Java Code Examples for org.elasticsearch.rest.RestStatus#FORBIDDEN

Example 1
Source File: AuthService.java — from Elasticsearch, Apache License 2.0
/**
 * Verifies that every address in {@code addrs} (the request's source and whatever proxy
 * hops the caller collected) is allowed for {@code user}.
 *
 * <p>A {@code user@addr} pair already marked in {@code userIpCache} is accepted without
 * consulting {@code ipWhiteList}; otherwise the address is tried against each whitelist
 * entry with {@code matchIP} and, on the first hit, recorded in the cache. An empty
 * {@code addrs} set yields {@code OK}, so the caller must always supply the source address.
 *
 * @return {@code OK} when all addresses pass; {@code UNAUTHORIZED} naming the first
 *     address that matched no whitelist entry; {@code FORBIDDEN} when the cache lookup or
 *     the matching throws (the check fails closed)
 */
public static AuthResult checkWhiteList(String user, Set<String> addrs, Set<String> ipWhiteList) {
    for (String addr : addrs) {
        String cacheKey = user + "@" + addr;
        try {
            if (userIpCache.get(cacheKey)) {
                continue; // pair was already verified against the whitelist
            }
            boolean permitted = false;
            for (String rule : ipWhiteList) {
                permitted = matchIP(addr, rule);
                if (permitted) {
                    userIpCache.put(cacheKey, true);
                    break;
                }
            }
            if (!permitted) {
                return new AuthResult(RestStatus.UNAUTHORIZED, "proxy or source address is not in whitelist: " + addr);
            }
        } catch (Exception e) {
            // Any failure here (cache loader, a null entry unboxed by the if, matchIP) denies
            // rather than allows; the original exception is not preserved in the result.
            return new AuthResult(RestStatus.FORBIDDEN, "load cache occurs exceptions");
        }
    }
    return new AuthResult(RestStatus.OK, null);
}
 
Example 2
Source File: RangerSecurityActionFilter.java — from ranger, Apache License 2.0
/**
 * Authorizes the calling user, if one is present in the thread context, against every index
 * the request touches before handing the request on to the next filter.
 *
 * <p>Only requests that carry a {@code UsernamePasswordToken.USERNAME} transient are checked;
 * a request without one is logged at debug level and proceeds unchecked, so this filter relies
 * on an upstream component having populated that transient for external callers.
 *
 * @throws ElasticsearchStatusException with {@link RestStatus#FORBIDDEN} for the first index
 *     on which {@code rangerElasticsearchAuthorizer} denies {@code action} to the user
 */
@Override
public <Request extends ActionRequest, Response extends ActionResponse> void apply(Task task, String action,
		Request request, ActionListener<Response> listener, ActionFilterChain<Request, Response> chain) {
	String user = threadContext.getTransient(UsernamePasswordToken.USERNAME);
	if (StringUtils.isEmpty(user)) {
		// No caller identity in the thread context: nothing to authorize at this layer.
		if (LOG.isDebugEnabled()) {
			LOG.debug("User is null, no check permission for elasticsearch do action[{}] with request[{}]", action,
					request);
		}
	} else {
		String clientIPAddress = threadContext.getTransient(RequestUtils.CLIENT_IP_ADDRESS);
		for (String index : RequestUtils.getIndexFromRequest(request)) {
			boolean permitted = rangerElasticsearchAuthorizer.checkPermission(user, null, index, action,
					clientIPAddress);
			if (!permitted) {
				// Stop at the first denied index; the exception carries the 403 to the client.
				String errorMsg = "Error: User[{}] could not do action[{}] on index[{}]";
				throw new ElasticsearchStatusException(errorMsg, RestStatus.FORBIDDEN, user, action, index);
			}
		}
	}
	chain.proceed(task, action, request, listener);
}
 
Example 3
Source File: AuthService.java — from Elasticsearch, Apache License 2.0
/**
 * Decides whether {@code userProperty} may perform {@code type} on {@code dbName.tableName}.
 *
 * <p>Decision order: a missing user is rejected, root is always allowed, a missing privilege
 * type is rejected, then the {@code sys} database gets its own black-list handling, then a
 * legacy rule for the super user in the root tenant, and finally the explicit db-level and
 * table-level privileges of the user are consulted.
 *
 * <p>Note that denials use {@code UNAUTHORIZED} (401) even though the user is known and the
 * decision is about permission; callers match on that status, so it is kept as is.
 *
 * @param userProperty the authenticated user, or {@code null} if none was resolved
 * @param dbName       database name; compared against {@code VirtualTableNames.sys}
 * @param tableName    table name within {@code dbName}
 * @param type         requested privilege, {@code READ_ONLY} or {@code READ_WRITE}
 * @return {@code OK} when allowed; {@code UNAUTHORIZED} with a reason when denied;
 *     {@code FORBIDDEN} when {@code type} is {@code null}
 */
public static AuthResult internalAuthenticate(final UserProperty userProperty, String dbName,
                                         String tableName, PrivilegeType type) {
    if (userProperty == null) {
        return new AuthResult(RestStatus.UNAUTHORIZED, "User may not exist.");
    }

    // root have all permission
    if (userProperty.getUsernameWithoutTenant().equals(UserProperty.ROOT_NAME)) {
        return new AuthResult(RestStatus.OK, null);
    }

    if (type == null) {
        return new AuthResult(RestStatus.FORBIDDEN, "PrivilegeType is null");
    }

    // check table black list
    String realTableName = dbName + "." + tableName;
    // only sys db should check superuser and ordinary user
    if (VirtualTableNames.sys.name().equals(dbName)) {
        if (type == PrivilegeType.READ_WRITE && TABLE_BLACK_LIST.contains(tableName)) {
            // only root have privilege to do write on tables in black list
            return new AuthResult(RestStatus.UNAUTHORIZED, "Only root have permission to WRITE on table: " + realTableName);
        } else if (userProperty.getUsernameWithoutTenant().equals(UserProperty.SUPER_USER_NAME) && !TABLE_BLACK_LIST.contains(tableName)) {
            // superuser have privilege on other tables in sys db
            return new AuthResult(RestStatus.OK, null);
        } else if (type == PrivilegeType.READ_ONLY) {
            // all user have permission to read cluster metadata
            return new AuthResult(RestStatus.OK, null);
        }
        // READ_WRITE on a non-black-listed sys table by a non-superuser is not decided here;
        // it falls through to the explicit privilege check below.
    }
    // if username is superuser and without tenant name then it has privileges on all tables
    // it is just to compatible to old privilege system
    // NOTE(review): if getTenantId() and ROOT_TENANT_ID are boxed Longs this `==` compares
    // references, not values — confirm both are primitives.
    if (userProperty.getUsernameWithoutTenant().equals(UserProperty.SUPER_USER_NAME) && userProperty.getTenantId() == TenantProperty.ROOT_TENANT_ID) {
        return new AuthResult(RestStatus.OK, null);
    }
    
    // for ordinary db, both superuser and ordinary user should check privilege 
    // Either map may lack the key, so both lookups may yield null and are null-checked below.
    Set<PrivilegeType> dbPrivileges = userProperty.getDbPrivileges().get(dbName);
    Set<PrivilegeType> tablePrivileges = userProperty.getTablePrivileges().get(realTableName);

    if (type == PrivilegeType.READ_ONLY) {
        // READ_WRITE implies READ_ONLY at both the db and the table level.
        if ((dbPrivileges != null && (dbPrivileges.contains(PrivilegeType.READ_ONLY)
                                    || dbPrivileges.contains(PrivilegeType.READ_WRITE)))
                || (tablePrivileges != null && (tablePrivileges.contains(PrivilegeType.READ_ONLY)
                                    || tablePrivileges.contains(PrivilegeType.READ_WRITE)))) {
            return new AuthResult(RestStatus.OK, null);
        }
    } else if ((dbPrivileges != null && dbPrivileges.contains(type))
            || (tablePrivileges != null && tablePrivileges.contains(type))) {
        return new AuthResult(RestStatus.OK, null);
    }
    String reason = userProperty.getUsernameWithTenant() 
            + " have no permission " + type.name() 
            + " on table: " + realTableName;
    return new AuthResult(RestStatus.UNAUTHORIZED, reason);
}
 
Example 4
Source File: TransportBaseSQLAction.java — from Elasticsearch, Apache License 2.0
/**
 * Wraps an arbitrary {@link java.lang.Throwable} in a {@link io.crate.action.sql.SQLActionException}
 * carrying a numeric error code and a {@link RestStatus}.
 *
 * <p>The throwable is first passed through {@code esToCrateException} so that Elasticsearch
 * exceptions become {@link io.crate.exceptions.CrateException}s. Error codes are then derived
 * per exception family (4000 validation/parsing, 4000 no-permission, 4030 forbidden, 4040
 * not-found, 4090 conflict, 5000 otherwise), offset by the exception's own
 * {@code errorCode()} for {@code CrateException}s. A {@code NoPermissionException} has its
 * stack trace cleared so that no frames are reported to the client. When the exception has
 * no message, the message is synthesised from the class name and the top stack frame of the
 * exception — or of its cause, for a {@code CrateException} that has one.
 *
 * @param e the failure to report; returned unchanged if it already is an {@code SQLActionException}
 * @return the exception to send back, always logged at error level first
 */
private SQLActionException buildSQLActionException(Throwable e) {
    logger.error("errors while processing sql", e);
    if (e instanceof SQLActionException) {
        return (SQLActionException) e;
    }
    Throwable failure = esToCrateException(e);

    int errorCode = 5000;
    RestStatus restStatus = RestStatus.INTERNAL_SERVER_ERROR;
    if (failure instanceof CrateException) {
        CrateException crateFailure = (CrateException) failure;
        if (failure instanceof ValidationException) {
            errorCode = 4000 + crateFailure.errorCode();
            restStatus = RestStatus.BAD_REQUEST;
        } else if (failure instanceof NoPermissionException) {
            errorCode = 4000 + crateFailure.errorCode();
            restStatus = RestStatus.UNAUTHORIZED;
            // Do not leak server-side frames to an unprivileged caller.
            failure.setStackTrace(new StackTraceElement[0]);
        } else if (failure instanceof ForbiddenException) {
            errorCode = 4030 + crateFailure.errorCode();
            restStatus = RestStatus.FORBIDDEN;
        } else if (failure instanceof ResourceUnknownException) {
            errorCode = 4040 + crateFailure.errorCode();
            restStatus = RestStatus.NOT_FOUND;
        } else if (failure instanceof ConflictException) {
            errorCode = 4090 + crateFailure.errorCode();
            restStatus = RestStatus.CONFLICT;
        } else if (failure instanceof UnhandledServerException) {
            errorCode = 5000 + crateFailure.errorCode();
        }
    } else if (failure instanceof ParsingException || failure instanceof MapperParsingException) {
        errorCode = 4000;
        restStatus = RestStatus.BAD_REQUEST;
    }

    String message = failure.getMessage();
    if (message != null) {
        message = failure.getClass().getSimpleName() + ": " + message;
    } else {
        if (failure instanceof CrateException && failure.getCause() != null) {
            failure = failure.getCause();   // the cause usually carries the more meaningful error
        }
        StackTraceElement[] frames = failure.getStackTrace();
        String kind = failure.getClass().getSimpleName();
        message = frames.length == 0
                ? "Error in " + kind
                : String.format(Locale.ENGLISH, "%s in %s", kind, frames[0]);
    }
    // Note: when the cause was substituted above, its stack trace is what gets reported.
    return new SQLActionException(message, errorCode, restStatus, failure.getStackTrace());
}
 
Example 5
Source File: IndexClosedException.java — from Elasticsearch, Apache License 2.0
/**
 * Maps this exception to the HTTP status reported to REST clients.
 *
 * @return {@link RestStatus#FORBIDDEN} (403) for every instance of this exception
 */
@Override
public RestStatus status() {
    return RestStatus.FORBIDDEN;
}