Example 36 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class DefaultAuthorizationEnforcerTest method testAuthFilter.

@Test
public void testAuthFilter() throws Exception {
    try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
        Authorizer authorizer = authorizerInstantiator.get();
        NamespaceId ns1 = new NamespaceId("ns1");
        NamespaceId ns2 = new NamespaceId("ns2");
        DatasetId ds11 = ns1.dataset("ds1");
        DatasetId ds12 = ns1.dataset("ds2");
        DatasetId ds21 = ns2.dataset("ds1");
        DatasetId ds22 = ns2.dataset("ds2");
        DatasetId ds23 = ns2.dataset("ds3");
        Set<NamespaceId> namespaces = ImmutableSet.of(ns1, ns2);
        // Alice holds a privilege on both namespaces; Bob holds privileges on individual datasets only.
        authorizer.grant(ns1, ALICE, Collections.singleton(Action.WRITE));
        authorizer.grant(ns2, ALICE, Collections.singleton(Action.ADMIN));
        authorizer.grant(ds11, ALICE, Collections.singleton(Action.READ));
        authorizer.grant(ds11, BOB, Collections.singleton(Action.ADMIN));
        authorizer.grant(ds21, ALICE, Collections.singleton(Action.WRITE));
        authorizer.grant(ds12, BOB, Collections.singleton(Action.WRITE));
        // After this grant Bob holds every Action on ds12.
        authorizer.grant(ds12, BOB, EnumSet.allOf(Action.class));
        // Repeats the ds21 grant made above; Alice's privilege set is unchanged.
        authorizer.grant(ds21, ALICE, Collections.singleton(Action.WRITE));
        authorizer.grant(ds23, ALICE, Collections.singleton(Action.ADMIN));
        authorizer.grant(ds22, BOB, Collections.singleton(Action.ADMIN));
        DefaultAuthorizationEnforcer authEnforcementService = new DefaultAuthorizationEnforcer(CCONF, authorizerInstantiator);
        // A filter answers "is this entity visible to the principal?": does the principal hold
        // any privilege on the entity or on one of its parents. It is not a check for a specific Action.
        Predicate<EntityId> aliceFilter = authEnforcementService.createFilter(ALICE);
        for (NamespaceId namespace : namespaces) {
            Assert.assertTrue(aliceFilter.apply(namespace));
        }
        // Dataset-level privileges do not make the enclosing namespace visible.
        Predicate<EntityId> bobFilter = authEnforcementService.createFilter(BOB);
        for (NamespaceId namespace : namespaces) {
            Assert.assertFalse(bobFilter.apply(namespace));
        }
        // Datasets Alice was granted on directly...
        for (DatasetId datasetId : ImmutableSet.of(ds11, ds21, ds23)) {
            Assert.assertTrue(aliceFilter.apply(datasetId));
        }
        // ...and datasets she was never granted on, visible only through her namespace privileges.
        for (DatasetId datasetId : ImmutableSet.of(ds12, ds22)) {
            Assert.assertTrue(aliceFilter.apply(datasetId));
        }
        // Bob sees exactly the datasets he was granted on and nothing else in either namespace.
        for (DatasetId datasetId : ImmutableSet.of(ds11, ds12, ds22)) {
            Assert.assertTrue(bobFilter.apply(datasetId));
        }
        for (DatasetId datasetId : ImmutableSet.of(ds21, ds23)) {
            Assert.assertFalse(bobFilter.apply(datasetId));
        }
    }
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) Action(co.cask.cdap.proto.security.Action) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) NamespaceId(co.cask.cdap.proto.id.NamespaceId) DatasetId(co.cask.cdap.proto.id.DatasetId) Test(org.junit.Test)

Example 37 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class AuthorizationHandler method verifyAuthRequest.

private void verifyAuthRequest(AuthorizationRequest request) throws BadRequestException, NotFoundException {
    // A missing body is a client error, not an authorization failure
    if (request == null) {
        throw new BadRequestException("Missing request body");
    }
    // The verifier throws NotFoundException for an entity that does not exist, so a request
    // naming a stale or mistyped id is rejected before any privilege change is made
    EntityId entity = request.getEntity();
    entityExistenceVerifier.ensureExists(entity);
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) BadRequestException(co.cask.cdap.common.BadRequestException)

Example 38 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class ArtifactRepository method getArtifactDetails.

/**
   * Get all artifact details that match artifacts in the given range.
   *
   * @param range the range to match artifacts in
   * @param limit the maximum number of artifacts fetched from the store
   * @param order the order of the result
   * @return a list of the matching artifacts that are visible to the current principal. If none exist, an empty list is returned
   */
public List<ArtifactDetail> getArtifactDetails(final ArtifactRange range, int limit, ArtifactSortOrder order) throws Exception {
    List<ArtifactDetail> artifacts = artifactStore.getArtifacts(range, limit, order);
    // No authorization for system artifacts: everything in the system namespace is returned to every caller
    if (NamespaceId.SYSTEM.getNamespace().equals(range.getNamespace())) {
        return artifacts;
    }
    // For user namespaces, drop every artifact the caller holds no privilege on (directly or via the namespace).
    // The limit was applied by the store before this filter runs, so the caller can receive fewer than
    // `limit` artifacts even when more visible ones exist beyond the fetched window.
    Principal principal = authenticationContext.getPrincipal();
    final Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    // Guava's Predicate adapts each ArtifactDetail to the entity id that CDAP's Predicate<EntityId> understands
    return Lists.newArrayList(Iterables.filter(artifacts, new com.google.common.base.Predicate<ArtifactDetail>() {

        @Override
        public boolean apply(ArtifactDetail artifactDetail) {
            ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
            return filter.apply(new NamespaceId(range.getNamespace()).artifact(artifactId.getName(), artifactId.getVersion().getVersion()));
        }
    }));
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) ArtifactId(co.cask.cdap.api.artifact.ArtifactId) NamespaceId(co.cask.cdap.proto.id.NamespaceId) Principal(co.cask.cdap.proto.security.Principal) Predicate(co.cask.cdap.api.Predicate)

Example 39 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class DatasetInstanceService method ensureAccess.

/**
   * Ensures that the logged-in user can see the specified dataset instance, i.e. holds at least one
   * {@link Action privilege} on it or on an enclosing entity. This is a visibility check only; it does
   * not establish that any particular {@link Action} on the dataset is permitted.
   *
   * @param datasetId the {@link DatasetId} to check for privileges
   * @throws UnauthorizedException if the logged in user has no {@link Action privileges} on the specified dataset
   */
private void ensureAccess(DatasetId datasetId) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    // Same filter the listing code uses, applied to a single entity instead of a collection
    Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    if (!filter.apply(datasetId)) {
        throw new UnauthorizedException(principal, datasetId);
    }
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Principal(co.cask.cdap.proto.security.Principal)
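The visibility rule that testAuthFilter (Example 36) encodes in its assertions, and that ensureAccess (Example 39) relies on, written out as a stand-alone model. This is an added example, not CDAP's code: the String entity ids, the grant map, the Action enum and the isAllowed method are assumptions standing in for the Authorizer, EntityId, Action and enforcer types on this page, and it uses java.util.function.Predicate (test) rather than CDAP's Predicate (apply). It reproduces the grants from the test, checks the same expectations, and then shows the caveat for ensureAccess-style checks: passing the filter means the principal holds some privilege somewhere on the entity's hierarchy, not that a particular Action is permitted.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Added example (not CDAP code): a minimal model of the visibility rule exercised by
 * DefaultAuthorizationEnforcerTest.testAuthFilter and relied on by DatasetInstanceService.ensureAccess.
 * Entities are plain strings ("ns1" is a namespace, "ns1/ds1" a dataset inside it); the grant map
 * and the Action enum are assumptions standing in for the Authorizer and Action types on this page.
 */
public class VisibilityFilterModel {

    enum Action { READ, WRITE, EXECUTE, ADMIN }

    /** principal -> entity -> actions granted directly on that entity. */
    private final Map<String, Map<String, EnumSet<Action>>> grants = new HashMap<>();

    void grant(String entity, String principal, Set<Action> actions) {
        grants.computeIfAbsent(principal, p -> new HashMap<>())
              .computeIfAbsent(entity, e -> EnumSet.noneOf(Action.class))
              .addAll(actions);            // union: repeating a grant changes nothing
    }

    /** Ancestors first, the entity itself last: "ns2/ds3" -> ["ns2", "ns2/ds3"]. */
    static List<String> hierarchy(String entity) {
        List<String> chain = new ArrayList<>();
        int idx = -1;
        while ((idx = entity.indexOf('/', idx + 1)) >= 0) {
            chain.add(entity.substring(0, idx));
        }
        chain.add(entity);
        return chain;
    }

    /**
     * Visibility filter: the principal sees an entity if it holds ANY action on the entity or on
     * any ancestor. A namespace-level grant therefore exposes every dataset under it, while a
     * dataset-level grant does not expose the namespace.
     */
    Predicate<String> createFilter(String principal) {
        Map<String, EnumSet<Action>> mine = grants.getOrDefault(principal, Collections.emptyMap());
        return entity -> hierarchy(entity).stream()
            .anyMatch(e -> !mine.getOrDefault(e, EnumSet.noneOf(Action.class)).isEmpty());
    }

    /** ensureAccess in this model: visibility only, no particular action is implied. */
    void ensureAccess(String principal, String entity) {
        if (!createFilter(principal).test(entity)) {
            throw new SecurityException(principal + " is not authorized on " + entity);
        }
    }

    /** Action-specific check (this model's own rule: scoped to the entity itself, no inheritance). */
    boolean isAllowed(String principal, String entity, Action action) {
        return grants.getOrDefault(principal, Collections.emptyMap())
                     .getOrDefault(entity, EnumSet.noneOf(Action.class))
                     .contains(action);
    }

    private static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        VisibilityFilterModel m = new VisibilityFilterModel();
        // Constructed input: the same grants as testAuthFilter.
        m.grant("ns1", "alice", EnumSet.of(Action.WRITE));
        m.grant("ns2", "alice", EnumSet.of(Action.ADMIN));
        m.grant("ns1/ds1", "alice", EnumSet.of(Action.READ));
        m.grant("ns1/ds1", "bob", EnumSet.of(Action.ADMIN));
        m.grant("ns2/ds1", "alice", EnumSet.of(Action.WRITE));
        m.grant("ns1/ds2", "bob", EnumSet.allOf(Action.class));
        m.grant("ns2/ds3", "alice", EnumSet.of(Action.ADMIN));
        m.grant("ns2/ds2", "bob", EnumSet.of(Action.ADMIN));

        Predicate<String> alice = m.createFilter("alice");
        Predicate<String> bob = m.createFilter("bob");
        // Namespace grants make both namespaces and every dataset in them visible to alice...
        for (String e : new String[] {"ns1", "ns2", "ns1/ds1", "ns1/ds2", "ns2/ds1", "ns2/ds2", "ns2/ds3"}) {
            check(alice.test(e), "alice should see " + e);
        }
        // ...while bob, with dataset-level grants only, sees neither namespace and only his datasets.
        check(!bob.test("ns1") && !bob.test("ns2"), "bob must not see the namespaces");
        check(bob.test("ns1/ds1") && bob.test("ns1/ds2") && bob.test("ns2/ds2"), "bob sees his datasets");
        check(!bob.test("ns2/ds1") && !bob.test("ns2/ds3"), "bob must not see ungranted datasets");

        // The caveat for ensureAccess-style checks: passing the filter is not a READ or WRITE decision.
        m.ensureAccess("alice", "ns1/ds2");                       // visible through the ns1 grant
        check(!m.isAllowed("alice", "ns1/ds2", Action.READ), "visibility is not READ permission");
        System.out.println("visibility model matches the expectations in testAuthFilter");
    }
}
```

Run it with `java VisibilityFilterModel.java` (single-file launch, Java 11 or later); it throws AssertionError if any expectation from the test is violated. The last two statements are the point to carry into code review of ensureAccess callers: a method that only passes the visibility filter must still call the action-specific check before it reads, writes or deletes.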

Example 40 with EntityId

use of co.cask.cdap.proto.id.EntityId in project cdap by caskdata.

the class RemoveMetadataCommand method perform.

@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    // Parse the CLI argument into a typed EntityId (namespace, dataset, program, ...)
    EntityId entity = EntityId.fromString(arguments.get(ArgumentName.ENTITY.toString()));
    // The CLI performs no check of its own; the removal goes through the metadata client
    client.removeMetadata(entity);
    output.println("Successfully removed metadata");
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId)

Aggregations

EntityId (co.cask.cdap.proto.id.EntityId) 62
Principal (co.cask.cdap.proto.security.Principal) 21
EnumSet (java.util.EnumSet) 18
HashSet (java.util.HashSet) 18
Set (java.util.Set) 18
PartitionedFileSet (co.cask.cdap.api.dataset.lib.PartitionedFileSet) 17
ImmutableSet (com.google.common.collect.ImmutableSet) 17
Test (org.junit.Test) 17
Action (co.cask.cdap.proto.security.Action) 14
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException) 13
DatasetId (co.cask.cdap.proto.id.DatasetId) 12
ProgramId (co.cask.cdap.proto.id.ProgramId) 11
ApplicationManager (co.cask.cdap.test.ApplicationManager) 11
ApplicationId (co.cask.cdap.proto.id.ApplicationId) 10
StreamId (co.cask.cdap.proto.id.StreamId) 9
NamespaceId (co.cask.cdap.proto.id.NamespaceId) 8
PrivilegedAction (java.security.PrivilegedAction) 8
KeyValueTable (co.cask.cdap.api.dataset.lib.KeyValueTable) 7
NamespaceMeta (co.cask.cdap.proto.NamespaceMeta) 7
Authorizer (co.cask.cdap.security.spi.authorization.Authorizer) 7