user is not authorized for the app. |
| */ |
| public void authorizeForApp(String user, String group, String appPath, Configuration jobConf) |
| throws AuthorizationException { |
| try { |
| HadoopAccessorService has = Services.get().get(HadoopAccessorService.class); |
| URI uri = new Path(appPath).toUri(); |
| Configuration fsConf = has.createConfiguration(uri.getAuthority()); |
| FileSystem fs = has.createFileSystem(user, uri, fsConf); |
| |
| Path path = new Path(appPath); |
| try { |
| if (!fs.exists(path)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0504, appPath); |
| } |
| Path wfXml = new Path(path, "workflow.xml"); |
| if (!fs.exists(wfXml)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0505, appPath); |
| } |
| if (!fs.isFile(wfXml)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0506, appPath); |
| } |
| fs.open(wfXml).close(); |
| } |
| catch (AccessControlException ex) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex); |
| } |
| } |
| catch (IOException ex) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex); |
| } |
| catch (HadoopAccessorException e) { |
| throw new AuthorizationException(e); |
| } |
| } |
| |
| /** |
| * Check if the user+group is authorized to use the specified application. <p> The check is done by checking the |
| * file system permissions on the workflow application. |
| * |
| * @param user user name. |
| * @param group group name. |
| * @param appPath application path. |
| * @param fileName workflow or coordinator.xml |
| * @param conf configuration |
| * @throws AuthorizationException thrown if the user is not authorized for the app. |
| */ |
| public void authorizeForApp(String user, String group, String appPath, String fileName, Configuration conf) |
| throws AuthorizationException { |
| try { |
| HadoopAccessorService has = Services.get().get(HadoopAccessorService.class); |
| URI uri = new Path(appPath).toUri(); |
| Configuration fsConf = has.createConfiguration(uri.getAuthority()); |
| FileSystem fs = has.createFileSystem(user, uri, fsConf); |
| |
| Path path = new Path(appPath); |
| try { |
| if (!fs.exists(path)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0504, appPath); |
| } |
| if (conf.get(XOozieClient.IS_PROXY_SUBMISSION) == null) { // Only further check existence of job definition |
| //files for non proxy submission jobs; |
| if (!fs.isFile(path)) { |
| Path appXml = new Path(path, fileName); |
| if (!fs.exists(appXml)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0505, appPath); |
| } |
| if (!fs.isFile(appXml)) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0506, appPath); |
| } |
| fs.open(appXml).close(); |
| } |
| } |
| } |
| catch (AccessControlException ex) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex); |
| } |
| } |
| catch (IOException ex) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex); |
| } |
| catch (HadoopAccessorException e) { |
| throw new AuthorizationException(e); |
| } |
| } |
| |
| private boolean isUserInAcl(String user, String aclStr) throws IOException { |
| boolean userInAcl = false; |
| if (aclStr != null && aclStr.trim().length() > 0) { |
| GroupsService groupsService = Services.get().get(GroupsService.class); |
| String[] acl = aclStr.split(","); |
| for (int i = 0; !userInAcl && i < acl.length; i++) { |
| String aclItem = acl[i].trim(); |
| userInAcl = aclItem.equals(user) || groupsService.getGroups(user).contains(aclItem); |
| } |
| } |
| return userInAcl; |
| } |
| |
| /** |
| * Check if the user+group is authorized to operate on the specified job. <p> Checks if the user is a super-user or |
| * the one who started the job. <p> Read operations are allowed to all users. |
| * |
| * @param user user name. |
| * @param jobId job id. |
| * @param write indicates if the check is for read or write job tasks. |
| * @throws AuthorizationException thrown if the user is not authorized for the job. |
| */ |
| public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException { |
| if (authorizationEnabled && write && !isAdmin(user)) { |
| try { |
| // handle workflow jobs |
| if (jobId.endsWith("-W")) { |
| WorkflowJobBean jobBean; |
| JPAService jpaService = Services.get().get(JPAService.class); |
| if (jpaService != null) { |
| try { |
| jobBean = WorkflowJobQueryExecutor.getInstance().get(WorkflowJobQuery.GET_WORKFLOW_USER_GROUP, jobId); |
| } |
| catch (JPAExecutorException je) { |
| throw new AuthorizationException(je); |
| } |
| } |
| else { |
| throw new AuthorizationException(ErrorCode.E0610); |
| } |
| if (jobBean != null && !jobBean.getUser().equals(user)) { |
| if (!isUserInAcl(user, jobBean.getGroup())) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0508, user, jobId); |
| } |
| } |
| } |
| // handle bundle jobs |
| else if (jobId.endsWith("-B")){ |
| BundleJobBean jobBean = null; |
| JPAService jpaService = Services.get().get(JPAService.class); |
| if (jpaService != null) { |
| try { |
| jobBean = jpaService.execute(new BundleJobGetJPAExecutor(jobId)); |
| } |
| catch (JPAExecutorException je) { |
| throw new AuthorizationException(je); |
| } |
| } |
| else { |
| throw new AuthorizationException(ErrorCode.E0610); |
| } |
| if (jobBean != null && !jobBean.getUser().equals(user)) { |
| if (!isUserInAcl(user, jobBean.getGroup())) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0509, user, jobId); |
| } |
| } |
| } |
| // handle coordinator jobs |
| else { |
| CoordinatorJobBean jobBean; |
| JPAService jpaService = Services.get().get(JPAService.class); |
| if (jpaService != null) { |
| try { |
| jobBean = jpaService.execute(new CoordJobGetJPAExecutor(jobId)); |
| } |
| catch (JPAExecutorException je) { |
| throw new AuthorizationException(je); |
| } |
| } |
| else { |
| throw new AuthorizationException(ErrorCode.E0610); |
| } |
| if (jobBean != null && !jobBean.getUser().equals(user)) { |
| if (!isUserInAcl(user, jobBean.getGroup())) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0509, user, jobId); |
| } |
| } |
| } |
| } |
| catch (IOException ex) { |
| throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex); |
| } |
| } |
| } |
| |
| /** |
| * Check if the user+group is authorized to operate on the specified jobs. <p> Checks if the user is a super-user or |
| * the one who started the jobs. <p> Read operations are allowed to all users. |
| * |
| * @param user user name. |
| * @param filter filter used to select jobs |
| * @param jobType job type |
| * @param start starting index of the jobs in DB |
| * @param len maximum amount of jobs to select |
| * @param write indicates if the check is for read or write job tasks. |
| * @throws AuthorizationException thrown if the user is not authorized for the job. |
| */ |
| public void authorizeForJobs(String user, Map<String, List<String>> filter, String jobType, |
| int start, int len, boolean write) throws AuthorizationException { |
| if (authorizationEnabled && write && !isAdmin(user)) { |
| try { |
| // handle workflow jobs |
| switch (jobType) { |
| case "wf": { |
| List<WorkflowJobBean> jobBeans; |
| JPAService jpaService = Services.get().get(JPAService.class); |
| if (jpaService != null) { |
| try { |
| jobBeans = jpaService.execute(new WorkflowsJobGetJPAExecutor( |
| filter, start, len)).getWorkflows(); |
| } catch (JPAExecutorException je) { |
| throw new AuthorizationException(je); |
| } |
| } else { |
| throw new AuthorizationException(ErrorCode.E0610); |
| } |
| for (WorkflowJobBean jobBean : jobBeans) { |
| if (jobBean != null && !jobBean.getUser().equals(user)) { |
| if (!isUserInAcl(user, jobBean.getGroup())) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0508, user, jobBean.getId()); |
| } |
| } |
| } |
| break; |
| } |
| // handle bundle jobs |
| case "bundle": { |
| List<BundleJobBean> jobBeans; |
| JPAService jpaService = Services.get().get(JPAService.class); |
| if (jpaService != null) { |
| try { |
| jobBeans = jpaService.execute(new BundleJobInfoGetJPAExecutor( |
| filter, start, len)).getBundleJobs(); |
| } catch (JPAExecutorException je) { |
| throw new AuthorizationException(je); |
| } |
| } else { |
| throw new AuthorizationException(ErrorCode.E0610); |
| } |
| for (BundleJobBean jobBean : jobBeans) { |
| if (jobBean != null && !jobBean.getUser().equals(user)) { |
| if (!isUserInAcl(user, jobBean.getGroup())) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0509, user, jobBean.getId()); |
| } |
| } |
| } |
| break; |
| } |
| // handle coordinator jobs |
| default: { |
| List<CoordinatorJobBean> jobBeans; |
| JPAService jpaService = Services.get().get(JPAService.class); |
| if (jpaService != null) { |
| try { |
| jobBeans = jpaService.execute(new CoordJobInfoGetJPAExecutor( |
| filter, start, len)).getCoordJobs(); |
| } catch (JPAExecutorException je) { |
| throw new AuthorizationException(je); |
| } |
| } else { |
| throw new AuthorizationException(ErrorCode.E0610); |
| } |
| for (CoordinatorJobBean jobBean : jobBeans) { |
| if (jobBean != null && !jobBean.getUser().equals(user)) { |
| if (!isUserInAcl(user, jobBean.getGroup())) { |
| incrCounter(INSTR_FAILED_AUTH_COUNTER, 1); |
| throw new AuthorizationException(ErrorCode.E0509, user, jobBean.getId()); |
| } |
| } |
| } |
| } |
| } |
| } |
| catch (IOException ex) { |
| throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex); |
| } |
| } |
| } |
| /** |
| * Convenience method for instrumentation counters. |
| * |
| * @param name counter name. |
| * @param count count to increment the counter. |
| */ |
| private void incrCounter(String name, int count) { |
| if (instrumentation != null) { |
| instrumentation.incr(INSTRUMENTATION_GROUP, name, count); |
| } |
| } |
| |
| public boolean isAuthorizedSystemInfo() { |
| return authorizedSystemInfo; |
| } |
| } |