use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class LineageWriterDatasetFramework method getDataset.
/**
 * Loads a dataset instance by delegating to the superclass lookup inside
 * {@code DefaultDatasetRuntimeContext.execute}, bound to the principal taken from the
 * authentication context.
 *
 * <p>Which enforcer and access recorder are used depends on {@code DatasetsUtil.isUserDataset}:
 * <ul>
 *   <li>user datasets: the configured {@code authorizationEnforcer} and a
 *       {@code BasicDatasetAccessRecorder} built from the dataset id, access type and owners;</li>
 *   <li>everything else: {@code SYSTEM_NAMESPACE_ENFORCER} and
 *       {@code SYSTEM_NAMESPACE_ACCESS_RECORDER}. Per the original author's note, authorization
 *       and lineage are skipped for system datasets because user programs are not supposed to be
 *       able to reach them (CDAP-6649).</li>
 * </ul>
 *
 * <p>NOTE(review): the two SYSTEM_NAMESPACE_* constants are defined outside this snippet. Confirm
 * that they really are no-ops and, more importantly, which layer prevents a user program from
 * reaching a system dataset, because this method applies no authorization check on that path.
 *
 * @return whatever the wrapped superclass call yields; may be {@code null} (method is
 *         {@code @Nullable})
 * @throws DatasetManagementException rethrown as-is, or wrapping any exception other than
 *         {@code IOException} and {@code ServiceUnavailableException}
 * @throws IOException rethrown as-is
 */
@Nullable
@Override
public <T extends Dataset> T getDataset(final DatasetId datasetInstanceId, final Map<String, String> arguments,
                                        @Nullable final ClassLoader classLoader,
                                        final DatasetClassLoaderProvider classLoaderProvider,
                                        @Nullable final Iterable<? extends EntityId> owners,
                                        final AccessType accessType)
  throws DatasetManagementException, IOException {
  // Resolved outside the try block, so a failure here is not wrapped in DatasetManagementException.
  Principal caller = authenticationContext.getPrincipal();
  try {
    final AuthorizationEnforcer effectiveEnforcer;
    final DefaultDatasetRuntimeContext.DatasetAccessRecorder effectiveRecorder;
    if (DatasetsUtil.isUserDataset(datasetInstanceId)) {
      // User dataset: always enforce authorization and record lineage.
      effectiveEnforcer = authorizationEnforcer;
      effectiveRecorder = new BasicDatasetAccessRecorder(datasetInstanceId, accessType, owners);
    } else {
      // System dataset: authorization and lineage are skipped (see CDAP-6649).
      effectiveEnforcer = SYSTEM_NAMESPACE_ENFORCER;
      effectiveRecorder = SYSTEM_NAMESPACE_ACCESS_RECORDER;
    }

    // The actual lookup is the superclass implementation; it runs inside the runtime context.
    Callable<T> superLookup = new Callable<T>() {
      @Override
      public T call() throws Exception {
        return LineageWriterDatasetFramework.super.getDataset(datasetInstanceId, arguments, classLoader,
                                                              classLoaderProvider, owners, accessType);
      }
    };
    return DefaultDatasetRuntimeContext.execute(effectiveEnforcer, effectiveRecorder, caller, datasetInstanceId,
                                                getConstructorDefaultAnnotation(accessType), superLookup);
  } catch (IOException | DatasetManagementException | ServiceUnavailableException e) {
    // These types are passed through unchanged so callers can tell them apart.
    throw e;
  } catch (Exception e) {
    throw new DatasetManagementException("Failed to create dataset instance: " + datasetInstanceId, e);
  }
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultSecureStoreService method putSecureData.
/**
 * Stores the user-provided data in the secure store under the given namespace and key name.
 *
 * <p>The caller's principal must pass an {@code Action.ADMIN} check on the secure key itself
 * (not on the namespace). That check runs before the value is validated, so an unauthorized
 * caller is rejected before any input validation happens.
 *
 * <p>The secret arrives as a {@code String}, which cannot be wiped from memory after use; callers
 * and this method should never log {@code value}.
 *
 * @throws BadRequestException If {@code value} is null or empty.
 * @throws UnauthorizedException If the caller is not authorized; the check made here is
 *         {@code Action.ADMIN} on the secure key.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws AlreadyExistsException If the key already exists in the namespace. Updating is not supported.
 * @throws IOException If there was a problem storing the key to the underlying provider.
 */
@Override
public final synchronized void putSecureData(String namespace, String name, String value, String description,
                                             Map<String, String> properties) throws Exception {
  Principal caller = authenticationContext.getPrincipal();
  SecureKeyId targetKey = new NamespaceId(namespace).secureKey(name);

  // Authorization comes first: nothing about the request is evaluated for an unauthorized caller.
  authorizationEnforcer.enforce(targetKey, caller, Action.ADMIN);

  boolean valueMissing = value == null || value.isEmpty();
  if (valueMissing) {
    throw new BadRequestException("The data field should not be empty. This is the data that will be stored " + "securely.");
  }

  secureStoreManager.putSecureData(namespace, name, value, description, properties);
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultSecureStoreService method listSecureData.
/**
 * Lists the secure keys in the given namespace that are visible to the caller.
 * Returns an empty map if none of the keys in the namespace are visible to the caller.
 *
 * <p>All entries are read from the store first and then filtered per key through
 * {@code AuthorizationUtil.isVisible}; there is no namespace-level check in this method, so the
 * per-key filter is the only thing that keeps other users' key names and descriptions out of
 * the result.
 *
 * @return A map of key names accessible by the caller and their descriptions.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws IOException If there was a problem reading from the store.
 */
@Override
public final Map<String, String> listSecureData(final String namespace) throws Exception {
  Principal caller = authenticationContext.getPrincipal();

  // Work on a private copy: the filtering below mutates only this map, not the store's result.
  Map<String, String> visibleEntries = new HashMap<>(secureStore.listSecureData(namespace));

  // Maps a bare key name to the entity id that the visibility check is evaluated against.
  Function<String, EntityId> toSecureKeyId = new Function<String, EntityId>() {
    @Override
    public EntityId apply(String keyName) {
      return new SecureKeyId(namespace, keyName);
    }
  };

  // NOTE(review): the meaning of the trailing null argument is not visible here; confirm against
  // AuthorizationUtil.isVisible.
  visibleEntries.keySet().retainAll(
    AuthorizationUtil.isVisible(visibleEntries.keySet(), authorizationEnforcer, caller, toSecureKeyId, null));
  return visibleEntries;
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultAuthorizationEnforcerTest method testSystemUser.
/**
 * Verifies the enforcer's treatment of the user the test process runs as.
 *
 * <p>No privilege is granted anywhere in this test, yet the enforcer is expected to
 * (a) accept every {@code Action} for that user on {@code NamespaceId.SYSTEM} without throwing, and
 * (b) report only {@code NamespaceId.SYSTEM} as visible when asked about {@code ns1} and the
 * system namespace together. In other words, the implicit privilege must not extend to {@code ns1}.
 */
@Test
public void testSystemUser() throws Exception {
  CConfiguration conf = CConfiguration.copy(CCONF);
  String currentUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  Principal systemUser = new Principal(currentUserName, Principal.PrincipalType.USER);

  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    // Return value is unused; the call is kept as in the original.
    // NOTE(review): confirm whether the test relies on the authorizer being instantiated here.
    instantiator.get();

    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(conf, instantiator);
    NamespaceId userNamespace = new NamespaceId("ns1");

    // Must not throw even though nothing was granted.
    enforcer.enforce(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));

    // Only the system namespace may come back; ns1 has to be filtered out.
    Assert.assertEquals(ImmutableSet.of(NamespaceId.SYSTEM),
                        enforcer.isVisible(ImmutableSet.of(userNamespace, NamespaceId.SYSTEM), systemUser));
  }
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizerTest method testAll.
/**
 * Exercises grant and revoke with the full set of actions.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>before any grant, READ on the namespace is denied for the user;</li>
 *   <li>after granting all actions, READ, WRITE, ADMIN and EXECUTE are each enforced successfully;</li>
 *   <li>after revoking all actions from the user, READ is denied again;</li>
 *   <li>after granting READ to the user and all actions to the {@code admins} role, the
 *       single-argument {@code revoke} on the entity must leave neither principal with access.</li>
 * </ol>
 */
@Test
public void testAll() throws Exception {
  Authorizer authorizer = get();

  // Default-deny: nothing has been granted yet.
  verifyAuthFailure(namespace, user, Action.READ);

  authorizer.grant(Authorizable.fromEntityId(namespace), user, EnumSet.allOf(Action.class));
  Action[] expectedAllowed = {Action.READ, Action.WRITE, Action.ADMIN, Action.EXECUTE};
  for (Action allowed : expectedAllowed) {
    authorizer.enforce(namespace, user, allowed);
  }

  authorizer.revoke(Authorizable.fromEntityId(namespace), user, EnumSet.allOf(Action.class));
  verifyAuthFailure(namespace, user, Action.READ);

  // Entity-wide revoke: privileges of both the user and the role have to disappear.
  Principal adminsRole = new Principal("admins", Principal.PrincipalType.ROLE);
  authorizer.grant(Authorizable.fromEntityId(namespace), user, Collections.singleton(Action.READ));
  authorizer.grant(Authorizable.fromEntityId(namespace), adminsRole, EnumSet.allOf(Action.class));
  authorizer.revoke(Authorizable.fromEntityId(namespace));

  verifyAuthFailure(namespace, user, Action.READ);
  Action[] expectedDeniedForRole = {Action.ADMIN, Action.READ, Action.WRITE, Action.EXECUTE};
  for (Action denied : expectedDeniedForRole) {
    verifyAuthFailure(namespace, adminsRole, denied);
  }
}