
Example 46 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationCLITest method testAuthorizationCLI.

/**
 * Drives the authorization CLI end to end: namespace and role creation, assigning the
 * role to a user, listing roles and privileges, granting and revoking actions on the
 * namespace, and finally removing the role (including the not-found path). Each step is
 * verified only through the text the CLI prints.
 */
@Test
public void testAuthorizationCLI() throws Exception {
    Role admins = new Role("admins");
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    NamespaceId ns = new NamespaceId("ns1");
    // Cache the pieces every command line is built from.
    String nsName = ns.getNamespace();
    String nsEntity = ns.toString();
    String roleName = admins.getName();
    Principal.PrincipalType type = spiderman.getType();
    String user = spiderman.getName();

    testCommandOutputContains(cli, "create namespace " + nsName, "Namespace '" + nsName + "' created successfully");
    // role creation
    testCommandOutputContains(cli, "create role " + roleName, "Successfully created role '" + roleName + "'");
    // role assignment
    testCommandOutputContains(cli, String.format("add role %s to %s %s", roleName, type, user), String.format("Successfully added role '%s' to '%s' '%s'", roleName, type, user));

    // listing all roles: row 0 is the table header, row 1 the single role
    String[] rows = getCommandOutput(cli, "list roles").split("\\r?\\n");
    Assert.assertEquals(2, rows.length);
    Assert.assertEquals(roleName, rows[1]);
    // listing roles of one principal yields the same single row
    rows = getCommandOutput(cli, "list roles for " + type + " " + user).split("\\r?\\n");
    Assert.assertEquals(2, rows.length);
    Assert.assertEquals(roleName, rows[1]);

    // grant: the action and the principal type are sent lower-cased to exercise case-insensitive parsing
    testCommandOutputContains(cli, String.format("grant actions %s on entity %s to %s %s", Action.READ.name().toLowerCase(), nsEntity, type.name().toLowerCase(), user), String.format("Successfully granted action(s) '%s' on entity '%s' to %s '%s'", Action.READ, nsEntity, type, user));
    // the privilege listing is a comma-separated "entity,action" row under the header
    rows = getCommandOutput(cli, "list privileges for " + type + " " + user).split("\\r?\\n");
    Assert.assertEquals(2, rows.length);
    Assert.assertArrayEquals(new String[] { nsEntity, Action.READ.name() }, rows[1].split(","));
    // revoke a single action
    testCommandOutputContains(cli, String.format("revoke actions %s on entity %s from %s %s", Action.READ, nsEntity, type, user), String.format("Successfully revoked action(s) '%s' on entity '%s' for %s '%s'", Action.READ, nsEntity, type, user));
    // grant again, then revoke everything on the entity at once
    testCommandOutputContains(cli, String.format("grant actions %s on entity %s to %s %s", Action.READ, nsEntity, type, user), String.format("Successfully granted action(s) '%s' on entity '%s' to %s '%s'", Action.READ, nsEntity, type, user));
    testCommandOutputContains(cli, String.format("revoke all on entity %s ", nsEntity), String.format("Successfully revoked all actions on entity '%s' for all principals", nsEntity));

    // role removal
    testCommandOutputContains(cli, String.format("remove role %s from %s %s", roleName, type, user), String.format("Successfully removed role '%s' from %s '%s'", roleName, type, user));
    // removing a role that was never created reports an error instead of succeeding silently
    Role missing = new Role("nonexistent_role");
    testCommandOutputContains(cli, String.format("remove role %s from %s %s", missing.getName(), type, user), String.format("Error: %s not found", missing));
}

Example 47 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class PreviewDatasetFramework method getDataset.

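/**
 * Looks up a dataset for the preview run, delegating to the real dataset framework
 * when the instance exists there and to the preview-local framework otherwise.
 * Authorization is enforced only for the former.
 *
 * @return the dataset instance, or {@code null} if the delegate returns none
 * @throws DatasetManagementException if the delegate fails, or for any other
 *         unexpected failure (wrapped)
 * @throws IOException if the delegate raises one
 */
@Nullable
@Override
public <T extends Dataset> T getDataset(final DatasetId datasetInstanceId, final Map<String, String> arguments, @Nullable final ClassLoader classLoader, final DatasetClassLoaderProvider classLoaderProvider, @Nullable final Iterable<? extends EntityId> owners, final AccessType accessType) throws DatasetManagementException, IOException {
    Principal principal = authenticationContext.getPrincipal();
    try {
        // Decide once which framework serves this request. The enforcer chosen here and the
        // framework delegated to inside the callable must agree: re-evaluating hasInstance()
        // a second time would let an instance that appeared in between be served by the real
        // framework under NOOP_ENFORCER, i.e. without any authorization check.
        final boolean useActualFramework = DatasetsUtil.isUserDataset(datasetInstanceId) && actualDatasetFramework.hasInstance(datasetInstanceId);
        // only for the datasets from the real space enforce the authorization.
        AuthorizationEnforcer enforcer = useActualFramework ? authorizationEnforcer : NOOP_ENFORCER;
        return DefaultDatasetRuntimeContext.execute(enforcer, NOOP_DATASET_ACCESS_RECORDER, principal, datasetInstanceId, null, new Callable<T>() {

            @Override
            public T call() throws Exception {
                if (useActualFramework) {
                    return actualDatasetFramework.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType);
                }
                return localDatasetFramework.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType);
            }
        });
    } catch (IOException | DatasetManagementException e) {
        // Declared exception types pass through unchanged.
        throw e;
    } catch (Exception e) {
        throw new DatasetManagementException("Failed to create dataset instance: " + datasetInstanceId, e);
    }
}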

Example 48 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class RemotePrivilegesHandler method listPrivileges.

/**
 * Handles {@code POST /listPrivileges}: reads the serialized principal from the request
 * body and responds with that principal's privileges as JSON.
 *
 * @param request the incoming request carrying the serialized method arguments
 * @param responder used to send the {@code 200 OK} JSON response
 * @throws Exception if argument parsing or the privilege lookup fails
 */
@POST
@Path("/listPrivileges")
public void listPrivileges(HttpRequest request, HttpResponder responder) throws Exception {
    // The principal whose privileges are requested is the next serialized argument.
    Iterator<MethodArgument> args = parseArguments(request);
    Principal target = deserializeNext(args);
    LOG.trace("Listing privileges for principal {}", target);
    Set<Privilege> granted = privilegesManager.listPrivileges(target);
    LOG.debug("Returning privileges for principal {} as {}", target, granted);
    responder.sendJson(HttpResponseStatus.OK, granted);
}

Example 49 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class ApplicationLifecycleService method getApps.

/**
 * Get all applications in the specified namespace that satisfy the specified predicate.
 * <p>
 * A record is built for every application version the store knows in the namespace,
 * kept if {@code predicate} accepts it, and the surviving records are finally narrowed
 * to those the current principal is authorized to see.
 *
 * @param namespace the namespace to get apps from
 * @param predicate the predicate that must be satisfied in order to be returned
 * @return list of all applications in the namespace that satisfy the specified predicate
 * @throws Exception if a store, owner or authorization lookup fails
 */
public List<ApplicationRecord> getApps(final NamespaceId namespace, com.google.common.base.Predicate<ApplicationRecord> predicate) throws Exception {
    // Collect the versioned id of every application in the namespace.
    Set<ApplicationId> ids = new HashSet<>();
    for (ApplicationSpecification spec : store.getAllApplications(namespace)) {
        ids.add(namespace.app(spec.getName(), spec.getAppVersion()));
    }

    List<ApplicationRecord> matching = new ArrayList<>();
    for (ApplicationId appId : ids) {
        ApplicationSpecification spec = store.getApplication(appId);
        if (spec != null) {
            ArtifactId artifactId = spec.getArtifactId();
            // A missing artifact id is possible if this particular app was deployed prior to v3.2
            // and the upgrade failed for some reason.
            ArtifactSummary summary;
            if (artifactId == null) {
                summary = new ArtifactSummary(spec.getName(), null);
            } else {
                summary = ArtifactSummary.from(artifactId);
            }
            ApplicationRecord record = new ApplicationRecord(summary, appId, spec.getDescription(), ownerAdmin.getOwnerPrincipal(appId));
            if (predicate.apply(record)) {
                matching.add(record);
            }
        }
    }

    // Authorization is applied last. Note the filter is evaluated on namespace.app(name),
    // not on the versioned id the record was built from.
    Principal principal = authenticationContext.getPrincipal();
    Predicate<EntityId> visible = authorizationEnforcer.createFilter(principal);
    List<ApplicationRecord> authorized = new ArrayList<>();
    for (ApplicationRecord record : matching) {
        if (visible.apply(namespace.app(record.getName()))) {
            authorized.add(record);
        }
    }
    return authorized;
}

Example 50 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class RemoveRoleFromPrincipalCommand method perform.

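/**
 * Removes a role from a principal through the authorization client and prints a
 * confirmation line.
 *
 * @param arguments the parsed CLI arguments; reads {@code role-name}, {@code principal-type}
 *        and {@code principal-name}
 * @param output where the success message is printed
 * @throws IllegalArgumentException if {@code principal-type} names no known
 *         {@link Principal.PrincipalType}
 * @throws Exception if the client call fails
 */
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    String roleName = arguments.get("role-name");
    String principalType = arguments.get("principal-type");
    String principalName = arguments.get("principal-name");
    Role role = new Role(roleName);
    // Locale.ROOT: the enum constants are ASCII, so the user's default locale (e.g. a
    // dotless/dotted 'i') must not influence how the argument is upper-cased.
    Principal.PrincipalType type;
    try {
        type = Principal.PrincipalType.valueOf(principalType.toUpperCase(java.util.Locale.ROOT));
    } catch (IllegalArgumentException e) {
        // valueOf's own message only echoes the enum class; name the offending argument instead.
        throw new IllegalArgumentException(String.format("Unknown principal type '%s'", principalType), e);
    }
    client.removeRoleFromPrincipal(role, new Principal(principalName, type));
    output.printf("Successfully removed role '%s' from %s '%s'\n", roleName, principalType, principalName);
}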
