def serve_404_error(request, *args, **kwargs): """Registered handler for 404. We just return a simple error""" access_warn(request, "404 not found") return render_to_response("404.html", dict(uri=request.build_absolute_uri())) return HttpResponse( "Page not found. You are trying to access %s" % (request.build_absolute_uri(),), content_type="text/plain" )
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get('next', '/') login_errors = False is_first_login_ever = first_login_ever() if request.method == 'POST': form = django.contrib.auth.forms.AuthenticationForm(data=request.POST) if form.is_valid(): login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever: ensure_home_directory(request.fs, request.POST.get('username')) access_warn(request, '"%s" login ok' % (request.user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),)) login_errors = True else: form = django.contrib.auth.forms.AuthenticationForm() request.session.set_test_cookie() return render('login.mako', request, { 'action': urlresolvers.reverse('desktop.auth.views.dt_login'), 'form': form, 'next': redirect_to, 'first_login_ever': is_first_login_ever, 'login_errors': login_errors, })
def kill_job(request, job): if request.method != "POST": raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % dict(method=request.method)) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % dict(username=request.user.username, user=job.user)) job.kill() cur_time = time.time() while time.time() - cur_time < 15: job = Job.from_id(jt=request.jt, jobid=job.jobId) if job.status not in ["RUNNING", "QUEUED"]: if request.REQUEST.get("next"): return HttpResponseRedirect(request.REQUEST.get("next")) elif request.REQUEST.get("format") == "json": return HttpResponse(encode_json_for_js({'status': 0}), mimetype="application/json") else: raise MessageException("Job Killed") time.sleep(1) job = Job.from_id(jt=request.jt, jobid=job.jobId) raise Exception(_("Job did not appear as killed within 15 seconds."))
def dt_login(request): redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() backend_names = get_backend_names() is_active_directory = 'LdapBackend' in backend_names and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) ) if is_active_directory: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm AuthenticationForm = auth_forms.AuthenticationForm if request.method == 'POST': request.audit = { 'operation': 'USER_LOGIN', 'username': request.POST.get('username') } # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever or 'AllowAllBackend' in backend_names or 'LdapBackend' in backend_names: # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) if require_change_password(userprofile): return HttpResponseRedirect(urlresolvers.reverse('useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.save() msg = 'Successful login for user: %s' % user.username request.audit['operationText'] = msg access_warn(request, msg) return HttpResponseRedirect(redirect_to) else: request.audit['allowed'] = False msg = 'Failed login for user: %s' % request.POST.get('username') request.audit['operationText'] = msg access_warn(request, msg)
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() if request.method == 'POST': # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever: # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) access_warn(request, '"%s" login ok' % (user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
def check_request_permission(self, request): """Raise PopupException if request user doesn't have permission to modify workflow""" if not request.user.is_superuser and request.user.username != self.user: access_warn(request, _('Insufficient permission')) raise PopupException( _("Permission denied. User %(username)s cannot modify user %(user)s's job." ) % dict(username=request.user.username, user=self.user))
def kill_job(request, job): if request.method != "POST": raise Exception( _("kill_job may only be invoked with a POST (got a %(method)s).") % dict(method=request.method)) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException( _("Permission denied. User %(username)s cannot delete user %(user)s's job." ) % dict(username=request.user.username, user=job.user)) job.kill() cur_time = time.time() while time.time() - cur_time < 15: job = Job.from_id(jt=request.jt, jobid=job.jobId) if job.status not in ["RUNNING", "QUEUED"]: if request.REQUEST.get("next"): return HttpResponseRedirect(request.REQUEST.get("next")) else: raise MessageException("Job Killed") time.sleep(1) job = Job.from_id(jt=request.jt, jobid=job.jobId) raise Exception(_("Job did not appear as killed within 15 seconds"))
def kill_job(request, job): if request.method != "POST": raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method}) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % {'username': request.user.username, 'user': job.user}) job.kill() cur_time = time.time() api = get_api(request.user, request.jt) while time.time() - cur_time < 15: job = api.get_job(jobid=job.jobId) if job.status not in ["RUNNING", "QUEUED"]: if request.REQUEST.get("next"): return HttpResponseRedirect(request.REQUEST.get("next")) elif request.REQUEST.get("format") == "json": return JsonResponse({'status': 0}, encoder=JSONEncoderForHTML) else: raise MessageException("Job Killed") time.sleep(1) raise Exception(_("Job did not appear as killed within 15 seconds."))
def _check_permission(request, owner_name, error_msg, allow_root=False): """Raise PopupException if user doesn't have permission to modify the design""" if request.user.username != owner_name: if allow_root and request.user.is_superuser: return access_warn(request, error_msg) raise PopupException(_("Permission denied. You are not the owner."))
def check_request_permission(self, request): """Raise PopupException if request user doesn't have permission to modify workflow""" if not request.user.is_superuser and request.user.username != self.user: access_warn(request, _('Insufficient permission.')) raise PopupException( _("Permission denied. User %(username)s cannot modify user %(user)s's job." ) % dict(username=request.user.username, user=self.user))
def kill_job(request, jobid): """ We get here from /jobs/jobid/kill """ if request.method != "POST": raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s)") % dict(method=request.method)) job = Job.from_id(jt=request.jt, jobid=jobid) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % dict(username=request.user.username, user=job.user)) job.kill() cur_time = time.time() while time.time() - cur_time < 15: job = Job.from_id(jt=request.jt, jobid=jobid) if job.status not in ["RUNNING", "QUEUED"]: if request.REQUEST.get("next"): return HttpResponseRedirect(request.REQUEST.get("next")) else: raise MessageException("Job Killed") time.sleep(1) job = Job.from_id(jt=request.jt, jobid=jobid) raise Exception(_("Job did not appear as killed within 15 seconds"))
def csrf_failure(request, reason=None): """Registered handler for CSRF.""" access_warn(request, reason) return render("403_csrf.mako", request, dict(uri=request.build_absolute_uri()), status=403)
def serve_404_error(request, *args, **kwargs): """Registered handler for 404. We just return a simple error""" access_warn(request, "404 not found") return render("404.mako", request, dict(uri=request.build_absolute_uri()), status=404)
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get('next', '/') login_errors = False if request.method == 'POST': form = django.contrib.auth.forms.AuthenticationForm(data=request.POST) if form.is_valid(): login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() access_warn(request, '"%s" login ok' % (request.user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),)) login_errors = True else: form = django.contrib.auth.forms.AuthenticationForm() request.session.set_test_cookie() backends = get_backends() first_login_ever = False for be in backends: if isinstance(be, AllowFirstUserDjangoBackend) and be.is_first_login_ever(): first_login_ever = True return render('login.mako', request, { 'action': urlresolvers.reverse('desktop.auth.views.dt_login'), 'form': form, 'next': redirect_to, 'first_login_ever': first_login_ever, 'login_errors': login_errors, })
def kill_job(request, job): if request.method != "POST": raise Exception( _("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method}) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException( _("Permission denied. User %(username)s cannot delete user %(user)s's job." ) % { 'username': request.user.username, 'user': job.user }) job.kill() cur_time = time.time() api = get_api(request.user, request.jt) while time.time() - cur_time < 15: job = api.get_job(jobid=job.jobId) if job.status not in ["RUNNING", "QUEUED"]: if request.REQUEST.get("next"): return HttpResponseRedirect(request.REQUEST.get("next")) elif request.REQUEST.get("format") == "json": return JsonResponse({'status': 0}, encoder=JSONEncoderForHTML) else: raise MessageException("Job Killed") time.sleep(1) raise Exception(_("Job did not appear as killed within 15 seconds."))
def dt_login(request): redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() backend_names = get_backend_names() is_active_directory = 'LdapBackend' in backend_names and (bool( LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get())) if is_active_directory: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm AuthenticationForm = auth_forms.AuthenticationForm if request.method == 'POST': # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm( data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever or 'AllowAllBackend' in backend_names or 'LdapBackend' in backend_names: # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) if require_change_password(userprofile): return HttpResponseRedirect( urlresolvers.reverse( 'useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.save() access_warn(request, '"%s" login ok' % (user.username, )) return HttpResponseRedirect(redirect_to) else: access_warn( request, 'Failed login for user "%s"' % (request.POST.get('username'), ))
def oidc_failed(request): if request.user.is_authenticated(): return HttpResponseRedirect('/') access_warn(request, "401 Unauthorized by oidc") return render("oidc_failed.mako", request, dict(uri=request.build_absolute_uri()), status=401)
def login_ajax(request): username = request.POST.get("username") user = authenticate(username=username, password=request.POST.get("password")) if user: access_warn(request, '"%s" login ok' % (user.username,)) login(request, user) return render_json(dict(success=True)) else: access_warn(request, 'Failed login for user "%s"' % (username,)) return render_json(dict(success=False))
def login_ajax(request): username = request.POST.get('username') user = authenticate(username=username, password=request.POST.get('password')) if user: access_warn(request, '"%s" login ok' % (user.username, )) login(request, user) return render_json(dict(success=True)) else: access_warn(request, 'Failed login for user "%s"' % (username, )) return render_json(dict(success=False))
def kill_job(request, job): if request.method != "POST": raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method}) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % {'username': request.user.username, 'user': job.user}) try: job.kill() except Exception, e: LOGGER.exception('Killing job') raise PopupException(e)
def kill_job(request, job): if request.method != "POST": raise Exception(_("kill_job may only be invoked with a POST (got a %(method)s).") % {'method': request.method}) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, _('Insufficient permission')) raise MessageException(_("Permission denied. User %(username)s cannot delete user %(user)s's job.") % {'username': request.user.username, 'user': job.user}) try: job.kill() except Exception, e: LOG.exception('Killing job') raise PopupException(e)
def login_ajax(request): username = request.POST.get('username') user = authenticate(username=username, password=request.POST.get('password')) if user: access_warn(request, '"%s" login ok' % (user.username,)) login(request, user) _add_to_current_users(user, AccessInfo(request)) return render_json(dict(success=True)) else: access_warn(request, 'Failed login for user "%s"' % (username,)) return render_json(dict(success=False))
def dt_login(request): reload_config() redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() backend_name = get_backend_name() is_active_directory = backend_name == 'LdapBackend' and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) ) if is_active_directory: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm AuthenticationForm = auth_forms.AuthenticationForm if SINGLE_USER_MODE or request.method == 'POST': # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: if not SINGLE_USER_MODE: auth_form = AuthenticationForm(data=request.POST) if SINGLE_USER_MODE or auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. if not SINGLE_USER_MODE: user = auth_form.get_user() else: user = authenticate(username=SINGLE_USER_MODE['user'], password=SINGLE_USER_MODE['pass']) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever or backend_name in ('AllowAllBackend', 'LdapBackend'): # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) access_warn(request, '"%s" login ok' % (user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() backend_name = get_backend_name() if request.method == 'POST': # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm( data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever or backend_name in ('AllowAllBackend', 'LdapBackend'): # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) access_warn(request, '"%s" login ok' % (user.username, )) return HttpResponseRedirect(redirect_to) else: access_warn( request, 'Failed login for user "%s"' % (request.POST.get('username'), ))
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get('next', '/') if request.method == 'POST': form = django.contrib.auth.forms.AuthenticationForm(data=request.POST) if form.is_valid(): login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() access_warn(request, '"%s" login ok' % (request.user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),)) else: form = django.contrib.auth.forms.AuthenticationForm() request.session.set_test_cookie() return render('login.mako', request, { 'action': urlresolvers.reverse('desktop.auth.views.dt_login'), 'form': form, 'next': redirect_to, })
def delete_design(request, id): """ Design deletion. The url provides the id, but we require a POST for deletion to indicate that it's an "action". """ try: jd = JobDesign.objects.get(pk=id) except JobDesign.DoesNotExist: return HttpResponse("Design not found.") if jd.owner != request.user: access_warn(request, 'Insufficient permission') raise MessageException("Permission Denied. You are not the owner of this JobDesign.") if request.method == 'POST': jd.delete() return list_designs(request) else: return render("confirm.html", request, dict(url=request.path, title="Delete job design?"))
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get("next", "/") if request.method == "POST": form = django.contrib.auth.forms.AuthenticationForm(data=request.POST) if form.is_valid(): login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() access_warn(request, '"%s" login ok' % (request.user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get("username"),)) else: form = django.contrib.auth.forms.AuthenticationForm() request.session.set_test_cookie() return render( "login.mako", request, {"action": urlresolvers.reverse("desktop.auth.views.dt_login"), "form": form, "next": redirect_to}, )
def kill_job(request, jobid): """ We get here from /jobs/jobid/kill """ if request.method != "POST": raise Exception("kill_job may only be invoked with a POST (got a %s)" % request.method) job = Job.from_id(jt=request.jt, jobid=jobid) if job.user != request.user.username and not request.user.is_superuser: access_warn(request, 'Insufficient permission') raise MessageException("Permission denied. User %s cannot delete user %s's job." % (request.user.username, job.profile.user)) job.kill() cur_time = time.time() while time.time() - cur_time < 15: job = Job.from_id(jt=request.jt, jobid=jobid) if job.status not in ["RUNNING", "QUEUED"]: return render_json({}) time.sleep(1) job = Job.from_id(jt=request.jt, jobid=jobid) raise Exception("Job did not appear as killed within 15 seconds")
def delete_design(request, id): """ Design deletion. The url provides the id, but we require a POST for deletion to indicate that it's an "action". """ try: jd = JobDesign.objects.get(pk=id) except JobDesign.DoesNotExist: return HttpResponse("Design not found.") if jd.owner != request.user: access_warn(request, 'Insufficient permission') raise MessageException( "Permission Denied. You are not the owner of this JobDesign.") if request.method == 'POST': jd.delete() return list_designs(request) else: return render("confirm.html", request, dict(url=request.path, title="Delete job design?"))
def check_job_access_permission(request, job_id, **kwargs): """ Decorator ensuring that the user has access to the job submitted to Oozie. Arg: Oozie 'workflow', 'coordinator' or 'bundle' ID. Return: the Oozie workflow, coordinator or bundle or raise an exception Notice: its gets an id in input and returns the full object in output (not an id). """ if job_id is not None: oozie_api = get_oozie(request.user) if job_id.endswith('W'): get_job = oozie_api.get_job elif job_id.endswith('C'): get_job = oozie_api.get_coordinator else: get_job = oozie_api.get_bundle try: if job_id.endswith('C'): oozie_job = get_job(job_id, **kwargs) else: oozie_job = get_job(job_id) except RestException as ex: msg = _("Error accessing Oozie job %s.") % (job_id,) LOG.exception(msg) raise PopupException(msg, detail=ex._headers.get('oozie-error-message')) if is_admin(request.user) \ or oozie_job.user == request.user.username \ or has_dashboard_jobs_access(request.user): return oozie_job else: message = _("Permission denied. %(username)s does not have the permissions to access job %(id)s.") % \ {'username': request.user.username, 'id': oozie_job.id} access_warn(request, message) raise PopupException(message)
def dt_login(request): """Used by the non-jframe login""" redirect_to = request.REQUEST.get('next', '/') login_errors = False is_first_login_ever = first_login_ever() if request.method == 'POST': form = django.contrib.auth.forms.AuthenticationForm(data=request.POST) if form.is_valid(): login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever: try: ensure_home_directory(request.fs, request.POST.get('username')) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) access_warn(request, '"%s" login ok' % (request.user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),)) login_errors = True
def serve_404_error(request, *args, **kwargs): """Registered handler for 404. We just return a simple error""" access_warn(request, "404 not found") return render_to_response("404.html", dict(uri=request.build_absolute_uri()))
get_job = get_oozie().get_bundle try: oozie_job = get_job(job_id) except RestException, ex: raise PopupException(_("Error accessing Oozie job %s.") % (job_id,), detail=ex._headers['oozie-error-message']) if request.user.is_superuser \ or oozie_job.user == request.user.username \ or has_dashboard_jobs_access(request.user): return oozie_job else: message = _("Permission denied. %(username)s don't have the permissions to access job %(id)s.") % \ {'username': request.user.username, 'id': oozie_job.id} access_warn(request, message) raise PopupException(message) def check_job_edition_permission(oozie_job, user): if has_job_edition_permission(oozie_job, user): return oozie_job else: message = _("Permission denied. %(username)s don't have the permissions to modify job %(id)s.") % \ {'username': user.username, 'id': oozie_job.id} raise PopupException(message) def has_job_edition_permission(oozie_job, user): return user.is_superuser or oozie_job.user == user.username
def dt_login(request, from_modal=False): redirect_to = request.GET.get('next', '/') is_first_login_ever = first_login_ever() backend_names = auth_forms.get_backend_names() is_active_directory = auth_forms.is_active_directory() is_ldap_option_selected = 'server' not in request.POST or request.POST.get('server') == 'LDAP' \ or request.POST.get('server') in auth_forms.get_ldap_server_keys() if is_active_directory and is_ldap_option_selected: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm if 'ImpersonationBackend' in backend_names: AuthenticationForm = ImpersonationAuthenticationForm else: AuthenticationForm = auth_forms.AuthenticationForm if request.method == 'POST': request.audit = { 'operation': 'USER_LOGIN', 'username': request.POST.get('username') } # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm( data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() try: ensure_home_directory(request.fs, user) except (IOError, WebHdfsException), e: LOG.error( 'Could not create home directory at login for %s.' % user, exc_info=e) if require_change_password(userprofile): return HttpResponseRedirect( urlresolvers.reverse( 'useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.last_activity = datetime.now() userprofile.save() msg = 'Successful login for user: %s' % user.username request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.GET.get('fromModal', 'false') == 'true': return JsonResponse({'auth': True}) else: return HttpResponseRedirect(redirect_to) else: request.audit['allowed'] = False msg = 'Failed login for user: %s' % request.POST.get( 'username') request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.GET.get('fromModal', 'false') == 'true': return JsonResponse({'auth': False})
def edit_design(request, id=None, type=None, force_get=False, clone_design=None): """ Edits a job submission. This method has high-ish cyclomatic complexity, in large part, because, when handling web forms, validation errors on submit receive very similar treatment to a request for the form itself. This method does double-duty for "new" as well. """ assert id or type message = request.GET.get("message") if type: new = True jd = JobDesign() form_type = interface.registry.get(type) edit_url = urlresolvers.reverse("jobsub.new", kwargs=dict(type=type)) if form_type is None: raise MessageException("Type %s does not exist." % repr(type)) else: new = False jd = JobDesign.objects.get(pk=id) edit_url = jd.edit_url() form_type = interface.registry.get(jd.type) if form_type is None: raise MessageException("Could not find form type for %s." % str(jd)) if jd.owner != request.user: access_warn(request, 'Insufficient permission') raise MessageException( "Permission Denied. You are not the owner of this JobDesign. " "You may copy the design instead.") if not force_get and request.method == 'POST': metadata_form = MetadataForm(request.POST) form = form_type() if metadata_form.is_valid() and form.is_valid_edit(request.POST): message = _save_design(request, jd, metadata_form, form) if request.POST.get("save_submit") == "on": return submit_design(request, jd.id, force_get=True) else: return list_designs(request, saved=jd.id) else: if new: metadata_form = MetadataForm() if clone_design: form = form_type(string_repr=clone_design.data) metadata_form.initial[ "name"] = "Copy of %s" % clone_design.name metadata_form.initial["description"] = clone_design.description else: form = form_type() else: form = form_type(string_repr=jd.data) metadata_form = MetadataForm( dict(name=jd.name, description=jd.description)) # Present edit form for failed POST requests and edits. newlinks = [(type, urlresolvers.reverse("jobsub.new", kwargs=dict(type=type))) for type in interface.registry] request.path = edit_url return render( "edit.html", request, { 'newlinks': newlinks, 'metadata_form': metadata_form, 'form': form, 'edit_url': edit_url, 'message': message })
oozie_job = get_job(job_id, **kwargs) else: oozie_job = get_job(job_id) except RestException, ex: msg = _("Error accessing Oozie job %s.") % (job_id,) LOG.exception(msg) raise PopupException(msg, detail=ex._headers.get('oozie-error-message')) if is_admin(request.user) \ or oozie_job.user == request.user.username \ or has_dashboard_jobs_access(request.user): return oozie_job else: message = _("Permission denied. %(username)s does not have the permissions to access job %(id)s.") % \ {'username': request.user.username, 'id': oozie_job.id} access_warn(request, message) raise PopupException(message) def check_job_edition_permission(oozie_job, user): if has_job_edition_permission(oozie_job, user): return oozie_job else: message = _("Permission denied. %(username)s does not have the permissions to modify job %(id)s.") % \ {'username': user.username, 'id': oozie_job.id} raise PopupException(message) def has_job_edition_permission(oozie_job, user): return is_admin(user) or oozie_job.user == user.username or (oozie_job.group and user.groups.filter(name__in=oozie_job.group.split(",")).exists()) or (oozie_job.acl and user.username in oozie_job.acl.split(','))
def process_request(self, request): """ The process_request() method needs to communicate some state to the process_response() method. The two options for this are to return an HttpResponse object or to modify the META headers in the request object. In order to ensure that all of the middleware is properly invoked, this code currently uses the later approach. The following headers are currently used: GSS-String: This means that GSS authentication was successful and that we need to pass this value for the WWW-Authenticate header in the response. Return-401: This means that the SPNEGO backend is in use, but we didn't get an AUTHORIZATION header from the client. The way that the protocol works (http://tools.ietf.org/html/rfc4559) is by having the first response to an un-authenticated request be a 401 with the WWW-Authenticate header set to Negotiate. This will cause the browser to re-try the request with the AUTHORIZATION header set. """ view_func = resolve(request.path)[0] if view_func in DJANGO_VIEW_AUTH_WHITELIST: return # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, 'user'): raise exceptions.ImproperlyConfigured( "The Django remote user auth middleware requires the" " authentication middleware to be installed. Edit your" " MIDDLEWARE_CLASSES setting to insert" " 'django.contrib.auth.middleware.AuthenticationMiddleware'" " before the SpnegoUserMiddleware class.") if 'HTTP_AUTHORIZATION' in request.META: type, authstr = request.META['HTTP_AUTHORIZATION'].split(' ', 1) if type == 'Negotiate': try: result, context = kerberos.authGSSServerInit('HTTP') if result != 1: return gssstring = '' r = kerberos.authGSSServerStep(context, authstr) if r == 1: gssstring = kerberos.authGSSServerResponse(context) request.META['GSS-String'] = 'Negotiate %s' % gssstring else: kerberos.authGSSServerClean(context) return username = kerberos.authGSSServerUserName(context) kerberos.authGSSServerClean(context) # In Trusted knox proxy, Hue must expect following: # Trusted knox user: KNOX_PRINCIPAL # Trusted knox proxy host: KNOX_PROXYHOSTS if 'desktop.auth.backend.KnoxSpnegoDjangoBackend' in AUTH.BACKEND.get( ): knox_verification = False principals = self.clean_principal( KNOX.KNOX_PRINCIPAL.get()) principal = self.clean_principal(username) if principal.intersection(principals): # This may contain chain of reverse proxies, e.g. knox proxy, hue load balancer # Compare hostname on both HTTP_X_FORWARDED_HOST & KNOX_PROXYHOSTS. # Both of these can be configured to use either hostname or IPs and we have to normalize to one or the other req_hosts = self.clean_host( request.META['HTTP_X_FORWARDED_HOST']) knox_proxy = self.clean_host( KNOX.KNOX_PROXYHOSTS.get()) if req_hosts.intersection(knox_proxy): knox_verification = True else: access_warn( request, 'Failed to verify provided host %s with %s ' % (req_hosts, knox_proxy)) else: access_warn( request, 'Failed to verify provided username %s with %s ' % (principal, principals)) # If knox authentication failed then generate 401 (Unauthorized error) if not knox_verification: request.META['Return-401'] = '' return if request.user.is_authenticated: if request.user.username == self.clean_username( username, request): return user = authenticate(username=username, request=request) if user: request.user = user login(request, user) msg = 'Successful login for user: %s' % request.user.username else: msg = 'Failed login for user: %s' % request.user.username request.audit = { 'operation': 'USER_LOGIN', 'username': request.user.username, 'operationText': msg } access_warn(request, msg) return except: LOG.exception( 'Unexpected error when authenticating against KDC') return else: request.META['Return-401'] = '' return else: if not request.user.is_authenticated: request.META['Return-401'] = '' return
def dt_login(request, from_modal=False): redirect_to = request.REQUEST.get("next", "/") is_first_login_ever = first_login_ever() backend_names = get_backend_names() is_active_directory = "LdapBackend" in backend_names and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) ) if is_active_directory: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm AuthenticationForm = auth_forms.AuthenticationForm if request.method == "POST": request.audit = {"operation": "USER_LOGIN", "username": request.POST.get("username")} # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() if is_first_login_ever or "AllowAllBackend" in backend_names or "LdapBackend" in backend_names: # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_("Could not create home directory."), exc_info=e) request.error(_("Could not create home directory.")) if require_change_password(userprofile): return HttpResponseRedirect( urlresolvers.reverse("useradmin.views.edit_user", kwargs={"username": user.username}) ) userprofile.first_login = False userprofile.last_activity = datetime.now() userprofile.save() msg = "Successful login for user: %s" % user.username request.audit["operationText"] = msg access_warn(request, msg) if from_modal or request.REQUEST.get("fromModal", "false") == "true": return JsonResponse({"auth": True}) else: return HttpResponseRedirect(redirect_to) else: request.audit["allowed"] = False msg = "Failed login for user: %s" % request.POST.get("username") request.audit["operationText"] = msg access_warn(request, msg) if from_modal or request.REQUEST.get("fromModal", "false") == "true": return JsonResponse({"auth": False})
def dt_login(request, from_modal=False): if request.method == 'GET': redirect_to = request.GET.get('next', '/') else: redirect_to = request.POST.get('next', '/') is_first_login_ever = first_login_ever() backend_names = auth_forms.get_backend_names() is_active_directory = auth_forms.is_active_directory() is_ldap_option_selected = 'server' not in request.POST or request.POST.get('server') == 'LDAP' \ or request.POST.get('server') in auth_forms.get_ldap_server_keys() if is_active_directory and is_ldap_option_selected: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm if 'ImpersonationBackend' in backend_names: AuthenticationForm = ImpersonationAuthenticationForm else: AuthenticationForm = auth_forms.AuthenticationForm if request.method == 'POST': request.audit = { 'operation': 'USER_LOGIN', 'username': request.POST.get('username') } # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() try: ensure_home_directory(request.fs, user) except (IOError, WebHdfsException), e: LOG.error('Could not create home directory at login for %s.' % user, exc_info=e) if require_change_password(userprofile): return HttpResponseRedirect(urlresolvers.reverse('useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.last_activity = datetime.now() # This is to fix a bug in Hue 4.3 if userprofile.creation_method == UserProfile.CreationMethod.EXTERNAL: userprofile.creation_method = UserProfile.CreationMethod.EXTERNAL.name userprofile.save() msg = 'Successful login for user: %s' % user.username request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.GET.get('fromModal', 'false') == 'true': return JsonResponse({'auth': True}) else: return HttpResponseRedirect(redirect_to) else: request.audit['allowed'] = False msg = 'Failed login for user: %s' % request.POST.get('username') request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.GET.get('fromModal', 'false') == 'true': return JsonResponse({'auth': False})
def dt_login(request, from_modal=False): if request.method == 'GET': redirect_to = request.GET.get('next', '/') else: redirect_to = request.POST.get('next', '/') is_first_login_ever = first_login_ever() backend_names = auth_forms.get_backend_names() is_active_directory = auth_forms.is_active_directory() is_ldap_option_selected = 'server' not in request.POST or request.POST.get('server') == 'LDAP' or \ request.POST.get('server') in auth_forms.get_ldap_server_keys() if is_active_directory and is_ldap_option_selected: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm if 'ImpersonationBackend' in backend_names: AuthenticationForm = ImpersonationAuthenticationForm else: AuthenticationForm = auth_forms.AuthenticationForm if ENABLE_ORGANIZATIONS.get(): UserCreationForm = OrganizationUserCreationForm AuthenticationForm = OrganizationAuthenticationForm if request.method == 'POST': request.audit = { 'operation': 'USER_LOGIN', 'username': request.POST.get('username', request.POST.get('email')) } # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. It provides 'backend' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) # If Test cookie exists , it should be deleted if request.session.test_cookie_worked(): request.session.delete_test_cookie() if request.fs is None: request.fs = fsmanager.get_filesystem(request.fs_ref) try: ensure_home_directory(request.fs, user) except (IOError, WebHdfsException) as e: LOG.error('Could not create home directory at login for %s.' % user, exc_info=e) if require_change_password(userprofile): return HttpResponseRedirect('/hue' + reverse('useradmin:useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.last_activity = datetime.now() if userprofile.creation_method == UserProfile.CreationMethod.EXTERNAL: # This is to fix a bug in Hue 4.3 userprofile.creation_method = UserProfile.CreationMethod.EXTERNAL.name userprofile.update_data({'auth_backend': user.backend}) userprofile.save() msg = 'Successful login for user: %s' % user.username request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.GET.get('fromModal', 'false') == 'true': return JsonResponse({'auth': True}) else: return HttpResponseRedirect(redirect_to) else: request.audit['allowed'] = False msg = 'Failed login for user: %s' % request.POST.get('username', request.POST.get('email')) request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.GET.get('fromModal', 'false') == 'true': return JsonResponse({'auth': False}) else: first_user_form = None auth_form = AuthenticationForm() # SAML/OIDC user is already authenticated in djangosaml2.views.login if hasattr(request, 'fs') and ( 'KnoxSpnegoDjangoBackend' in backend_names or 'SpnegoDjangoBackend' in backend_names or 'OIDCBackend' in backend_names or 'SAML2Backend' in backend_names ) and request.user.is_authenticated: if request.fs is None: request.fs = fsmanager.get_filesystem(request.fs_ref) try: ensure_home_directory(request.fs, request.user) except (IOError, WebHdfsException) as e: LOG.error('Could not create home directory for %s user %s.' % ('OIDC' if 'OIDCBackend' in backend_names else 'SAML', request.user)) if request.user.is_authenticated and not from_modal: return HttpResponseRedirect(redirect_to) if is_active_directory and not is_ldap_option_selected and \ request.method == 'POST' and request.user.username != request.POST.get('username'): # local user login failed, give the right auth_form with 'server' field auth_form = auth_forms.LdapAuthenticationForm() if not from_modal and SESSION.ENABLE_TEST_COOKIE.get() : request.session.set_test_cookie() if 'SAML2Backend' in backend_names: request.session['samlgroup_permitted_flag'] = samlgroup_check(request) renderable_path = 'login.mako' if from_modal: renderable_path = 'login_modal.mako' response = render(renderable_path, request, { 'action': reverse('desktop_auth_views_dt_login'), 'form': first_user_form or auth_form, 'next': redirect_to, 'first_login_ever': is_first_login_ever, 'login_errors': request.method == 'POST', 'backend_names': backend_names, 'active_directory': is_active_directory, 'user': request.user }) if not request.user.is_authenticated: response.delete_cookie(LOAD_BALANCER_COOKIE) # Note: might be re-balanced to another Hue on login. return response
def edit_design(request, id=None, type=None, force_get=False, clone_design=None): """ Edits a job submission. This method has high-ish cyclomatic complexity, in large part, because, when handling web forms, validation errors on submit receive very similar treatment to a request for the form itself. This method does double-duty for "new" as well. """ assert id or type message=request.GET.get("message") if type: new = True jd = JobDesign() form_type = interface.registry.get(type) edit_url = urlresolvers.reverse("jobsub.new", kwargs=dict(type=type)) if form_type is None: raise MessageException("Type %s does not exist." % repr(type)) else: new = False jd = JobDesign.objects.get(pk=id) edit_url = jd.edit_url() form_type = interface.registry.get(jd.type) if form_type is None: raise MessageException("Could not find form type for %s." % str(jd)) if jd.owner != request.user: access_warn(request, 'Insufficient permission') raise MessageException("Permission Denied. You are not the owner of this JobDesign. " "You may copy the design instead.") if not force_get and request.method == 'POST': metadata_form = MetadataForm(request.POST) form = form_type() if metadata_form.is_valid() and form.is_valid_edit(request.POST): message = _save_design(request, jd, metadata_form, form) if request.POST.get("save_submit") == "on": return submit_design(request, jd.id, force_get=True) else: return list_designs(request, saved=jd.id) else: if new: metadata_form = MetadataForm() if clone_design: form = form_type(string_repr=clone_design.data) metadata_form.initial["name"] = "Copy of %s" % clone_design.name metadata_form.initial["description"] = clone_design.description else: form = form_type() else: form = form_type(string_repr=jd.data) metadata_form = MetadataForm(dict(name=jd.name, description=jd.description)) # Present edit form for failed POST requests and edits. newlinks = [ (type, urlresolvers.reverse("jobsub.new", kwargs=dict(type=type))) for type in interface.registry ] request.path = edit_url return render("edit.html", request, { 'newlinks': newlinks, 'metadata_form': metadata_form, 'form': form, 'edit_url': edit_url, 'message': message })
def dt_login(request, from_modal=False): redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() backend_names = get_backend_names() is_active_directory = 'LdapBackend' in backend_names and (bool( LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get())) if is_active_directory: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm AuthenticationForm = auth_forms.AuthenticationForm if request.method == 'POST': request.audit = { 'operation': 'USER_LOGIN', 'username': request.POST.get('username') } # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm( data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() auto_create_home_backends = [ 'AllowAllBackend', 'LdapBackend', 'SpnegoDjangoBackend' ] if is_first_login_ever or any( backend in backend_names for backend in auto_create_home_backends): # Create home directory for first user. try: ensure_home_directory(request.fs, user.username) except (IOError, WebHdfsException), e: LOG.error(_('Could not create home directory.'), exc_info=e) request.error(_('Could not create home directory.')) if require_change_password(userprofile): return HttpResponseRedirect( urlresolvers.reverse( 'useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.last_activity = datetime.now() userprofile.save() msg = 'Successful login for user: %s' % user.username request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.REQUEST.get('fromModal', 'false') == 'true': return JsonResponse({'auth': True}) else: return HttpResponseRedirect(redirect_to) else: request.audit['allowed'] = False msg = 'Failed login for user: %s' % request.POST.get( 'username') request.audit['operationText'] = msg access_warn(request, msg) if from_modal or request.REQUEST.get('fromModal', 'false') == 'true': return JsonResponse({'auth': False})
def dt_login(request): redirect_to = request.REQUEST.get('next', '/') is_first_login_ever = first_login_ever() backend_name = get_backend_name() is_active_directory = backend_name == 'LdapBackend' and ( bool(LDAP.NT_DOMAIN.get()) or bool(LDAP.LDAP_SERVERS.get()) ) if is_active_directory: UserCreationForm = auth_forms.LdapUserCreationForm AuthenticationForm = auth_forms.LdapAuthenticationForm else: UserCreationForm = auth_forms.UserCreationForm AuthenticationForm = auth_forms.AuthenticationForm if request.method == 'POST': # For first login, need to validate user info! first_user_form = is_first_login_ever and UserCreationForm(data=request.POST) or None first_user = first_user_form and first_user_form.is_valid() if first_user or not is_first_login_ever: auth_form = AuthenticationForm(data=request.POST) if auth_form.is_valid(): # Must login by using the AuthenticationForm. # It provides 'backends' on the User object. user = auth_form.get_user() userprofile = get_profile(user) login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() # For Bluemix - don't try to create HDFS home directory because we're ignoring the identity of the Hue user #if is_first_login_ever or backend_name in ('AllowAllBackend', 'LdapBackend'): # # Create home directory for first user. # try: # ensure_home_directory(request.fs, user.username) # except (IOError, WebHdfsException), e: # LOG.error(_('Could not create home directory.'), exc_info=e) # request.error(_('Could not create home directory.')) if require_change_password(userprofile): return HttpResponseRedirect(urlresolvers.reverse('useradmin.views.edit_user', kwargs={'username': user.username})) userprofile.first_login = False userprofile.save() access_warn(request, '"%s" login ok' % (user.username,)) return HttpResponseRedirect(redirect_to) else: access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),)) else: first_user_form = None auth_form = AuthenticationForm() if DEMO_ENABLED.get() and not 'admin' in request.REQUEST: user = authenticate(username='', password='') login(request, user) ensure_home_directory(request.fs, user.username) return HttpResponseRedirect(redirect_to) request.session.set_test_cookie() return render('login.mako', request, { 'action': urlresolvers.reverse('desktop.auth.views.dt_login'), 'form': first_user_form or auth_form, 'next': redirect_to, 'first_login_ever': is_first_login_ever, 'login_errors': request.method == 'POST', 'backend_name': backend_name, 'active_directory': is_active_directory })