/// <summary>
/// First Check if user is in ACL for the KMS operation, if yes, then
/// return true if user is not present in any configured blacklist for
/// the operation
/// </summary>
/// <param name="type">KMS Operation</param>
/// <param name="ugi">UserGroupInformation of user</param>
/// <returns>true is user has access</returns>
public virtual bool HasAccess(KMSACLs.Type type, UserGroupInformation ugi)
{
bool access = acls[type].IsUserAllowed(ugi);
if (access)
{
AccessControlList blacklist = blacklistedAcls[type];
access = (blacklist == null) || !blacklist.IsUserInList(ugi);
}
return(access);
}
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
public virtual void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi,
KMS.KMSOp operation, string key)
{
if (!KMSWebApp.GetACLs().HasAccess(aclType, ugi))
{
KMSWebApp.GetUnauthorizedCallsMeter().Mark();
KMSWebApp.GetKMSAudit().Unauthorized(ugi, operation, key);
throw new AuthorizationException(string.Format((key != null) ? UnauthorizedMsgWithKey
: UnauthorizedMsgWithoutKey, ugi.GetShortUserName(), operation, key));
}
}
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
private void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMS.KMSOp
operation, string key)
{
KMSWebApp.GetACLs().AssertAccess(aclType, ugi, operation, key);
}
