Exemplo n.º 1
def is_enabled():
  """Tell whether at least one S3 credential source is configured.

  The sources are tried in this order, stopping at the first truthy one:
  a 'default' AWS account carrying an access key id, IAM metadata,
  IDBroker for 's3a', RAZ, and self-signing.

  NOTE(review): the result is the first truthy operand, not a strict bool.
  When the static 'default' account matches, that operand is whatever
  ACCESS_KEY_ID.get() returns, so callers should only test truthiness and
  avoid logging or serializing the return value.
  """
  from desktop.conf import RAZ  # Imported at call time so the current value is read

  default_account_key = (
    'default' in AWS_ACCOUNTS.keys()
    and AWS_ACCOUNTS['default'].get_raw()
    and AWS_ACCOUNTS['default'].ACCESS_KEY_ID.get()
  )
  return (
    default_account_key
    or has_iam_metadata()
    or conf_idbroker.is_idbroker_enabled('s3a')
    or RAZ.IS_ENABLED.get()
    or IS_SELF_SIGNING_ENABLED.get()
  )
Exemplo n.º 2
def get_credential_provider(identifier, user, version=None):
    """Pick the Azure credential provider for an account and user.

    With IDBroker enabled for 'azure' the provider is built from the core
    site for `user`; otherwise an Active Directory provider is built from the
    account configuration registered under `identifier`.

    NOTE(review): an unknown `identifier` yields a config of None, which is
    handed to ActiveDirectory.from_config unchanged. How that call treats
    None is not visible here; confirm it fails closed.
    """
    if identifier in conf.AZURE_ACCOUNTS:
        client_conf = conf.AZURE_ACCOUNTS[identifier]
    else:
        client_conf = None

    if conf_idbroker.is_idbroker_enabled('azure'):
        return CredentialProviderIDBroker(IDBroker.from_core_site('azure', user))

    directory = ActiveDirectory.from_config(client_conf, version=version)
    return CredentialProviderAD(directory)
Exemplo n.º 3
Arquivo: client.py Projeto: ymping/hue
def get_credential_provider(identifier, user, version=None):
    """Pick the Azure credential provider for an account and user.

    Precedence is RAZ, then IDBroker for 'azure', then Active Directory built
    from the account configuration registered under `identifier`.

    NOTE(review): on the Active Directory path an unknown `identifier` yields
    a config of None, passed to ActiveDirectory.from_config unchanged. How
    that call treats None is not visible here; confirm it fails closed.
    """
    from desktop.conf import RAZ

    # RAZ takes priority over every other credential source.
    if RAZ.IS_ENABLED.get():
        return RazCredentialProvider(username=user)

    if identifier in conf.AZURE_ACCOUNTS:
        client_conf = conf.AZURE_ACCOUNTS[identifier]
    else:
        client_conf = None

    if conf_idbroker.is_idbroker_enabled('azure'):
        return CredentialProviderIDBroker(IDBroker.from_core_site('azure', user))

    directory = ActiveDirectory.from_config(client_conf, version=version)
    return CredentialProviderAD(directory)
Exemplo n.º 4
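def _init_clients():
  """Populate the module-level CLIENT_CACHE once with the default S3 clients.

  Does nothing when the cache already exists. When IDBroker is enabled for
  's3a' the cache is created empty and no client is built here. Otherwise
  one client is built per configured AWS account, plus a 'default' client
  when none was configured and IAM metadata is available.
  """
  global CLIENT_CACHE
  if CLIENT_CACHE is not None:
    return
  CLIENT_CACHE = {}  # Can't convert this to django cache, because S3FileSystem is not picklable
  if conf_idbroker.is_idbroker_enabled('s3a'):
    return  # No default initializations when IDBroker is enabled
  for identifier in list(aws_conf.AWS_ACCOUNTS.keys()):
    CLIENT_CACHE[_get_cache_key(identifier)] = _make_client(identifier)
  # If default configuration not initialized, initialize client connection with IAM metadata.
  # `not in` replaces dict.has_key(), which was removed in Python 3.
  if _get_cache_key() not in CLIENT_CACHE and aws_conf.has_iam_metadata():
    CLIENT_CACHE[_get_cache_key()] = _make_client('default')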
Exemplo n.º 5
def get_client(identifier='default', user=_DEFAULT_USER):
  """Return a cached S3 client, building a new one when missing or expired.

  With IDBroker enabled for 's3a' the cache key includes `user`, so each
  user gets a separate entry. Without IDBroker the key covers only
  `identifier`, so every user shares the cached client.

  NOTE(review): in the shared case the client is still built with the first
  caller's `user`; presumably credentials do not depend on the user in that
  mode. Confirm against _make_client.
  """
  global CLIENT_CACHE
  _init_clients()

  # We don't want to cache by username when IDBroker is not enabled.
  if conf_idbroker.is_idbroker_enabled('s3a'):
    cache_key = _get_cache_key(identifier, user)
  else:
    cache_key = _get_cache_key(identifier)

  cached = CLIENT_CACHE.get(cache_key)
  # Expiration from IDBroker is a Java timestamp in milliseconds; None means the client never expires.
  if cached and (cached.expiration is None or cached.expiration > int(current_ms_from_utc())):
    return cached

  fresh = _make_client(identifier, user)
  CLIENT_CACHE[cache_key] = fresh
  return fresh
Exemplo n.º 6
def _get_client_cached(fs, name, user):
  """Return a cached client for a filesystem, building one when missing or expired.

  With IDBroker enabled for `fs` the cache key includes `user`, so each user
  gets a separate entry. Without IDBroker the key covers only `fs` and
  `name`, so every user shares the cached client.

  NOTE(review): in the shared case the client is still built with the first
  caller's `user`; presumably credentials do not depend on the user in that
  mode. Confirm against _make_client.
  """
  global CLIENT_CACHE
  if CLIENT_CACHE is None:
    CLIENT_CACHE = {}

  # We don't want to cache by username when IDBroker is not enabled.
  if conf_idbroker.is_idbroker_enabled(fs):
    cache_key = _get_cache_key(fs, name, user)
  else:
    cache_key = _get_cache_key(fs, name)

  cached = CLIENT_CACHE.get(cache_key)
  # Expiration from IDBroker is a Java timestamp in milliseconds; None means the client never expires.
  if cached and (cached.expiration is None or cached.expiration > int(current_ms_from_utc())):
    return cached

  fresh = _make_client(fs, name, user)
  CLIENT_CACHE[cache_key] = fresh
  return fresh
Exemplo n.º 7
def get_credential_provider(identifier, user):
    """Pick the S3 credential provider for an account and user.

    With IDBroker enabled for 's3a' the provider is built from the core site
    for `user`; otherwise it wraps the AWS account configuration registered
    under `identifier`.

    NOTE(review): an unknown `identifier` yields a config of None, passed to
    CredentialProviderConf unchanged. How it treats None is not visible
    here; confirm it fails closed.
    """
    if identifier in aws_conf.AWS_ACCOUNTS:
        client_conf = aws_conf.AWS_ACCOUNTS[identifier]
    else:
        client_conf = None

    if conf_idbroker.is_idbroker_enabled('s3a'):
        return CredentialProviderIDBroker(IDBroker.from_core_site('s3a', user))
    return CredentialProviderConf(client_conf)
Exemplo n.º 8
def is_abfs_enabled():
    """Tell whether ABFS is usable: a credential source plus a 'default' ABFS cluster.

    Accepted credential sources are a 'default' Azure account carrying a
    client id, IDBroker for 'azure' together with Azure metadata, or RAZ.
    Every path also requires 'default' to be present in ABFS_CLUSTERS.

    NOTE(review): the result is the last operand evaluated, not necessarily
    a strict bool; callers should only test truthiness.
    """
    from desktop.conf import RAZ  # Imported at call time so the current value is read

    has_credentials = (
        'default' in AZURE_ACCOUNTS.keys()
        and AZURE_ACCOUNTS['default'].get_raw()
        and AZURE_ACCOUNTS['default'].CLIENT_ID.get()
    ) or (conf_idbroker.is_idbroker_enabled('azure') and has_azure_metadata())

    enabled_by_credentials = has_credentials and 'default' in ABFS_CLUSTERS.keys()
    return enabled_by_credentials or (
        RAZ.IS_ENABLED.get() and 'default' in ABFS_CLUSTERS.keys()
    )
Exemplo n.º 9
def is_adls_enabled():
    """Tell whether ADLS is usable: a credential source plus a 'default' ADLS cluster.

    Accepted credential sources are a 'default' Azure account carrying a
    client id, or IDBroker for 'azure' together with Azure metadata.

    NOTE(review): the result is the last operand evaluated, not necessarily
    a strict bool; callers should only test truthiness.
    """
    has_credentials = (
        'default' in AZURE_ACCOUNTS.keys()
        and AZURE_ACCOUNTS['default'].get_raw()
        and AZURE_ACCOUNTS['default'].CLIENT_ID.get()
    ) or (conf_idbroker.is_idbroker_enabled('azure') and has_azure_metadata())

    return has_credentials and 'default' in ADLS_CLUSTERS.keys()
Exemplo n.º 10
def is_enabled():
  """Tell whether at least one S3 credential source is configured.

  The sources are tried in this order, stopping at the first truthy one:
  a 'default' AWS account carrying an access key id, IAM metadata, and
  IDBroker for 's3a'.

  NOTE(review): the result is the first truthy operand, not a strict bool.
  When the static 'default' account matches, that operand is whatever
  ACCESS_KEY_ID.get() returns, so callers should only test truthiness and
  avoid logging or serializing the return value.
  """
  default_account_key = (
    'default' in AWS_ACCOUNTS.keys()
    and AWS_ACCOUNTS['default'].get_raw()
    and AWS_ACCOUNTS['default'].ACCESS_KEY_ID.get()
  )
  return (
    default_account_key
    or has_iam_metadata()
    or conf_idbroker.is_idbroker_enabled('s3a')
  )
Exemplo n.º 11
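def update_app_permissions(**kwargs):
    """
    Keep app and connector permissions in sync with the database table.
    Map app + action to a HuePermission.

    v2
    Based on the connectors.
    Permissions are either based on connector instances or Hue specific actions.
    Permissions can be deleted or added dynamically.

    v1
    This is a 'migrate' callback.

    We never delete permissions automatically, because apps might come and go.

    Note that signing up to the "migrate" signal is not necessarily the best thing we can do, since some apps might not
    have models, but nonetheless, "migrate" is typically run when apps are installed.

    Newly created permissions are also granted to the default user group,
    except for the (app, action) pairs listed in the body, which are never
    granted automatically.
    """
    created_tables = connection.introspection.table_names()

    if ENABLE_ORGANIZATIONS.get() and 'useradmin_organization' not in created_tables:
        return

    # Check if Useradmin has been installed.
    if u'useradmin_huepermission' not in created_tables:
        return

    # Map app -> action -> HuePermission.
    current = {}
    try:
        for dp in HuePermission.objects.all():
            current.setdefault(dp.app, {})[dp.action] = dp
    except Exception:
        # Best effort: a failing lookup is logged and the sync is skipped.
        # Catching Exception (not a bare except) lets KeyboardInterrupt and
        # SystemExit propagate instead of being swallowed here.
        LOG.exception('failed to get permissions')
        return

    updated = 0
    uptodate = 0
    added = []

    connectors_enabled = ENABLE_CONNECTORS.get()

    if connectors_enabled:
        # v2: every app that has permissions today is a deletion candidate
        # until it is matched with an installed connector below.
        old_apps = list(current.keys())
        ConnectorPerm = collections.namedtuple('ConnectorPerm', 'name nice_name settings')
        apps = [
            ConnectorPerm(name=connector['name'], nice_name=connector['nice_name'], settings=[])
            for connector in _get_installed_connectors()
        ]
    else:
        old_apps = []
        apps = appmanager.DESKTOP_APPS

    for app in apps:
        app_name = app.name
        if connectors_enabled:
            permission_description = "Access the %s connection" % app.nice_name
        else:
            permission_description = "Launch this application"
        actions = {("access", permission_description)}
        actions.update(getattr(app.settings, "PERMISSION_ACTIONS", []))

        if app_name not in current:
            current[app_name] = {}
        if app_name in old_apps:
            old_apps.remove(app_name)

        for action, description in actions:
            existing = current[app_name].get(action)
            if existing:
                if existing.description != description:
                    existing.description = description
                    existing.save()
                    updated += 1
                else:
                    uptodate += 1
            else:
                new_dp = HuePermission(app=app_name, action=action, description=description)
                if connectors_enabled:
                    new_dp.connector = Connector.objects.get(id=app_name)
                new_dp.save()
                added.append(new_dp)

    # Only with v2: old_apps is empty in v1, so nothing is deleted there.
    deleted, _ = HuePermission.objects.filter(app__in=old_apps).delete()

    # (app, action) pairs that are never granted to the default group automatically.
    never_default = {
        ('useradmin', 'access'),
        ('useradmin', 'superuser'),
        ('metastore', 'write'),
        ('hbase', 'write'),
        ('security', 'impersonate'),
        ('filebrowser', 'adls_access'),
        ('filebrowser', 'abfs_access'),
        ('oozie', 'disable_editor_access'),
    }
    # Pairs granted by default only when IDBroker is enabled for the mapped filesystem.
    idbroker_gated = {
        ('filebrowser', 's3_access'): 's3a',
        ('filebrowser', 'gs_access'): 'gs',
    }

    # Add all permissions to default group except some.
    default_group = get_default_user_group()
    if default_group:
        for new_dp in added:
            pair = (new_dp.app, new_dp.action)
            if pair in never_default:
                continue
            gated_fs = idbroker_gated.get(pair)
            if gated_fs is not None and not is_idbroker_enabled(gated_fs):
                continue
            GroupPermission.objects.create(group=default_group, hue_permission=new_dp)

    available = HuePermission.objects.count()
    stale = available - len(added) - updated - uptodate

    if len(added) or updated or stale or deleted:
        LOG.info(
            "HuePermissions: %d added, %d updated, %d up to date, %d stale, %d deleted"
            % (len(added), updated, uptodate, stale, deleted))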
Exemplo n.º 12
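def update_app_permissions(**kwargs):
    """
    Inserts missing permissions into the database table.
    This is a 'syncdb' callback.

    We never delete permissions automatically, because apps might come and go.

    Note that signing up to the "syncdb" signal is not necessarily
    the best thing we can do, since some apps might not
    have models, but nonetheless, "syncdb" is typically
    run when apps are installed.

    Newly created permissions are also granted to the default user group,
    except for the (app, action) pairs listed in the body, which are never
    granted automatically.
    """
    # The HuePermission model needs to be sync'd for the following code to work.
    # Checking for the 'useradmin_huepermission' table tells whether Useradmin
    # has been installed.
    # It is okay to follow appmanager.DESKTOP_APPS before they've been sync'd
    # because apps are referenced by app name in Hue permission and not by model ID.
    created_tables = connection.introspection.table_names()
    if u'useradmin_huepermission' not in created_tables:
        return

    # Map app -> action -> HuePermission.
    current = {}
    try:
        for dp in HuePermission.objects.all():
            current.setdefault(dp.app, {})[dp.action] = dp
    except Exception:
        # Best effort: a failing lookup is logged and the sync is skipped.
        # Catching Exception (not a bare except) lets KeyboardInterrupt and
        # SystemExit propagate instead of being swallowed here.
        LOG.exception('failed to get permissions')
        return

    updated = 0
    uptodate = 0
    added = []

    for app_obj in appmanager.DESKTOP_APPS:
        app = app_obj.name
        actions = {("access", "Launch this application")}
        actions.update(getattr(app_obj.settings, "PERMISSION_ACTIONS", []))

        if app not in current:
            current[app] = {}

        for action, description in actions:
            existing = current[app].get(action)
            if existing:
                if existing.description != description:
                    existing.description = description
                    existing.save()
                    updated += 1
                else:
                    uptodate += 1
            else:
                new_dp = HuePermission(app=app, action=action, description=description)
                new_dp.save()
                added.append(new_dp)

    # (app, action) pairs that are never granted to the default group automatically.
    never_default = {
        ('useradmin', 'access'),
        ('useradmin', 'superuser'),
        ('metastore', 'write'),
        ('hbase', 'write'),
        ('security', 'impersonate'),
        ('filebrowser', 'adls_access'),
        ('filebrowser', 'abfs_access'),
        ('oozie', 'disable_editor_access'),
    }
    # Pairs granted by default only when IDBroker is enabled for the mapped filesystem.
    idbroker_gated = {
        ('filebrowser', 's3_access'): 's3a',
        ('filebrowser', 'gs_access'): 'gs',
    }

    # Add all hue permissions to default group, except the pairs above.
    default_group = get_default_user_group()
    if default_group:
        for new_dp in added:
            pair = (new_dp.app, new_dp.action)
            if pair in never_default:
                continue
            gated_fs = idbroker_gated.get(pair)
            if gated_fs is not None and not is_idbroker_enabled(gated_fs):
                continue
            GroupPermission.objects.create(group=default_group, hue_permission=new_dp)

    available = HuePermission.objects.count()
    stale = available - len(added) - updated - uptodate

    if len(added) or updated or stale:
        LOG.info(
            "HuePermissions: %d added, %d updated, %d up to date, %d stale"
            % (len(added), updated, uptodate, stale))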
Exemplo n.º 13
def is_abfs_enabled():
  """Tell whether ABFS is usable: a credential source plus a 'default' ABFS cluster.

  Accepted credential sources are a 'default' Azure account carrying a
  client id, or IDBroker for 'azure'.

  NOTE(review): the result is the last operand evaluated, not necessarily a
  strict bool; callers should only test truthiness.
  """
  has_credentials = (
    'default' in AZURE_ACCOUNTS.keys()
    and AZURE_ACCOUNTS['default'].get_raw()
    and AZURE_ACCOUNTS['default'].CLIENT_ID.get()
  ) or conf_idbroker.is_idbroker_enabled('azure')

  return has_credentials and 'default' in ABFS_CLUSTERS.keys()
Exemplo n.º 14
Arquivo: client.py Projeto: ziq211/hue
def get_credential_provider(config=None, user=_DEFAULT_USER):
    """Pick the GS credential provider for a configuration and user.

    With IDBroker enabled for 'gs' the provider is built from the core site
    for `user` and `config` is ignored; otherwise the provider wraps
    `config`, which may be None when the caller passes nothing.
    """
    if conf_idbroker.is_idbroker_enabled('gs'):
        return CredentialProviderIDBroker(IDBroker.from_core_site('gs', user))
    return CredentialProviderConf(config)
Exemplo n.º 15
def get_credential_provider(config, user):
    """Pick the GS credential provider for a configuration and user.

    With IDBroker enabled for 'gs' the provider is built from the core site
    for `user` and `config` is ignored; otherwise the provider wraps `config`.
    """
    if conf_idbroker.is_idbroker_enabled('gs'):
        return CredentialProviderIDBroker(IDBroker.from_core_site('gs', user))
    return CredentialProviderConf(config)