
Example 61 with EntityId

Use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

From class ProgramLifecycleServiceAuthorizationTest, method testProgramList.

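@Test
public void testProgramList() throws Exception {
    // Run as ALICE; she starts with no privileges in the default namespace.
    SecurityRequestContext.setUserId(ALICE.getName());
    ApplicationId applicationId = NamespaceId.DEFAULT.app(AllProgramsApp.NAME);
    // Deploying AllProgramsApp needs ADMIN on the application, its artifact, and every dataset
    // and stream it declares. The helper is expected to verify that deploy is refused until the
    // whole set has been granted.
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder()
        .put(applicationId, EnumSet.of(Action.ADMIN))
        .put(NamespaceId.DEFAULT.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"),
             EnumSet.of(Action.ADMIN))
        .put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN))
        .put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN))
        .put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.of(Action.ADMIN))
        .put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.of(Action.ADMIN))
        .put(NamespaceId.DEFAULT.stream(AllProgramsApp.STREAM_NAME), EnumSet.of(Action.ADMIN))
        .build();
    setUpPrivilegesAndExpectFailedDeploy(neededPrivileges);
    // now we should be able to deploy
    AppFabricTestHelper.deployApplication(Id.Namespace.DEFAULT, AllProgramsApp.class, null, cConf);
    // Deploying must not auto-grant anything on the programs: without a program-level privilege
    // the listing has to be empty for every program type, i.e. program names are not disclosed
    // merely because the caller could deploy the app.
    // CUSTOM_ACTION and WEBAPP are skipped here and below; presumably they are not listable as
    // standalone programs -- confirm against ProgramLifecycleService.list.
    for (ProgramType type : ProgramType.values()) {
        if (!type.equals(ProgramType.CUSTOM_ACTION) && !type.equals(ProgramType.WEBAPP)) {
            Assert.assertTrue(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
        }
    }
    // Grant EXECUTE on one program of each type; listing requires a privilege on the program itself.
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.FLOW, AllProgramsApp.NoOpFlow.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SPARK, AllProgramsApp.NoOpSpark.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR2.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKFLOW, AllProgramsApp.NoOpWorkflow.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
    for (ProgramType type : ProgramType.values()) {
        if (type.equals(ProgramType.CUSTOM_ACTION) || type.equals(ProgramType.WEBAPP)) {
            continue;
        }
        // ALICE, who holds the grants, now sees programs of this type ...
        Assert.assertFalse(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
        // ... while bob, who holds none, still sees nothing. The request context is restored in a
        // finally so that a failing assertion cannot leave "bob" as the current user for whatever
        // runs next in this test class. ALICE.getName() is used rather than a literal so the
        // restored principal is exactly the one the test started with.
        SecurityRequestContext.setUserId("bob");
        try {
            Assert.assertTrue(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
        } finally {
            SecurityRequestContext.setUserId(ALICE.getName());
        }
    }
}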

Example 62 with EntityId

Use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

From class RemotePrivilegesTestBase, method testVisibility.

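@Test
public void testVisibility() throws Exception {
    ApplicationId app1 = NS.app("app1");
    ProgramId program1 = app1.program(ProgramType.SERVICE, "service1");
    ApplicationId app2 = NS.app("app2");
    // Note: program2 is a MAPREDUCE program despite the "service2" name.
    ProgramId program2 = app2.program(ProgramType.MAPREDUCE, "service2");
    DatasetId ds = NS.dataset("ds");
    DatasetId ds1 = NS.dataset("ds1");
    DatasetId ds2 = NS.dataset("ds2");
    StreamId stream = NS.stream("stream");
    StreamId stream1 = NS.stream("stream1");
    StreamId stream2 = NS.stream("stream2");
    // Entities ending in 1 never receive a grant; they must stay invisible to everyone.
    Set<? extends EntityId> allEntities = ImmutableSet.of(NS, APP, PROGRAM, ds, stream, app1, program1, ds1, stream1, app2, program2, ds2, stream2);
    try {
        // Grant privileges on non-numbered entities to ALICE
        privilegesManager.grant(Authorizable.fromEntityId(PROGRAM), ALICE, Collections.singleton(Action.EXECUTE));
        privilegesManager.grant(Authorizable.fromEntityId(ds), ALICE, EnumSet.of(Action.READ, Action.WRITE));
        privilegesManager.grant(Authorizable.fromEntityId(stream), ALICE, EnumSet.of(Action.READ));
        // Grant privileges on entities ending with 2 to BOB
        privilegesManager.grant(Authorizable.fromEntityId(program2), BOB, Collections.singleton(Action.ADMIN));
        privilegesManager.grant(Authorizable.fromEntityId(ds2), BOB, EnumSet.of(Action.READ, Action.WRITE));
        privilegesManager.grant(Authorizable.fromEntityId(stream2), BOB, EnumSet.allOf(Action.class));
        // NS and APP are never granted directly to ALICE, yet are expected to be visible to her;
        // presumably visibility propagates to the ancestors of a granted entity (PROGRAM) -- confirm
        // against the enforcer's implementation. The same applies to NS and app2 for BOB.
        Assert.assertEquals(ImmutableSet.of(NS, APP, PROGRAM, ds, stream), authorizationEnforcer.isVisible(allEntities, ALICE));
        Assert.assertEquals(ImmutableSet.of(NS, app2, program2, ds2, stream2), authorizationEnforcer.isVisible(allEntities, BOB));
        // A principal with no grants at all must see nothing -- there is no default visibility,
        // not even on the namespace.
        Assert.assertEquals(ImmutableSet.of(), authorizationEnforcer.isVisible(allEntities, CAROL));
        // An empty query yields an empty result, and a subset query only ever returns members of
        // that subset (ds and APP), never other entities the principal could see.
        Assert.assertEquals(ImmutableSet.of(), authorizationEnforcer.isVisible(ImmutableSet.<EntityId>of(), ALICE));
        Assert.assertEquals(ImmutableSet.of(ds, APP), authorizationEnforcer.isVisible(ImmutableSet.of(ds, APP), ALICE));
    } finally {
        // Revoke in a finally so that a failing assertion cannot leave stale grants (e.g. BOB's ADMIN
        // on program2) behind for other tests that share this privileges manager. Revoking entities
        // that were never granted is harmless and matches the original cleanup.
        for (EntityId entityId : allEntities) {
            privilegesManager.revoke(Authorizable.fromEntityId(entityId));
        }
    }
}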
