Examples with Principal co.cask.cdap.proto.security.Principal used on opensource projects

Example 66 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class RemoteAuthorizationEnforcer method loadVisibility.

private Map<VisibilityKey, Boolean> loadVisibility(Iterable<? extends VisibilityKey> keys) throws IOException {
    if (!keys.iterator().hasNext()) {
        return Collections.emptyMap();
    }
    // It is okay to use the first principal here, since isVisible request will always come for a single principal
    Principal principal = keys.iterator().next().getPrincipal();
    Set<? extends EntityId> visibleEntities = visibilityCheckCall(new VisibilityRequest(principal, toEntityIds(keys)));
    Map<VisibilityKey, Boolean> keyMap = new HashMap<>();
    for (VisibilityKey key : keys) {
        keyMap.put(key, visibleEntities.contains(key.getEntityId()));
    }
    return keyMap;
}

Example 67 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationTest method deployDummyAppWithImpersonation.

private void deployDummyAppWithImpersonation(NamespaceMeta nsMeta, @Nullable String appOwner) throws Exception {
    NamespaceId namespaceId = nsMeta.getNamespaceId();
    ApplicationId dummyAppId = namespaceId.app(DummyApp.class.getSimpleName());
    ArtifactId artifactId = namespaceId.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT");
    DatasetId datasetId = namespaceId.dataset("whom");
    DatasetTypeId datasetTypeId = namespaceId.datasetType(KeyValueTable.class.getName());
    StreamId streamId = namespaceId.stream("who");
    String owner = appOwner != null ? appOwner : nsMeta.getConfig().getPrincipal();
    KerberosPrincipalId principalId = new KerberosPrincipalId(owner);
    Principal principal = new Principal(owner, Principal.PrincipalType.USER);
    DatasetId dummyDatasetId = namespaceId.dataset("customDataset");
    DatasetTypeId dummyTypeId = namespaceId.datasetType(DummyApp.CustomDummyDataset.class.getName());
    DatasetModuleId dummyModuleId = namespaceId.datasetModule((DummyApp.CustomDummyDataset.class.getName()));
    // these are the privileges that are needed to deploy the app if no impersonation is involved,
    // can check testApps() for more info
    Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(dummyAppId, EnumSet.of(Action.ADMIN)).put(artifactId, EnumSet.of(Action.ADMIN)).put(datasetId, EnumSet.of(Action.ADMIN)).put(streamId, EnumSet.of(Action.ADMIN)).put(datasetTypeId, EnumSet.of(Action.ADMIN)).put(principalId, EnumSet.of(Action.ADMIN)).put(dummyDatasetId, EnumSet.of(Action.ADMIN)).put(dummyTypeId, EnumSet.of(Action.ADMIN)).put(dummyModuleId, EnumSet.of(Action.ADMIN)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    // add the artifact
    addAppArtifact(artifactId, DummyApp.class);
    AppRequest<? extends Config> appRequest = new AppRequest<>(new ArtifactSummary(artifactId.getArtifact(), artifactId.getVersion()), null, appOwner);
    try {
        deployApplication(dummyAppId, appRequest);
        Assert.fail();
    } catch (Exception e) {
    // expected
    }
    // revoke privileges on datasets and streams from alice, she does not need these privileges to deploy the app
    // the owner will need these privileges to deploy
    revokeAndAssertSuccess(datasetId);
    revokeAndAssertSuccess(datasetTypeId);
    revokeAndAssertSuccess(streamId);
    revokeAndAssertSuccess(dummyDatasetId);
    revokeAndAssertSuccess(dummyTypeId);
    revokeAndAssertSuccess(dummyModuleId);
    // grant ADMIN privileges to owner
    grantAndAssertSuccess(datasetId, principal, EnumSet.of(Action.ADMIN));
    grantAndAssertSuccess(datasetTypeId, principal, EnumSet.of(Action.ADMIN));
    grantAndAssertSuccess(streamId, principal, EnumSet.of(Action.ADMIN));
    grantAndAssertSuccess(dummyDatasetId, principal, EnumSet.of(Action.ADMIN));
    grantAndAssertSuccess(dummyTypeId, principal, EnumSet.of(Action.ADMIN));
    grantAndAssertSuccess(dummyModuleId, principal, EnumSet.of(Action.ADMIN));
    // this time it should be successful
    deployApplication(dummyAppId, appRequest);
    // clean up the privilege on the owner principal id
    revokeAndAssertSuccess(principalId);
}

Example 68 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationCLITest method testAuthorizationCLI.

@Test
public void testAuthorizationCLI() throws Exception {
    Role role = new Role("admins");
    Principal principal = new Principal("spiderman", Principal.PrincipalType.USER);
    NamespaceId namespaceId = new NamespaceId("ns1");
    testCommandOutputContains(cli, String.format("create namespace %s", namespaceId.getNamespace()), String.format("Namespace '%s' created successfully", namespaceId.getNamespace()));
    // test creating role
    testCommandOutputContains(cli, "create role " + role.getName(), String.format("Successfully created role '%s'", role.getName()));
    // test add role to principal
    testCommandOutputContains(cli, String.format("add role %s to %s %s", role.getName(), principal.getType(), principal.getName()), String.format("Successfully added role '%s' to '%s' '%s'", role.getName(), principal.getType(), principal.getName()));
    // test listing all roles
    String output = getCommandOutput(cli, "list roles");
    List<String> lines = Arrays.asList(output.split("\\r?\\n"));
    Assert.assertEquals(2, lines.size());
    // 0 is just the table headers
    Assert.assertEquals(role.getName(), lines.get(1));
    // test listing roles for a principal
    output = getCommandOutput(cli, String.format("list roles for %s %s", principal.getType(), principal.getName()));
    lines = Arrays.asList(output.split("\\r?\\n"));
    Assert.assertEquals(2, lines.size());
    Assert.assertEquals(role.getName(), lines.get(1));
    // test grant action. also tests case insensitivity of Action and Principal.PrincipalType
    testCommandOutputContains(cli, String.format("grant actions %s on entity %s to %s %s", Action.READ.name().toLowerCase(), namespaceId.toString(), principal.getType().name().toLowerCase(), principal.getName()), String.format("Successfully granted action(s) '%s' on entity '%s' to %s '%s'", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()));
    // test listing privilege
    output = getCommandOutput(cli, String.format("list privileges for %s %s", principal.getType(), principal.getName()));
    lines = Arrays.asList(output.split("\\r?\\n"));
    Assert.assertEquals(2, lines.size());
    Assert.assertArrayEquals(new String[] { namespaceId.toString(), Action.READ.name() }, lines.get(1).split(","));
    // test revoke actions
    testCommandOutputContains(cli, String.format("revoke actions %s on entity %s from %s %s", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()), String.format("Successfully revoked action(s) '%s' on entity '%s' for %s '%s'", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()));
    // grant and perform revoke on the entity
    testCommandOutputContains(cli, String.format("grant actions %s on entity %s to %s %s", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()), String.format("Successfully granted action(s) '%s' on entity '%s' to %s '%s'", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()));
    testCommandOutputContains(cli, String.format("revoke all on entity %s ", namespaceId.toString()), String.format("Successfully revoked all actions on entity '%s' for all principals", namespaceId.toString()));
    // test remove role from principal
    testCommandOutputContains(cli, String.format("remove role %s from %s %s", role.getName(), principal.getType(), principal.getName()), String.format("Successfully removed role '%s' from %s '%s'", role.getName(), principal.getType(), principal.getName()));
    // test remove role (which doesn't exist) from principal
    Role nonexistentRole = new Role("nonexistent_role");
    testCommandOutputContains(cli, String.format("remove role %s from %s %s", nonexistentRole.getName(), principal.getType(), principal.getName()), String.format("Error: %s not found", nonexistentRole));
}

Example 69 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationHandler method addRoleToPrincipal.

@Path("/{principal-type}/{principal-name}/roles/{role-name}")
@PUT
public void addRoleToPrincipal(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String principalType, @PathParam("principal-name") String principalName, @PathParam("role-name") String roleName) throws Exception {
    ensureSecurityEnabled();
    Principal principal = new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase()));
    authorizer.addRoleToPrincipal(new Role(roleName), principal);
    httpResponder.sendStatus(HttpResponseStatus.OK);
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}

Example 70 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationHandler method listRoles.

@Path("{principal-type}/{principal-name}/roles")
@GET
public void listRoles(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String principalType, @PathParam("principal-name") String principalName) throws Exception {
    ensureSecurityEnabled();
    Principal principal = new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase()));
    httpResponder.sendJson(HttpResponseStatus.OK, GSON.toJson(authorizer.listRoles(principal)));
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}