Example 1 with SecurityRole
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class JcrSecurityRoleProviderTest method testCreateRole.
@Test
public void testCreateRole() {
String name = metadata.commit(() -> {
SecurityRole role = createRole("feedEditor", "Editor", "Can edit feeds", FeedAccessControl.EDIT_DETAILS, FeedAccessControl.ENABLE_DISABLE, FeedAccessControl.EXPORT);
assertThat(role).isNotNull().extracting("systemName", "title", "description").contains("feedEditor", "Editor", "Can edit feeds");
assertThat(role.getAllowedActions().getAvailableActions().stream().flatMap(action -> action.stream())).extracting("systemName").contains(FeedAccessControl.ACCESS_DETAILS.getSystemName(), FeedAccessControl.EDIT_DETAILS.getSystemName(), FeedAccessControl.ENABLE_DISABLE.getSystemName(), FeedAccessControl.EXPORT.getSystemName());
return role.getSystemName();
}, MetadataAccess.SERVICE);
}
Also used :
DirtiesContext(org.springframework.test.annotation.DirtiesContext)
ModeShapeEngineConfig(com.thinkbiganalytics.metadata.modeshape.ModeShapeEngineConfig)
Action(com.thinkbiganalytics.security.action.Action)
Assertions.assertThat(org.assertj.core.api.Assertions.assertThat)
RunWith(org.junit.runner.RunWith)
JcrActionTreeBuilder(com.thinkbiganalytics.metadata.modeshape.security.action.JcrActionTreeBuilder)
AllowedActions(com.thinkbiganalytics.security.action.AllowedActions)
JcrTool(com.thinkbiganalytics.metadata.modeshape.support.JcrTool)
Inject(javax.inject.Inject)
SpringJUnit4ClassRunner(org.springframework.test.context.junit4.SpringJUnit4ClassRunner)
SecurityRole(com.thinkbiganalytics.security.role.SecurityRole)
FeedAccessControl(com.thinkbiganalytics.metadata.api.feed.security.FeedAccessControl)
Node(javax.jcr.Node)
JcrTestConfig(com.thinkbiganalytics.metadata.modeshape.JcrTestConfig)
MetadataAccess(com.thinkbiganalytics.metadata.api.MetadataAccess)
Before(org.junit.Before)
ImmutableAllowedActions(com.thinkbiganalytics.security.role.ImmutableAllowedActions)
ModeShapeAuthConfig(com.thinkbiganalytics.metadata.modeshape.security.ModeShapeAuthConfig)
ClassMode(org.springframework.test.annotation.DirtiesContext.ClassMode)
Test(org.junit.Test)
SecurityRoleProvider(com.thinkbiganalytics.security.role.SecurityRoleProvider)
List(java.util.List)
SpringApplicationConfiguration(org.springframework.boot.test.SpringApplicationConfiguration)
Optional(java.util.Optional)
JcrAllowedActions(com.thinkbiganalytics.metadata.modeshape.security.action.JcrAllowedActions)
JcrUtil(com.thinkbiganalytics.metadata.modeshape.support.JcrUtil)
JcrMetadataAccess(com.thinkbiganalytics.metadata.modeshape.JcrMetadataAccess)
SecurityRole(com.thinkbiganalytics.security.role.SecurityRole)
Test(org.junit.Test)
Example 2 with SecurityRole
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class JcrProjectProvider method createProject.
/**
* Creates a new user with the specified name.
*
* @param name the name of the Project
* @param ensure {@code true} to return the Project if it already exists, or {@code false} to throw an exception
* @return the Project
* @throws MetadataRepositoryException if the user could not be created
*/
@Nonnull
private Project createProject(@Nonnull final String name, final boolean ensure) {
final Session session = getSession();
final String projPath = ProjectPaths.projectPath(name).toString();
logger.debug("workspace= {}", session.getWorkspace().getName());
try {
Node projNode = session.getRootNode().getNode(ProjectPaths.PROJECTS.toString());
if (session.getRootNode().hasNode(projPath)) {
if (ensure) {
return JcrUtil.getJcrObject(projNode, name, JcrProject.class);
} else {
// TODO specialize me..
throw new RuntimeException(projPath);
}
} else {
// project does not yet exist
JcrProject newProject = JcrUtil.getOrCreateNode(projNode, name, JcrProject.NODE_TYPE, JcrProject.class);
// grant (or deny) current user access to the project he is creating
if (this.accessController.isEntityAccessControlled()) {
List<SecurityRole> roles = this.roleProvider.getEntityRoles(SecurityRole.PROJECT);
this.actionsProvider.getAvailableActions(AllowedActions.PROJECTS).ifPresent(actions -> newProject.enableAccessControl((JcrAllowedActions) actions, JcrMetadataAccess.getActiveUser(), roles));
} else {
this.actionsProvider.getAvailableActions(AllowedActions.PROJECTS).ifPresent(actions -> newProject.disableAccessControl((JcrAllowedActions) actions, JcrMetadataAccess.getActiveUser()));
}
return newProject;
}
} catch (RepositoryException e) {
throw new MetadataRepositoryException("Failed attempting to create a new Project with name: " + name, e);
}
}
Also used :
JcrProject(com.thinkbiganalytics.metadata.modeshape.project.JcrProject)
MetadataRepositoryException(com.thinkbiganalytics.metadata.modeshape.MetadataRepositoryException)
SecurityRole(com.thinkbiganalytics.security.role.SecurityRole)
JcrAllowedActions(com.thinkbiganalytics.metadata.modeshape.security.action.JcrAllowedActions)
Node(javax.jcr.Node)
MetadataRepositoryException(com.thinkbiganalytics.metadata.modeshape.MetadataRepositoryException)
RepositoryException(javax.jcr.RepositoryException)
Session(javax.jcr.Session)
Nonnull(javax.annotation.Nonnull)
Example 3 with SecurityRole
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class CheckEntityAccessControlAction method ensureTemplateAccessControl.
private void ensureTemplateAccessControl() {
List<FeedManagerTemplate> templates = feedManagerTemplateProvider.findAll();
if (templates != null) {
List<SecurityRole> roles = this.roleProvider.getEntityRoles(SecurityRole.TEMPLATE);
Optional<AllowedActions> allowedActions = this.actionsProvider.getAvailableActions(AllowedActions.TEMPLATE);
templates.stream().forEach(template -> {
Principal owner = template.getOwner() != null ? template.getOwner() : JcrMetadataAccess.getActiveUser();
allowedActions.ifPresent(actions -> ((JcrFeedTemplate) template).enableAccessControl((JcrAllowedActions) actions, owner, roles));
});
}
}
Also used :
SecurityRole(com.thinkbiganalytics.security.role.SecurityRole)
JcrAllowedActions(com.thinkbiganalytics.metadata.modeshape.security.action.JcrAllowedActions)
AllowedActions(com.thinkbiganalytics.security.action.AllowedActions)
JcrAllowedActions(com.thinkbiganalytics.metadata.modeshape.security.action.JcrAllowedActions)
FeedManagerTemplate(com.thinkbiganalytics.metadata.api.template.FeedManagerTemplate)
Principal(java.security.Principal)
Example 4 with SecurityRole
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class CheckEntityAccessControlAction method createDefaultRoles.
private void createDefaultRoles() {
// Create default roles
SecurityRole feedEditor = createDefaultRole(SecurityRole.FEED, "editor", "Editor", "Allows a user to edit, enable/disable, start, delete and export feed. Allows access to job operations for feed. " + "If role inherited via a category, allows these operations for feeds under that category.", FeedAccessControl.EDIT_DETAILS, FeedAccessControl.DELETE, FeedAccessControl.ACCESS_OPS, FeedAccessControl.ENABLE_DISABLE, FeedAccessControl.START, FeedAccessControl.EXPORT);
// admin can do everything the editor does + change perms
createDefaultRole(SecurityRole.FEED, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", feedEditor, FeedAccessControl.CHANGE_PERMS);
createDefaultRole(SecurityRole.FEED, "readOnly", "Read-Only", "Allows a user to view the feed and access job operations", FeedAccessControl.ACCESS_DETAILS, FeedAccessControl.ACCESS_OPS);
SecurityRole templateEditor = createDefaultRole(SecurityRole.TEMPLATE, "editor", "Editor", "Allows a user to edit,export a template", TemplateAccessControl.ACCESS_TEMPLATE, TemplateAccessControl.EDIT_TEMPLATE, TemplateAccessControl.DELETE, TemplateAccessControl.CREATE_FEED, TemplateAccessControl.EXPORT);
createDefaultRole(SecurityRole.TEMPLATE, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", templateEditor, TemplateAccessControl.CHANGE_PERMS);
createDefaultRole(SecurityRole.TEMPLATE, "readOnly", "Read-Only", "Allows a user to view the template", TemplateAccessControl.ACCESS_TEMPLATE);
SecurityRole categoryEditor = createDefaultRole(SecurityRole.CATEGORY, "editor", "Editor", "Allows a user to edit, export and delete category. Allows creating feeds under the category", CategoryAccessControl.ACCESS_CATEGORY, CategoryAccessControl.EDIT_DETAILS, CategoryAccessControl.EDIT_SUMMARY, CategoryAccessControl.CREATE_FEED, CategoryAccessControl.DELETE);
createDefaultRole(SecurityRole.CATEGORY, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", categoryEditor, CategoryAccessControl.CHANGE_PERMS);
createDefaultRole(SecurityRole.CATEGORY, "readOnly", "Read-Only", "Allows a user to view the category", CategoryAccessControl.ACCESS_CATEGORY);
createDefaultRole(SecurityRole.CATEGORY, "feedCreator", "Feed Creator", "Allows a user to create a new feed using this category", CategoryAccessControl.ACCESS_DETAILS, CategoryAccessControl.CREATE_FEED);
final SecurityRole datasourceEditor = createDefaultRole(SecurityRole.DATASOURCE, "editor", "Editor", "Allows a user to edit,delete datasources", DatasourceAccessControl.ACCESS_DATASOURCE, DatasourceAccessControl.EDIT_DETAILS, DatasourceAccessControl.EDIT_SUMMARY, DatasourceAccessControl.DELETE);
createDefaultRole(SecurityRole.DATASOURCE, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", datasourceEditor, DatasourceAccessControl.CHANGE_PERMS);
createDefaultRole(SecurityRole.DATASOURCE, "readOnly", "Read-Only", "Allows a user to view the datasource", DatasourceAccessControl.ACCESS_DATASOURCE);
final SecurityRole projectEditor = createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_EDITOR, "Editor", "Allows a user to edit, delete projects", ProjectAccessControl.ACCESS_PROJECT, ProjectAccessControl.EDIT_PROJECT, ProjectAccessControl.DELETE_PROJECT);
createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_ADMIN, "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", projectEditor, ProjectAccessControl.CHANGE_PERMS);
createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_READER, "Read-Only", "Allows a user to view the project", ProjectAccessControl.ACCESS_PROJECT);
}
Also used :
SecurityRole(com.thinkbiganalytics.security.role.SecurityRole)
Example 5 with SecurityRole
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class JcrDatasourceProvider method ensureDatasourceDetails.
@Override
public <D extends DatasourceDetails> Optional<D> ensureDatasourceDetails(@Nonnull final Datasource.ID id, @Nonnull final Class<D> type) {
try {
// Ensure the data source exists
final Optional<JcrUserDatasource> parent = Optional.ofNullable(getDatasource(id)).filter(JcrUserDatasource.class::isInstance).map(JcrUserDatasource.class::cast);
if (!parent.isPresent()) {
return Optional.empty();
}
// Create the details
final Class<? extends JcrDatasourceDetails> implType = JcrUserDatasource.resolveDetailsClass(type);
final boolean isNew = !hasEntityNode(parent.get().getPath(), JcrUserDatasource.DETAILS);
final Node node = findOrCreateEntityNode(parent.get().getPath(), JcrUserDatasource.DETAILS, implType);
@SuppressWarnings("unchecked") final D details = (D) JcrUtil.createJcrObject(node, implType);
// Re-assign permissions to data source
if (isNew) {
final UsernamePrincipal owner = parent.map(JcrUserDatasource::getOwner).map(Principal::getName).map(UsernamePrincipal::new).orElse(JcrMetadataAccess.getActiveUser());
if (accessController.isEntityAccessControlled()) {
final List<SecurityRole> roles = roleProvider.getEntityRoles(SecurityRole.DATASOURCE);
actionsProvider.getAvailableActions(AllowedActions.DATASOURCE).ifPresent(actions -> parent.get().enableAccessControl((JcrAllowedActions) actions, owner, roles));
} else {
actionsProvider.getAvailableActions(AllowedActions.DATASOURCE).ifPresent(actions -> parent.get().disableAccessControl((JcrAllowedActions) actions, owner));
}
}
return Optional.of(details);
} catch (final IllegalArgumentException e) {
throw new MetadataException("Unable to create datasource details: " + type, e);
}
}
Also used :
SecurityRole(com.thinkbiganalytics.security.role.SecurityRole)
Node(javax.jcr.Node)
MetadataException(com.thinkbiganalytics.metadata.api.MetadataException)
UsernamePrincipal(com.thinkbiganalytics.security.UsernamePrincipal)
JcrAllowedActions(com.thinkbiganalytics.metadata.modeshape.security.action.JcrAllowedActions)
UsernamePrincipal(com.thinkbiganalytics.security.UsernamePrincipal)
Principal(java.security.Principal)
Aggregations
SecurityRole (com.thinkbiganalytics.security.role.SecurityRole)11
JcrAllowedActions (com.thinkbiganalytics.metadata.modeshape.security.action.JcrAllowedActions)9
AllowedActions (com.thinkbiganalytics.security.action.AllowedActions)5
Principal (java.security.Principal)5
Node (javax.jcr.Node)5
MetadataRepositoryException (com.thinkbiganalytics.metadata.modeshape.MetadataRepositoryException)3
RepositoryException (javax.jcr.RepositoryException)3
MetadataException (com.thinkbiganalytics.metadata.api.MetadataException)2
JcrCategory (com.thinkbiganalytics.metadata.modeshape.category.JcrCategory)2
JcrTool (com.thinkbiganalytics.metadata.modeshape.support.JcrTool)2
MetadataAccess (com.thinkbiganalytics.metadata.api.MetadataAccess)1
Category (com.thinkbiganalytics.metadata.api.category.Category)1
CategoryNotFoundException (com.thinkbiganalytics.metadata.api.category.CategoryNotFoundException)1
Feed (com.thinkbiganalytics.metadata.api.feed.Feed)1
FeedAccessControl (com.thinkbiganalytics.metadata.api.feed.security.FeedAccessControl)1
FeedManagerTemplate (com.thinkbiganalytics.metadata.api.template.FeedManagerTemplate)1
JcrMetadataAccess (com.thinkbiganalytics.metadata.modeshape.JcrMetadataAccess)1
JcrTestConfig (com.thinkbiganalytics.metadata.modeshape.JcrTestConfig)1
ModeShapeEngineConfig (com.thinkbiganalytics.metadata.modeshape.ModeShapeEngineConfig)1
JcrFeed (com.thinkbiganalytics.metadata.modeshape.feed.JcrFeed)1
