use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationHandler method grant.
@Path("/privileges/grant")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void grant(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
ensureSecurityEnabled();
GrantRequest request = parseBody(httpRequest, GrantRequest.class);
verifyAuthRequest(request);
Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
// enforce that the user granting access has admin privileges on the entity
authorizationEnforcer.enforce(request.getEntity(), authenticationContext.getPrincipal(), Action.ADMIN);
privilegesManager.grant(request.getEntity(), request.getPrincipal(), actions);
httpResponder.sendStatus(HttpResponseStatus.OK);
createLogEntry(httpRequest, request, HttpResponseStatus.OK);
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationHandler method revoke.
@Path("/privileges/revoke")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void revoke(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
ensureSecurityEnabled();
RevokeRequest request = parseBody(httpRequest, RevokeRequest.class);
verifyAuthRequest(request);
// enforce that the user revoking access has admin privileges on the entity
authorizationEnforcer.enforce(request.getEntity(), authenticationContext.getPrincipal(), Action.ADMIN);
if (request.getPrincipal() == null && request.getActions() == null) {
privilegesManager.revoke(request.getEntity());
} else {
Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
privilegesManager.revoke(request.getEntity(), request.getPrincipal(), actions);
}
httpResponder.sendStatus(HttpResponseStatus.OK);
createLogEntry(httpRequest, request, HttpResponseStatus.OK);
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class RemotePrivilegesHandler method grant.
@POST
@Path("/grant")
public void grant(HttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
EntityId entityId = deserializeNext(arguments);
Principal principal = deserializeNext(arguments);
Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
LOG.trace("Granting {} on {} to {}", actions, entityId, principal);
privilegesManager.grant(entityId, principal, actions);
LOG.info("Granted {} on {} to {} successfully", actions, entityId, principal);
responder.sendStatus(HttpResponseStatus.OK);
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class RemotePrivilegesHandler method revoke.
@POST
@Path("/revoke")
public void revoke(HttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
EntityId entityId = deserializeNext(arguments);
Principal principal = deserializeNext(arguments);
Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
LOG.trace("Revoking {} on {} from {}", actions, entityId, principal);
privilegesManager.revoke(entityId, principal, actions);
LOG.info("Revoked {} on {} from {} successfully", actions, entityId, principal);
responder.sendStatus(HttpResponseStatus.OK);
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class ArtifactRepository method addArtifact.
/**
* Inspects and builds plugin and application information for the given artifact, adding an additional set of
* plugin classes to the plugins found through inspection. This method is used when all plugin classes
* cannot be derived by inspecting the artifact but need to be explicitly set. This is true for 3rd party plugins
* like jdbc drivers.
*
* @param artifactId the id of the artifact to inspect and store
* @param artifactFile the artifact to inspect and store
* @param parentArtifacts artifacts the given artifact extends.
* If null, the given artifact does not extend another artifact
* @param additionalPlugins the set of additional plugin classes to add to the plugins found through inspection.
* If null, no additional plugin classes will be added
* @throws IOException if there was an exception reading from the artifact store
* @throws ArtifactRangeNotFoundException if none of the parent artifacts could be found
* @throws UnauthorizedException if the user is not authorized to add an artifact in the specified namespace. To add
* an artifact, a user must have {@link Action#WRITE} on the namespace in which
* the artifact is being added. If authorization is successful, and
* the artifact is added successfully, then the user gets all {@link Action privileges}
* on the added artifact.
*/
public ArtifactDetail addArtifact(Id.Artifact artifactId, File artifactFile, @Nullable Set<ArtifactRange> parentArtifacts, @Nullable Set<PluginClass> additionalPlugins) throws Exception {
// To add an artifact, a user must have write privileges on the namespace in which the artifact is being added
// This method is used to add user app artifacts, so enforce authorization on the specified, non-system namespace
Principal principal = authenticationContext.getPrincipal();
NamespaceId namespace = artifactId.getNamespace().toEntityId();
authorizationEnforcer.enforce(namespace, principal, Action.WRITE);
ArtifactDetail artifactDetail = addArtifact(artifactId, artifactFile, parentArtifacts, additionalPlugins, Collections.<String, String>emptyMap());
// artifact successfully added. now grant ALL permissions on the artifact to the current user
privilegesManager.grant(artifactId.toEntityId(), principal, EnumSet.allOf(Action.class));
return artifactDetail;
}
Aggregations