the class AuthorizationTest method testFlowStreamAuth.
/**
 * Verifies that a flow consuming a stream is gated by the caller's privileges on that stream:
 * with READ the flow processes events, once READ is revoked the flow cannot run, and
 * re-granting READ lets it resume. ALICE is the principal the privileges are granted to; the
 * app, streams and dataset live in AUTH_NAMESPACE.
 */
@Test
@Category(SlowTests.class)
public void testFlowStreamAuth() throws Exception {
  createAuthNamespace();
  Authorizer authorizer = getAuthorizer();
  // set up privilege to deploy the app
  setUpPrivilegeToDeployStreamAuthApp();
  StreamId streamId1 = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
  StreamId streamId2 = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM2);
  // Privileges the app needs at runtime: READ/WRITE on both streams and on the KV table,
  // EXECUTE on the flow. They are registered so the test harness revokes them afterwards.
  Map<EntityId, Set<Action>> additionalPrivileges = ImmutableMap.<EntityId, Set<Action>>builder()
    .put(streamId1, EnumSet.of(Action.READ, Action.WRITE))
    .put(streamId2, EnumSet.of(Action.READ, Action.WRITE))
    .put(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE), EnumSet.of(Action.READ, Action.WRITE))
    .put(AUTH_NAMESPACE.app(StreamAuthApp.APP).flow(StreamAuthApp.FLOW), EnumSet.of(Action.EXECUTE))
    .build();
  setUpPrivilegeAndRegisterForDeletion(ALICE, additionalPrivileges);
  ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
  final FlowManager flowManager = appManager.getFlowManager(StreamAuthApp.FLOW);
  StreamManager streamManager = getStreamManager(streamId1);
  StreamManager streamManager2 = getStreamManager(streamId2);
  // Positive case: with READ on streamId1 the flow consumes "Auth" and lands it in the KV table.
  streamManager.send("Auth");
  flowManager.start();
  Tasks.waitFor(true, new Callable<Boolean>() {
    @Override
    public Boolean call() throws Exception {
      DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
      return kvTable.get().read("Auth") != null;
    }
  }, 5, TimeUnit.SECONDS);
  flowManager.stop();
  flowManager.waitForRun(ProgramRunStatus.KILLED, 60, TimeUnit.SECONDS);
  // Now revoke the privileges for ALICE on the stream and grant her ADMIN and WRITE.
  // Net effect: ALICE keeps the ability to write to streamId1 but loses READ on it.
  authorizer.revoke(Authorizable.fromEntityId(streamId1), ALICE, EnumSet.allOf(Action.class));
  authorizer.grant(Authorizable.fromEntityId(streamId1), ALICE, EnumSet.of(Action.WRITE, Action.ADMIN));
  streamManager.send("Security");
  // "Safety" goes to streamId2, whose privileges are untouched; this method never checks
  // what happens to it.
  streamManager2.send("Safety");
  // Negative case: without READ on streamId1 the flow must not consume it. start() may reject
  // the run with UnauthorizedException; if it returns normally, waitForStatus(false) checks
  // that the run is not left running.
  // NOTE(review): when start() does not throw, nothing here asserts that the run ended for
  // authorization reasons, nor that "Security" is absent from the table before READ is
  // re-granted below.
  try {
    flowManager.start();
  } catch (UnauthorizedException e) {
    // Expected
  }
  flowManager.waitForStatus(false);
  // Restore READ: the flow can start again and should now pick up the pending "Security" event.
  authorizer.grant(Authorizable.fromEntityId(streamId1), ALICE, ImmutableSet.of(Action.READ));
  flowManager.start();
  Tasks.waitFor(true, new Callable<Boolean>() {
    @Override
    public Boolean call() throws Exception {
      DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
      return kvTable.get().read("Security") != null;
    }
  }, 5, TimeUnit.SECONDS);
  // Short pause before stopping; presumably lets the run settle after the read -- not
  // explained here.
  TimeUnit.MILLISECONDS.sleep(10);
  flowManager.stop();
  // Two runs were explicitly stopped (above and here), so two KILLED runs are expected.
  flowManager.waitForRuns(ProgramRunStatus.KILLED, 2, 5, TimeUnit.SECONDS);
  appManager.delete();
}
the class AuthorizationTest method testWorkerStreamAuth.
/**
 * Checks that a worker writing to a stream is subject to the caller's WRITE privilege on
 * that stream: the first run completes and its events land in the stream; after WRITE is
 * revoked from ALICE the next run fails and the stream content is unchanged.
 */
@Test
@Category(SlowTests.class)
public void testWorkerStreamAuth() throws Exception {
  createAuthNamespace();
  Authorizer authorizer = getAuthorizer();
  setUpPrivilegeToDeployStreamAuthApp();
  StreamId streamId = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
  EntityId workerId = AUTH_NAMESPACE.app(StreamAuthApp.APP).worker(StreamAuthApp.WORKER);
  // Runtime privileges: READ/WRITE on the stream and EXECUTE on the worker.
  Map<EntityId, Set<Action>> additionalPrivileges = ImmutableMap.<EntityId, Set<Action>>builder()
    .put(streamId, EnumSet.of(Action.READ, Action.WRITE))
    .put(workerId, EnumSet.of(Action.EXECUTE))
    .build();
  setUpPrivilegeAndRegisterForDeletion(ALICE, additionalPrivileges);
  ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
  WorkerManager workerManager = appManager.getWorkerManager(StreamAuthApp.WORKER);
  // First run: ALICE holds WRITE, so the worker completes normally.
  workerManager.start();
  workerManager.waitForRun(ProgramRunStatus.COMPLETED, 60, TimeUnit.SECONDS);
  StreamManager streamManager = getStreamManager(streamId);
  // 5 is the number of events one successful worker run is expected to emit; that number
  // is defined by StreamAuthApp, not visible here.
  final int eventsAfterFirstRun = 5;
  Assert.assertEquals(eventsAfterFirstRun, countAllEvents(streamManager));
  // Now revoke write permission for Alice on that stream
  authorizer.revoke(Authorizable.fromEntityId(streamId), ALICE, EnumSet.of(Action.WRITE));
  // Second run: the write is no longer permitted, so the run must fail and the stream must
  // still hold exactly the events of the first run.
  workerManager.start();
  workerManager.waitForRuns(ProgramRunStatus.FAILED, 1, 60, TimeUnit.SECONDS);
  Assert.assertEquals(eventsAfterFirstRun, countAllEvents(streamManager));
  appManager.delete();
}

/** Returns the total number of events currently readable through {@code manager}. */
private static int countAllEvents(StreamManager manager) throws Exception {
  return manager.getEvents(0, Long.MAX_VALUE, Integer.MAX_VALUE).size();
}
the class DefaultAuthorizationEnforcer method isVisible.
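/**
 * Filters {@code entityIds} down to the ones {@code principal} is allowed to see.
 *
 * <p>When security authorization is disabled every entity is visible. Otherwise entities in
 * the system namespace accessed as the master user, and entities that are the principal
 * itself, are visible without consulting the authorizer; only the remainder is handed to the
 * configured {@link Authorizer}. An exception from the authorizer propagates unchanged, so a
 * failing check never widens visibility. The time spent in the authorizer is logged, at WARN
 * level once it exceeds {@code logTimeTakenAsWarn}.
 *
 * @param entityIds entities whose visibility is being checked
 * @param principal the principal the check is performed for
 * @return an unmodifiable set holding the visible subset of {@code entityIds}
 * @throws Exception if the delegate authorizer fails
 */
@Override
public Set<? extends EntityId> isVisible(Set<? extends EntityId> entityIds, Principal principal) throws Exception {
  if (!isSecurityAuthorizationEnabled()) {
    return entityIds;
  }
  Set<EntityId> visibleEntities = new HashSet<>();
  // Entities that bypass the authorizer: system namespace accessed by the master user, or an
  // entity id that is the principal itself.
  for (EntityId entityId : entityIds) {
    if (isAccessingSystemNSAsMasterUser(entityId, principal) || isEnforcingOnSamePrincipalId(entityId, principal)) {
      visibleEntities.add(entityId);
    }
  }
  // Snapshot the remainder instead of passing the authorizer a live Sets.difference view:
  // that view is backed by visibleEntities, which is mutated below once the answer is back,
  // so an authorizer that retains or lazily iterates it would see a changing set.
  Set<EntityId> pending = new HashSet<>(Sets.difference(entityIds, visibleEntities));
  LOG.trace("Checking visibility of {} for principal {}.", pending, principal);
  // A fresh stopwatch per call: this enforcer is bound as a singleton, so an instance-level
  // stopwatch would be shared across concurrent calls.
  StopWatch watch = new StopWatch();
  watch.start();
  Set<? extends EntityId> moreVisibleEntities;
  try {
    moreVisibleEntities = authorizerInstantiator.get().isVisible(pending, principal);
  } finally {
    watch.stop();
    long timeTaken = watch.getTime();
    String logLine = "Checked visibility of {} for principal {}. Time spent in visibility check was {} ms.";
    if (timeTaken > logTimeTakenAsWarn) {
      LOG.warn(logLine, pending, principal, timeTaken);
    } else {
      LOG.trace(logLine, pending, principal, timeTaken);
    }
  }
  // Only entities that were actually asked about can become visible: a delegate answer that
  // contains anything else is dropped rather than surfaced to the caller.
  for (EntityId entityId : moreVisibleEntities) {
    if (pending.contains(entityId)) {
      visibleEntities.add(entityId);
    }
  }
  LOG.trace("Getting {} as visible entities", visibleEntities);
  return Collections.unmodifiableSet(visibleEntities);
}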
the class DatasetInstanceServiceTest method testInstanceMetaCache.
/**
 * Exercises the dataset-meta cache of {@code instanceService}: the same meta instance is
 * handed out for different owners, an update replaces it, a drop makes lookups fail with
 * {@link NotFoundException}, and a recreate yields a fresh meta with an equal spec.
 */
@Test
public void testInstanceMetaCache() throws Exception {
  final String dsName = "testds";
  final String ns = NamespaceId.DEFAULT.getNamespace();
  // Owners (programs) on whose behalf the dataset meta is requested.
  ImmutableList<EntityId> app1Flow1 = ImmutableList.<EntityId>of(new ProgramId(ns, "app1", ProgramType.FLOW, "flow1"));
  ImmutableList<EntityId> app2Flow2 = ImmutableList.<EntityId>of(new ProgramId(ns, "app2", ProgramType.FLOW, "flow2"));
  ImmutableList<EntityId> app1Flow2 = ImmutableList.<EntityId>of(new ProgramId(ns, "app1", ProgramType.FLOW, "flow2"));

  // deploy a dataset
  instanceService.create(NamespaceId.DEFAULT.getEntityName(), dsName, new DatasetInstanceConfiguration("table", new HashMap<String, String>()));
  // get the dataset meta for two different owners, assert it is the same
  DatasetMeta firstMeta = instanceService.get(NamespaceId.DEFAULT.dataset(dsName), app1Flow1);
  DatasetMeta laterMeta = instanceService.get(NamespaceId.DEFAULT.dataset(dsName), app2Flow2);
  Assert.assertSame(firstMeta, laterMeta);

  // update the dataset; the cached meta must be replaced and carry the new property
  instanceService.update(NamespaceId.DEFAULT.dataset(dsName), ImmutableMap.of("ttl", "12345678"));
  laterMeta = instanceService.get(NamespaceId.DEFAULT.dataset(dsName), app2Flow2);
  Assert.assertNotSame(firstMeta, laterMeta);
  Assert.assertEquals("12345678", laterMeta.getSpec().getProperty("ttl"));

  // delete the dataset; a lookup must now fail rather than serve a stale cache entry
  instanceService.drop(NamespaceId.DEFAULT.dataset(dsName));
  try {
    instanceService.get(NamespaceId.DEFAULT.dataset(dsName), app1Flow2);
    Assert.fail("get() should have thrown NotFoundException");
  } catch (NotFoundException e) {
    // expected
  }

  // recreate the dataset with the original configuration; the spec must match the first one
  instanceService.create(NamespaceId.DEFAULT.getNamespace(), dsName, new DatasetInstanceConfiguration("table", new HashMap<String, String>()));
  laterMeta = instanceService.get(NamespaceId.DEFAULT.dataset(dsName), app2Flow2);
  Assert.assertEquals(firstMeta.getSpec(), laterMeta.getSpec());
}
the class DefaultNamespaceAdmin method list.
/**
 * Lists the namespaces visible to the current principal.
 *
 * <p>All namespaces are read from the store and then filtered through
 * {@link AuthorizationUtil#isVisible} using the configured authorization enforcer, so the
 * result is not necessarily every namespace that exists.
 *
 * @return the {@link NamespaceMeta} of each namespace the caller may see
 * @throws Exception if the store or the visibility check fails
 */
@Override
public List<NamespaceMeta> list() throws Exception {
  List<NamespaceMeta> allNamespaces = nsStore.list();
  final Principal caller = authenticationContext.getPrincipal();
  // Entity id the enforcer checks visibility against.
  Function<NamespaceMeta, EntityId> toNamespaceId = new Function<NamespaceMeta, EntityId>() {
    @Override
    public EntityId apply(NamespaceMeta input) {
      return input.getNamespaceId();
    }
  };
  // Matches namespaces whose configured principal is the caller; presumably these are
  // treated as visible by AuthorizationUtil.isVisible without an enforcer round trip --
  // confirm against that helper.
  Predicate<NamespaceMeta> configuredForCaller = new Predicate<NamespaceMeta>() {
    @Override
    public boolean apply(NamespaceMeta input) {
      return caller.getName().equals(input.getConfig().getPrincipal());
    }
  };
  return AuthorizationUtil.isVisible(allNamespaces, authorizationEnforcer, caller, toNamespaceId, configuredForCaller);
}