use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationTest method testCrossNSDatasetAccessWithAuthMapReduce.
private void testCrossNSDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception {
NamespaceMeta inputDatasetNS = new NamespaceMeta.Builder().setName("inputNS").build();
NamespaceId inputDatasetNSId = inputDatasetNS.getNamespaceId();
NamespaceMeta outputDatasetNS = new NamespaceMeta.Builder().setName("outputNS").build();
NamespaceId outputDatasetNSId = outputDatasetNS.getNamespaceId();
DatasetId table1Id = inputDatasetNSId.dataset("table1");
DatasetId table2Id = outputDatasetNSId.dataset("table2");
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(inputDatasetNSId, EnumSet.of(Action.ADMIN)).put(outputDatasetNSId, EnumSet.of(Action.ADMIN)).put(table1Id, EnumSet.of(Action.ADMIN, Action.WRITE)).put(table2Id, EnumSet.of(Action.ADMIN, Action.READ)).put(inputDatasetNSId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)).put(outputDatasetNSId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(inputDatasetNS);
getNamespaceAdmin().create(outputDatasetNS);
addDatasetInstance(table1Id, "keyValueTable").create();
addDatasetInstance(table2Id, "keyValueTable").create();
addDummyData(inputDatasetNSId, "table1");
Map<String, String> argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, inputDatasetNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "table1", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, outputDatasetNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "table2");
// Switch to BOB and run the mapreduce job. The job will fail at the runtime since BOB does not have permission
// on the input and output datasets in another namespaces.
SecurityRequestContext.setUserId(BOB.getName());
assertProgramFailure(argsForMR, mrManager);
// Switch back to Alice
SecurityRequestContext.setUserId(ALICE.getName());
// Verify nothing write to the output dataset
assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "table2");
// give privilege to BOB on the input dataset
grantAndAssertSuccess(inputDatasetNS.getNamespaceId().dataset("table1"), BOB, EnumSet.of(Action.READ));
// switch back to bob and try running again. this will still fail since bob does not have access on the output
// dataset
SecurityRequestContext.setUserId(BOB.getName());
assertProgramFailure(argsForMR, mrManager);
// Switch back to Alice
SecurityRequestContext.setUserId(ALICE.getName());
// Verify nothing write to the output dataset
assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "table2");
// give privilege to BOB on the output dataset
grantAndAssertSuccess(outputDatasetNS.getNamespaceId().dataset("table2"), BOB, EnumSet.of(Action.WRITE));
// switch back to BOB and run MR again. this should work
SecurityRequestContext.setUserId(BOB.getName());
mrManager.start(argsForMR);
mrManager.waitForRun(ProgramRunStatus.COMPLETED, 60, TimeUnit.SECONDS);
// Verify results as alice
SecurityRequestContext.setUserId(ALICE.getName());
verifyDummyData(outputDatasetNS.getNamespaceId(), "table2");
getNamespaceAdmin().delete(inputDatasetNS.getNamespaceId());
getNamespaceAdmin().delete(outputDatasetNS.getNamespaceId());
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationTest method grantAndAssertSuccess.
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
Authorizer authorizer = getAuthorizer();
Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
authorizer.grant(Authorizable.fromEntityId(entityId), principal, actions);
ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
for (Action action : actions) {
expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
}
Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), authorizer.listPrivileges(principal));
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationTest method testCrossNSDatasetAccessWithAuthSpark.
private void testCrossNSDatasetAccessWithAuthSpark(SparkManager sparkManager) throws Exception {
NamespaceMeta inputDatasetNSMeta = new NamespaceMeta.Builder().setName("inputDatasetNS").build();
NamespaceMeta outputDatasetNSMeta = new NamespaceMeta.Builder().setName("outputDatasetNS").build();
NamespaceId inputDatasetNSMetaId = inputDatasetNSMeta.getNamespaceId();
DatasetId inputTableId = inputDatasetNSMetaId.dataset("input");
NamespaceId outputDatasetNSMetaId = outputDatasetNSMeta.getNamespaceId();
DatasetId outputTableId = outputDatasetNSMetaId.dataset("output");
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(inputDatasetNSMetaId, EnumSet.of(Action.ADMIN)).put(outputDatasetNSMetaId, EnumSet.of(Action.ADMIN)).put(inputTableId, EnumSet.of(Action.ADMIN, Action.WRITE)).put(inputDatasetNSMetaId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)).put(outputTableId, EnumSet.of(Action.ADMIN, Action.READ)).put(outputDatasetNSMetaId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(inputDatasetNSMeta);
getNamespaceAdmin().create(outputDatasetNSMeta);
addDatasetInstance(inputTableId, "keyValueTable").create();
addDatasetInstance(outputTableId, "keyValueTable").create();
// write sample stuff in input dataset
addDummyData(inputDatasetNSMeta.getNamespaceId(), "input");
// Switch to Bob and run the spark program. this will fail because bob does not have access to either input or
// output dataset
SecurityRequestContext.setUserId(BOB.getName());
Map<String, String> args = ImmutableMap.of(TestSparkCrossNSDatasetApp.INPUT_DATASET_NAMESPACE, inputDatasetNSMeta.getNamespaceId().getNamespace(), TestSparkCrossNSDatasetApp.INPUT_DATASET_NAME, "input", TestSparkCrossNSDatasetApp.OUTPUT_DATASET_NAMESPACE, outputDatasetNSMeta.getNamespaceId().getNamespace(), TestSparkCrossNSDatasetApp.OUTPUT_DATASET_NAME, "output");
assertProgramFailure(args, sparkManager);
SecurityRequestContext.setUserId(ALICE.getName());
// Verify nothing write to the output dataset
assertDatasetIsEmpty(outputDatasetNSMeta.getNamespaceId(), "output");
// give privilege to BOB on the input dataset
grantAndAssertSuccess(inputDatasetNSMeta.getNamespaceId().dataset("input"), BOB, EnumSet.of(Action.READ));
// switch back to bob and try running again. this will still fail since bob does not have access on the output
// dataset
SecurityRequestContext.setUserId(BOB.getName());
assertProgramFailure(args, sparkManager);
// Switch back to Alice
SecurityRequestContext.setUserId(ALICE.getName());
// Verify nothing write to the output dataset
assertDatasetIsEmpty(outputDatasetNSMeta.getNamespaceId(), "output");
// give privilege to BOB on the output dataset
grantAndAssertSuccess(outputDatasetNSMeta.getNamespaceId().dataset("output"), BOB, EnumSet.of(Action.WRITE));
// switch back to BOB and run spark again. this should work
SecurityRequestContext.setUserId(BOB.getName());
sparkManager.start(args);
sparkManager.waitForRun(ProgramRunStatus.COMPLETED, 120, TimeUnit.SECONDS);
waitForStoppedPrograms(sparkManager);
// Verify the results as alice
SecurityRequestContext.setUserId(ALICE.getName());
verifyDummyData(outputDatasetNSMeta.getNamespaceId(), "output");
getNamespaceAdmin().delete(inputDatasetNSMeta.getNamespaceId());
getNamespaceAdmin().delete(outputDatasetNSMeta.getNamespaceId());
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationTest method testCrossNSSpark.
@Test
public void testCrossNSSpark() throws Exception {
createAuthNamespace();
ApplicationId appId = AUTH_NAMESPACE.app(TestSparkCrossNSDatasetApp.APP_NAME);
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(TestSparkCrossNSDatasetApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(TestSparkCrossNSDatasetApp.DEFAULT_OUTPUT_DATASET), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
ProgramId programId = appId.spark(TestSparkCrossNSDatasetApp.SPARK_PROGRAM_NAME);
// bob will be executing the program
grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE));
cleanUpEntities.add(programId);
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, TestSparkCrossNSDatasetApp.class);
SparkManager sparkManager = appManager.getSparkManager(TestSparkCrossNSDatasetApp.SparkCrossNSDatasetProgram.class.getSimpleName());
testCrossNSSystemDatasetAccessWithAuthSpark(sparkManager);
testCrossNSDatasetAccessWithAuthSpark(sparkManager);
}
use of co.cask.cdap.proto.security.Action in project cdap by caskdata.
the class AuthorizationHandler method revoke.
@Path("/privileges/revoke")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void revoke(FullHttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
ensureSecurityEnabled();
RevokeRequest request = parseBody(httpRequest, RevokeRequest.class);
if (request == null) {
throw new BadRequestException("Missing request body");
}
if (request.getPrincipal() == null && request.getActions() == null) {
privilegesManager.revoke(request.getAuthorizable());
} else {
Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
privilegesManager.revoke(request.getAuthorizable(), request.getPrincipal(), actions);
}
httpResponder.sendStatus(HttpResponseStatus.OK);
createLogEntry(httpRequest, HttpResponseStatus.OK);
}
Aggregations