Example 11 with Action
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationHandler method grant.
@Path("/privileges/grant")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void grant(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
ensureSecurityEnabled();
GrantRequest request = parseBody(httpRequest, GrantRequest.class);
verifyAuthRequest(request);
Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
// enforce that the user granting access has admin privileges on the entity
authorizationEnforcer.enforce(request.getEntity(), authenticationContext.getPrincipal(), Action.ADMIN);
privilegesManager.grant(request.getEntity(), request.getPrincipal(), actions);
httpResponder.sendStatus(HttpResponseStatus.OK);
createLogEntry(httpRequest, request, HttpResponseStatus.OK);
}
Also used :
Action(co.cask.cdap.proto.security.Action)
GrantRequest(co.cask.cdap.proto.security.GrantRequest)
Path(javax.ws.rs.Path)
AuditPolicy(co.cask.cdap.common.security.AuditPolicy)
POST(javax.ws.rs.POST)
Example 12 with Action
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationHandler method revoke.
@Path("/privileges/revoke")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void revoke(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
ensureSecurityEnabled();
RevokeRequest request = parseBody(httpRequest, RevokeRequest.class);
verifyAuthRequest(request);
// enforce that the user revoking access has admin privileges on the entity
authorizationEnforcer.enforce(request.getEntity(), authenticationContext.getPrincipal(), Action.ADMIN);
if (request.getPrincipal() == null && request.getActions() == null) {
privilegesManager.revoke(request.getEntity());
} else {
Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
privilegesManager.revoke(request.getEntity(), request.getPrincipal(), actions);
}
httpResponder.sendStatus(HttpResponseStatus.OK);
createLogEntry(httpRequest, request, HttpResponseStatus.OK);
}
Also used :
RevokeRequest(co.cask.cdap.proto.security.RevokeRequest)
Action(co.cask.cdap.proto.security.Action)
Path(javax.ws.rs.Path)
AuditPolicy(co.cask.cdap.common.security.AuditPolicy)
POST(javax.ws.rs.POST)
Example 13 with Action
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class InMemoryAuthorizer method getPrivileges.
private Set<Privilege> getPrivileges(Principal principal) {
Set<Privilege> result = new HashSet<>();
for (Map.Entry<EntityId, ConcurrentMap<Principal, Set<Action>>> entry : privileges.entrySet()) {
EntityId entityId = entry.getKey();
Set<Action> actions = getActions(entityId, principal);
for (Action action : actions) {
result.add(new Privilege(entityId, action));
}
}
return Collections.unmodifiableSet(result);
}
Also used :
EntityId(co.cask.cdap.proto.id.EntityId)
Action(co.cask.cdap.proto.security.Action)
ConcurrentMap(java.util.concurrent.ConcurrentMap)
Privilege(co.cask.cdap.proto.security.Privilege)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
ConcurrentMap(java.util.concurrent.ConcurrentMap)
Map(java.util.Map)
HashSet(java.util.HashSet)
Example 14 with Action
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class StreamAdminTest method testConfigAndTruncate.
@Test
public void testConfigAndTruncate() throws Exception {
StreamAdmin streamAdmin = getStreamAdmin();
grantAndAssertSuccess(FOO_NAMESPACE, USER, ImmutableSet.of(Action.WRITE));
StreamId stream = FOO_NAMESPACE.stream("stream");
streamAdmin.create(stream);
Assert.assertTrue(streamAdmin.exists(stream));
writeEvent(stream);
// Getting config / properties should work
streamAdmin.getConfig(stream);
streamAdmin.getProperties(stream);
// Now revoke access to the user to the stream and to the namespace
revokeAndAssertSuccess(FOO_NAMESPACE, USER, ImmutableSet.of(Action.WRITE));
revokeAndAssertSuccess(stream, USER, EnumSet.allOf(Action.class));
streamAdmin.getConfig(stream);
try {
streamAdmin.getProperties(stream);
Assert.fail("User should not be able to get the properties.");
} catch (UnauthorizedException e) {
// expected
}
// read action should be enough to get the stream config
grantAndAssertSuccess(stream, USER, ImmutableSet.of(Action.READ));
streamAdmin.getConfig(stream);
StreamProperties properties = streamAdmin.getProperties(stream);
try {
streamAdmin.updateConfig(stream, properties);
Assert.fail("User should not be able to update the config with just READ permissions.");
} catch (UnauthorizedException e) {
// expected
}
// This call bypasses the stream handler and thus authorization is not checked for this call and so write
// to stream will succeed. It is done so that we can check and perform truncate call.
writeEvent(stream);
grantAndAssertSuccess(stream, USER, ImmutableSet.of(Action.WRITE));
writeEvent(stream);
try {
streamAdmin.updateConfig(stream, properties);
Assert.fail("User should not be able to update the config with just READ and WRITE permissions.");
} catch (UnauthorizedException e) {
// expected
}
try {
streamAdmin.truncate(stream);
Assert.fail("User should not be able to truncate the stream without ADMIN permission.");
} catch (UnauthorizedException e) {
// expected
}
try {
streamAdmin.drop(stream);
Assert.fail("User should not be able to drop the stream without ADMIN permission.");
} catch (UnauthorizedException e) {
// expdcted
}
grantAndAssertSuccess(stream, USER, ImmutableSet.of(Action.ADMIN));
streamAdmin.updateConfig(stream, properties);
streamAdmin.truncate(stream);
Assert.assertEquals(0, getStreamSize(stream));
streamAdmin.drop(stream);
}
Also used :
StreamId(co.cask.cdap.proto.id.StreamId)
Action(co.cask.cdap.proto.security.Action)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
StreamProperties(co.cask.cdap.proto.StreamProperties)
Test(org.junit.Test)
Example 15 with Action
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class StreamAdminTest method revokeAndAssertSuccess.
private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
Authorizer authorizer = getAuthorizer();
Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
authorizer.revoke(entityId, principal, actions);
Set<Privilege> revokedPrivileges = new HashSet<>();
for (Action action : actions) {
revokedPrivileges.add(new Privilege(entityId, action));
}
Assert.assertEquals(Sets.difference(existingPrivileges, revokedPrivileges), authorizer.listPrivileges(principal));
}
Also used :
Action(co.cask.cdap.proto.security.Action)
InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer)
Authorizer(co.cask.cdap.security.spi.authorization.Authorizer)
Privilege(co.cask.cdap.proto.security.Privilege)
HashSet(java.util.HashSet)
Aggregations
Action (co.cask.cdap.proto.security.Action)21
Privilege (co.cask.cdap.proto.security.Privilege)9
Principal (co.cask.cdap.proto.security.Principal)6
HashSet (java.util.HashSet)6
EntityId (co.cask.cdap.proto.id.EntityId)5
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)5
ImmutableSet (com.google.common.collect.ImmutableSet)5
POST (javax.ws.rs.POST)4
Path (javax.ws.rs.Path)4
InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer)3
Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)3
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)2
AuditPolicy (co.cask.cdap.common.security.AuditPolicy)2
NamespaceId (co.cask.cdap.proto.id.NamespaceId)2
StreamId (co.cask.cdap.proto.id.StreamId)2
Test (org.junit.Test)2
DatasetSpecification (co.cask.cdap.api.dataset.DatasetSpecification)1
DatasetAlreadyExistsException (co.cask.cdap.common.DatasetAlreadyExistsException)1
DatasetNotFoundException (co.cask.cdap.common.DatasetNotFoundException)1
DatasetTypeNotFoundException (co.cask.cdap.common.DatasetTypeNotFoundException)1
