Example #1
  def filter_jobs(self, user, jobs, **kwargs):
    """Return the entries of ``jobs`` that ``user`` may see.

    If SHARE_JOBS is off and ``user`` is not an admin, only jobs whose
    ``user`` attribute equals ``user.username`` are kept. Otherwise every
    job passes. The result is whatever the builtin ``filter`` returns.
    """
    owner_only = not SHARE_JOBS.get() and not is_admin(user)

    def _is_visible(job):
      # The ownership comparison is only reached when owner_only is set and
      # the admin check fails.
      return not owner_only or is_admin(user) or job.user == user.username

    return filter(_is_visible, jobs)
Example #2
File: api.py Project: cloudera/hue
  def filter_jobs(self, user, jobs, **kwargs):
    """Filter ``jobs`` down to the ones visible to ``user``.

    Ownership is enforced only when job sharing (SHARE_JOBS) is disabled and
    ``user`` is not an admin; a job is then kept when ``job.user`` matches
    ``user.username``.
    """
    must_own = not SHARE_JOBS.get() and not is_admin(user)
    return filter(
      lambda job: (not must_own) or is_admin(user) or (job.user == user.username),
      jobs,
    )
Example #3
 def get_owner_search_collections(self):
   """Return the search dashboards this user may manage.

   Admins get every search dashboard; other users only those they own.
   With USE_NEW_EDITOR on, the Document2 queryset is returned as is. With it
   off, the content objects of the matching Document rows are returned as a
   list, ordered by descending id.
   """
   if USE_NEW_EDITOR.get():
     criteria = {'type': 'search-dashboard'}
     if not is_admin(self.user):
       # Non-admins are limited to the dashboards they own.
       criteria['owner'] = self.user
     return Document2.objects.filter(**criteria)

   criteria = {'extra': 'search-dashboard'}
   if not is_admin(self.user):
     criteria['owner'] = self.user
   legacy_docs = Document.objects.filter(**criteria)
   return [d.content_object for d in legacy_docs.order_by('-id')]
Example #4
def log_view(request):
    """
    Show the log history kept by the in-memory log handler.

    Admin only: other users get a plain "You must be a superuser." response.
    The root logger's handlers are searched for a FixedBufferHandler, and the
    first one found has its buffer rendered through ``logs.mako`` together
    with the ``q`` query-string value. If none is attached, the page is
    rendered with a single "No logs found!" entry instead.
    """
    # NOTE(review): the denial is a plain HttpResponse, so it carries the
    # default status code rather than 403.
    if not is_admin(request.user):
        return HttpResponse(_("You must be a superuser."))

    hostname = socket.gethostname()
    buffer_handler = next(
        (candidate for candidate in logging.getLogger().handlers
         if isinstance(candidate, desktop.log.log_buffer.FixedBufferHandler)),
        None)

    if buffer_handler is None:
        context = dict(log=[_("No logs found!")],
                       query='',
                       hostname=hostname,
                       is_embeddable=request.GET.get('is_embeddable', False))
    else:
        # NOTE(review): "q" is passed to the template as received; escaping
        # depends on logs.mako, which is not visible here.
        context = dict(log=list(buffer_handler.buf),
                       query=request.GET.get("q", ""),
                       hostname=hostname,
                       is_embeddable=request.GET.get('is_embeddable', False))

    return render('logs.mako', request, context)
Example #5
def share_document(request):
    """
    Set which users and groups may interact with a document.

    Reads ``uuid`` and ``data`` from the POST body, both JSON-encoded.
    ``data`` maps a permission name to the ids it applies to, for example:
    {'read': {'user_ids': [1, 2, 3], 'group_ids': [1, 2, 3]}}

    Answers with a 403 page when sharing is disabled (ENABLE_SHARING) and the
    requester is not an admin. Raises PopupException when either POST field
    is missing.
    """
    if not (is_admin(request.user) or ENABLE_SHARING.get()):
        return serve_403_error(request)

    raw_uuid = request.POST.get('uuid')
    raw_perms = request.POST.get('data')
    if not raw_uuid or not raw_perms:
        raise PopupException(_('share_document requires uuid and perms_dict'))

    # Both fields are client-supplied JSON. Nothing here validates their
    # shape before the loop below calls .items() / .get() on them.
    perms_dict = json.loads(raw_perms)
    uuid = json.loads(raw_uuid)

    # NOTE(review): the lookup is scoped to the requesting user. Whether it,
    # or doc.share(), requires more than read access is not visible here.
    # Confirm that a reader cannot re-share a document.
    doc = Document2.objects.get_by_uuid(user=request.user, uuid=uuid)

    for name, perm in perms_dict.items():
        user_ids = perm.get('user_ids')
        group_ids = perm.get('group_ids')
        users = User.objects.in_bulk(user_ids) if user_ids else []
        groups = Group.objects.in_bulk(group_ids) if group_ids else []

        doc = doc.share(request.user, name=name, users=users, groups=groups)

    return JsonResponse({'status': 0, 'document': doc.to_dict()})
Example #6
def _check_permission(request, owner_name, error_msg, allow_root=False):
  """Raise PopupException unless the requester may modify the design.

  The owner (``request.user.username == owner_name``) always passes. An
  admin passes only when ``allow_root`` is true. Every refusal is recorded
  with ``access_warn`` using ``error_msg`` before the exception is raised.
  """
  if request.user.username == owner_name:
    return
  if allow_root and is_admin(request.user):
    return
  access_warn(request, error_msg)
  raise PopupException(_("Permission denied. You are not the owner."))
Example #7
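def memory(request):
    """Show a view of the memory profiler's heap as plain text. Useful for debugging.

    Admin only, and only when ``settings.MEMORY_PROFILER`` is configured.
    Query-string keys of the form ``<command>.<n>`` build step ``n`` of a
    walk over the heap object. ``<command>`` is one of ``type`` (attribute to
    follow), ``from``/``to`` (slice bounds) or ``index``. Keys with any other
    command name are ignored.
    """
    if not is_admin(request.user):
        return HttpResponse(_("You must be a superuser."))

    if not hasattr(settings, 'MEMORY_PROFILER'):
        return HttpResponse(
            _("You must enable the memory profiler via the memory_profiler config in the hue.ini."
              ))

    # type, from, to, index
    command_order = {'type': 0, 'from': 1, 'to': 2, 'index': 3}
    default_command = [None, None, None, None]
    commands = []

    for item in request.GET:
        res = re.match(r'(?P<command>\w+)\.(?P<count>\d+)', item)
        if not res:
            continue
        slot = command_order.get(res.group('command'))
        if slot is None:
            # An unrecognised command name would index the step with None and
            # raise TypeError (a server error), so skip the key instead.
            continue
        count = int(res.group('count'))
        # NOTE(review): the step number comes from the query string and is
        # unbounded, so one large value makes this loop allocate that many
        # placeholder steps. Consider capping it.
        while len(commands) <= count:
            commands.append(default_command[:])
        commands[count][slot] = request.GET.get(item)

    heap = settings.MEMORY_PROFILER.heap()
    for command in commands:
        if command[0] is not None:
            # NOTE(review): the attribute name is taken verbatim from the
            # request, so any attribute of the heap object is reachable,
            # underscore-prefixed ones included. The admin check above is the
            # only gate. Consider an allowlist of the intended views.
            heap = getattr(heap, command[0])
        if command[1] is not None and command[2] is not None:
            heap = heap[int(command[1]):int(command[2])]
        if command[3] is not None:
            heap = heap[int(command[3])]
    return HttpResponse(str(heap), content_type="text/plain")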
Example #8
def _check_permission(request, owner_name, error_msg, allow_root=False):
  """Raise PopupException if the requester is not allowed to modify the design.

  Allowed: the owner named by ``owner_name``, plus admins when ``allow_root``
  is set. Anyone else triggers an ``access_warn`` entry carrying
  ``error_msg`` and then the exception.
  """
  is_owner = request.user.username == owner_name
  if is_owner or (allow_root and is_admin(request.user)):
    return

  access_warn(request, error_msg)
  raise PopupException(_("Permission denied. You are not the owner."))
Example #9
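  def clean(self):
    """Apply the idle-account expiry policy, then authenticate.

    When ``conf.AUTH.EXPIRES_AFTER`` is greater than -1, an active account
    whose last login is older than that many seconds is deactivated. Admin
    accounts are only deactivated when ``conf.AUTH.EXPIRE_SUPERUSERS`` is
    set. A deactivated account gets a ValidationError instead of a login
    attempt. Unknown usernames skip the policy and go on to
    ``self.authenticate()``.
    """
    if conf.AUTH.EXPIRES_AFTER.get() > -1:
      try:
        user = User.objects.get(username=self.cleaned_data.get('username'))

        expires_delta = datetime.timedelta(seconds=conf.AUTH.EXPIRES_AFTER.get())
        # last_login is empty for an account that has never logged in. Adding
        # a timedelta to it would raise TypeError, so such accounts are
        # skipped here.
        if user.is_active and user.last_login and user.last_login + expires_delta < datetime.datetime.now():
          INACTIVE_EXPIRATION_DELTA = datetime.timedelta(days=365)
          # Admin accounts expire only when EXPIRE_SUPERUSERS is enabled.
          if not is_admin(user) or conf.AUTH.EXPIRE_SUPERUSERS.get():
            user.is_active = False
            user.last_login = datetime.datetime.now() + INACTIVE_EXPIRATION_DELTA
            user.save()

        # NOTE(review): this runs before self.authenticate(), so the
        # "deactivated" message is returned for a matching username whether
        # or not the submitted password is correct.
        if not user.is_active:
          if settings.ADMINS:
            # NOTE(review): the address is interpolated into markup handed to
            # mark_safe without escaping. It comes from settings.ADMINS, not
            # from the request.
            raise ValidationError(mark_safe(_("Account deactivated. Please contact an <a href=\"mailto:%s\">administrator</a>.") % settings.ADMINS[0][1]))
          else:
            raise ValidationError(self.error_messages['inactive'])
      except User.DoesNotExist:
        # Skip because we couldn't find a user for that username.
        # This means the user managed to get their username wrong.
        pass

    return self.authenticate()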
Example #10
File: forms.py Project: ranade1/hue
  def clean(self):
    """Enforce account expiry for idle users before authenticating.

    With ``conf.AUTH.EXPIRES_AFTER`` above -1, an active account that has a
    recorded last login older than that many seconds is deactivated. Admins
    are exempt unless ``conf.AUTH.EXPIRE_SUPERUSERS`` is on. Inactive
    accounts are rejected with a ValidationError. Usernames that match no
    account fall through to ``self.authenticate()``.
    """
    if conf.AUTH.EXPIRES_AFTER.get() > -1:
      try:
        user = User.objects.get(username=self.cleaned_data.get('username'))

        expires_delta = datetime.timedelta(seconds=conf.AUTH.EXPIRES_AFTER.get())
        login_expired = (
          user.is_active and user.last_login and
          user.last_login + expires_delta < datetime.datetime.now()
        )
        if login_expired:
          INACTIVE_EXPIRATION_DELTA = datetime.timedelta(days=365)
          exempt = is_admin(user) and not conf.AUTH.EXPIRE_SUPERUSERS.get()
          if not exempt:
            user.is_active = False
            user.last_login = datetime.datetime.now() + INACTIVE_EXPIRATION_DELTA
            user.save()

        # NOTE(review): this is evaluated before the password is checked, so
        # the response tells the caller whether a username is deactivated.
        if not user.is_active:
          if not settings.ADMINS:
            raise ValidationError(self.error_messages['inactive'])
          raise ValidationError(mark_safe(_("Account deactivated. Please contact an <a href=\"mailto:%s\">administrator</a>.") % settings.ADMINS[0][1]))
      except User.DoesNotExist:
        # No account with that username: nothing to expire, let
        # authentication report the failure.
        pass

    return self.authenticate()
Example #11
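  def close_session(self, session):
    """Close the query-server session described by ``session`` and report the outcome.

    ``session`` is a dict with ``type`` (application name), ``id`` and
    optionally ``sourceMethod``. Without an id, the current user's session
    for the application is looked up and closed. With an id, the stored
    session must match it and, for non-admins, be owned by the current user.

    Returns a dict with ``status`` (0 on success, -1 otherwise), ``message``
    and, on success, a ``session`` summary.
    """
    app_name = session.get('type')
    session_id = session.get('id')
    source_method = session.get("sourceMethod")

    # The database record is kept apart from the caller-supplied ``session``
    # dict. If the two shared a name, a failed lookup would leave the dict in
    # place, the truthiness test below would pass, and the close call would
    # receive request data instead of a record the user may close.
    session_record = None

    if not session_id:
      session_record = Session.objects.get_session(self.user, application=app_name)
      decoded_guid = session_record.get_handle().sessionId.guid
      session_decoded_id = unpack_guid(decoded_guid)
      if source_method == "dt_logout":
        LOG.debug("Closing Impala session id %s on logout for user %s" % (session_decoded_id, self.user.username))

    query_server = get_query_server_config(name=app_name)

    response = {'status': -1, 'message': ''}

    try:
      filters = {'id': session_id, 'application': query_server['server_name']}
      if not is_admin(self.user):
        # Non-admins can only match sessions they own.
        filters['owner'] = self.user
      session_record = Session.objects.get(**filters)
    except Session.DoesNotExist:
      response['message'] = _('Session does not exist or you do not have permissions to close the session.')

    if session_record:
      closed = dbms.get(self.user, query_server).close_session(session_record)
      response['status'] = 0
      response['message'] = _('Session successfully closed.')
      response['session'] = {'id': session_id, 'application': closed.application, 'status': closed.status_code}

    return response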
Example #12
 def decorate(request, *args, **kwargs):
     """Call the wrapped view unless the user is barred from the Oozie Editor.

     A non-admin holding the ``disable_editor_access`` permission on the
     ``oozie`` app gets a PopupException with error_code 401. Admins are
     never blocked by that permission.
     """
     editor_disabled = (
         not is_admin(request.user)
         and request.user.has_hue_permission(
             action="disable_editor_access", app="oozie"))
     if editor_disabled:
         raise PopupException(
             _('Missing permission to access the Oozie Editor'),
             error_code=401)
     return view_func(request, *args, **kwargs)
Example #13
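def upload_history(request):
  """Upload query history to the optimizer service. Admins only.

  With ``sourcePlatform`` in the POST body, up to ``n`` of the requesting
  user's history entries for that platform are uploaded. ``n`` is capped by
  ``OPTIMIZER.QUERY_HISTORY_UPLOAD_LIMIT``. Otherwise, when that limit is
  positive, the most recently modified hive and impala history documents are
  uploaded, up to the limit per platform.

  Returns a JSON response with ``status`` 0 and the per-platform upload
  results, or ``status`` -1 and a message for non-admins.
  """
  response = {'status': -1}

  if is_admin(request.user):
    api = OptimizerApi(request.user)
    histories = []
    upload_stats = {}
    upload_limit = OPTIMIZER.QUERY_HISTORY_UPLOAD_LIMIT.get()

    if request.POST.get('sourcePlatform'):
      # ``n`` arrives as a string from the POST body. It is parsed, then
      # capped by the configured limit so a request cannot ask for more than
      # the deployment allows. min() of the raw value alone cannot do that:
      # it fails on the integer default and picks a character from a string.
      try:
        requested = int(request.POST.get('n', upload_limit))
      except (TypeError, ValueError):
        requested = upload_limit
      # Queryset slices need a non-negative bound. NOTE(review): a
      # non-positive limit is treated as "upload nothing", in line with the
      # ``> 0`` test on the other branch. Confirm that is the intended meaning.
      n = max(0, min(requested, upload_limit))
      source_platform = request.POST.get('sourcePlatform', 'hive')
      histories = [(source_platform, Document2.objects.get_history(doc_type='query-%s' % source_platform, user=request.user)[:n])]

    elif upload_limit > 0:
      histories = [
        (source_platform, Document2.objects.filter(type='query-%s' % source_platform, is_history=True, is_managed=False, is_trashed=False).order_by('-last_modified')[:upload_limit])
            for source_platform in ['hive', 'impala']
      ]

    for source_platform, history in histories:
      queries = _convert_queries([Notebook(document=doc).get_data() for doc in history])
      upload_stats[source_platform] = api.upload(data=queries, data_type='queries', source_platform=source_platform)

    response['upload_history'] = upload_stats
    response['status'] = 0
  else:
    response['message'] = _('Query history upload requires Admin privileges or feature is disabled.')

  return JsonResponse(response)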
Example #14
def has_catalog(user):
  """Tell whether ``user`` can use the catalog.

  Requires a catalog backend (a catalog URL, or navigator for this user) and
  either admin rights or the ``access`` permission on ``DJANGO_APPS[0]``.
  """
  from desktop.auth.backend import is_admin

  catalog_available = bool(get_catalog_url()) or has_navigator(user)
  # The permission lookup is skipped when no catalog backend is available.
  return catalog_available and (
    is_admin(user) or user.has_hue_permission(action="access", app=DJANGO_APPS[0])
  )
Example #15
def dump_config(request):
  """Render the configuration dump page. Admins only.

  Private settings are flagged for display when the ``private`` query
  parameter is non-empty. With ENABLE_CONNECTORS on, only the ``desktop``
  app and config module are listed.
  """
  conf_dir = os.path.realpath(os.getenv("HUE_CONF_DIR", get_desktop_root("conf")))

  if not is_admin(request.user):
    return HttpResponse(_("You must be a superuser."))

  # Any non-empty value, "false" included, turns private display on.
  show_private = bool(request.GET.get("private"))

  app_modules = appmanager.DESKTOP_MODULES
  config_modules = GLOBAL_CONFIG.get().values()
  if ENABLE_CONNECTORS.get():
    app_modules = [module for module in app_modules if module.name == 'desktop']
    config_modules = [module for module in config_modules if module.config.key == 'desktop']

  apps = sorted(app_modules, key=lambda app: app.name)
  apps_names = [app.name for app in apps]
  # Config sections follow the alphabetical order of the apps they belong to.
  top_level = sorted(config_modules, key=lambda obj: apps_names.index(obj.config.key))

  context = {
    'show_private': show_private,
    'top_level': top_level,
    'conf_dir': conf_dir,
    'is_embeddable': request.GET.get('is_embeddable', False),
    'apps': apps,
  }
  return render("dump_config.mako", request, context)
Example #16
 def check_request_permission(self, request):
     """Raise PopupException unless the requester may modify this workflow.

     Admins and the user named by ``self.user`` pass. Anyone else is recorded
     with ``access_warn`` and refused.
     """
     if is_admin(request.user) or request.user.username == self.user:
         return

     access_warn(request, _('Insufficient permission.'))
     details = dict(username=request.user.username, user=self.user)
     raise PopupException(
         _("Permission denied. User %(username)s cannot modify user %(user)s's job."
           ) % details)
Example #17
def authorized_get_query_history(request,
                                 query_history_id,
                                 owner_only=False,
                                 must_exist=False):
    """Fetch a QueryHistory the requester is allowed to read.

    Returns None when ``query_history_id`` is None or matches nothing, unless
    ``must_exist`` is set, in which case a missing record raises
    PopupException. A record with no design document is readable by its owner
    and by admins only. Otherwise the design document's own
    ``can_read_or_exception`` check decides.

    NOTE(review): ``owner_only`` is accepted but never used in this body.
    """
    if query_history_id is None and not must_exist:
        return None

    try:
        query_history = QueryHistory.get(id=query_history_id)
    except QueryHistory.DoesNotExist:
        if not must_exist:
            return None
        raise PopupException(
            _('QueryHistory %(id)s does not exist.') %
            {'id': query_history_id})

    # Some queries have no design and so are not covered by the Document
    # model's permissions. Those fall back to an owner-or-admin check.
    has_document = (query_history.design is not None
                    and query_history.design.doc.exists())
    if has_document:
        query_history.design.doc.get().can_read_or_exception(request.user)
    elif not is_admin(request.user) and request.user != query_history.owner:
        raise PopupException(
            _('Permission denied to read QueryHistory %(id)s') %
            {'id': query_history_id})

    return query_history
Example #18
def has_abfs_access(user):
    """Tell whether ``user`` may use ABFS through the file browser.

    The account must be authenticated and active. Beyond that, access is
    granted to admins, to holders of the ``abfs_access`` permission on the
    ``filebrowser`` app, and to everyone when RAZ is enabled.
    """
    from desktop.conf import RAZ  # Must be imported dynamically in order to have proper value
    from desktop.auth.backend import is_admin

    def _allowed_by_policy():
        # NOTE(review): with RAZ enabled no per-user permission is checked at
        # this layer. Presumably RAZ authorizes each request downstream, but
        # that is not visible here and should be confirmed.
        return (is_admin(user)
                or user.has_hue_permission(action="abfs_access", app="filebrowser")
                or RAZ.IS_ENABLED.get())

    return user.is_authenticated and user.is_active and _allowed_by_policy()
Example #19
File: api.py Project: gilvbp/hue
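def close_session(request, session_id):
    """Close the stored session ``session_id`` for the current app.

    Non-admins can only match sessions they own, because the lookup is
    filtered on owner. Returns a JSON response with ``status`` 0 and a
    session summary on success, or ``status`` -1 and a message when no
    matching session exists.
    """
    app_name = get_app_name(request)
    query_server = get_query_server_config(app_name)

    response = {'status': -1, 'message': ''}
    # Bound before the lookup. When the lookup raises DoesNotExist the name
    # would otherwise be unassigned, and the check below would fail with
    # UnboundLocalError instead of returning the error message.
    session = None

    try:
        filters = {
            'id': session_id,
            'application': query_server['server_name']
        }
        if not is_admin(request.user):
            # Restrict non-admins to their own sessions.
            filters['owner'] = request.user
        session = Session.objects.get(**filters)
    except Session.DoesNotExist:
        response['message'] = _(
            'Session does not exist or you do not have permissions to close the session.'
        )

    if session:
        session = dbms.get(request.user, query_server).close_session(session)
        response['status'] = 0
        response['message'] = _('Session successfully closed.')
        response['session'] = {
            'id': session_id,
            'application': session.application,
            'status': session.status_code
        }

    return JsonResponse(response)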
Example #20
def reset_all_debug(request):
  """Reset debug logging through ``_reset_all_debug()``. Admins only.

  Returns JSON with ``status`` 0 and ``debug_all`` False on success, or
  ``status`` 1 and a message for non-admins.
  """
  # NOTE(review): this changes server state. Whether the route is limited to
  # POST is not visible here.
  if is_admin(request.user):
    _reset_all_debug()
    return JsonResponse({'status': 0, 'debug_all': False})

  return JsonResponse({'status': 1, 'message': _('You must be a superuser.')})
Example #21
def _get_installed_connectors(category=None,
                              categories=None,
                              dialect=None,
                              interface=None,
                              user=None):
    """List the stored connectors, optionally restricted by user and filters.

    When ``user`` is given and is not an admin, only connectors linked to one
    of the user's permissions are returned. With ``user=None`` no permission
    filter is applied at all, so callers acting for a user need to pass it.
    Connectors that ``_augment_connector_properties`` cannot complete are
    skipped with a warning. The remaining filters each narrow the result when
    not None.
    """
    from desktop.auth.backend import is_admin

    connectors_objects = Connector.objects.all()

    restrict_to_permissions = user is not None and not is_admin(user)
    if restrict_to_permissions:
        connectors_objects = connectors_objects.filter(
            huepermission__in=user.get_permissions())

    connector_instances = []
    for stored in connectors_objects:
        connector_instances.append({
            'id': stored.id,
            'nice_name': stored.name,
            'description': stored.description,
            'dialect': stored.dialect,
            'interface': None,
            'settings': json.loads(stored.settings),
            'is_demo': False,
        })

    connectors = []
    for instance in connector_instances:
        full_connector = _augment_connector_properties(instance)
        if not full_connector:
            LOG.warn(
                'Skipping connector %(id)s as connector dialect %(dialect)s or interface %(interface)s are not installed'
                % ({
                    'id': instance['id'],
                    'dialect': instance['dialect'],
                    'interface': instance['interface']
                }))
            continue
        connectors.append(full_connector)

    if categories is not None:
        connectors = [c for c in connectors if c['category'] in categories]

    # The exact-match filters all have the same shape; apply them in turn.
    exact_filters = (
        ('category', category),
        ('dialect', dialect),
        ('interface', interface),
    )
    for field, wanted in exact_filters:
        if wanted is not None:
            connectors = [c for c in connectors if c[field] == wanted]

    return connectors
Example #22
def get_hue_config(request):
    """Return the configuration tree, config directory and app list as JSON.

    Admins only; others get a PopupException. Settings marked private are
    left out unless the ``private`` query parameter is set. Values of keys
    containing ``password`` are replaced by ten asterisks.
    """
    if not is_admin(request.user):
        raise PopupException(_('You must be a superuser.'))

    # Any non-empty value of the parameter enables private settings.
    show_private = request.GET.get('private', False)

    app_modules = appmanager.DESKTOP_MODULES
    config_modules = GLOBAL_CONFIG.get().values()

    if ENABLE_CONNECTORS.get():
        app_modules = [m for m in app_modules if m.name == 'desktop']
        config_modules = [m for m in config_modules if m.config.key == 'desktop']

    apps = []
    for app in sorted(app_modules, key=lambda app: app.name):
        apps.append({
            'name': app.name,
            'has_ui': app.menu_index != 999,
            'display_name': app.display_name
        })

    def recurse_conf(modules):
        """Describe each module as a dict, recursing into containers."""
        attrs = []
        for module in modules:
            if not show_private and module.config.private:
                continue

            entry = {
                'help': module.config.help or _('No help available.'),
                'key': module.config.key,
                'is_anonymous': is_anonymous(module.config.key)
            }
            if isinstance(module, BoundContainer):
                entry['values'] = recurse_conf(module.get().values())
                attrs.append(entry)
                continue

            entry['default'] = str(module.config.default)
            # NOTE(review): masking keys off the substring 'password' only.
            # Secrets stored under other key names are returned as is, and
            # 'default' is not masked.
            if 'password' in module.config.key:
                entry['value'] = '*' * 10
            else:
                raw_value = str(module.get_raw())
                if sys.version_info[0] > 2:
                    entry['value'] = raw_value
                else:
                    entry['value'] = raw_value.decode('utf-8', 'replace')
            attrs.append(entry)

        return attrs

    config = sorted(recurse_conf(config_modules), key=lambda conf: conf.get('key'))
    conf_dir = os.path.realpath(os.getenv('HUE_CONF_DIR', get_desktop_root('conf')))

    return JsonResponse({
        'config': config,
        'conf_dir': conf_dir,
        'apps': apps
    })
Example #23
  def process_view(self, request, view_func, view_args, view_kwargs):
    """
    Log the page hit and enforce per-app access for logged-in users.

    We also perform access logging in ``process_view()`` since we have the view function,
    which tells us the log level. The downside is that we don't have the status code,
    which isn't useful for status logging anyways.

    Returns None to let the request continue, or the response built from a
    PopupException (error_code=401) when an active, authenticated user lacks
    permission for the app being accessed.
    """
    request.ts = time.time()
    request.view_func = view_func
    access_log_level = getattr(view_func, 'access_log_level', None)
    # skip loop for oidc
    # These four paths return before any logging or permission check.
    if request.path in ['/oidc/authenticate/', '/oidc/callback/', '/oidc/logout/', '/hue/oidc_failed/']:
      return None

    # First, skip views not requiring login

    # If the view has "opted out" of login required, skip
    if hasattr(view_func, "login_notrequired"):
      log_page_hit(request, view_func, level=access_log_level or logging.DEBUG)
      return None

    # There are certain django views which are also opt-out, but
    # it would be evil to go add attributes to them
    if view_func in DJANGO_VIEW_AUTH_WHITELIST:
      log_page_hit(request, view_func, level=access_log_level or logging.DEBUG)
      return None

    # If user is logged in, check that he has permissions to access the
    # app.
    if request.user.is_active and request.user.is_authenticated():
      AppSpecificMiddleware.augment_request_with_app(request, view_func)

      # Until we get Django 1.3 and resolve returning the URL name, we just do a match of the name of the view
      # If resolving the view fails, access_view becomes '' and the per-view
      # permission lookup below is made with that empty action name.
      try:
        access_view = 'access_view:%s:%s' % (request._desktop_app, resolve(request.path)[0].__name__)
      except Exception, e:
        access_log(request, 'error checking view perm: %s' % e, level=access_log_level)
        access_view = ''

      # Accessing an app can access an underlying other app.
      # e.g. impala or spark uses code from beeswax and so accessing impala shows up as beeswax here.
      # Here we trust the URL to be the real app we need to check the perms.
      app_accessed = request._desktop_app
      ui_app_accessed = get_app_name(request)
      if app_accessed != ui_app_accessed and ui_app_accessed not in ('logs', 'accounts', 'login'):
        app_accessed = ui_app_accessed

      # Access is denied when all of these hold: an app was identified, it is
      # not in the always-allowed list, the user is neither an admin nor
      # holder of the app's "access" permission or the per-view permission,
      # and this is not the '__debug__' app with DJANGO_DEBUG_MODE on.
      # NOTE(review): the denial carries error_code=401 although the user is
      # already authenticated at this point.
      if app_accessed and \
          app_accessed not in ("desktop", "home", "home2", "about", "hue", "editor", "notebook", "indexer", "404", "500", "403") and \
          not (is_admin(request.user) or request.user.has_hue_permission(action="access", app=app_accessed) or
               request.user.has_hue_permission(action=access_view, app=app_accessed)) and \
          not (app_accessed == '__debug__' and desktop.conf.DJANGO_DEBUG_MODE):
        access_log(request, 'permission denied', level=access_log_level)
        return PopupException(
            _("You do not have permission to access the %(app_name)s application.") % {'app_name': app_accessed.capitalize()}, error_code=401).response(request)
      else:
        # NOTE(review): request.view_func is assigned at the top of this
        # method, so this hasattr() test looks always true and the
        # log_page_hit call below looks unreachable. Confirm intent.
        if not hasattr(request, 'view_func'):
          log_page_hit(request, view_func, level=access_log_level)
        return None
    # NOTE(review): nothing after this block is visible in this excerpt, so
    # how inactive or anonymous users are handled cannot be confirmed here.
Example #24
  def process_view(self, request, view_func, view_args, view_kwargs):
    """
    Log the page hit and enforce per-app access for logged-in users.

    We also perform access logging in ``process_view()`` since we have the view function,
    which tells us the log level. The downside is that we don't have the status code,
    which isn't useful for status logging anyways.

    Returns None to let the request continue, or the response built from a
    PopupException (error_code=401) when an active, authenticated user lacks
    permission for the app being accessed.
    """
    request.ts = time.time()
    request.view_func = view_func
    access_log_level = getattr(view_func, 'access_log_level', None)
    # skip loop for oidc
    # These four paths return before any logging or permission check.
    if request.path in ['/oidc/authenticate/', '/oidc/callback/', '/oidc/logout/', '/hue/oidc_failed/']:
      return None

    # First, skip views not requiring login

    # If the view has "opted out" of login required, skip
    if hasattr(view_func, "login_notrequired"):
      log_page_hit(request, view_func, level=access_log_level or logging.DEBUG)
      return None

    # There are certain django views which are also opt-out, but
    # it would be evil to go add attributes to them
    if view_func in DJANGO_VIEW_AUTH_WHITELIST:
      log_page_hit(request, view_func, level=access_log_level or logging.DEBUG)
      return None

    # If user is logged in, check that he has permissions to access the
    # app.
    if request.user.is_active and request.user.is_authenticated():
      AppSpecificMiddleware.augment_request_with_app(request, view_func)

      # Until we get Django 1.3 and resolve returning the URL name, we just do a match of the name of the view
      # If resolving the view fails, access_view becomes '' and the per-view
      # permission lookup below is made with that empty action name.
      try:
        access_view = 'access_view:%s:%s' % (request._desktop_app, resolve(request.path)[0].__name__)
      except Exception, e:
        access_log(request, 'error checking view perm: %s' % e, level=access_log_level)
        access_view = ''

      # Accessing an app can access an underlying other app.
      # e.g. impala or spark uses code from beeswax and so accessing impala shows up as beeswax here.
      # Here we trust the URL to be the real app we need to check the perms.
      app_accessed = request._desktop_app
      ui_app_accessed = get_app_name(request)
      if app_accessed != ui_app_accessed and ui_app_accessed not in ('logs', 'accounts', 'login'):
        app_accessed = ui_app_accessed

      # Access is denied when all of these hold: an app was identified, it is
      # not in the always-allowed list, the user is neither an admin nor
      # holder of the app's "access" permission or the per-view permission,
      # and this is not the '__debug__' app with DJANGO_DEBUG_MODE on.
      # NOTE(review): the denial carries error_code=401 although the user is
      # already authenticated at this point.
      if app_accessed and \
          app_accessed not in ("desktop", "home", "home2", "about", "hue", "editor", "notebook", "indexer", "404", "500", "403") and \
          not (is_admin(request.user) or request.user.has_hue_permission(action="access", app=app_accessed) or
               request.user.has_hue_permission(action=access_view, app=app_accessed)) and \
          not (app_accessed == '__debug__' and desktop.conf.DJANGO_DEBUG_MODE):
        access_log(request, 'permission denied', level=access_log_level)
        return PopupException(
            _("You do not have permission to access the %(app_name)s application.") % {'app_name': app_accessed.capitalize()}, error_code=401).response(request)
      else:
        # NOTE(review): request.view_func is assigned at the top of this
        # method, so this hasattr() test looks always true and the
        # log_page_hit call below looks unreachable. Confirm intent.
        if not hasattr(request, 'view_func'):
          log_page_hit(request, view_func, level=access_log_level)
        return None
    # NOTE(review): nothing after this block is visible in this excerpt, so
    # how inactive or anonymous users are handled cannot be confirmed here.
Example #25
 def _get_session_by_id(self, notebook, type='hive'):
   """Return the stored Session matching the notebook's session id.

   Returns None when the notebook has no session of this ``type`` or that
   session carries no id. The lookup uses application ``beeswax`` for
   ``hive`` and ``type`` itself otherwise. For non-admins it is also
   restricted to sessions owned by ``self.user``.
   """
   session = self._get_session(notebook, type)
   if not session:
     return None

   session_id = session.get('id')
   if not session_id:
     return None

   application = 'beeswax' if type == 'hive' else type
   filters = {'id': session_id, 'application': application}
   if not is_admin(self.user):
     # A session id from the notebook alone must not reach another user's
     # session.
     filters['owner'] = self.user
   return Session.objects.get(**filters)
Example #26
def autocomplete(request, database=None, table=None, column=None, nested=None):
  """Return autocomplete metadata for the given database object as JSON.

  The lookup runs as the requesting user. An admin, or a holder of the
  ``impersonate`` permission on the ``security`` app, may pass ``doas`` in
  the query string to run it as another user.
  """
  cluster = request.POST.get('cluster')
  if FORCE_HS2_METADATA.get():
    app_name = None
  else:
    app_name = get_app_name(request)

  may_impersonate = is_admin(request.user) or request.user.has_hue_permission(action="impersonate", app="security")

  do_as = request.user
  if may_impersonate and 'doas' in request.GET:
    # Impersonation changes whose privileges the metadata query runs with.
    # NOTE(review): an unknown username raises User.DoesNotExist here, and
    # nothing in this function records the switch.
    do_as = User.objects.get(username=request.GET.get('doas'))

  db = _get_db(user=do_as, source_type=app_name, cluster=cluster)

  return JsonResponse(_autocomplete(db, database, table, column, nested, cluster=cluster))
Example #27
File: api.py Project: cloudera/hue
def autocomplete(request, database=None, table=None, column=None, nested=None):
  """Serve autocomplete metadata for a database, table, column or nested field.

  Runs as the requesting user unless ``doas`` is present in the query string
  and the requester is an admin or holds the ``impersonate`` permission on
  the ``security`` app. In that case it runs as the named user.
  """
  cluster = request.POST.get('cluster')
  app_name = None if FORCE_HS2_METADATA.get() else get_app_name(request)

  def _can_impersonate():
    return is_admin(request.user) or request.user.has_hue_permission(action="impersonate", app="security")

  # The permission check comes first. A ``doas`` value from a requester
  # without the right is ignored rather than rejected.
  if _can_impersonate() and 'doas' in request.GET:
    do_as = User.objects.get(username=request.GET.get('doas'))
  else:
    do_as = request.user

  db = _get_db(user=do_as, source_type=app_name, cluster=cluster)

  response = _autocomplete(db, database, table, column, nested, cluster=cluster)
  return JsonResponse(response)
Example #28
def list_query_history(request):
    """
    Show the query history, limited to the current user unless they are an admin.

    Reached from /beeswax/query_history?filterargs. The accepted options are:
      page=<n>            - Page number. Defaults to 1.
      user=<name>         - Show history items of that user. Defaults to the
                            current user. ':all' shows every user's items.
      type=<type>         - Design type, "beeswax|impala". Defaults to all.
      design_id=<id>      - Only the history of this design id.
      sort=<key>          - One of "date", "state", "name" (design name) and
                            "type" (design type). A leading "-" sorts in
                            descending order. Defaults to "-date".
      auto_query=<bool>   - Include auto generated actions (drop table, read
                            data, etc). Defaults to True.
    """
    DEFAULT_PAGE_SIZE = 100
    prefix = 'q-'

    share_queries = is_admin(request.user)
    app_name = get_app_name(request)

    querydict_query = request.GET.copy()
    if not share_queries:
        # For non-admins the user filter is overwritten with their own name,
        # so a client-supplied value cannot widen the listing.
        querydict_query[prefix + 'user'] = request.user.username
    querydict_query[prefix + 'type'] = app_name

    paginator, page, filter_params = _list_query_history(
        request.user, querydict_query, DEFAULT_PAGE_SIZE, prefix)

    search_filter = request.GET.get(prefix + 'search') or ''

    if request.GET.get('format') == 'json':
        queries = [
            massage_query_history_for_json(app_name, query_history)
            for query_history in page.object_list
        ]
        return JsonResponse({'queries': queries})

    context = {
        'request': request,
        'page': page,
        'paginator': paginator,
        'filter_params': filter_params,
        'share_queries': share_queries,
        'prefix': prefix,
        'filter': search_filter,
    }
    return render('list_history.mako', request, context)
Example #29
 def _has_access(self, fs):
   """Tell whether ``self.user`` may use the filesystem ``fs``.

   A filesystem that reports no file browser action (hdfs) is always
   allowed here, since its permissions are handled through doas. Otherwise
   the account must be authenticated and active, and either be an admin or
   hold that action as a permission on the ``filebrowser`` app. An unknown
   username is logged and denied.
   """
   from desktop.auth.backend import rewrite_user  # Avoid cyclic loop
   try:
     filebrowser_action = fs.filebrowser_action()
     if not filebrowser_action:
       # No Hue-side permission is defined for this filesystem.
       return True

     user = rewrite_user(User.objects.get(username=self.user))

     def _permitted():
       return is_admin(user) or not filebrowser_action or user.has_hue_permission(action=filebrowser_action, app="filebrowser")

     return user.is_authenticated() and user.is_active and _permitted()
   except User.DoesNotExist:
     # Fail closed when the account cannot be found.
     LOG.exception('proxyfs.has_access()')
     return False
Example #30
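def threads(request):
  """Dumps out server threads. Useful for debugging.

  Admins only. AJAX requests get the dump as plain text; other requests get
  it rendered through ``threads.mako``.
  """
  # Authorize first, so the thread dump is only collected for callers who
  # are allowed to see it.
  if not is_admin(request.user):
    return HttpResponse(_("You must be a superuser."))

  out = string_io()
  dump_traceback(file=out)

  if request.is_ajax():
    return HttpResponse(out.getvalue(), content_type="text/plain")
  else:
    return render("threads.mako", request, {'text': out.getvalue(), 'is_embeddable': request.GET.get('is_embeddable', False)})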
Example #31
 def _has_access(self, fs):
   """Decide whether the current user may use the filesystem ``fs``.

   Filesystems with no file browser action (hdfs) are allowed outright,
   because their permissions are enforced through doas. For the others the
   account returned by ``self.getuser()`` must be authenticated, active, and
   either an admin or a holder of that action on the ``filebrowser`` app.
   A username with no account is logged and refused.
   """
   from desktop.auth.backend import rewrite_user  # Avoid cyclic loop
   try:
     filebrowser_action = fs.filebrowser_action()
     # If not filebrowser_action (hdfs) then handle permission via doas else check permission in hue
     if not filebrowser_action:
       return True

     user = rewrite_user(User.objects.get(username=self.getuser()))
     account_ok = user.is_authenticated() and user.is_active
     return account_ok and (
       is_admin(user)
       or not filebrowser_action
       or user.has_hue_permission(action=filebrowser_action, app="filebrowser")
     )
   except User.DoesNotExist:
     # Deny rather than guess when the account is missing.
     LOG.exception('proxyfs.has_access()')
     return False
Example #32
def check_config_ajax(request):
    """Alert administrators about configuration problems.

    Non-admins get the same empty response as an admin with no problems to
    report, so the reply does not reveal whether any exist. Otherwise the
    error list is rendered through ``config_alert_dock.mako``.
    """
    error_list = _get_config_errors(request) if is_admin(request.user) else None
    if not error_list:
        # An empty body avoids the cost of the mako template.
        return HttpResponse('')

    return render('config_alert_dock.mako',
                  request,
                  dict(error_list=error_list),
                  force_template=True)
Example #33
def check_config(request):
  """Check the configuration and show the list of errors (admins only).

  The result is returned as JSON when the request has ``format=json``,
  otherwise it is rendered through check_config.mako.
  """
  if not is_admin(request.user):
    return HttpResponse(_("You must be a superuser."))

  conf_dir = os.path.realpath(os.getenv("HUE_CONF_DIR", get_desktop_root("conf")))
  context = {
    'conf_dir': conf_dir,
    'error_list': _get_config_errors(request, cache=False),
  }

  wants_json = request.GET.get('format') == 'json'
  if wants_json:
    return JsonResponse(context)
  return render('check_config.mako', request, context, force_template=True)
Example #34
def admin_wizard(request):
  """Render the admin wizard page.

  The app list is filled in only for admins; other users get the page with
  an empty app list.
  """
  apps = appmanager.get_apps(request.user) if is_admin(request.user) else []
  by_menu_order = sorted(apps, key=lambda app: app.menu_index)
  app_names = [app.name for app in by_menu_order]

  context = {
      'version': hue_version(),
      'apps': dict((app.name, app) for app in apps),
      'app_names': app_names,
      'is_embeddable': request.GET.get('is_embeddable', False),
      'collect_usage': collect_usage(),
  }
  return render('admin_wizard.mako', request, context)
Example #35
def list_history(request):
  """
  List the job submission history, newest submission first.
  Normal users can only look at their own submissions.
  """
  if is_admin(request.user):
    records = History.objects
  else:
    # Non-admins are restricted to the rows they submitted themselves.
    records = History.objects.filter(submitter=request.user)

  return render('editor/list_history.mako', request, {
    'history': records.order_by('-submission_date'),
  })
Example #36
def can_kill_job(self, user):
  """Return whether *user* may kill this job.

  Killing is refused when it is disabled globally or when the job is not
  running, pending or accepted. Otherwise admins, users accepted by
  can_modify_job() and the job's own user are allowed.
  """
  killable_states = ('running', 'pending', 'accepted')
  if DISABLE_KILLING_JOBS.get() or self.status.lower() not in killable_states:
    return False

  if is_admin(user) or can_modify_job(user.username, self):
    return True

  return user.username == self.user
Example #37
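def list_history_record(request, record_id):
  """
  Show one job submission history record.
  Normal users can only look at their own jobs.

  The record is looked up by ``record_id``. For non-admin users the lookup
  is restricted to records they submitted, so the ``get()`` below does not
  find a record that belongs to somebody else.
  """
  history = History.objects

  if not is_admin(request.user):
    # filter() returns a new queryset and leaves the manager untouched. The
    # result must be kept, otherwise the submitter restriction is dropped
    # and the record is fetched by id alone.
    history = history.filter(submitter=request.user)
  record = history.get(id=record_id)

  return render('editor/list_history_record.mako', request, {
    'record': record,
  })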
Example #38
def get_config(request):
    """Return the cluster configuration for the requesting user as JSON.

    Adds the user's admin flag, the user's clusters and the distinct
    document types visible to the user, and sets ``status`` to 0.
    """
    user = request.user
    config = get_cluster_config(user)
    config['hue_config']['is_admin'] = is_admin(user)
    config['clusters'] = list(get_clusters(user).values())

    doc_types = Document2.objects.documents(user=user).order_by().values_list('type', flat=True).distinct()
    config['documents'] = {'types': list(doc_types)}
    config['status'] = 0

    return JsonResponse(config)
Example #39
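def list_history_record(request, record_id):
    """
    Show one job submission history record.
    Normal users can only look at their own jobs.

    The record is looked up by ``record_id``. For non-admin users the lookup
    is restricted to records they submitted, so the ``get()`` below does not
    find a record that belongs to somebody else.
    """
    history = History.objects

    if not is_admin(request.user):
        # filter() returns a new queryset and leaves the manager untouched.
        # The result must be kept, otherwise the submitter restriction is
        # dropped and the record is fetched by id alone.
        history = history.filter(submitter=request.user)
    record = history.get(id=record_id)

    return render('editor/list_history_record.mako', request, {
        'record': record,
    })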
Example #40
def can_kill_job(self, user):
  """Return whether *user* may kill this job.

  Killing is refused when it is disabled globally or when the job is not
  running, pending or accepted. Otherwise admins, users accepted by
  can_modify_job() and the job's own user are allowed.
  """
  if DISABLE_KILLING_JOBS.get():
    return False

  state = self.status.lower()
  if state not in ('running', 'pending', 'accepted'):
    return False

  if is_admin(user) or can_modify_job(user.username, self):
    return True

  return user.username == self.user
Example #41
def list_query_history(request):
  """
  View the history of query (for the current user).
  We get here from /beeswax/query_history?filterargs, with the options being:
    page=<n>            - Controls pagination. Defaults to 1.
    user=<name>         - Show history items from a user. Default to current user only.
                          Also accepts ':all' to show all history items.
    type=<type>         - <type> is "beeswax|impala", for design type. Default to show all.
    design_id=<id>      - Show history for this particular design id.
    sort=<key>          - Sort by the attribute <key>, which is one of:
                            "date", "state", "name" (design name), and "type" (design type)
                          Accepts the form "-date", which sort in descending order.
                          Default to "-date".
    auto_query=<bool>   - Show auto generated actions (drop table, read data, etc). Default True

  For non-admin users the user filter is overwritten with the requesting
  user's own username, whatever the request asked for. The type filter is
  always set to the current app.
  """
  DEFAULT_PAGE_SIZE = 100
  prefix = 'q-'

  share_queries = is_admin(request.user)

  params = request.GET.copy()
  if not share_queries:
    # Pin the user filter so a non-admin cannot list somebody else's history.
    params[prefix + 'user'] = request.user.username

  app_name = get_app_name(request)
  params[prefix + 'type'] = app_name

  paginator, page, filter_params = _list_query_history(request.user, params, DEFAULT_PAGE_SIZE, prefix)

  search_text = request.GET.get(prefix + 'search') or ''

  if request.GET.get('format') == 'json':
    queries = [massage_query_history_for_json(app_name, query_history) for query_history in page.object_list]
    return JsonResponse({'queries': queries})

  context = {
    'request': request,
    'page': page,
    'paginator': paginator,
    'filter_params': filter_params,
    'share_queries': share_queries,
    'prefix': prefix,
    'filter': search_text,
  }
  return render('list_history.mako', request, context)
Example #42
def delete(request, id, path):
  """Recursively delete the znode at *path* on cluster *id* (admins only).

  The deletion happens only for POST requests; the JSON response then holds a
  redirect to the tree view of the parent path. Any other method gets an
  empty JSON object. A node that no longer exists is not an error.
  """
  if not is_admin(request.user):
    raise PopupException(_('You are not a superuser'))
  cluster = get_cluster_or_404(id)

  if request.method != 'POST':
    return JsonResponse({})

  zk = ZooKeeper(cluster['rest_url'])
  try:
    zk.recursive_delete(path)
  except ZooKeeper.NotFound:
    pass

  parent_path = path[:path.rindex('/')] or '/'
  return JsonResponse({
    'redirect': reverse('zookeeper:tree', kwargs={'id': id, 'path': parent_path})
  })
Example #43
def edit_as_text(request, id, path):
  """Show or save the data of the znode at *path* on cluster *id*.

  POST: requires an admin; a valid form writes the new data with zk.set(),
  and the tree view is returned whether or not the form validated.
  Any other method: renders edit.mako with a form pre-filled from the node.
  """
  cluster = get_cluster_or_404(id)
  zk = ZooKeeper(cluster['rest_url'])
  # The node is fetched before any permission check, for every request method.
  node = zk.get(path)

  if request.method == 'POST':
    # Only the write path is guarded by is_admin() in this function.
    if not is_admin(request.user):
      raise PopupException(_('You are not a superuser'))
    form = EditZNodeForm(request.POST)
    if form.is_valid():
      zk.set(path, form.cleaned_data['data'])

    return tree(request, id, path)
  else:
    # NOTE(review): this branch shows the decoded node data to any caller that
    # reaches the view; no is_admin() check is visible here. Confirm that read
    # access is restricted elsewhere if znode contents can be sensitive.
    # str.decode('base64') is a Python 2 codec call.
    form = EditZNodeForm(dict(data=node.get('data64', '').decode('base64').strip(), version=node.get('version', '-1')))

  return render('edit.mako', request, {'cluster': cluster, 'path': path, 'form': form, 'clusters': CLUSTERS.get(),})
Example #44
def create(request, id, path):
  """Create a child znode under *path* on cluster *id* (admins only).

  A valid POST creates the node and returns the tree view of *path*. An
  invalid POST, or any other method, renders create.mako with the form.
  """
  if not is_admin(request.user):
    raise PopupException(_('You are not a superuser'))
  cluster = get_cluster_or_404(id)

  if request.method != 'POST':
    form = CreateZNodeForm()
  else:
    form = CreateZNodeForm(request.POST)
    if form.is_valid():
      fields = form.cleaned_data
      zk = ZooKeeper(cluster['rest_url'])

      # Join parent and name; collapse the '//' that appears when path is '/'.
      full_path = ("%s/%s" % (path, fields['name'])).replace('//', '/')

      zk.create(full_path, fields['data'], sequence=fields['sequence'])
      return tree(request, id, path)

  context = {'cluster': cluster, 'path': path, 'form': form, 'clusters': CLUSTERS.get()}
  return render('create.mako', request, context)
Example #45
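def install_examples(request):
  """Install the indexer examples named by the POSTed ``data`` value (admins only).

  ``result['status']`` is set to 0 on success. On failure, or when the request
  is not a POST, ``result['message']`` carries the reason.
  """
  result = {'status': -1, 'message': ''}

  if not is_admin(request.user):
    # Raise the exception instead of returning it: a returned exception
    # object is not an HTTP response, so the denial would not be reported
    # to the caller the way the other admin-only views on this page do it.
    raise PopupException(_("You must be a superuser."))

  if request.method != 'POST':
    result['message'] = _('A POST request is required.')
  else:
    try:
      data = request.POST.get('data')
      indexer_setup.Command().handle(data=data)
      if 'log_analytics_demo' == data: # Hue documents installed only one time
        search_setup.Command().handle()
      result['status'] = 0
    except Exception as e:
      LOG.exception(e)
      result['message'] = str(e)
  # NOTE(review): no return of `result` is visible in this listing.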
Example #46
def check_job_permission(view_func):
  """
  Ensure that the user has access to the job.
  Assumes that the wrapped function takes a 'jobid' param named 'job'.

  The inner function replaces kwargs['job'] (a job id) with the job object
  before calling the view.
  """
  def decorate(request, *args, **kwargs):
    job_id = kwargs['job']
    try:
      job = get_job(request, job_id=job_id)
    except ApplicationNotRunning:
      LOG.warn('Job %s has not yet been accepted by the RM, will poll for status.' % job_id)
      return job_not_assigned(request, job_id, request.path)

    # Access is granted as soon as one of these holds, checked in this order:
    # jobs are shared, the user is an admin, the user owns the job, or
    # can_view_job() accepts the user.
    may_view = (
      SHARE_JOBS.get()
      or is_admin(request.user)
      or job.user == request.user.username
      or can_view_job(request.user.username, job)
    )
    if not may_view:
      raise PopupException(_("You don't have permission to access job %(id)s.") % {'id': job_id})

    kwargs['job'] = job
    return view_func(request, *args, **kwargs)
Example #47
def authorized_get_query_history(request, query_history_id, owner_only=False, must_exist=False):
  """Return the QueryHistory with the given id if the requesting user may read it.

  Returns None when the id is None or the record is missing, unless
  *must_exist* is set, in which case a missing record raises PopupException.
  A permission failure raises as well. *owner_only* is accepted but not used
  in this body.
  """
  if query_history_id is None and not must_exist:
    return None

  try:
    query_history = QueryHistory.get(id=query_history_id)
  except QueryHistory.DoesNotExist:
    if not must_exist:
      return None
    raise PopupException(_('QueryHistory %(id)s does not exist.') % {'id': query_history_id})

  linked_to_doc = query_history.design is not None and query_history.design.doc.exists()
  if linked_to_doc:
    query_history.design.doc.get().can_read_or_exception(request.user)
  elif not is_admin(request.user) and request.user != query_history.owner:
    # Some queries don't have a design so are not linked to Document Model permission;
    # for those, only an admin or the owner may read the record.
    raise PopupException(_('Permission denied to read QueryHistory %(id)s') % {'id': query_history_id})

  return query_history
Example #48
File: api.py Project: cloudera/hue
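def close_session(request, session_id):
  """Close the session *session_id* of the current app and report the outcome as JSON.

  Admins may close any session of the query server; other users only their
  own. ``status`` is 0 on success and -1 when the session was not found or
  does not belong to the user.
  """
  app_name = get_app_name(request)
  query_server = get_query_server_config(app_name)

  response = {'status': -1, 'message': ''}

  # Bind the name up front: when the lookup below raises DoesNotExist,
  # `session` would otherwise be unbound at the `if session:` test and the
  # view would fail with a NameError instead of returning the error message.
  session = None
  try:
    filters = {'id': session_id, 'application': query_server['server_name']}
    if not is_admin(request.user):
      # Non-admins can only match sessions they own.
      filters['owner'] = request.user
    session = Session.objects.get(**filters)
  except Session.DoesNotExist:
    response['message'] = _('Session does not exist or you do not have permissions to close the session.')

  if session:
    session = dbms.get(request.user, query_server).close_session(session)
    response['status'] = 0
    response['message'] = _('Session successfully closed.')
    response['session'] = {'id': session_id, 'application': session.application, 'status': session.status_code}

  return JsonResponse(response)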
Example #49
File: api.py Project: cloudera/hue
def admin_stats(request):
  """Return the admin statistics as JSON for administrators.

  For any other user the function returns None.
  """
  if not is_admin(user=request.user):
    # NOTE(review): no response object is produced for non-admins here;
    # confirm the caller or a decorator handles that case.
    return None
  return JsonResponse({'admin_stats': Analytics.admin_stats()})
Example #50
def _has_impersonation_perm(user):
  """Return whether *user* is an admin or holds the security app's "impersonate" permission."""
  return (
    is_admin(user)
    or user.has_hue_permission(action="impersonate", app="security")
  )
Example #51
File: api.py Project: cloudera/hue
def has_job_edition_permission(oozie_job, user):
  """Return whether *user* may modify *oozie_job*: admins and the job's own user may."""
  return (
    is_admin(user)
    or oozie_job.user == user.username
  )
Example #52
    elif job_id.endswith('C'):
      get_job = oozie_api.get_coordinator
    else:
      get_job = oozie_api.get_bundle

    try:
      if job_id.endswith('C'):
        oozie_job = get_job(job_id, **kwargs)
      else:
        oozie_job = get_job(job_id)
    except RestException, ex:
      msg = _("Error accessing Oozie job %s.") % (job_id,)
      LOG.exception(msg)
      raise PopupException(msg, detail=ex._headers.get('oozie-error-message'))

  if is_admin(request.user) \
      or oozie_job.user == request.user.username \
      or has_dashboard_jobs_access(request.user):
    return oozie_job
  else:
    message = _("Permission denied. %(username)s does not have the permissions to access job %(id)s.") % \
        {'username': request.user.username, 'id': oozie_job.id}
    access_warn(request, message)
    raise PopupException(message)


def check_job_edition_permission(oozie_job, user):
  if has_job_edition_permission(oozie_job, user):
    return oozie_job
  else:
    message = _("Permission denied. %(username)s does not have the permissions to modify job %(id)s.") % \
Example #53
def has_job_edition_permission(oozie_job, user):
  """Return a truthy value when *user* may modify *oozie_job*.

  Allowed are admins, the job's own user, members of the job's group, and
  usernames listed in the job's comma-separated ACL. ACL entries are compared
  exactly as split, without stripping whitespace.
  """
  return (
    is_admin(user)
    or oozie_job.user == user.username
    or (oozie_job.group and user.groups.filter(name=oozie_job.group).exists())
    or (oozie_job.acl and user.username in oozie_job.acl.split(','))
  )
Example #54
def has_dashboard_jobs_access(user):
  """Return whether *user* is an admin or holds "dashboard_jobs_access" on the first app in DJANGO_APPS."""
  return (
    is_admin(user)
    or user.has_hue_permission(action="dashboard_jobs_access", app=DJANGO_APPS[0])
  )
Example #55
 def decorate(request, *args, **kwargs):
   """Call the wrapped view unless the user is barred from the Oozie Editor.

   A non-admin user holding the "disable_editor_access" permission of the
   oozie app is rejected with a PopupException; admins are never rejected.
   """
   user = request.user
   editor_disabled = not is_admin(user) and user.has_hue_permission(action="disable_editor_access", app="oozie")
   if editor_disabled:
     raise PopupException(_('Missing permission to access the Oozie Editor'), error_code=401)
   return view_func(request, *args, **kwargs)
Example #56
def index(request):
  """Render the analytics page for administrators.

  For any other user the function returns None.
  """
  if not is_admin(user=request.user):
    # NOTE(review): no response object is produced for non-admins here;
    # confirm the caller or a decorator handles that case.
    return None
  return render("analytics.mako", request, {})
Example #57
File: views.py Project: mapr/hue
def has_write_access(user):
  """Return whether *user* is an admin or holds the "write" permission on the first app in DJANGO_APPS."""
  return (
    is_admin(user)
    or user.has_hue_permission(action="write", app=DJANGO_APPS[0])
  )