Example 1 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata: class AuthorizationBootstrapper, method getAdminUsers. It reads the comma-separated ADMIN_USERS setting from CConfiguration and turns each entry into a USER principal; entries are trimmed and empty ones dropped, so a value such as " alice, ,bob " yields exactly alice and bob. A name listed twice collapses to a single Principal in the HashSet, which relies on Principal defining equals/hashCode on name and type.

private Set<Principal> getAdminUsers(CConfiguration cConf) {
    Set<Principal> admins = new HashSet<>();
    String adminUsers = cConf.get(Constants.Security.Authorization.ADMIN_USERS);
    if (adminUsers != null) {
        for (String adminUser : Splitter.on(",").omitEmptyStrings().trimResults().split(adminUsers)) {
            admins.add(new Principal(adminUser, Principal.PrincipalType.USER));
        }
    }
    return admins;
}
Also used: Principal(co.cask.cdap.proto.security.Principal) HashSet(java.util.HashSet)

Example 2 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata: class AuthorizationBootstrapper, method run. When authorization is not enabled the method does nothing. Otherwise it grants the system user ADMIN on the CDAP instance and every Action on the system namespace, and grants each admin user ADMIN on the instance and on the default namespace. Note what is not granted: admin users get nothing on the system namespace, and the system user is given nothing on the default namespace directly. Any exception during bootstrap is rethrown unchecked via Throwables.propagate.

public void run() {
    if (!enabled) {
        return;
    }
    LOG.debug("Bootstrapping authorization for CDAP instance: {}, system users: {} and admin users: {}", instanceId, systemUser, adminUsers);
    try {
        // grant admin on instance, so the system user can create default (and other) namespaces
        privilegesManager.grant(instanceId, systemUser, Collections.singleton(Action.ADMIN));
        // grant ALL on the system namespace, so the system user can create and access tables in the system namespace
        // also required by SystemArtifactsLoader to add system artifacts
        privilegesManager.grant(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));
        for (Principal adminUser : adminUsers) {
            // grant admin privileges on the CDAP instance to the admin users, so they can create namespaces
            privilegesManager.grant(instanceId, adminUser, Collections.singleton(Action.ADMIN));
            // also grant admin on the default namespace, so admins can also manage privileges on them
            privilegesManager.grant(NamespaceId.DEFAULT, adminUser, Collections.singleton(Action.ADMIN));
        }
        LOG.info("Successfully bootstrapped authorization for CDAP instance {}, system user {} and admin users: {}", instanceId, systemUser, adminUsers);
    } catch (Exception e) {
        throw Throwables.propagate(e);
    }
}
Also used: Action(co.cask.cdap.proto.security.Action) Principal(co.cask.cdap.proto.security.Principal) IOException(java.io.IOException)

Example 3 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata: class RemotePrivilegesHandler, method grant. The handler deserializes the target EntityId, the Principal and the Set<Action> from the request body, in that order, passes them straight to privilegesManager.grant and answers 200 OK. As excerpted, the method performs no check of its own that the caller is allowed to grant these privileges; any such enforcement has to happen inside privilegesManager or before a request reaches this internal handler.

@POST
@Path("/grant")
public void grant(HttpRequest request, HttpResponder responder) throws Exception {
    Iterator<MethodArgument> arguments = parseArguments(request);
    EntityId entityId = deserializeNext(arguments);
    Principal principal = deserializeNext(arguments);
    Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
    LOG.trace("Granting {} on {} to {}", actions, entityId, principal);
    privilegesManager.grant(entityId, principal, actions);
    LOG.info("Granted {} on {} to {} successfully", actions, entityId, principal);
    responder.sendStatus(HttpResponseStatus.OK);
}
Also used: EntityId(co.cask.cdap.proto.id.EntityId) Action(co.cask.cdap.proto.security.Action) MethodArgument(co.cask.cdap.common.internal.remote.MethodArgument) Principal(co.cask.cdap.proto.security.Principal) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 4 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata: class RemotePrivilegesHandler, method revoke. This is the counterpart of grant: the same argument order (entity, principal, actions), delegation to privilegesManager.revoke, and likewise no caller check in the method itself.

@POST
@Path("/revoke")
public void revoke(HttpRequest request, HttpResponder responder) throws Exception {
    Iterator<MethodArgument> arguments = parseArguments(request);
    EntityId entityId = deserializeNext(arguments);
    Principal principal = deserializeNext(arguments);
    Set<Action> actions = deserializeNext(arguments, SET_OF_ACTIONS);
    LOG.trace("Revoking {} on {} from {}", actions, entityId, principal);
    privilegesManager.revoke(entityId, principal, actions);
    LOG.info("Revoked {} on {} from {} successfully", actions, entityId, principal);
    responder.sendStatus(HttpResponseStatus.OK);
}
Also used: EntityId(co.cask.cdap.proto.id.EntityId) Action(co.cask.cdap.proto.security.Action) MethodArgument(co.cask.cdap.common.internal.remote.MethodArgument) Principal(co.cask.cdap.proto.security.Principal) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 5 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata: class ApplicationLifecycleService, method ensureAccess. The check is visibility rather than a specific action: authorizationEnforcer.createFilter(principal) yields a predicate that accepts an entity on which the principal holds some privilege, and ensureAccess throws UnauthorizedException when the requested application does not pass it.

/**
   * Ensures that the logged-in user has a {@link Action privilege} on the specified application.
   *
   * @param appId the {@link ApplicationId} to check for privileges
   * @throws UnauthorizedException if the logged-in user has no {@link Action privileges} on the specified application
   */
private void ensureAccess(ApplicationId appId) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    if (!filter.apply(appId)) {
        throw new UnauthorizedException(principal, appId);
    }
}
Also used: EntityId(co.cask.cdap.proto.id.EntityId) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Principal(co.cask.cdap.proto.security.Principal)
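The following is an added, stand-alone Java program, not code from CDAP, that replays the parsing from getAdminUsers (Example 1), the grants from run() (Example 2) and the visibility check from ensureAccess (Example 5) against a toy in-memory privilege store, so the privilege table that bootstrap actually produces can be inspected and the effect of a later revoke on ensureAccess observed. Everything in it is an assumption made for the illustration: the stand-in types for Principal, Action and EntityId, the names AuthorizationBootstrapDemo, InMemoryPrivileges, parseAdminUsers and bootstrap, the entity names, the system user name "cdap", and the constructed ADMIN_USERS value. In particular the toy filter ignores parent entities; that is a simplification of this example, not a statement about CDAP's enforcer.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration, not CDAP code: toy stand-ins for Principal, Action and EntityId plus an
// in-memory privilege store, so the table that AuthorizationBootstrapper.run() produces and the
// visibility check in ensureAccess can be exercised offline. Needs Java 17 (records).
public class AuthorizationBootstrapDemo {

    enum PrincipalType { USER, GROUP, ROLE }
    enum Action { READ, WRITE, EXECUTE, ADMIN }
    record Principal(String name, PrincipalType type) { }
    record EntityId(String kind, String name) { }

    // Assumed entity names standing in for the InstanceId and NamespaceId.SYSTEM / NamespaceId.DEFAULT.
    static final EntityId INSTANCE = new EntityId("instance", "cdap");
    static final EntityId SYSTEM_NS = new EntityId("namespace", "system");
    static final EntityId DEFAULT_NS = new EntityId("namespace", "default");

    /** Toy stand-in for PrivilegesManager and AuthorizationEnforcer.createFilter. */
    static class InMemoryPrivileges {
        private final Map<EntityId, Map<Principal, EnumSet<Action>>> table = new HashMap<>();

        void grant(EntityId entity, Principal principal, Set<Action> actions) {
            table.computeIfAbsent(entity, e -> new HashMap<>())
                 .computeIfAbsent(principal, p -> EnumSet.noneOf(Action.class))
                 .addAll(actions);
        }
        void revoke(EntityId entity, Principal principal, Set<Action> actions) {
            Map<Principal, EnumSet<Action>> byPrincipal = table.get(entity);
            EnumSet<Action> held = byPrincipal == null ? null : byPrincipal.get(principal);
            if (held == null) return;
            held.removeAll(actions);
            if (held.isEmpty()) byPrincipal.remove(principal);   // nothing left: drop the row
        }
        private EnumSet<Action> actionsOf(EntityId entity, Principal principal) {
            return table.getOrDefault(entity, Map.of()).getOrDefault(principal, EnumSet.noneOf(Action.class));
        }
        boolean isAllowed(EntityId entity, Principal principal, Action action) {
            return actionsOf(entity, principal).contains(action);
        }
        /** Visibility as in ensureAccess: the entity passes if the principal holds any Action on it.
         *  Simplification of this toy: nothing is inherited from parent entities. */
        Predicate<EntityId> createFilter(Principal principal) {
            return entity -> !actionsOf(entity, principal).isEmpty();
        }
    }

    /** Same parsing as getAdminUsers, without Guava: split on commas, trim, drop empties, dedupe. */
    static Set<Principal> parseAdminUsers(String adminUsers) {
        Set<Principal> admins = new LinkedHashSet<>();
        if (adminUsers == null) return admins;
        for (String entry : adminUsers.split(",")) {
            String name = entry.trim();
            if (!name.isEmpty()) admins.add(new Principal(name, PrincipalType.USER));
        }
        return admins;
    }

    /** The grants from AuthorizationBootstrapper.run(), replayed against the in-memory store. */
    static void bootstrap(InMemoryPrivileges privileges, Principal systemUser, Set<Principal> adminUsers) {
        privileges.grant(INSTANCE, systemUser, EnumSet.of(Action.ADMIN));       // create namespaces
        privileges.grant(SYSTEM_NS, systemUser, EnumSet.allOf(Action.class));   // system tables and artifacts
        for (Principal admin : adminUsers) {
            privileges.grant(INSTANCE, admin, EnumSet.of(Action.ADMIN));
            privileges.grant(DEFAULT_NS, admin, EnumSet.of(Action.ADMIN));
        }
    }

    /** ensureAccess from ApplicationLifecycleService; SecurityException stands in for UnauthorizedException. */
    static void ensureAccess(InMemoryPrivileges privileges, Principal principal, EntityId entity) {
        if (!privileges.createFilter(principal).test(entity)) {
            throw new SecurityException(principal.name() + " has no privilege on " + entity);
        }
    }

    public static void main(String[] args) {
        InMemoryPrivileges privileges = new InMemoryPrivileges();
        Principal systemUser = new Principal("cdap", PrincipalType.USER);   // assumed system user name
        // Constructed ADMIN_USERS value: stray spaces, an empty entry and a duplicate.
        Set<Principal> admins = parseAdminUsers(" alice, ,bob ,alice");
        bootstrap(privileges, systemUser, admins);

        Principal alice = new Principal("alice", PrincipalType.USER);
        Principal carol = new Principal("carol", PrincipalType.USER);   // never listed as an admin
        System.out.println("admins parsed: " + admins);
        System.out.println("alice ADMIN on instance: " + privileges.isAllowed(INSTANCE, alice, Action.ADMIN));
        // bootstrap grants admin users nothing on the system namespace; only the system user gets that
        System.out.println("alice WRITE on system ns: " + privileges.isAllowed(SYSTEM_NS, alice, Action.WRITE));
        System.out.println("system user WRITE on system ns: " + privileges.isAllowed(SYSTEM_NS, systemUser, Action.WRITE));
        System.out.println("carol sees default ns: " + privileges.createFilter(carol).test(DEFAULT_NS));

        // Revoking alice's only privilege on the default namespace makes ensureAccess reject her there.
        privileges.revoke(DEFAULT_NS, alice, EnumSet.of(Action.ADMIN));
        try {
            ensureAccess(privileges, alice, DEFAULT_NS);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Compile and run with javac and java on Java 17 or later. The run shows the parsed admin set collapsing to two users, admin users holding ADMIN on the instance and the default namespace but nothing on the system namespace, the unlisted user seeing nothing, and the ensureAccess-style check rejecting a former admin once her only privilege on the default namespace has been revoked.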

Aggregations

Principal (co.cask.cdap.proto.security.Principal): 76
EntityId (co.cask.cdap.proto.id.EntityId): 22
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException): 16
Action (co.cask.cdap.proto.security.Action): 13
NamespaceId (co.cask.cdap.proto.id.NamespaceId): 12
IOException (java.io.IOException): 12
Path (javax.ws.rs.Path): 11
Test (org.junit.Test): 9
Role (co.cask.cdap.proto.security.Role): 8
POST (javax.ws.rs.POST): 7
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument): 6
DatasetModuleMeta (co.cask.cdap.proto.DatasetModuleMeta): 5
KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId): 5
Privilege (co.cask.cdap.proto.security.Privilege): 5
DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException): 4
NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException): 4
SecureKeyId (co.cask.cdap.proto.id.SecureKeyId): 4
DatasetSpecification (co.cask.cdap.api.dataset.DatasetSpecification): 3
DatasetModuleConflictException (co.cask.cdap.data2.datafabric.dataset.type.DatasetModuleConflictException): 3
DatasetTypeMeta (co.cask.cdap.proto.DatasetTypeMeta): 3