Example 1 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationBootstrapper method getAdminUsers.
private Set<Principal> getAdminUsers(CConfiguration cConf) {
Set<Principal> admins = new HashSet<>();
String adminUsers = cConf.get(Constants.Security.Authorization.ADMIN_USERS);
if (adminUsers != null) {
for (String adminUser : Splitter.on(",").omitEmptyStrings().trimResults().split(adminUsers)) {
admins.add(new Principal(adminUser, Principal.PrincipalType.USER));
}
}
return admins;
}Example 2 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationBootstrapper method run.
public void run() {
if (!enabled) {
return;
}
LOG.debug("Bootstrapping authorization for CDAP instance: {}, system users: {} and admin users: {}", instanceId, systemUser, adminUsers);
try {
// grant admin on instance, so the system user can create default (and other) namespaces
privilegesManager.grant(instanceId, systemUser, Collections.singleton(Action.ADMIN));
// grant ALL on the system namespace, so the system user can create and access tables in the system namespace
// also required by SystemArtifactsLoader to add system artifacts
privilegesManager.grant(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));
for (Principal adminUser : adminUsers) {
// grant admin privileges on the CDAP instance to the admin users, so they can create namespaces
privilegesManager.grant(instanceId, adminUser, Collections.singleton(Action.ADMIN));
// also grant admin on the default namespace, so admins can also manage privileges on them
privilegesManager.grant(NamespaceId.DEFAULT, adminUser, Collections.singleton(Action.ADMIN));
}
LOG.info("Successfully bootstrapped authorization for CDAP instance {}, system user {} and admin users: {}", instanceId, systemUser, adminUsers);
} catch (Exception e) {
throw Throwables.propagate(e);
}
}
Also used :
Action(co.cask.cdap.proto.security.Action)
Principal(co.cask.cdap.proto.security.Principal)
IOException(java.io.IOException)
Example 3 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class RemotePrivilegesHandler method grant.
@POST
@Path("/grant")
public void grant(HttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
EntityId entityId = deserializeNext(arguments);
Principal principal = deserializeNext(arguments);
Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
LOG.trace("Granting {} on {} to {}", actions, entityId, principal);
privilegesManager.grant(entityId, principal, actions);
LOG.info("Granted {} on {} to {} successfully", actions, entityId, principal);
responder.sendStatus(HttpResponseStatus.OK);
}Example 4 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class RemotePrivilegesHandler method revoke.
@POST
@Path("/revoke")
public void revoke(HttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
EntityId entityId = deserializeNext(arguments);
Principal principal = deserializeNext(arguments);
Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
LOG.trace("Revoking {} on {} from {}", actions, entityId, principal);
privilegesManager.revoke(entityId, principal, actions);
LOG.info("Revoked {} on {} from {} successfully", actions, entityId, principal);
responder.sendStatus(HttpResponseStatus.OK);
}Example 5 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class ApplicationLifecycleService method ensureAccess.
/**
* Ensures that the logged-in user has a {@link Action privilege} on the specified dataset instance.
*
* @param appId the {@link ApplicationId} to check for privileges
* @throws UnauthorizedException if the logged in user has no {@link Action privileges} on the specified dataset
*/
private void ensureAccess(ApplicationId appId) throws Exception {
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(appId)) {
throw new UnauthorizedException(principal, appId);
}
}
Also used :
EntityId(co.cask.cdap.proto.id.EntityId)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
Principal(co.cask.cdap.proto.security.Principal)
Aggregations
Principal (co.cask.cdap.proto.security.Principal)76
EntityId (co.cask.cdap.proto.id.EntityId)22
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)16
Action (co.cask.cdap.proto.security.Action)13
NamespaceId (co.cask.cdap.proto.id.NamespaceId)12
IOException (java.io.IOException)12
Path (javax.ws.rs.Path)11
Test (org.junit.Test)9
Role (co.cask.cdap.proto.security.Role)8
POST (javax.ws.rs.POST)7
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)6
DatasetModuleMeta (co.cask.cdap.proto.DatasetModuleMeta)5
KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId)5
Privilege (co.cask.cdap.proto.security.Privilege)5
DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)4
NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)4
SecureKeyId (co.cask.cdap.proto.id.SecureKeyId)4
DatasetSpecification (co.cask.cdap.api.dataset.DatasetSpecification)3
DatasetModuleConflictException (co.cask.cdap.data2.datafabric.dataset.type.DatasetModuleConflictException)3
DatasetTypeMeta (co.cask.cdap.proto.DatasetTypeMeta)3
