use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationBootstrapper method getAdminUsers.
private Set<Principal> getAdminUsers(CConfiguration cConf) {
Set<Principal> admins = new HashSet<>();
String adminUsers = cConf.get(Constants.Security.Authorization.ADMIN_USERS);
if (adminUsers != null) {
for (String adminUser : Splitter.on(",").omitEmptyStrings().trimResults().split(adminUsers)) {
admins.add(new Principal(adminUser, Principal.PrincipalType.USER));
}
}
return admins;
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationBootstrapper method run.
public void run() {
if (!enabled) {
return;
}
LOG.debug("Bootstrapping authorization for CDAP instance: {}, system users: {} and admin users: {}", instanceId, systemUser, adminUsers);
try {
// grant admin on instance, so the system user can create default (and other) namespaces
privilegesManager.grant(instanceId, systemUser, Collections.singleton(Action.ADMIN));
// grant ALL on the system namespace, so the system user can create and access tables in the system namespace
// also required by SystemArtifactsLoader to add system artifacts
privilegesManager.grant(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));
for (Principal adminUser : adminUsers) {
// grant admin privileges on the CDAP instance to the admin users, so they can create namespaces
privilegesManager.grant(instanceId, adminUser, Collections.singleton(Action.ADMIN));
// also grant admin on the default namespace, so admins can also manage privileges on them
privilegesManager.grant(NamespaceId.DEFAULT, adminUser, Collections.singleton(Action.ADMIN));
}
LOG.info("Successfully bootstrapped authorization for CDAP instance {}, system user {} and admin users: {}", instanceId, systemUser, adminUsers);
} catch (Exception e) {
throw Throwables.propagate(e);
}
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class RemotePrivilegesHandler method grant.
@POST
@Path("/grant")
public void grant(HttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
EntityId entityId = deserializeNext(arguments);
Principal principal = deserializeNext(arguments);
Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
LOG.trace("Granting {} on {} to {}", actions, entityId, principal);
privilegesManager.grant(entityId, principal, actions);
LOG.info("Granted {} on {} to {} successfully", actions, entityId, principal);
responder.sendStatus(HttpResponseStatus.OK);
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class RemotePrivilegesHandler method revoke.
@POST
@Path("/revoke")
public void revoke(HttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
EntityId entityId = deserializeNext(arguments);
Principal principal = deserializeNext(arguments);
Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
LOG.trace("Revoking {} on {} from {}", actions, entityId, principal);
privilegesManager.revoke(entityId, principal, actions);
LOG.info("Revoked {} on {} from {} successfully", actions, entityId, principal);
responder.sendStatus(HttpResponseStatus.OK);
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class ApplicationLifecycleService method ensureAccess.
/**
* Ensures that the logged-in user has a {@link Action privilege} on the specified dataset instance.
*
* @param appId the {@link ApplicationId} to check for privileges
* @throws UnauthorizedException if the logged in user has no {@link Action privileges} on the specified dataset
*/
private void ensureAccess(ApplicationId appId) throws Exception {
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(appId)) {
throw new UnauthorizedException(principal, appId);
}
}
Aggregations