
Example 26 with Action

use of co.cask.cdap.proto.security.Action in project cdap by caskdata.

the class AuthorizationTest method testCrossNSDatasetAccessWithAuthMapReduce.

/**
 * Checks that a MapReduce run reading from one namespace and writing to another is gated by
 * per-dataset privileges of the user executing it.
 *
 * <p>ALICE owns the setup: she gets ADMIN on both namespaces and dataset types, ADMIN+WRITE on the
 * input table (to seed it) and ADMIN+READ on the output table (to inspect it). BOB starts with no
 * privilege on either table and is granted exactly READ on the input and then WRITE on the output,
 * one grant at a time. The run must fail, and leave the output table empty, until both grants exist.
 *
 * <p>NOTE(review): if an assertion throws while the request context is set to BOB, this method does
 * not restore the user id or delete the two namespaces; confirm the class teardown covers both.
 *
 * @param mrManager manager of the MapReduce program under test
 * @throws Exception if setup, a grant, a run or a verification step fails
 */
private void testCrossNSDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception {
    NamespaceMeta inputNsMeta = new NamespaceMeta.Builder().setName("inputNS").build();
    NamespaceMeta outputNsMeta = new NamespaceMeta.Builder().setName("outputNS").build();
    NamespaceId inputNs = inputNsMeta.getNamespaceId();
    NamespaceId outputNs = outputNsMeta.getNamespaceId();
    DatasetId inputTable = inputNs.dataset("table1");
    DatasetId outputTable = outputNs.dataset("table2");

    // Privileges ALICE needs to create, seed and later verify the fixtures.
    ImmutableMap.Builder<EntityId, Set<Action>> alicePrivileges = ImmutableMap.builder();
    alicePrivileges.put(inputNs, EnumSet.of(Action.ADMIN));
    alicePrivileges.put(outputNs, EnumSet.of(Action.ADMIN));
    alicePrivileges.put(inputTable, EnumSet.of(Action.ADMIN, Action.WRITE));
    alicePrivileges.put(outputTable, EnumSet.of(Action.ADMIN, Action.READ));
    alicePrivileges.put(inputNs.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN));
    alicePrivileges.put(outputNs.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN));
    setUpPrivilegeAndRegisterForDeletion(ALICE, alicePrivileges.build());

    getNamespaceAdmin().create(inputNsMeta);
    getNamespaceAdmin().create(outputNsMeta);
    addDatasetInstance(inputTable, "keyValueTable").create();
    addDatasetInstance(outputTable, "keyValueTable").create();
    addDummyData(inputNs, "table1");

    Map<String, String> runtimeArgs = ImmutableMap.of(
        DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, inputNs.getNamespace(),
        DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "table1",
        DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, outputNs.getNamespace(),
        DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "table2");

    // Step 1: BOB holds no privilege on either table, so the run must fail at runtime.
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(runtimeArgs, mrManager);
    // Back to ALICE (she holds READ on the output table) to confirm the denied run wrote nothing.
    SecurityRequestContext.setUserId(ALICE.getName());
    assertDatasetIsEmpty(outputNs, "table2");

    // Step 2: READ on the input alone is not enough; the output is still off limits to BOB.
    grantAndAssertSuccess(inputTable, BOB, EnumSet.of(Action.READ));
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(runtimeArgs, mrManager);
    // Again verify as ALICE that the partially authorized run left the output untouched.
    SecurityRequestContext.setUserId(ALICE.getName());
    assertDatasetIsEmpty(outputNs, "table2");

    // Step 3: with WRITE on the output as well, BOB's run is expected to complete.
    grantAndAssertSuccess(outputTable, BOB, EnumSet.of(Action.WRITE));
    SecurityRequestContext.setUserId(BOB.getName());
    mrManager.start(runtimeArgs);
    mrManager.waitForRun(ProgramRunStatus.COMPLETED, 60, TimeUnit.SECONDS);

    // Results are read back as ALICE, then both namespaces are removed.
    SecurityRequestContext.setUserId(ALICE.getName());
    verifyDummyData(outputNs, "table2");
    getNamespaceAdmin().delete(inputNs);
    getNamespaceAdmin().delete(outputNs);
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) PrivilegedAction(java.security.PrivilegedAction) Action(co.cask.cdap.proto.security.Action) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) NamespaceId(co.cask.cdap.proto.id.NamespaceId) DatasetId(co.cask.cdap.proto.id.DatasetId)

Example 27 with Action

use of co.cask.cdap.proto.security.Action in project cdap by caskdata.

the class AuthorizationTest method grantAndAssertSuccess.

/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and asserts that the principal's
 * privileges afterwards are exactly the earlier privileges plus one privilege per granted action.
 *
 * <p>Because the comparison is an equality on the full set, a grant that also added an unrequested
 * privilege would fail the assertion, not only a grant that was dropped.
 *
 * <p>NOTE(review): this relies on {@code listPrivileges} returning a snapshot. If it returned a live
 * view of the authorizer's state, the "before" set would already contain whatever the grant added
 * and the check would pass trivially; confirm against the Authorizer implementation in use.
 *
 * @param entityId entity the privileges are granted on
 * @param principal principal receiving the privileges
 * @param actions actions to grant
 * @throws Exception if the authorizer cannot list or grant privileges
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    Authorizer auth = getAuthorizer();
    // Taken before the grant so the expected result can be derived independently of it.
    Set<Privilege> privilegesBefore = auth.listPrivileges(principal);
    auth.grant(Authorizable.fromEntityId(entityId), principal, actions);

    ImmutableSet.Builder<Privilege> newlyGranted = ImmutableSet.builder();
    for (Action grantedAction : actions) {
        newlyGranted.add(new Privilege(entityId, grantedAction));
    }
    Set<Privilege> expectedAfterGrant = Sets.union(privilegesBefore, newlyGranted.build());
    Assert.assertEquals(expectedAfterGrant, auth.listPrivileges(principal));
}
Also used : PrivilegedAction(java.security.PrivilegedAction) Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) Privilege(co.cask.cdap.proto.security.Privilege)

Example 28 with Action

use of co.cask.cdap.proto.security.Action in project cdap by caskdata.

the class AuthorizationTest method testCrossNSDatasetAccessWithAuthSpark.

/**
 * Checks that a Spark run reading from one namespace and writing to another is gated by
 * per-dataset privileges of the user executing it.
 *
 * <p>ALICE creates and seeds the fixtures (ADMIN on both namespaces and dataset types, ADMIN+WRITE
 * on the input table, ADMIN+READ on the output table). BOB is then granted READ on the input and
 * WRITE on the output in two separate steps; the run must fail and leave the output empty until
 * both grants are in place.
 *
 * <p>NOTE(review): if an assertion throws while the request context is set to BOB, this method does
 * not restore the user id or delete the two namespaces; confirm the class teardown covers both.
 *
 * @param sparkManager manager of the Spark program under test
 * @throws Exception if setup, a grant, a run or a verification step fails
 */
private void testCrossNSDatasetAccessWithAuthSpark(SparkManager sparkManager) throws Exception {
    NamespaceMeta inputNsMeta = new NamespaceMeta.Builder().setName("inputDatasetNS").build();
    NamespaceMeta outputNsMeta = new NamespaceMeta.Builder().setName("outputDatasetNS").build();
    NamespaceId inputNs = inputNsMeta.getNamespaceId();
    DatasetId inputTable = inputNs.dataset("input");
    NamespaceId outputNs = outputNsMeta.getNamespaceId();
    DatasetId outputTable = outputNs.dataset("output");

    // Privileges ALICE needs to create, seed and later verify the fixtures.
    ImmutableMap.Builder<EntityId, Set<Action>> alicePrivileges = ImmutableMap.builder();
    alicePrivileges.put(inputNs, EnumSet.of(Action.ADMIN));
    alicePrivileges.put(outputNs, EnumSet.of(Action.ADMIN));
    alicePrivileges.put(inputTable, EnumSet.of(Action.ADMIN, Action.WRITE));
    alicePrivileges.put(inputNs.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN));
    alicePrivileges.put(outputTable, EnumSet.of(Action.ADMIN, Action.READ));
    alicePrivileges.put(outputNs.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN));
    setUpPrivilegeAndRegisterForDeletion(ALICE, alicePrivileges.build());

    getNamespaceAdmin().create(inputNsMeta);
    getNamespaceAdmin().create(outputNsMeta);
    addDatasetInstance(inputTable, "keyValueTable").create();
    addDatasetInstance(outputTable, "keyValueTable").create();
    // Seed the input table with sample records.
    addDummyData(inputNs, "input");

    // Step 1: BOB holds no privilege on either table, so the run must fail.
    SecurityRequestContext.setUserId(BOB.getName());
    Map<String, String> runtimeArgs = ImmutableMap.of(
        TestSparkCrossNSDatasetApp.INPUT_DATASET_NAMESPACE, inputNs.getNamespace(),
        TestSparkCrossNSDatasetApp.INPUT_DATASET_NAME, "input",
        TestSparkCrossNSDatasetApp.OUTPUT_DATASET_NAMESPACE, outputNs.getNamespace(),
        TestSparkCrossNSDatasetApp.OUTPUT_DATASET_NAME, "output");
    assertProgramFailure(runtimeArgs, sparkManager);
    // Back to ALICE (she holds READ on the output table) to confirm the denied run wrote nothing.
    SecurityRequestContext.setUserId(ALICE.getName());
    assertDatasetIsEmpty(outputNs, "output");

    // Step 2: READ on the input alone is not enough; the output is still off limits to BOB.
    grantAndAssertSuccess(inputTable, BOB, EnumSet.of(Action.READ));
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(runtimeArgs, sparkManager);
    // Again verify as ALICE that the partially authorized run left the output untouched.
    SecurityRequestContext.setUserId(ALICE.getName());
    assertDatasetIsEmpty(outputNs, "output");

    // Step 3: with WRITE on the output as well, BOB's run is expected to complete.
    grantAndAssertSuccess(outputTable, BOB, EnumSet.of(Action.WRITE));
    SecurityRequestContext.setUserId(BOB.getName());
    sparkManager.start(runtimeArgs);
    sparkManager.waitForRun(ProgramRunStatus.COMPLETED, 120, TimeUnit.SECONDS);
    waitForStoppedPrograms(sparkManager);

    // Results are read back as ALICE, then both namespaces are removed.
    SecurityRequestContext.setUserId(ALICE.getName());
    verifyDummyData(outputNs, "output");
    getNamespaceAdmin().delete(inputNs);
    getNamespaceAdmin().delete(outputNs);
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) PrivilegedAction(java.security.PrivilegedAction) Action(co.cask.cdap.proto.security.Action) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) NamespaceId(co.cask.cdap.proto.id.NamespaceId) DatasetId(co.cask.cdap.proto.id.DatasetId)

Example 29 with Action

use of co.cask.cdap.proto.security.Action in project cdap by caskdata.

the class AuthorizationTest method testCrossNSSpark.

/**
 * Deploys {@code TestSparkCrossNSDatasetApp} as ALICE, gives BOB only EXECUTE on its Spark program,
 * and then runs the cross-namespace dataset authorization scenarios against that program.
 *
 * <p>BOB's EXECUTE grant covers the program only; access to the datasets the program touches is
 * established (or denied) inside the two delegated scenarios.
 *
 * @throws Exception if setup, deployment or one of the delegated scenarios fails
 */
@Test
public void testCrossNSSpark() throws Exception {
    createAuthNamespace();
    ApplicationId appId = AUTH_NAMESPACE.app(TestSparkCrossNSDatasetApp.APP_NAME);

    // ADMIN on the app, its artifact, the default output dataset and the dataset type, all for ALICE.
    ImmutableMap.Builder<EntityId, Set<Action>> alicePrivileges = ImmutableMap.builder();
    alicePrivileges.put(appId, EnumSet.of(Action.ADMIN));
    alicePrivileges.put(
        AUTH_NAMESPACE.artifact(TestSparkCrossNSDatasetApp.class.getSimpleName(), "1.0-SNAPSHOT"),
        EnumSet.of(Action.ADMIN));
    alicePrivileges.put(
        AUTH_NAMESPACE.dataset(TestSparkCrossNSDatasetApp.DEFAULT_OUTPUT_DATASET),
        EnumSet.of(Action.ADMIN));
    alicePrivileges.put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN));
    setUpPrivilegeAndRegisterForDeletion(ALICE, alicePrivileges.build());

    // BOB is the user who will execute the program, so he gets EXECUTE on it and nothing else here.
    ProgramId sparkProgramId = appId.spark(TestSparkCrossNSDatasetApp.SPARK_PROGRAM_NAME);
    grantAndAssertSuccess(sparkProgramId, BOB, EnumSet.of(Action.EXECUTE));
    // Track the program so the grant above is cleaned up with the other test entities.
    cleanUpEntities.add(sparkProgramId);

    ApplicationManager deployedApp = deployApplication(AUTH_NAMESPACE, TestSparkCrossNSDatasetApp.class);
    String sparkProgramName = TestSparkCrossNSDatasetApp.SparkCrossNSDatasetProgram.class.getSimpleName();
    SparkManager sparkManager = deployedApp.getSparkManager(sparkProgramName);

    testCrossNSSystemDatasetAccessWithAuthSpark(sparkManager);
    testCrossNSDatasetAccessWithAuthSpark(sparkManager);
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) PrivilegedAction(java.security.PrivilegedAction) Action(co.cask.cdap.proto.security.Action) ApplicationManager(co.cask.cdap.test.ApplicationManager) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet) SparkManager(co.cask.cdap.test.SparkManager) KeyValueTable(co.cask.cdap.api.dataset.lib.KeyValueTable) TestSparkCrossNSDatasetApp(co.cask.cdap.spark.stream.TestSparkCrossNSDatasetApp) ApplicationId(co.cask.cdap.proto.id.ApplicationId) ProgramId(co.cask.cdap.proto.id.ProgramId) Test(org.junit.Test)

Example 30 with Action

use of co.cask.cdap.proto.security.Action in project cdap by caskdata.

the class AuthorizationHandler method revoke.

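/**
 * Handles {@code POST /privileges/revoke}: revokes privileges on the authorizable named in the
 * request body.
 *
 * <ul>
 *   <li>No principal and no actions: every privilege on the authorizable is revoked.</li>
 *   <li>Principal without actions: all actions are revoked from that principal.</li>
 *   <li>Principal with actions: only the listed actions are revoked from that principal.</li>
 *   <li>Actions without a principal, or no authorizable: rejected as a bad request.</li>
 * </ul>
 *
 * <p>The body is bound by {@code parseBody}, so the shape of the request is checked here before
 * anything is handed to the privileges manager. Without the checks below, a body carrying actions
 * but no principal would reach the three-argument {@code revoke} with a null principal, and a body
 * without an authorizable would pass null as the target; how the privileges manager treats either
 * is not visible from this method.
 *
 * @param httpRequest request whose body is a serialized {@code RevokeRequest}
 * @param httpResponder responder that receives {@code 200 OK} once the revoke has been applied
 * @throws BadRequestException if the body is missing, has no authorizable, or lists actions
 *     without a principal
 * @throws Exception if security is disabled or the privileges manager fails
 */
@Path("/privileges/revoke")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void revoke(FullHttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
    ensureSecurityEnabled();
    RevokeRequest request = parseBody(httpRequest, RevokeRequest.class);
    if (request == null) {
        throw new BadRequestException("Missing request body");
    }
    // A revoke with no target is meaningless; fail with 400 instead of passing null downstream.
    if (request.getAuthorizable() == null) {
        throw new BadRequestException("Missing authorizable in revoke request");
    }
    // Actions only make sense for a specific principal; never forward a null principal.
    if (request.getPrincipal() == null && request.getActions() != null) {
        throw new BadRequestException("Principal is required when actions are provided");
    }
    if (request.getPrincipal() == null) {
        // Neither principal nor actions given: drop every privilege on the authorizable.
        privilegesManager.revoke(request.getAuthorizable());
    } else {
        // Principal given: an absent action list means "all actions" for that principal.
        Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
        privilegesManager.revoke(request.getAuthorizable(), request.getPrincipal(), actions);
    }
    httpResponder.sendStatus(HttpResponseStatus.OK);
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}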
Also used : RevokeRequest(co.cask.cdap.proto.security.RevokeRequest) Action(co.cask.cdap.proto.security.Action) BadRequestException(co.cask.cdap.common.BadRequestException) Path(javax.ws.rs.Path) AuditPolicy(co.cask.cdap.common.security.AuditPolicy) POST(javax.ws.rs.POST)
