def serve_404_error(request, *args, **kwargs):
"""Registered handler for 404. We just return a simple error"""
access_warn(request, "404 not found")
return render_to_response("404.html", dict(uri=request.build_absolute_uri()))
return HttpResponse(
"Page not found. You are trying to access %s" % (request.build_absolute_uri(),), content_type="text/plain"
)
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
login_errors = False
is_first_login_ever = first_login_ever()
if request.method == 'POST':
form = django.contrib.auth.forms.AuthenticationForm(data=request.POST)
if form.is_valid():
login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever:
ensure_home_directory(request.fs, request.POST.get('username'))
access_warn(request, '"%s" login ok' % (request.user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
login_errors = True
else:
form = django.contrib.auth.forms.AuthenticationForm()
request.session.set_test_cookie()
return render('login.mako', request, {
'action': urlresolvers.reverse('desktop.auth.views.dt_login'),
'form': form,
'next': redirect_to,
'first_login_ever': is_first_login_ever,
'login_errors': login_errors,
})
def kill_job(request, job):
if request.method != "POST":
raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % dict(method=request.method))
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") %
dict(username=request.user.username, user=job.user))
job.kill()
cur_time = time.time()
while time.time() - cur_time < 15:
job = Job.from_id(jt=request.jt, jobid=job.jobId)
if job.status not in ["RUNNING", "QUEUED"]:
if request.REQUEST.get("next"):
return HttpResponseRedirect(request.REQUEST.get("next"))
elif request.REQUEST.get("format") == "json":
return HttpResponse(encode_json_for_js({'status': 0}), mimetype="application/json")
else:
raise MessageException("Job Killed")
time.sleep(1)
job = Job.from_id(jt=request.jt, jobid=job.jobId)
raise Exception(_("Job did not appear as killed within 15 seconds."))
def dt_login(request):
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_names = get_backend_names()
is_active_directory = 'LdapBackend' in backend_names and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) )
if is_active_directory:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == 'POST':
request.audit = {
'operation': 'USER_LOGIN',
'username': request.POST.get('username')
}
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever or 'AllowAllBackend' in backend_names or 'LdapBackend' in backend_names:
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'), exc_info=e)
request.error(_('Could not create home directory.'))
if require_change_password(userprofile):
return HttpResponseRedirect(urlresolvers.reverse('useradmin.views.edit_user', kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.save()
msg = 'Successful login for user: %s' % user.username
request.audit['operationText'] = msg
access_warn(request, msg)
return HttpResponseRedirect(redirect_to)
else:
request.audit['allowed'] = False
msg = 'Failed login for user: %s' % request.POST.get('username')
request.audit['operationText'] = msg
access_warn(request, msg)
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
if request.method == 'POST':
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever:
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'), exc_info=e)
request.error(_('Could not create home directory.'))
access_warn(request, '"%s" login ok' % (user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
def check_request_permission(self, request):
"""Raise PopupException if request user doesn't have permission to modify workflow"""
if not request.user.is_superuser and request.user.username != self.user:
access_warn(request, _('Insufficient permission'))
raise PopupException(
_("Permission denied. User %(username)s cannot modify user %(user)s's job."
) % dict(username=request.user.username, user=self.user))
def kill_job(request, job):
if request.method != "POST":
raise Exception(
_("kill_job may only be invoked with a POST (got a %(method)s).") %
dict(method=request.method))
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(
_("Permission denied. User %(username)s cannot delete user %(user)s's job."
) % dict(username=request.user.username, user=job.user))
job.kill()
cur_time = time.time()
while time.time() - cur_time < 15:
job = Job.from_id(jt=request.jt, jobid=job.jobId)
if job.status not in ["RUNNING", "QUEUED"]:
if request.REQUEST.get("next"):
return HttpResponseRedirect(request.REQUEST.get("next"))
else:
raise MessageException("Job Killed")
time.sleep(1)
job = Job.from_id(jt=request.jt, jobid=job.jobId)
raise Exception(_("Job did not appear as killed within 15 seconds"))
def kill_job(request, job):
if request.method != "POST":
raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method})
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % {'username': request.user.username, 'user': job.user})
job.kill()
cur_time = time.time()
api = get_api(request.user, request.jt)
while time.time() - cur_time < 15:
job = api.get_job(jobid=job.jobId)
if job.status not in ["RUNNING", "QUEUED"]:
if request.REQUEST.get("next"):
return HttpResponseRedirect(request.REQUEST.get("next"))
elif request.REQUEST.get("format") == "json":
return JsonResponse({'status': 0}, encoder=JSONEncoderForHTML)
else:
raise MessageException("Job Killed")
time.sleep(1)
raise Exception(_("Job did not appear as killed within 15 seconds."))
def _check_permission(request, owner_name, error_msg, allow_root=False):
"""Raise PopupException if user doesn't have permission to modify the design"""
if request.user.username != owner_name:
if allow_root and request.user.is_superuser:
return
access_warn(request, error_msg)
raise PopupException(_("Permission denied. You are not the owner."))
def check_request_permission(self, request):
"""Raise PopupException if request user doesn't have permission to modify workflow"""
if not request.user.is_superuser and request.user.username != self.user:
access_warn(request, _('Insufficient permission.'))
raise PopupException(
_("Permission denied. User %(username)s cannot modify user %(user)s's job."
) % dict(username=request.user.username, user=self.user))
def kill_job(request, jobid):
"""
We get here from /jobs/jobid/kill
"""
if request.method != "POST":
raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s)") % dict(method=request.method))
job = Job.from_id(jt=request.jt, jobid=jobid)
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") %
dict(username=request.user.username, user=job.user))
job.kill()
cur_time = time.time()
while time.time() - cur_time < 15:
job = Job.from_id(jt=request.jt, jobid=jobid)
if job.status not in ["RUNNING", "QUEUED"]:
if request.REQUEST.get("next"):
return HttpResponseRedirect(request.REQUEST.get("next"))
else:
raise MessageException("Job Killed")
time.sleep(1)
job = Job.from_id(jt=request.jt, jobid=jobid)
raise Exception(_("Job did not appear as killed within 15 seconds"))
def _check_permission(request, owner_name, error_msg, allow_root=False):
"""Raise PopupException if user doesn't have permission to modify the design"""
if request.user.username != owner_name:
if allow_root and request.user.is_superuser:
return
access_warn(request, error_msg)
raise PopupException(_("Permission denied. You are not the owner."))
def csrf_failure(request, reason=None):
"""Registered handler for CSRF."""
access_warn(request, reason)
return render("403_csrf.mako",
request,
dict(uri=request.build_absolute_uri()),
status=403)
def serve_404_error(request, *args, **kwargs):
"""Registered handler for 404. We just return a simple error"""
access_warn(request, "404 not found")
return render("404.mako",
request,
dict(uri=request.build_absolute_uri()),
status=404)
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
login_errors = False
if request.method == 'POST':
form = django.contrib.auth.forms.AuthenticationForm(data=request.POST)
if form.is_valid():
login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
access_warn(request, '"%s" login ok' % (request.user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
login_errors = True
else:
form = django.contrib.auth.forms.AuthenticationForm()
request.session.set_test_cookie()
backends = get_backends()
first_login_ever = False
for be in backends:
if isinstance(be, AllowFirstUserDjangoBackend) and be.is_first_login_ever():
first_login_ever = True
return render('login.mako', request, {
'action': urlresolvers.reverse('desktop.auth.views.dt_login'),
'form': form,
'next': redirect_to,
'first_login_ever': first_login_ever,
'login_errors': login_errors,
})
def kill_job(request, job):
if request.method != "POST":
raise Exception(
_("kill_job may only be invoked with a POST (got a %(method)s).") %
{'method': request.method})
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(
_("Permission denied. User %(username)s cannot delete user %(user)s's job."
) % {
'username': request.user.username,
'user': job.user
})
job.kill()
cur_time = time.time()
api = get_api(request.user, request.jt)
while time.time() - cur_time < 15:
job = api.get_job(jobid=job.jobId)
if job.status not in ["RUNNING", "QUEUED"]:
if request.REQUEST.get("next"):
return HttpResponseRedirect(request.REQUEST.get("next"))
elif request.REQUEST.get("format") == "json":
return JsonResponse({'status': 0}, encoder=JSONEncoderForHTML)
else:
raise MessageException("Job Killed")
time.sleep(1)
raise Exception(_("Job did not appear as killed within 15 seconds."))
def dt_login(request):
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_names = get_backend_names()
is_active_directory = 'LdapBackend' in backend_names and (bool(
LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()))
if is_active_directory:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == 'POST':
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(
data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever or 'AllowAllBackend' in backend_names or 'LdapBackend' in backend_names:
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'),
exc_info=e)
request.error(_('Could not create home directory.'))
if require_change_password(userprofile):
return HttpResponseRedirect(
urlresolvers.reverse(
'useradmin.views.edit_user',
kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.save()
access_warn(request, '"%s" login ok' % (user.username, ))
return HttpResponseRedirect(redirect_to)
else:
access_warn(
request, 'Failed login for user "%s"' %
(request.POST.get('username'), ))
def oidc_failed(request):
if request.user.is_authenticated():
return HttpResponseRedirect('/')
access_warn(request, "401 Unauthorized by oidc")
return render("oidc_failed.mako",
request,
dict(uri=request.build_absolute_uri()),
status=401)
def login_ajax(request):
username = request.POST.get("username")
user = authenticate(username=username, password=request.POST.get("password"))
if user:
access_warn(request, '"%s" login ok' % (user.username,))
login(request, user)
return render_json(dict(success=True))
else:
access_warn(request, 'Failed login for user "%s"' % (username,))
return render_json(dict(success=False))
def login_ajax(request):
username = request.POST.get('username')
user = authenticate(username=username,
password=request.POST.get('password'))
if user:
access_warn(request, '"%s" login ok' % (user.username, ))
login(request, user)
return render_json(dict(success=True))
else:
access_warn(request, 'Failed login for user "%s"' % (username, ))
return render_json(dict(success=False))
def kill_job(request, job):
if request.method != "POST":
raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method})
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % {'username': request.user.username, 'user': job.user})
try:
job.kill()
except Exception, e:
LOGGER.exception('Killing job')
raise PopupException(e)
def kill_job(request, job):
if request.method != "POST":
raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method})
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, _('Insufficient permission'))
raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % {'username': request.user.username, 'user': job.user})
try:
job.kill()
except Exception, e:
LOG.exception('Killing job')
raise PopupException(e)
def login_ajax(request):
username = request.POST.get('username')
user = authenticate(username=username,
password=request.POST.get('password'))
if user:
access_warn(request, '"%s" login ok' % (user.username,))
login(request, user)
_add_to_current_users(user, AccessInfo(request))
return render_json(dict(success=True))
else:
access_warn(request, 'Failed login for user "%s"' % (username,))
return render_json(dict(success=False))
def dt_login(request):
reload_config()
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_name = get_backend_name()
is_active_directory = backend_name == 'LdapBackend' and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) )
if is_active_directory:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
AuthenticationForm = auth_forms.AuthenticationForm
if SINGLE_USER_MODE or request.method == 'POST':
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
if not SINGLE_USER_MODE:
auth_form = AuthenticationForm(data=request.POST)
if SINGLE_USER_MODE or auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
if not SINGLE_USER_MODE:
user = auth_form.get_user()
else:
user = authenticate(username=SINGLE_USER_MODE['user'],
password=SINGLE_USER_MODE['pass'])
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever or backend_name in ('AllowAllBackend', 'LdapBackend'):
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'), exc_info=e)
request.error(_('Could not create home directory.'))
access_warn(request, '"%s" login ok' % (user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_name = get_backend_name()
if request.method == 'POST':
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(
data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever or backend_name in ('AllowAllBackend',
'LdapBackend'):
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'),
exc_info=e)
request.error(_('Could not create home directory.'))
access_warn(request, '"%s" login ok' % (user.username, ))
return HttpResponseRedirect(redirect_to)
else:
access_warn(
request, 'Failed login for user "%s"' %
(request.POST.get('username'), ))
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
if request.method == 'POST':
form = django.contrib.auth.forms.AuthenticationForm(data=request.POST)
if form.is_valid():
login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
access_warn(request, '"%s" login ok' % (request.user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
else:
form = django.contrib.auth.forms.AuthenticationForm()
request.session.set_test_cookie()
return render('login.mako', request, {
'action': urlresolvers.reverse('desktop.auth.views.dt_login'),
'form': form,
'next': redirect_to,
})
def delete_design(request, id):
"""
Design deletion.
The url provides the id, but we require a POST
for deletion to indicate that it's an "action".
"""
try:
jd = JobDesign.objects.get(pk=id)
except JobDesign.DoesNotExist:
return HttpResponse("Design not found.")
if jd.owner != request.user:
access_warn(request, 'Insufficient permission')
raise MessageException("Permission Denied. You are not the owner of this JobDesign.")
if request.method == 'POST':
jd.delete()
return list_designs(request)
else:
return render("confirm.html", request, dict(url=request.path, title="Delete job design?"))
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get("next", "/")
if request.method == "POST":
form = django.contrib.auth.forms.AuthenticationForm(data=request.POST)
if form.is_valid():
login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
access_warn(request, '"%s" login ok' % (request.user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get("username"),))
else:
form = django.contrib.auth.forms.AuthenticationForm()
request.session.set_test_cookie()
return render(
"login.mako",
request,
{"action": urlresolvers.reverse("desktop.auth.views.dt_login"), "form": form, "next": redirect_to},
)
def kill_job(request, jobid):
"""
We get here from /jobs/jobid/kill
"""
if request.method != "POST":
raise Exception("kill_job may only be invoked with a POST (got a %s)" % request.method)
job = Job.from_id(jt=request.jt, jobid=jobid)
if job.user != request.user.username and not request.user.is_superuser:
access_warn(request, 'Insufficient permission')
raise MessageException("Permission denied. User %s cannot delete user %s's job." %
(request.user.username, job.profile.user))
job.kill()
cur_time = time.time()
while time.time() - cur_time < 15:
job = Job.from_id(jt=request.jt, jobid=jobid)
if job.status not in ["RUNNING", "QUEUED"]:
return render_json({})
time.sleep(1)
job = Job.from_id(jt=request.jt, jobid=jobid)
raise Exception("Job did not appear as killed within 15 seconds")
def delete_design(request, id):
"""
Design deletion.
The url provides the id, but we require a POST
for deletion to indicate that it's an "action".
"""
try:
jd = JobDesign.objects.get(pk=id)
except JobDesign.DoesNotExist:
return HttpResponse("Design not found.")
if jd.owner != request.user:
access_warn(request, 'Insufficient permission')
raise MessageException(
"Permission Denied. You are not the owner of this JobDesign.")
if request.method == 'POST':
jd.delete()
return list_designs(request)
else:
return render("confirm.html", request,
dict(url=request.path, title="Delete job design?"))
def check_job_access_permission(request, job_id, **kwargs):
"""
Decorator ensuring that the user has access to the job submitted to Oozie.
Arg: Oozie 'workflow', 'coordinator' or 'bundle' ID.
Return: the Oozie workflow, coordinator or bundle or raise an exception
Notice: its gets an id in input and returns the full object in output (not an id).
"""
if job_id is not None:
oozie_api = get_oozie(request.user)
if job_id.endswith('W'):
get_job = oozie_api.get_job
elif job_id.endswith('C'):
get_job = oozie_api.get_coordinator
else:
get_job = oozie_api.get_bundle
try:
if job_id.endswith('C'):
oozie_job = get_job(job_id, **kwargs)
else:
oozie_job = get_job(job_id)
except RestException as ex:
msg = _("Error accessing Oozie job %s.") % (job_id,)
LOG.exception(msg)
raise PopupException(msg, detail=ex._headers.get('oozie-error-message'))
if is_admin(request.user) \
or oozie_job.user == request.user.username \
or has_dashboard_jobs_access(request.user):
return oozie_job
else:
message = _("Permission denied. %(username)s does not have the permissions to access job %(id)s.") % \
{'username': request.user.username, 'id': oozie_job.id}
access_warn(request, message)
raise PopupException(message)
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
login_errors = False
is_first_login_ever = first_login_ever()
if request.method == 'POST':
form = django.contrib.auth.forms.AuthenticationForm(data=request.POST)
if form.is_valid():
login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever:
try:
ensure_home_directory(request.fs, request.POST.get('username'))
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'), exc_info=e)
request.error(_('Could not create home directory.'))
access_warn(request, '"%s" login ok' % (request.user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
login_errors = True
def serve_404_error(request, *args, **kwargs):
"""Registered handler for 404. We just return a simple error"""
access_warn(request, "404 not found")
return render_to_response("404.html", dict(uri=request.build_absolute_uri()))
get_job = get_oozie().get_bundle
try:
oozie_job = get_job(job_id)
except RestException, ex:
raise PopupException(_("Error accessing Oozie job %s.") % (job_id,),
detail=ex._headers['oozie-error-message'])
if request.user.is_superuser \
or oozie_job.user == request.user.username \
or has_dashboard_jobs_access(request.user):
return oozie_job
else:
message = _("Permission denied. %(username)s don't have the permissions to access job %(id)s.") % \
{'username': request.user.username, 'id': oozie_job.id}
access_warn(request, message)
raise PopupException(message)
def check_job_edition_permission(oozie_job, user):
if has_job_edition_permission(oozie_job, user):
return oozie_job
else:
message = _("Permission denied. %(username)s don't have the permissions to modify job %(id)s.") % \
{'username': user.username, 'id': oozie_job.id}
raise PopupException(message)
def has_job_edition_permission(oozie_job, user):
return user.is_superuser or oozie_job.user == user.username
def serve_404_error(request, *args, **kwargs):
"""Registered handler for 404. We just return a simple error"""
access_warn(request, "404 not found")
return render("404.mako", request, dict(uri=request.build_absolute_uri()), status=404)
def dt_login(request, from_modal=False):
redirect_to = request.GET.get('next', '/')
is_first_login_ever = first_login_ever()
backend_names = auth_forms.get_backend_names()
is_active_directory = auth_forms.is_active_directory()
is_ldap_option_selected = 'server' not in request.POST or request.POST.get('server') == 'LDAP' \
or request.POST.get('server') in auth_forms.get_ldap_server_keys()
if is_active_directory and is_ldap_option_selected:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
if 'ImpersonationBackend' in backend_names:
AuthenticationForm = ImpersonationAuthenticationForm
else:
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == 'POST':
request.audit = {
'operation': 'USER_LOGIN',
'username': request.POST.get('username')
}
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(
data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm. It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
try:
ensure_home_directory(request.fs, user)
except (IOError, WebHdfsException), e:
LOG.error(
'Could not create home directory at login for %s.' %
user,
exc_info=e)
if require_change_password(userprofile):
return HttpResponseRedirect(
urlresolvers.reverse(
'useradmin.views.edit_user',
kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.last_activity = datetime.now()
userprofile.save()
msg = 'Successful login for user: %s' % user.username
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.GET.get('fromModal',
'false') == 'true':
return JsonResponse({'auth': True})
else:
return HttpResponseRedirect(redirect_to)
else:
request.audit['allowed'] = False
msg = 'Failed login for user: %s' % request.POST.get(
'username')
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.GET.get('fromModal',
'false') == 'true':
return JsonResponse({'auth': False})
def edit_design(request,
id=None,
type=None,
force_get=False,
clone_design=None):
"""
Edits a job submission.
This method has high-ish cyclomatic complexity, in large part,
because, when handling web forms, validation errors
on submit receive very similar treatment to a request
for the form itself.
This method does double-duty for "new" as well.
"""
assert id or type
message = request.GET.get("message")
if type:
new = True
jd = JobDesign()
form_type = interface.registry.get(type)
edit_url = urlresolvers.reverse("jobsub.new", kwargs=dict(type=type))
if form_type is None:
raise MessageException("Type %s does not exist." % repr(type))
else:
new = False
jd = JobDesign.objects.get(pk=id)
edit_url = jd.edit_url()
form_type = interface.registry.get(jd.type)
if form_type is None:
raise MessageException("Could not find form type for %s." %
str(jd))
if jd.owner != request.user:
access_warn(request, 'Insufficient permission')
raise MessageException(
"Permission Denied. You are not the owner of this JobDesign. "
"You may copy the design instead.")
if not force_get and request.method == 'POST':
metadata_form = MetadataForm(request.POST)
form = form_type()
if metadata_form.is_valid() and form.is_valid_edit(request.POST):
message = _save_design(request, jd, metadata_form, form)
if request.POST.get("save_submit") == "on":
return submit_design(request, jd.id, force_get=True)
else:
return list_designs(request, saved=jd.id)
else:
if new:
metadata_form = MetadataForm()
if clone_design:
form = form_type(string_repr=clone_design.data)
metadata_form.initial[
"name"] = "Copy of %s" % clone_design.name
metadata_form.initial["description"] = clone_design.description
else:
form = form_type()
else:
form = form_type(string_repr=jd.data)
metadata_form = MetadataForm(
dict(name=jd.name, description=jd.description))
# Present edit form for failed POST requests and edits.
newlinks = [(type,
urlresolvers.reverse("jobsub.new", kwargs=dict(type=type)))
for type in interface.registry]
request.path = edit_url
return render(
"edit.html", request, {
'newlinks': newlinks,
'metadata_form': metadata_form,
'form': form,
'edit_url': edit_url,
'message': message
})
def csrf_failure(request, reason=None):
"""Registered handler for CSRF."""
access_warn(request, reason)
return render("403_csrf.mako", request, dict(uri=request.build_absolute_uri()), status=403)
oozie_job = get_job(job_id, **kwargs)
else:
oozie_job = get_job(job_id)
except RestException, ex:
msg = _("Error accessing Oozie job %s.") % (job_id,)
LOG.exception(msg)
raise PopupException(msg, detail=ex._headers.get('oozie-error-message'))
if is_admin(request.user) \
or oozie_job.user == request.user.username \
or has_dashboard_jobs_access(request.user):
return oozie_job
else:
message = _("Permission denied. %(username)s does not have the permissions to access job %(id)s.") % \
{'username': request.user.username, 'id': oozie_job.id}
access_warn(request, message)
raise PopupException(message)
def check_job_edition_permission(oozie_job, user):
if has_job_edition_permission(oozie_job, user):
return oozie_job
else:
message = _("Permission denied. %(username)s does not have the permissions to modify job %(id)s.") % \
{'username': user.username, 'id': oozie_job.id}
raise PopupException(message)
def has_job_edition_permission(oozie_job, user):
return is_admin(user) or oozie_job.user == user.username or (oozie_job.group and user.groups.filter(name__in=oozie_job.group.split(",")).exists()) or (oozie_job.acl and user.username in oozie_job.acl.split(','))
def process_request(self, request):
"""
The process_request() method needs to communicate some state to the
process_response() method. The two options for this are to return an
HttpResponse object or to modify the META headers in the request object. In
order to ensure that all of the middleware is properly invoked, this code
currently uses the later approach. The following headers are currently used:
GSS-String:
This means that GSS authentication was successful and that we need to pass
this value for the WWW-Authenticate header in the response.
Return-401:
This means that the SPNEGO backend is in use, but we didn't get an
AUTHORIZATION header from the client. The way that the protocol works
(http://tools.ietf.org/html/rfc4559) is by having the first response to an
un-authenticated request be a 401 with the WWW-Authenticate header set to
Negotiate. This will cause the browser to re-try the request with the
AUTHORIZATION header set.
"""
view_func = resolve(request.path)[0]
if view_func in DJANGO_VIEW_AUTH_WHITELIST:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise exceptions.ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the SpnegoUserMiddleware class.")
if 'HTTP_AUTHORIZATION' in request.META:
type, authstr = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
if type == 'Negotiate':
try:
result, context = kerberos.authGSSServerInit('HTTP')
if result != 1:
return
gssstring = ''
r = kerberos.authGSSServerStep(context, authstr)
if r == 1:
gssstring = kerberos.authGSSServerResponse(context)
request.META['GSS-String'] = 'Negotiate %s' % gssstring
else:
kerberos.authGSSServerClean(context)
return
username = kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
# In Trusted knox proxy, Hue must expect following:
# Trusted knox user: KNOX_PRINCIPAL
# Trusted knox proxy host: KNOX_PROXYHOSTS
if 'desktop.auth.backend.KnoxSpnegoDjangoBackend' in AUTH.BACKEND.get(
):
knox_verification = False
principals = self.clean_principal(
KNOX.KNOX_PRINCIPAL.get())
principal = self.clean_principal(username)
if principal.intersection(principals):
# This may contain chain of reverse proxies, e.g. knox proxy, hue load balancer
# Compare hostname on both HTTP_X_FORWARDED_HOST & KNOX_PROXYHOSTS.
# Both of these can be configured to use either hostname or IPs and we have to normalize to one or the other
req_hosts = self.clean_host(
request.META['HTTP_X_FORWARDED_HOST'])
knox_proxy = self.clean_host(
KNOX.KNOX_PROXYHOSTS.get())
if req_hosts.intersection(knox_proxy):
knox_verification = True
else:
access_warn(
request,
'Failed to verify provided host %s with %s '
% (req_hosts, knox_proxy))
else:
access_warn(
request,
'Failed to verify provided username %s with %s '
% (principal, principals))
# If knox authentication failed then generate 401 (Unauthorized error)
if not knox_verification:
request.META['Return-401'] = ''
return
if request.user.is_authenticated:
if request.user.username == self.clean_username(
username, request):
return
user = authenticate(username=username, request=request)
if user:
request.user = user
login(request, user)
msg = 'Successful login for user: %s' % request.user.username
else:
msg = 'Failed login for user: %s' % request.user.username
request.audit = {
'operation': 'USER_LOGIN',
'username': request.user.username,
'operationText': msg
}
access_warn(request, msg)
return
except:
LOG.exception(
'Unexpected error when authenticating against KDC')
return
else:
request.META['Return-401'] = ''
return
else:
if not request.user.is_authenticated:
request.META['Return-401'] = ''
return
def dt_login(request, from_modal=False):
redirect_to = request.REQUEST.get("next", "/")
is_first_login_ever = first_login_ever()
backend_names = get_backend_names()
is_active_directory = "LdapBackend" in backend_names and (
bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get())
)
if is_active_directory:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == "POST":
request.audit = {"operation": "USER_LOGIN", "username": request.POST.get("username")}
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if is_first_login_ever or "AllowAllBackend" in backend_names or "LdapBackend" in backend_names:
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_("Could not create home directory."), exc_info=e)
request.error(_("Could not create home directory."))
if require_change_password(userprofile):
return HttpResponseRedirect(
urlresolvers.reverse("useradmin.views.edit_user", kwargs={"username": user.username})
)
userprofile.first_login = False
userprofile.last_activity = datetime.now()
userprofile.save()
msg = "Successful login for user: %s" % user.username
request.audit["operationText"] = msg
access_warn(request, msg)
if from_modal or request.REQUEST.get("fromModal", "false") == "true":
return JsonResponse({"auth": True})
else:
return HttpResponseRedirect(redirect_to)
else:
request.audit["allowed"] = False
msg = "Failed login for user: %s" % request.POST.get("username")
request.audit["operationText"] = msg
access_warn(request, msg)
if from_modal or request.REQUEST.get("fromModal", "false") == "true":
return JsonResponse({"auth": False})
def dt_login(request, from_modal=False):
if request.method == 'GET':
redirect_to = request.GET.get('next', '/')
else:
redirect_to = request.POST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_names = auth_forms.get_backend_names()
is_active_directory = auth_forms.is_active_directory()
is_ldap_option_selected = 'server' not in request.POST or request.POST.get('server') == 'LDAP' \
or request.POST.get('server') in auth_forms.get_ldap_server_keys()
if is_active_directory and is_ldap_option_selected:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
if 'ImpersonationBackend' in backend_names:
AuthenticationForm = ImpersonationAuthenticationForm
else:
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == 'POST':
request.audit = {
'operation': 'USER_LOGIN',
'username': request.POST.get('username')
}
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm. It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
try:
ensure_home_directory(request.fs, user)
except (IOError, WebHdfsException), e:
LOG.error('Could not create home directory at login for %s.' % user, exc_info=e)
if require_change_password(userprofile):
return HttpResponseRedirect(urlresolvers.reverse('useradmin.views.edit_user', kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.last_activity = datetime.now()
# This is to fix a bug in Hue 4.3
if userprofile.creation_method == UserProfile.CreationMethod.EXTERNAL:
userprofile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
userprofile.save()
msg = 'Successful login for user: %s' % user.username
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.GET.get('fromModal', 'false') == 'true':
return JsonResponse({'auth': True})
else:
return HttpResponseRedirect(redirect_to)
else:
request.audit['allowed'] = False
msg = 'Failed login for user: %s' % request.POST.get('username')
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.GET.get('fromModal', 'false') == 'true':
return JsonResponse({'auth': False})
def dt_login(request, from_modal=False):
if request.method == 'GET':
redirect_to = request.GET.get('next', '/')
else:
redirect_to = request.POST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_names = auth_forms.get_backend_names()
is_active_directory = auth_forms.is_active_directory()
is_ldap_option_selected = 'server' not in request.POST or request.POST.get('server') == 'LDAP' or \
request.POST.get('server') in auth_forms.get_ldap_server_keys()
if is_active_directory and is_ldap_option_selected:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
if 'ImpersonationBackend' in backend_names:
AuthenticationForm = ImpersonationAuthenticationForm
else:
AuthenticationForm = auth_forms.AuthenticationForm
if ENABLE_ORGANIZATIONS.get():
UserCreationForm = OrganizationUserCreationForm
AuthenticationForm = OrganizationAuthenticationForm
if request.method == 'POST':
request.audit = {
'operation': 'USER_LOGIN',
'username': request.POST.get('username', request.POST.get('email'))
}
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm. It provides 'backend' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
# If Test cookie exists , it should be deleted
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
if request.fs is None:
request.fs = fsmanager.get_filesystem(request.fs_ref)
try:
ensure_home_directory(request.fs, user)
except (IOError, WebHdfsException) as e:
LOG.error('Could not create home directory at login for %s.' % user, exc_info=e)
if require_change_password(userprofile):
return HttpResponseRedirect('/hue' + reverse('useradmin:useradmin.views.edit_user', kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.last_activity = datetime.now()
if userprofile.creation_method == UserProfile.CreationMethod.EXTERNAL: # This is to fix a bug in Hue 4.3
userprofile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
userprofile.update_data({'auth_backend': user.backend})
userprofile.save()
msg = 'Successful login for user: %s' % user.username
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.GET.get('fromModal', 'false') == 'true':
return JsonResponse({'auth': True})
else:
return HttpResponseRedirect(redirect_to)
else:
request.audit['allowed'] = False
msg = 'Failed login for user: %s' % request.POST.get('username', request.POST.get('email'))
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.GET.get('fromModal', 'false') == 'true':
return JsonResponse({'auth': False})
else:
first_user_form = None
auth_form = AuthenticationForm()
# SAML/OIDC user is already authenticated in djangosaml2.views.login
if hasattr(request, 'fs') and (
'KnoxSpnegoDjangoBackend' in backend_names or 'SpnegoDjangoBackend' in backend_names or 'OIDCBackend' in backend_names or
'SAML2Backend' in backend_names
) and request.user.is_authenticated:
if request.fs is None:
request.fs = fsmanager.get_filesystem(request.fs_ref)
try:
ensure_home_directory(request.fs, request.user)
except (IOError, WebHdfsException) as e:
LOG.error('Could not create home directory for %s user %s.' % ('OIDC' if 'OIDCBackend' in backend_names else 'SAML', request.user))
if request.user.is_authenticated and not from_modal:
return HttpResponseRedirect(redirect_to)
if is_active_directory and not is_ldap_option_selected and \
request.method == 'POST' and request.user.username != request.POST.get('username'):
# local user login failed, give the right auth_form with 'server' field
auth_form = auth_forms.LdapAuthenticationForm()
if not from_modal and SESSION.ENABLE_TEST_COOKIE.get() :
request.session.set_test_cookie()
if 'SAML2Backend' in backend_names:
request.session['samlgroup_permitted_flag'] = samlgroup_check(request)
renderable_path = 'login.mako'
if from_modal:
renderable_path = 'login_modal.mako'
response = render(renderable_path, request, {
'action': reverse('desktop_auth_views_dt_login'),
'form': first_user_form or auth_form,
'next': redirect_to,
'first_login_ever': is_first_login_ever,
'login_errors': request.method == 'POST',
'backend_names': backend_names,
'active_directory': is_active_directory,
'user': request.user
})
if not request.user.is_authenticated:
response.delete_cookie(LOAD_BALANCER_COOKIE) # Note: might be re-balanced to another Hue on login.
return response
def edit_design(request, id=None, type=None, force_get=False, clone_design=None):
"""
Edits a job submission.
This method has high-ish cyclomatic complexity, in large part,
because, when handling web forms, validation errors
on submit receive very similar treatment to a request
for the form itself.
This method does double-duty for "new" as well.
"""
assert id or type
message=request.GET.get("message")
if type:
new = True
jd = JobDesign()
form_type = interface.registry.get(type)
edit_url = urlresolvers.reverse("jobsub.new", kwargs=dict(type=type))
if form_type is None:
raise MessageException("Type %s does not exist." % repr(type))
else:
new = False
jd = JobDesign.objects.get(pk=id)
edit_url = jd.edit_url()
form_type = interface.registry.get(jd.type)
if form_type is None:
raise MessageException("Could not find form type for %s." % str(jd))
if jd.owner != request.user:
access_warn(request, 'Insufficient permission')
raise MessageException("Permission Denied. You are not the owner of this JobDesign. "
"You may copy the design instead.")
if not force_get and request.method == 'POST':
metadata_form = MetadataForm(request.POST)
form = form_type()
if metadata_form.is_valid() and form.is_valid_edit(request.POST):
message = _save_design(request, jd, metadata_form, form)
if request.POST.get("save_submit") == "on":
return submit_design(request, jd.id, force_get=True)
else:
return list_designs(request, saved=jd.id)
else:
if new:
metadata_form = MetadataForm()
if clone_design:
form = form_type(string_repr=clone_design.data)
metadata_form.initial["name"] = "Copy of %s" % clone_design.name
metadata_form.initial["description"] = clone_design.description
else:
form = form_type()
else:
form = form_type(string_repr=jd.data)
metadata_form = MetadataForm(dict(name=jd.name, description=jd.description))
# Present edit form for failed POST requests and edits.
newlinks = [ (type, urlresolvers.reverse("jobsub.new", kwargs=dict(type=type))) for type in interface.registry ]
request.path = edit_url
return render("edit.html", request, {
'newlinks': newlinks,
'metadata_form': metadata_form,
'form': form,
'edit_url': edit_url,
'message': message
})
def dt_login(request, from_modal=False):
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_names = get_backend_names()
is_active_directory = 'LdapBackend' in backend_names and (bool(
LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()))
if is_active_directory:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == 'POST':
request.audit = {
'operation': 'USER_LOGIN',
'username': request.POST.get('username')
}
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(
data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
auto_create_home_backends = [
'AllowAllBackend', 'LdapBackend', 'SpnegoDjangoBackend'
]
if is_first_login_ever or any(
backend in backend_names
for backend in auto_create_home_backends):
# Create home directory for first user.
try:
ensure_home_directory(request.fs, user.username)
except (IOError, WebHdfsException), e:
LOG.error(_('Could not create home directory.'),
exc_info=e)
request.error(_('Could not create home directory.'))
if require_change_password(userprofile):
return HttpResponseRedirect(
urlresolvers.reverse(
'useradmin.views.edit_user',
kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.last_activity = datetime.now()
userprofile.save()
msg = 'Successful login for user: %s' % user.username
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.REQUEST.get('fromModal',
'false') == 'true':
return JsonResponse({'auth': True})
else:
return HttpResponseRedirect(redirect_to)
else:
request.audit['allowed'] = False
msg = 'Failed login for user: %s' % request.POST.get(
'username')
request.audit['operationText'] = msg
access_warn(request, msg)
if from_modal or request.REQUEST.get('fromModal',
'false') == 'true':
return JsonResponse({'auth': False})
def dt_login(request):
redirect_to = request.REQUEST.get('next', '/')
is_first_login_ever = first_login_ever()
backend_name = get_backend_name()
is_active_directory = backend_name == 'LdapBackend' and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) )
if is_active_directory:
UserCreationForm = auth_forms.LdapUserCreationForm
AuthenticationForm = auth_forms.LdapAuthenticationForm
else:
UserCreationForm = auth_forms.UserCreationForm
AuthenticationForm = auth_forms.AuthenticationForm
if request.method == 'POST':
# For first login, need to validate user info!
first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None
first_user = first_user_form and first_user_form.is_valid()
if first_user or not is_first_login_ever:
auth_form = AuthenticationForm(data=request.POST)
if auth_form.is_valid():
# Must login by using the AuthenticationForm.
# It provides 'backends' on the User object.
user = auth_form.get_user()
userprofile = get_profile(user)
login(request, user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
# For Bluemix - don't try to create HDFS home directory because we're ignoring the identity of the Hue user
#if is_first_login_ever or backend_name in ('AllowAllBackend', 'LdapBackend'):
# # Create home directory for first user.
# try:
# ensure_home_directory(request.fs, user.username)
# except (IOError, WebHdfsException), e:
# LOG.error(_('Could not create home directory.'), exc_info=e)
# request.error(_('Could not create home directory.'))
if require_change_password(userprofile):
return HttpResponseRedirect(urlresolvers.reverse('useradmin.views.edit_user', kwargs={'username': user.username}))
userprofile.first_login = False
userprofile.save()
access_warn(request, '"%s" login ok' % (user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
else:
first_user_form = None
auth_form = AuthenticationForm()
if DEMO_ENABLED.get() and not 'admin' in request.REQUEST:
user = authenticate(username='', password='')
login(request, user)
ensure_home_directory(request.fs, user.username)
return HttpResponseRedirect(redirect_to)
request.session.set_test_cookie()
return render('login.mako', request, {
'action': urlresolvers.reverse('desktop.auth.views.dt_login'),
'form': first_user_form or auth_form,
'next': redirect_to,
'first_login_ever': is_first_login_ever,
'login_errors': request.method == 'POST',
'backend_name': backend_name,
'active_directory': is_active_directory
})
def oidc_failed(request):
if request.user.is_authenticated():
return HttpResponseRedirect('/')
access_warn(request, "401 Unauthorized by oidc")
return render("oidc_failed.mako", request, dict(uri=request.build_absolute_uri()), status=401)
