private static Boolean iamPermissionsAllow(
     final AuthContextSupplier authContext,
     final String[] requiredActions,
     final String resourceType,
     final String resourceId,
     final long resourceAllocationSize) {
   /* IAM checks: Is the user allowed within the account? */
   // the Permissions.isAuthorized() handles the default deny for each action.
   boolean iamAllow = true; // Evaluate each iam action required, all must be allowed
   for (String action : requiredActions) {
     // Any deny overrides an allow
     // Note: explicitly set resourceOwnerAccount to null here, otherwise iam will reject even if
     // the ACL checks
     // were valid, let ACLs handle cross-account access.
     iamAllow &=
         Permissions.isAuthorized(
                 PolicySpec.VENDOR_S3, resourceType, resourceId, null, action, authContext)
             && Permissions.canAllocate(
                 PolicySpec.VENDOR_S3,
                 resourceType,
                 resourceId,
                 action,
                 authContext,
                 resourceAllocationSize);
   }
   return iamAllow;
 }
  private static void checkAuthorized() throws ReportingException {
    final Context ctx = Contexts.lookup();
    final User requestUser = ctx.getUser();
    final AuthContextSupplier requestUserSupplier = ctx.getAuthContext();

    if (!requestUser.isSystemUser()
        || !Permissions.isAuthorized(
            VENDOR_REPORTING, "", "", null, getIamActionByMessageType(), requestUserSupplier)) {
      throw new ReportingException(
          HttpResponseStatus.UNAUTHORIZED, ReportingException.NOT_AUTHORIZED, "Not authorized");
    }
  }
 private void checkActionPermission(final String actionType, final Context ctx)
     throws EucalyptusCloudException {
   if (!Permissions.isAuthorized(
       PolicySpec.VENDOR_CLOUDWATCH,
       actionType,
       "",
       ctx.getAccount(),
       actionType,
       ctx.getUser())) {
     throw new EucalyptusCloudException("User does not have permission");
   }
 }
示例#4
0
    @Override
    public boolean apply(final Allocation allocInfo) throws MetadataException {
      final UserFullName ownerFullName = allocInfo.getOwnerFullName();
      final String instanceProfileArn = allocInfo.getRequest().getIamInstanceProfileArn();
      final String instanceProfileName = allocInfo.getRequest().getIamInstanceProfileName();
      if (!Strings.isNullOrEmpty(instanceProfileArn)
          || !Strings.isNullOrEmpty(instanceProfileName)) {

        final String profileAccount;
        final String profileName;
        if (!Strings.isNullOrEmpty(instanceProfileArn))
          try {
            final Ern name = Ern.parse(instanceProfileArn);
            if (!(name instanceof EuareResourceName)) {
              throw new InvalidInstanceProfileMetadataException(
                  "Invalid IAM instance profile ARN: " + instanceProfileArn);
            }
            profileAccount = name.getAccount();
            profileName = ((EuareResourceName) name).getName();

          } catch (JSONException e) {
            throw new InvalidInstanceProfileMetadataException(
                "Invalid IAM instance profile ARN: " + instanceProfileArn, e);
          }
        else {
          profileAccount = ownerFullName.getAccountNumber();
          profileName = instanceProfileName;
        }

        final InstanceProfile profile;
        try {
          profile = Accounts.lookupInstanceProfileByName(profileAccount, profileName);
        } catch (AuthException e) {
          throw new InvalidInstanceProfileMetadataException(
              "Invalid IAM instance profile: " + profileAccount + "/" + profileName, e);
        }

        if (!Strings.isNullOrEmpty(instanceProfileName)
            && !instanceProfileName.equals(profile.getName())) {
          throw new InvalidInstanceProfileMetadataException(
              String.format(
                  "Invalid IAM instance profile name '%s' for ARN: %s",
                  profileName, instanceProfileArn));
        }

        try {
          final AuthContextSupplier user = allocInfo.getAuthContext();
          if (!Permissions.isAuthorized(
              PolicySpec.VENDOR_IAM,
              PolicySpec.IAM_RESOURCE_INSTANCE_PROFILE,
              Accounts.getInstanceProfileFullName(profile),
              AccountFullName.getInstance(profile.getAccountNumber()),
              PolicySpec.IAM_LISTINSTANCEPROFILES,
              user)) {
            throw new IllegalMetadataAccessException(
                String.format(
                    "Not authorized to access instance profile with ARN %s for %s",
                    profile.getInstanceProfileArn(), ownerFullName));
          }

          final Role role = profile.getRole();
          if (role != null
              && !Permissions.isAuthorized(
                  PolicySpec.VENDOR_IAM,
                  PolicySpec.IAM_RESOURCE_ROLE,
                  Accounts.getRoleFullName(role),
                  AccountFullName.getInstance(role.getAccountNumber()),
                  PolicySpec.IAM_PASSROLE,
                  user)) {
            throw new IllegalMetadataAccessException(
                String.format(
                    "Not authorized to pass role with ARN %s for %s",
                    role.getRoleArn(), ownerFullName));
          }

          if (role != null) {
            allocInfo.setInstanceProfileArn(profile.getInstanceProfileArn());
            allocInfo.setIamInstanceProfileId(profile.getInstanceProfileId());
            allocInfo.setIamRoleArn(role.getRoleArn());
          } else {
            throw new InvalidInstanceProfileMetadataException(
                "Role not found for IAM instance profile ARN: " + profile.getInstanceProfileArn());
          }
        } catch (AuthException e) {
          throw new MetadataException("IAM instance profile error", e);
        }
      }
      return true;
    }