Search in sources :

Example 16 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class AuthorizationTest method testAddDropPartitions.

@Test
public void testAddDropPartitions() throws Exception {
    createAuthNamespace();
    ApplicationId appId = AUTH_NAMESPACE.app(PartitionTestApp.class.getSimpleName());
    DatasetId datasetId = AUTH_NAMESPACE.dataset(PartitionTestApp.PFS_NAME);
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(PartitionTestApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(datasetId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(PartitionedFileSet.class.getName()), EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    ProgramId programId = appId.program(ProgramType.SERVICE, PartitionTestApp.PFS_SERVICE_NAME);
    grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE));
    cleanUpEntities.add(programId);
    grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.READ));
    cleanUpEntities.add(datasetId);
    ApplicationManager appMgr = deployApplication(AUTH_NAMESPACE, PartitionTestApp.class);
    SecurityRequestContext.setUserId(BOB.getName());
    String partition = "p1";
    String subPartition = "1";
    String text = "some random text for pfs";
    ServiceManager pfsService = appMgr.getServiceManager(PartitionTestApp.PFS_SERVICE_NAME);
    pfsService.start();
    pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
    URL pfsURL = pfsService.getServiceURL();
    String apiPath = String.format("partitions/%s/subpartitions/%s", partition, subPartition);
    URL url = new URL(pfsURL, apiPath);
    HttpRequest request;
    HttpResponse response;
    try {
        request = HttpRequest.post(url).withBody(text).build();
        response = HttpRequests.execute(request);
        // should fail because bob does not have write privileges on the dataset
        Assert.assertEquals(500, response.getResponseCode());
    } finally {
        pfsService.stop();
        pfsService.waitForRun(ProgramRunStatus.KILLED, 1, TimeUnit.MINUTES);
    }
    // grant read and write on dataset and restart
    grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.WRITE, Action.READ));
    pfsService.start();
    pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
    pfsURL = pfsService.getServiceURL();
    url = new URL(pfsURL, apiPath);
    try {
        request = HttpRequest.post(url).withBody(text).build();
        response = HttpRequests.execute(request);
        // should succeed now because bob was granted write privileges on the dataset
        Assert.assertEquals(200, response.getResponseCode());
        // make sure that the partition was added
        request = HttpRequest.get(url).build();
        response = HttpRequests.execute(request);
        Assert.assertEquals(200, response.getResponseCode());
        Assert.assertEquals(text, response.getResponseBodyAsString());
        // drop the partition
        request = HttpRequest.delete(url).build();
        response = HttpRequests.execute(request);
        Assert.assertEquals(200, response.getResponseCode());
    } finally {
        pfsService.stop();
        pfsService.waitForRuns(ProgramRunStatus.KILLED, 2, 1, TimeUnit.MINUTES);
        SecurityRequestContext.setUserId(ALICE.getName());
    }
}
Also used : HttpRequest(co.cask.common.http.HttpRequest) PrivilegedAction(java.security.PrivilegedAction) Action(co.cask.cdap.proto.security.Action) ApplicationManager(co.cask.cdap.test.ApplicationManager) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) HttpResponse(co.cask.common.http.HttpResponse) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) ProgramId(co.cask.cdap.proto.id.ProgramId) URL(java.net.URL) DatasetId(co.cask.cdap.proto.id.DatasetId) EntityId(co.cask.cdap.proto.id.EntityId) ServiceManager(co.cask.cdap.test.ServiceManager) ApplicationId(co.cask.cdap.proto.id.ApplicationId) Test(org.junit.Test)

Example 17 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class AuthorizationTest method testApps.

@Test
@Category(SlowTests.class)
public void testApps() throws Exception {
    try {
        deployApplication(NamespaceId.DEFAULT, DummyApp.class);
        Assert.fail("App deployment should fail because alice does not have ADMIN privilege on the application");
    } catch (UnauthorizedException e) {
    // Expected
    }
    createAuthNamespace();
    Authorizer authorizer = getAuthorizer();
    ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(dummyAppId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("whom"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream("who"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("customDataset"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    // alice will not be able to deploy the app since she does not have privilege on the implicit dataset module
    try {
        deployApplication(AUTH_NAMESPACE, DummyApp.class);
        Assert.fail();
    } catch (UnauthorizedException e) {
    // expected
    }
    // grant alice the required implicit type and module
    grantAndAssertSuccess(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN));
    cleanUpEntities.add(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()));
    grantAndAssertSuccess(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN));
    cleanUpEntities.add(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()));
    // this time it should be successful
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
    // Bob should not have any privileges on Alice's app
    Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty());
    // update should succeed because alice has admin privileges on the app
    appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
    // Update should fail for Bob
    SecurityRequestContext.setUserId(BOB.getName());
    try {
        appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
        Assert.fail("App update should have failed because Bob does not have admin privileges on the app.");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // grant READ and WRITE to Bob
    grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.READ, Action.WRITE));
    // delete should fail
    try {
        appManager.delete();
    } catch (UnauthorizedException expected) {
    // expected
    }
    // grant ADMIN to Bob. Now delete should succeed
    grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.ADMIN));
    // deletion should succeed since BOB has privileges on the app
    appManager.delete();
    // Should still have the privilege for the app since we no longer revoke privileges after deletion of an entity
    Assert.assertTrue(!getAuthorizer().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty());
    // bob should still have privileges granted to him
    Assert.assertEquals(3, authorizer.listPrivileges(BOB).size());
    // switch back to Alice
    SecurityRequestContext.setUserId(ALICE.getName());
    // Deploy a couple of apps in the namespace
    // Deploy dummy app should be successful since we already pre-grant the required privileges
    deployApplication(AUTH_NAMESPACE, DummyApp.class);
    final ApplicationId appId = AUTH_NAMESPACE.app(AllProgramsApp.NAME);
    Map<EntityId, Set<Action>> anotherAppNeededPrivilege = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream(AllProgramsApp.STREAM_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(ObjectMappedTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, anotherAppNeededPrivilege);
    Map<EntityId, Set<Action>> bobDatasetPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN)).build();
    Map<EntityId, Set<Action>> bobProgramPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId.program(ProgramType.FLOW, AllProgramsApp.NoOpFlow.NAME), EnumSet.of(Action.EXECUTE)).put(appId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME), EnumSet.of(Action.EXECUTE)).put(appId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME), EnumSet.of(Action.EXECUTE)).build();
    setUpPrivilegeAndRegisterForDeletion(BOB, bobDatasetPrivileges);
    setUpPrivilegeAndRegisterForDeletion(BOB, bobProgramPrivileges);
    deployApplication(AUTH_NAMESPACE, AllProgramsApp.class);
    // Switch to BOB since he does not have any privilege
    SecurityRequestContext.setUserId(BOB.getName());
    // deleting all apps should fail because bob does not have admin privileges on the apps and the namespace
    try {
        deleteAllApplications(AUTH_NAMESPACE);
        Assert.fail("Deleting all applications in the namespace should have failed because bob does not have ADMIN " + "privilege on the workflow app.");
    } catch (UnauthorizedException expected) {
    // expected
    }
    ApplicationDetail applicationDetail = getAppDetail(appId);
    Assert.assertEquals(bobDatasetPrivileges.keySet(), Sets.<EntityId>newHashSet(Iterables.transform(applicationDetail.getDatasets(), new Function<DatasetDetail, DatasetId>() {

        @Override
        public DatasetId apply(DatasetDetail input) {
            return appId.getNamespaceId().dataset(input.getName());
        }
    })));
    Assert.assertEquals(bobProgramPrivileges.keySet(), Sets.<EntityId>newHashSet(Iterables.transform(applicationDetail.getPrograms(), new Function<ProgramRecord, ProgramId>() {

        @Override
        public ProgramId apply(ProgramRecord input) {
            return appId.program(input.getType(), input.getName());
        }
    })));
    Assert.assertEquals(Collections.emptyList(), applicationDetail.getStreams());
    // Switch to ALICE, deletion should be successful since ALICE has ADMIN privileges
    SecurityRequestContext.setUserId(ALICE.getName());
    deleteAllApplications(AUTH_NAMESPACE);
}
Also used : DatasetDetail(co.cask.cdap.proto.DatasetDetail) PrivilegedAction(java.security.PrivilegedAction) Action(co.cask.cdap.proto.security.Action) ApplicationManager(co.cask.cdap.test.ApplicationManager) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) AllProgramsApp(co.cask.cdap.AllProgramsApp) ProgramId(co.cask.cdap.proto.id.ProgramId) AppRequest(co.cask.cdap.proto.artifact.AppRequest) DatasetId(co.cask.cdap.proto.id.DatasetId) EntityId(co.cask.cdap.proto.id.EntityId) ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary) ApplicationDetail(co.cask.cdap.proto.ApplicationDetail) ProgramRecord(co.cask.cdap.proto.ProgramRecord) KeyValueTable(co.cask.cdap.api.dataset.lib.KeyValueTable) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) DummyApp(co.cask.cdap.test.app.DummyApp) ApplicationId(co.cask.cdap.proto.id.ApplicationId) ObjectMappedTable(co.cask.cdap.api.dataset.lib.ObjectMappedTable) Category(org.junit.experimental.categories.Category) Test(org.junit.Test)

Example 18 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class AuthorizationTest method testCrossNSSystemDatasetAccessWithAuthMapReduce.

private void testCrossNSSystemDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception {
    addDatasetInstance(NamespaceId.SYSTEM.dataset("table1"), "keyValueTable").create();
    addDatasetInstance(NamespaceId.SYSTEM.dataset("table2"), "keyValueTable").create();
    NamespaceMeta otherNS = new NamespaceMeta.Builder().setName("otherNS").build();
    NamespaceId otherNsId = otherNS.getNamespaceId();
    DatasetId datasetId = otherNsId.dataset("otherTable");
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(otherNsId, EnumSet.of(Action.ADMIN)).put(datasetId, EnumSet.of(Action.ADMIN)).put(otherNsId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    getNamespaceAdmin().create(otherNS);
    addDatasetInstance(datasetId, "keyValueTable").create();
    addDummyData(NamespaceId.SYSTEM, "table1");
    // first test that reading system namespace fails with valid table as output
    Map<String, String> argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "table1", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, otherNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "otherTable");
    // give privilege to BOB on all the datasets
    grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ));
    grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE));
    grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_ACTIONS);
    // Switch to BOB and run the  mapreduce job. The job will fail at the runtime since BOB is trying to read from
    // system namespace
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(argsForMR, mrManager);
    assertDatasetIsEmpty(otherNS.getNamespaceId(), "otherTable");
    // now try reading a table from valid namespace and writing to system namespace
    argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, otherNS.getName(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "otherTable", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "table2");
    addDummyData(otherNS.getNamespaceId(), "otherTable");
    // verify that the program fails
    assertProgramFailure(argsForMR, mrManager);
    assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2");
    // switch to back to ALICE
    SecurityRequestContext.setUserId(ALICE.getName());
    // cleanup
    deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table1"));
    deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table2"));
    getNamespaceAdmin().delete(otherNS.getNamespaceId());
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) NamespaceId(co.cask.cdap.proto.id.NamespaceId) DatasetId(co.cask.cdap.proto.id.DatasetId)

Example 19 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class AuthorizationTest method testScheduleAuth.

@Test
public void testScheduleAuth() throws Exception {
    createAuthNamespace();
    ApplicationId appId = AUTH_NAMESPACE.app(AppWithSchedule.class.getSimpleName());
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(AppWithSchedule.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AppWithSchedule.INPUT_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AppWithSchedule.OUTPUT_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(ObjectStore.class.getName()), EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, AppWithSchedule.class);
    String workflowName = AppWithSchedule.SampleWorkflow.class.getSimpleName();
    ProgramId workflowID = new ProgramId(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), ProgramType.WORKFLOW, workflowName);
    cleanUpEntities.add(workflowID);
    final WorkflowManager workflowManager = appManager.getWorkflowManager(workflowName);
    ScheduleManager scheduleManager = workflowManager.getSchedule(AppWithSchedule.EVERY_HOUR_SCHEDULE);
    // switch to BOB
    SecurityRequestContext.setUserId(BOB.getName());
    // try to resume schedule as BOB. It should fail since BOB does not have execute privileges on the programs
    try {
        scheduleManager.resume();
        Assert.fail("Resuming schedule should have failed since BOB does not have EXECUTE on the program");
    } catch (UnauthorizedException e) {
    // Expected
    }
    // bob should also not be able see the status of the schedule
    try {
        scheduleManager.status(HttpURLConnection.HTTP_FORBIDDEN);
        Assert.fail("Getting schedule status should have failed since BOB does not have any privilege on the program");
    } catch (UnauthorizedException e) {
    // Expected
    }
    // give BOB READ permission in the workflow
    grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.READ));
    // switch to BOB
    SecurityRequestContext.setUserId(BOB.getName());
    // try to resume schedule as BOB. It should fail since BOB has READ but not EXECUTE on the workflow
    try {
        scheduleManager.resume();
        Assert.fail("Resuming schedule should have failed since BOB does not have EXECUTE on the program");
    } catch (UnauthorizedException e) {
    // Expected
    }
    // but BOB should be able to get schedule status now
    Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
    // give BOB EXECUTE permission in the workflow
    grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.EXECUTE));
    // switch to BOB
    SecurityRequestContext.setUserId(BOB.getName());
    // try to resume the schedule. This should pass and workflow should run
    scheduleManager.resume();
    Assert.assertEquals(ProgramScheduleStatus.SCHEDULED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
    // suspend the schedule so that it does not start running again
    scheduleManager.suspend();
    Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
    ScheduleId scheduleId = new ScheduleId(appId.getNamespace(), appId.getApplication(), appId.getVersion(), "testSchedule");
    ScheduleDetail scheduleDetail = new ScheduleDetail(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), "1.0-SNAPSHOT", "testSchedule", "Something 2", new ScheduleProgramInfo(SchedulableProgramType.WORKFLOW, workflowName), Collections.<String, String>emptyMap(), new TimeTrigger("*/1 * * * *"), Collections.<Constraint>emptyList(), TimeUnit.HOURS.toMillis(6), null);
    try {
        addSchedule(scheduleId, scheduleDetail);
        Assert.fail("Adding schedule should fail since BOB does not have AMDIN on the app");
    } catch (UnauthorizedException e) {
    // expected
    }
    // grant BOB ADMIN on the app
    grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN));
    // add schedule should succeed
    addSchedule(scheduleId, scheduleDetail);
    Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK));
    // update schedule should succeed
    updateSchedule(scheduleId, scheduleDetail);
    Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK));
    // revoke ADMIN from BOB
    getAuthorizer().revoke(Authorizable.fromEntityId(appId), BOB, EnumSet.of(Action.ADMIN));
    try {
        // delete schedule should fail since we revoke the ADMIN privilege from BOB
        deleteSchedule(scheduleId);
        Assert.fail("Deleting schedule should fail since BOB does not have AMDIN on the app");
    } catch (UnauthorizedException e) {
    // expected
    }
    try {
        updateSchedule(scheduleId, scheduleDetail);
        Assert.fail("Updating schedule should fail since BOB does not have AMDIN on the app");
    } catch (UnauthorizedException e) {
    // expected
    }
    // grant BOB ADMIN on the app again
    grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN));
    deleteSchedule(scheduleId);
    workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_NOT_FOUND);
    // switch to Alice
    SecurityRequestContext.setUserId(ALICE.getName());
}
Also used : ScheduleManager(co.cask.cdap.test.ScheduleManager) ObjectStore(co.cask.cdap.api.dataset.lib.ObjectStore) ApplicationManager(co.cask.cdap.test.ApplicationManager) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) TimeTrigger(co.cask.cdap.internal.app.runtime.schedule.trigger.TimeTrigger) WorkflowManager(co.cask.cdap.test.WorkflowManager) AppWithSchedule(co.cask.cdap.test.app.AppWithSchedule) ProgramId(co.cask.cdap.proto.id.ProgramId) ScheduleId(co.cask.cdap.proto.id.ScheduleId) EntityId(co.cask.cdap.proto.id.EntityId) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) ScheduleDetail(co.cask.cdap.proto.ScheduleDetail) ApplicationId(co.cask.cdap.proto.id.ApplicationId) ScheduleProgramInfo(co.cask.cdap.api.workflow.ScheduleProgramInfo) Test(org.junit.Test)

Example 20 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class AuthorizationTest method testCrossNSFlowlet.

@Test
public void testCrossNSFlowlet() throws Exception {
    createAuthNamespace();
    ApplicationId appId = AUTH_NAMESPACE.app(CrossNsDatasetAccessApp.APP_NAME);
    StreamId streamId = AUTH_NAMESPACE.stream(CrossNsDatasetAccessApp.STREAM_NAME);
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(CrossNsDatasetAccessApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(streamId, EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    ProgramId programId = appId.flow(CrossNsDatasetAccessApp.FLOW_NAME);
    cleanUpEntities.add(programId);
    // grant bob execute on program and READ/WRITE on stream
    grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE));
    grantAndAssertSuccess(streamId, BOB, EnumSet.of(Action.WRITE, Action.READ));
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, CrossNsDatasetAccessApp.class);
    // switch to BOB
    SecurityRequestContext.setUserId(BOB.getName());
    // Send data to stream as BOB this ensures that BOB can write to a stream in auth namespace
    StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.stream(CrossNsDatasetAccessApp.STREAM_NAME));
    for (int i = 0; i < 10; i++) {
        streamManager.send(String.valueOf(i).getBytes());
    }
    // switch to back to ALICE
    SecurityRequestContext.setUserId(ALICE.getName());
    final FlowManager flowManager = appManager.getFlowManager(CrossNsDatasetAccessApp.FLOW_NAME);
    testSystemDatasetAccessFromFlowlet(flowManager);
    testCrossNSDatasetAccessFromFlowlet(flowManager);
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) FlowManager(co.cask.cdap.test.FlowManager) StreamId(co.cask.cdap.proto.id.StreamId) ApplicationManager(co.cask.cdap.test.ApplicationManager) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) StreamManager(co.cask.cdap.test.StreamManager) ApplicationId(co.cask.cdap.proto.id.ApplicationId) ProgramId(co.cask.cdap.proto.id.ProgramId) Constraint(co.cask.cdap.internal.schedule.constraint.Constraint) Test(org.junit.Test)

Aggregations

EntityId (co.cask.cdap.proto.id.EntityId)62 Principal (co.cask.cdap.proto.security.Principal)21 EnumSet (java.util.EnumSet)18 HashSet (java.util.HashSet)18 Set (java.util.Set)18 PartitionedFileSet (co.cask.cdap.api.dataset.lib.PartitionedFileSet)17 ImmutableSet (com.google.common.collect.ImmutableSet)17 Test (org.junit.Test)17 Action (co.cask.cdap.proto.security.Action)14 UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)13 DatasetId (co.cask.cdap.proto.id.DatasetId)12 ProgramId (co.cask.cdap.proto.id.ProgramId)11 ApplicationManager (co.cask.cdap.test.ApplicationManager)11 ApplicationId (co.cask.cdap.proto.id.ApplicationId)10 StreamId (co.cask.cdap.proto.id.StreamId)9 NamespaceId (co.cask.cdap.proto.id.NamespaceId)8 PrivilegedAction (java.security.PrivilegedAction)8 KeyValueTable (co.cask.cdap.api.dataset.lib.KeyValueTable)7 NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)7 Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)7