Example 16 with EntityId
use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.
the class AuthorizationTest method testAddDropPartitions.
@Test
public void testAddDropPartitions() throws Exception {
createAuthNamespace();
ApplicationId appId = AUTH_NAMESPACE.app(PartitionTestApp.class.getSimpleName());
DatasetId datasetId = AUTH_NAMESPACE.dataset(PartitionTestApp.PFS_NAME);
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(PartitionTestApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(datasetId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(PartitionedFileSet.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
ProgramId programId = appId.program(ProgramType.SERVICE, PartitionTestApp.PFS_SERVICE_NAME);
grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE));
cleanUpEntities.add(programId);
grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.READ));
cleanUpEntities.add(datasetId);
ApplicationManager appMgr = deployApplication(AUTH_NAMESPACE, PartitionTestApp.class);
SecurityRequestContext.setUserId(BOB.getName());
String partition = "p1";
String subPartition = "1";
String text = "some random text for pfs";
ServiceManager pfsService = appMgr.getServiceManager(PartitionTestApp.PFS_SERVICE_NAME);
pfsService.start();
pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
URL pfsURL = pfsService.getServiceURL();
String apiPath = String.format("partitions/%s/subpartitions/%s", partition, subPartition);
URL url = new URL(pfsURL, apiPath);
HttpRequest request;
HttpResponse response;
try {
request = HttpRequest.post(url).withBody(text).build();
response = HttpRequests.execute(request);
// should fail because bob does not have write privileges on the dataset
Assert.assertEquals(500, response.getResponseCode());
} finally {
pfsService.stop();
pfsService.waitForRun(ProgramRunStatus.KILLED, 1, TimeUnit.MINUTES);
}
// grant read and write on dataset and restart
grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.WRITE, Action.READ));
pfsService.start();
pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
pfsURL = pfsService.getServiceURL();
url = new URL(pfsURL, apiPath);
try {
request = HttpRequest.post(url).withBody(text).build();
response = HttpRequests.execute(request);
// should succeed now because bob was granted write privileges on the dataset
Assert.assertEquals(200, response.getResponseCode());
// make sure that the partition was added
request = HttpRequest.get(url).build();
response = HttpRequests.execute(request);
Assert.assertEquals(200, response.getResponseCode());
Assert.assertEquals(text, response.getResponseBodyAsString());
// drop the partition
request = HttpRequest.delete(url).build();
response = HttpRequests.execute(request);
Assert.assertEquals(200, response.getResponseCode());
} finally {
pfsService.stop();
pfsService.waitForRuns(ProgramRunStatus.KILLED, 2, 1, TimeUnit.MINUTES);
SecurityRequestContext.setUserId(ALICE.getName());
}
}
Also used :
HttpRequest(co.cask.common.http.HttpRequest)
PrivilegedAction(java.security.PrivilegedAction)
Action(co.cask.cdap.proto.security.Action)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
HttpResponse(co.cask.common.http.HttpResponse)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
ProgramId(co.cask.cdap.proto.id.ProgramId)
URL(java.net.URL)
DatasetId(co.cask.cdap.proto.id.DatasetId)
EntityId(co.cask.cdap.proto.id.EntityId)
ServiceManager(co.cask.cdap.test.ServiceManager)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
Test(org.junit.Test)
Example 17 with EntityId
use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.
the class AuthorizationTest method testApps.
@Test
@Category(SlowTests.class)
public void testApps() throws Exception {
try {
deployApplication(NamespaceId.DEFAULT, DummyApp.class);
Assert.fail("App deployment should fail because alice does not have ADMIN privilege on the application");
} catch (UnauthorizedException e) {
// Expected
}
createAuthNamespace();
Authorizer authorizer = getAuthorizer();
ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(dummyAppId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("whom"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream("who"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("customDataset"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
// alice will not be able to deploy the app since she does not have privilege on the implicit dataset module
try {
deployApplication(AUTH_NAMESPACE, DummyApp.class);
Assert.fail();
} catch (UnauthorizedException e) {
// expected
}
// grant alice the required implicit type and module
grantAndAssertSuccess(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN));
cleanUpEntities.add(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()));
grantAndAssertSuccess(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN));
cleanUpEntities.add(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()));
// this time it should be successful
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
// Bob should not have any privileges on Alice's app
Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty());
// update should succeed because alice has admin privileges on the app
appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
// Update should fail for Bob
SecurityRequestContext.setUserId(BOB.getName());
try {
appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
Assert.fail("App update should have failed because Bob does not have admin privileges on the app.");
} catch (UnauthorizedException expected) {
// expected
}
// grant READ and WRITE to Bob
grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.READ, Action.WRITE));
// delete should fail
try {
appManager.delete();
} catch (UnauthorizedException expected) {
// expected
}
// grant ADMIN to Bob. Now delete should succeed
grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.ADMIN));
// deletion should succeed since BOB has privileges on the app
appManager.delete();
// Should still have the privilege for the app since we no longer revoke privileges after deletion of an entity
Assert.assertTrue(!getAuthorizer().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty());
// bob should still have privileges granted to him
Assert.assertEquals(3, authorizer.listPrivileges(BOB).size());
// switch back to Alice
SecurityRequestContext.setUserId(ALICE.getName());
// Deploy a couple of apps in the namespace
// Deploy dummy app should be successful since we already pre-grant the required privileges
deployApplication(AUTH_NAMESPACE, DummyApp.class);
final ApplicationId appId = AUTH_NAMESPACE.app(AllProgramsApp.NAME);
Map<EntityId, Set<Action>> anotherAppNeededPrivilege = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream(AllProgramsApp.STREAM_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(ObjectMappedTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, anotherAppNeededPrivilege);
Map<EntityId, Set<Action>> bobDatasetPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN)).build();
Map<EntityId, Set<Action>> bobProgramPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId.program(ProgramType.FLOW, AllProgramsApp.NoOpFlow.NAME), EnumSet.of(Action.EXECUTE)).put(appId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME), EnumSet.of(Action.EXECUTE)).put(appId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME), EnumSet.of(Action.EXECUTE)).build();
setUpPrivilegeAndRegisterForDeletion(BOB, bobDatasetPrivileges);
setUpPrivilegeAndRegisterForDeletion(BOB, bobProgramPrivileges);
deployApplication(AUTH_NAMESPACE, AllProgramsApp.class);
// Switch to BOB since he does not have any privilege
SecurityRequestContext.setUserId(BOB.getName());
// deleting all apps should fail because bob does not have admin privileges on the apps and the namespace
try {
deleteAllApplications(AUTH_NAMESPACE);
Assert.fail("Deleting all applications in the namespace should have failed because bob does not have ADMIN " + "privilege on the workflow app.");
} catch (UnauthorizedException expected) {
// expected
}
ApplicationDetail applicationDetail = getAppDetail(appId);
Assert.assertEquals(bobDatasetPrivileges.keySet(), Sets.<EntityId>newHashSet(Iterables.transform(applicationDetail.getDatasets(), new Function<DatasetDetail, DatasetId>() {
@Override
public DatasetId apply(DatasetDetail input) {
return appId.getNamespaceId().dataset(input.getName());
}
})));
Assert.assertEquals(bobProgramPrivileges.keySet(), Sets.<EntityId>newHashSet(Iterables.transform(applicationDetail.getPrograms(), new Function<ProgramRecord, ProgramId>() {
@Override
public ProgramId apply(ProgramRecord input) {
return appId.program(input.getType(), input.getName());
}
})));
Assert.assertEquals(Collections.emptyList(), applicationDetail.getStreams());
// Switch to ALICE, deletion should be successful since ALICE has ADMIN privileges
SecurityRequestContext.setUserId(ALICE.getName());
deleteAllApplications(AUTH_NAMESPACE);
}
Also used :
DatasetDetail(co.cask.cdap.proto.DatasetDetail)
PrivilegedAction(java.security.PrivilegedAction)
Action(co.cask.cdap.proto.security.Action)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
AllProgramsApp(co.cask.cdap.AllProgramsApp)
ProgramId(co.cask.cdap.proto.id.ProgramId)
AppRequest(co.cask.cdap.proto.artifact.AppRequest)
DatasetId(co.cask.cdap.proto.id.DatasetId)
EntityId(co.cask.cdap.proto.id.EntityId)
ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary)
ApplicationDetail(co.cask.cdap.proto.ApplicationDetail)
ProgramRecord(co.cask.cdap.proto.ProgramRecord)
KeyValueTable(co.cask.cdap.api.dataset.lib.KeyValueTable)
InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer)
Authorizer(co.cask.cdap.security.spi.authorization.Authorizer)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
DummyApp(co.cask.cdap.test.app.DummyApp)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
ObjectMappedTable(co.cask.cdap.api.dataset.lib.ObjectMappedTable)
Category(org.junit.experimental.categories.Category)
Test(org.junit.Test)
Example 18 with EntityId
use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.
the class AuthorizationTest method testCrossNSSystemDatasetAccessWithAuthMapReduce.
private void testCrossNSSystemDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception {
addDatasetInstance(NamespaceId.SYSTEM.dataset("table1"), "keyValueTable").create();
addDatasetInstance(NamespaceId.SYSTEM.dataset("table2"), "keyValueTable").create();
NamespaceMeta otherNS = new NamespaceMeta.Builder().setName("otherNS").build();
NamespaceId otherNsId = otherNS.getNamespaceId();
DatasetId datasetId = otherNsId.dataset("otherTable");
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(otherNsId, EnumSet.of(Action.ADMIN)).put(datasetId, EnumSet.of(Action.ADMIN)).put(otherNsId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(otherNS);
addDatasetInstance(datasetId, "keyValueTable").create();
addDummyData(NamespaceId.SYSTEM, "table1");
// first test that reading system namespace fails with valid table as output
Map<String, String> argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "table1", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, otherNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "otherTable");
// give privilege to BOB on all the datasets
grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ));
grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE));
grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_ACTIONS);
// Switch to BOB and run the mapreduce job. The job will fail at the runtime since BOB is trying to read from
// system namespace
SecurityRequestContext.setUserId(BOB.getName());
assertProgramFailure(argsForMR, mrManager);
assertDatasetIsEmpty(otherNS.getNamespaceId(), "otherTable");
// now try reading a table from valid namespace and writing to system namespace
argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, otherNS.getName(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "otherTable", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "table2");
addDummyData(otherNS.getNamespaceId(), "otherTable");
// verify that the program fails
assertProgramFailure(argsForMR, mrManager);
assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2");
// switch to back to ALICE
SecurityRequestContext.setUserId(ALICE.getName());
// cleanup
deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table1"));
deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table2"));
getNamespaceAdmin().delete(otherNS.getNamespaceId());
}
Also used :
EntityId(co.cask.cdap.proto.id.EntityId)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
NamespaceMeta(co.cask.cdap.proto.NamespaceMeta)
NamespaceId(co.cask.cdap.proto.id.NamespaceId)
DatasetId(co.cask.cdap.proto.id.DatasetId)
Example 19 with EntityId
use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.
the class AuthorizationTest method testScheduleAuth.
@Test
public void testScheduleAuth() throws Exception {
createAuthNamespace();
ApplicationId appId = AUTH_NAMESPACE.app(AppWithSchedule.class.getSimpleName());
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(AppWithSchedule.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AppWithSchedule.INPUT_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AppWithSchedule.OUTPUT_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(ObjectStore.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, AppWithSchedule.class);
String workflowName = AppWithSchedule.SampleWorkflow.class.getSimpleName();
ProgramId workflowID = new ProgramId(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), ProgramType.WORKFLOW, workflowName);
cleanUpEntities.add(workflowID);
final WorkflowManager workflowManager = appManager.getWorkflowManager(workflowName);
ScheduleManager scheduleManager = workflowManager.getSchedule(AppWithSchedule.EVERY_HOUR_SCHEDULE);
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// try to resume schedule as BOB. It should fail since BOB does not have execute privileges on the programs
try {
scheduleManager.resume();
Assert.fail("Resuming schedule should have failed since BOB does not have EXECUTE on the program");
} catch (UnauthorizedException e) {
// Expected
}
// bob should also not be able see the status of the schedule
try {
scheduleManager.status(HttpURLConnection.HTTP_FORBIDDEN);
Assert.fail("Getting schedule status should have failed since BOB does not have any privilege on the program");
} catch (UnauthorizedException e) {
// Expected
}
// give BOB READ permission in the workflow
grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.READ));
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// try to resume schedule as BOB. It should fail since BOB has READ but not EXECUTE on the workflow
try {
scheduleManager.resume();
Assert.fail("Resuming schedule should have failed since BOB does not have EXECUTE on the program");
} catch (UnauthorizedException e) {
// Expected
}
// but BOB should be able to get schedule status now
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
// give BOB EXECUTE permission in the workflow
grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.EXECUTE));
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// try to resume the schedule. This should pass and workflow should run
scheduleManager.resume();
Assert.assertEquals(ProgramScheduleStatus.SCHEDULED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
// suspend the schedule so that it does not start running again
scheduleManager.suspend();
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
ScheduleId scheduleId = new ScheduleId(appId.getNamespace(), appId.getApplication(), appId.getVersion(), "testSchedule");
ScheduleDetail scheduleDetail = new ScheduleDetail(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), "1.0-SNAPSHOT", "testSchedule", "Something 2", new ScheduleProgramInfo(SchedulableProgramType.WORKFLOW, workflowName), Collections.<String, String>emptyMap(), new TimeTrigger("*/1 * * * *"), Collections.<Constraint>emptyList(), TimeUnit.HOURS.toMillis(6), null);
try {
addSchedule(scheduleId, scheduleDetail);
Assert.fail("Adding schedule should fail since BOB does not have AMDIN on the app");
} catch (UnauthorizedException e) {
// expected
}
// grant BOB ADMIN on the app
grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN));
// add schedule should succeed
addSchedule(scheduleId, scheduleDetail);
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK));
// update schedule should succeed
updateSchedule(scheduleId, scheduleDetail);
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK));
// revoke ADMIN from BOB
getAuthorizer().revoke(Authorizable.fromEntityId(appId), BOB, EnumSet.of(Action.ADMIN));
try {
// delete schedule should fail since we revoke the ADMIN privilege from BOB
deleteSchedule(scheduleId);
Assert.fail("Deleting schedule should fail since BOB does not have AMDIN on the app");
} catch (UnauthorizedException e) {
// expected
}
try {
updateSchedule(scheduleId, scheduleDetail);
Assert.fail("Updating schedule should fail since BOB does not have AMDIN on the app");
} catch (UnauthorizedException e) {
// expected
}
// grant BOB ADMIN on the app again
grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN));
deleteSchedule(scheduleId);
workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_NOT_FOUND);
// switch to Alice
SecurityRequestContext.setUserId(ALICE.getName());
}
Also used :
ScheduleManager(co.cask.cdap.test.ScheduleManager)
ObjectStore(co.cask.cdap.api.dataset.lib.ObjectStore)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
TimeTrigger(co.cask.cdap.internal.app.runtime.schedule.trigger.TimeTrigger)
WorkflowManager(co.cask.cdap.test.WorkflowManager)
AppWithSchedule(co.cask.cdap.test.app.AppWithSchedule)
ProgramId(co.cask.cdap.proto.id.ProgramId)
ScheduleId(co.cask.cdap.proto.id.ScheduleId)
EntityId(co.cask.cdap.proto.id.EntityId)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
ScheduleDetail(co.cask.cdap.proto.ScheduleDetail)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
ScheduleProgramInfo(co.cask.cdap.api.workflow.ScheduleProgramInfo)
Test(org.junit.Test)
Example 20 with EntityId
use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.
the class AuthorizationTest method testCrossNSFlowlet.
@Test
public void testCrossNSFlowlet() throws Exception {
createAuthNamespace();
ApplicationId appId = AUTH_NAMESPACE.app(CrossNsDatasetAccessApp.APP_NAME);
StreamId streamId = AUTH_NAMESPACE.stream(CrossNsDatasetAccessApp.STREAM_NAME);
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(CrossNsDatasetAccessApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(streamId, EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
ProgramId programId = appId.flow(CrossNsDatasetAccessApp.FLOW_NAME);
cleanUpEntities.add(programId);
// grant bob execute on program and READ/WRITE on stream
grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE));
grantAndAssertSuccess(streamId, BOB, EnumSet.of(Action.WRITE, Action.READ));
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, CrossNsDatasetAccessApp.class);
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// Send data to stream as BOB this ensures that BOB can write to a stream in auth namespace
StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.stream(CrossNsDatasetAccessApp.STREAM_NAME));
for (int i = 0; i < 10; i++) {
streamManager.send(String.valueOf(i).getBytes());
}
// switch to back to ALICE
SecurityRequestContext.setUserId(ALICE.getName());
final FlowManager flowManager = appManager.getFlowManager(CrossNsDatasetAccessApp.FLOW_NAME);
testSystemDatasetAccessFromFlowlet(flowManager);
testCrossNSDatasetAccessFromFlowlet(flowManager);
}
Also used :
EntityId(co.cask.cdap.proto.id.EntityId)
FlowManager(co.cask.cdap.test.FlowManager)
StreamId(co.cask.cdap.proto.id.StreamId)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
StreamManager(co.cask.cdap.test.StreamManager)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
ProgramId(co.cask.cdap.proto.id.ProgramId)
Constraint(co.cask.cdap.internal.schedule.constraint.Constraint)
Test(org.junit.Test)
Aggregations
EntityId (co.cask.cdap.proto.id.EntityId)62
Principal (co.cask.cdap.proto.security.Principal)21
EnumSet (java.util.EnumSet)18
HashSet (java.util.HashSet)18
Set (java.util.Set)18
PartitionedFileSet (co.cask.cdap.api.dataset.lib.PartitionedFileSet)17
ImmutableSet (com.google.common.collect.ImmutableSet)17
Test (org.junit.Test)17
Action (co.cask.cdap.proto.security.Action)14
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)13
DatasetId (co.cask.cdap.proto.id.DatasetId)12
ProgramId (co.cask.cdap.proto.id.ProgramId)11
ApplicationManager (co.cask.cdap.test.ApplicationManager)11
ApplicationId (co.cask.cdap.proto.id.ApplicationId)10
StreamId (co.cask.cdap.proto.id.StreamId)9
NamespaceId (co.cask.cdap.proto.id.NamespaceId)8
PrivilegedAction (java.security.PrivilegedAction)8
KeyValueTable (co.cask.cdap.api.dataset.lib.KeyValueTable)7
NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)7
Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)7
