public PutMetricDataResponseType putMetricData(PutMetricDataType request)
throws CloudWatchException {
PutMetricDataResponseType reply = request.getReply();
final Context ctx = Contexts.lookup();
try {
LOG.trace("put metric data called");
// IAM Action Check
checkActionPermission(PolicySpec.CLOUDWATCH_PUTMETRICDATA, ctx);
final OwnerFullName ownerFullName = ctx.getUserFullName();
final List<MetricDatum> metricData = validateMetricData(request.getMetricData());
final String namespace = validateNamespace(request.getNamespace(), true);
final Boolean isUserAccountAdmin =
Principals.isSameUser(
Principals.systemUser(), Wrappers.unwrap(Context.class, Contexts.lookup()).getUser());
LOG.trace("Namespace=" + namespace);
LOG.trace("metricData=" + metricData);
MetricType metricType = getMetricTypeFromNamespace(namespace);
if (metricType == MetricType.System && !isUserAccountAdmin) {
throw new InvalidParameterValueException(
"The value AWS/ for parameter Namespace is invalid.");
}
MetricDataQueue.getInstance()
.insertMetricData(ownerFullName.getAccountNumber(), namespace, metricData, metricType);
} catch (Exception ex) {
handleException(ex);
}
return reply;
}
public BaseMessage setUser(User user) {
if (user == null) {
this.setUser(Principals.nobodyUser());
} else {
this.userId = user.getName();
this.effectiveUserId =
user.isSystemAdmin() ? Principals.systemUser().getName() : user.getName();
}
return this;
}
/**
* Just checks the basic S3 groups for membership of the userId. Caller must ensure that the
* userId is a valid ID in the system. That is outside the scope of this method.
*
* @param userId
* @param group
* @return
*/
public static boolean isUserMember(String userId, ObjectStorageProperties.S3_GROUP group) {
if (group == null) {
return false;
}
if (ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.equals(group)) {
return true;
}
if (ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.equals(group)
&& !Strings.isNullOrEmpty(userId)
&& !userId.equals(Principals.nobodyUser().getUserId())) {
return true;
}
boolean isSystemAdmin = false;
try {
isSystemAdmin =
(Principals.systemUser().getUserId().equals(userId)
|| Accounts.lookupSystemAdmin().getUserId().equals(userId));
} catch (AuthException e) {
// Fall through
LOG.debug(
"Got auth exception trying to lookup system admin user for group membership check in ec2-bundle-read",
e);
}
boolean isAWSExecReadUser = false;
try {
isAWSExecReadUser = Accounts.lookupAwsExecReadAdmin(false).getUserId().equals(userId);
} catch (AuthException e) {
// Fall through
LOG.debug(
"Got auth exception trying to lookup aws-exec-read admin user for group membership check in ec2-bundle-read",
e);
}
if (ObjectStorageProperties.S3_GROUP.AWS_EXEC_READ.equals(group) && isAWSExecReadUser) {
return true;
}
// System only (or euca/admin) in the ec2-bundle-read group
if (ObjectStorageProperties.S3_GROUP.EC2_BUNDLE_READ.equals(group) && isSystemAdmin) {
return true;
}
// System or euca/admin only in logging
if (ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.equals(group) && isSystemAdmin) {
return true;
}
return false;
}
@SuppressWarnings("unchecked")
public <TYPE extends BaseMessage> TYPE markPrivileged() {
this.effectiveUserId = Principals.systemUser().getName();
return (TYPE) this;
}