public PutMetricDataResponseType putMetricData(PutMetricDataType request)
      throws CloudWatchException {
    PutMetricDataResponseType reply = request.getReply();
    final Context ctx = Contexts.lookup();

    try {
      LOG.trace("put metric data called");
      // IAM Action Check
      checkActionPermission(PolicySpec.CLOUDWATCH_PUTMETRICDATA, ctx);

      final OwnerFullName ownerFullName = ctx.getUserFullName();
      final List<MetricDatum> metricData = validateMetricData(request.getMetricData());
      final String namespace = validateNamespace(request.getNamespace(), true);
      final Boolean isUserAccountAdmin =
          Principals.isSameUser(
              Principals.systemUser(), Wrappers.unwrap(Context.class, Contexts.lookup()).getUser());
      LOG.trace("Namespace=" + namespace);
      LOG.trace("metricData=" + metricData);
      MetricType metricType = getMetricTypeFromNamespace(namespace);
      if (metricType == MetricType.System && !isUserAccountAdmin) {
        throw new InvalidParameterValueException(
            "The value AWS/ for parameter Namespace is invalid.");
      }
      MetricDataQueue.getInstance()
          .insertMetricData(ownerFullName.getAccountNumber(), namespace, metricData, metricType);
    } catch (Exception ex) {
      handleException(ex);
    }
    return reply;
  }
Exemple #2
0
 public BaseMessage setUser(User user) {
   if (user == null) {
     this.setUser(Principals.nobodyUser());
   } else {
     this.userId = user.getName();
     this.effectiveUserId =
         user.isSystemAdmin() ? Principals.systemUser().getName() : user.getName();
   }
   return this;
 }
Exemple #3
0
  /**
   * Just checks the basic S3 groups for membership of the userId. Caller must ensure that the
   * userId is a valid ID in the system. That is outside the scope of this method.
   *
   * @param userId
   * @param group
   * @return
   */
  public static boolean isUserMember(String userId, ObjectStorageProperties.S3_GROUP group) {
    if (group == null) {
      return false;
    }

    if (ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.equals(group)) {
      return true;
    }

    if (ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.equals(group)
        && !Strings.isNullOrEmpty(userId)
        && !userId.equals(Principals.nobodyUser().getUserId())) {
      return true;
    }

    boolean isSystemAdmin = false;
    try {
      isSystemAdmin =
          (Principals.systemUser().getUserId().equals(userId)
              || Accounts.lookupSystemAdmin().getUserId().equals(userId));
    } catch (AuthException e) {
      // Fall through
      LOG.debug(
          "Got auth exception trying to lookup system admin user for group membership check in ec2-bundle-read",
          e);
    }

    boolean isAWSExecReadUser = false;
    try {
      isAWSExecReadUser = Accounts.lookupAwsExecReadAdmin(false).getUserId().equals(userId);
    } catch (AuthException e) {
      // Fall through
      LOG.debug(
          "Got auth exception trying to lookup aws-exec-read admin user for group membership check in ec2-bundle-read",
          e);
    }

    if (ObjectStorageProperties.S3_GROUP.AWS_EXEC_READ.equals(group) && isAWSExecReadUser) {
      return true;
    }

    // System only (or euca/admin) in the ec2-bundle-read group
    if (ObjectStorageProperties.S3_GROUP.EC2_BUNDLE_READ.equals(group) && isSystemAdmin) {
      return true;
    }

    // System or euca/admin only in logging
    if (ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.equals(group) && isSystemAdmin) {
      return true;
    }

    return false;
  }
Exemple #4
0
 @SuppressWarnings("unchecked")
 public <TYPE extends BaseMessage> TYPE markPrivileged() {
   this.effectiveUserId = Principals.systemUser().getName();
   return (TYPE) this;
 }