use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class RemotePrivilegesHandler method listPrivileges.
@POST
@Path("/listPrivileges")
public void listPrivileges(FullHttpRequest request, HttpResponder responder) throws Exception {
Iterator<MethodArgument> arguments = parseArguments(request);
Principal principal = deserializeNext(arguments);
LOG.trace("Listing privileges for principal {}", principal);
Set<Privilege> privileges = privilegesManager.listPrivileges(principal);
LOG.debug("Returning privileges for principal {} as {}", principal, privileges);
responder.sendJson(HttpResponseStatus.OK, GSON.toJson(privileges));
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class RemotePrivilegesHandler method isVisible.
@POST
@Path("/isVisible")
public void isVisible(FullHttpRequest request, HttpResponder responder) throws Exception {
VisibilityRequest visibilityRequest = GSON.fromJson(request.content().toString(StandardCharsets.UTF_8), VisibilityRequest.class);
Principal principal = visibilityRequest.getPrincipal();
Set<EntityId> entityIds = visibilityRequest.getEntityIds();
LOG.trace("Checking visibility for principal {} on entities {}", principal, entityIds);
Set<? extends EntityId> visiableEntities = authorizationEnforcer.isVisible(entityIds, principal);
LOG.debug("Returning entities visible for principal {} as {}", principal, visiableEntities);
responder.sendJson(HttpResponseStatus.OK, GSON.toJson(visiableEntities));
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultNamespaceAdmin method get.
/**
* Gets details of a namespace
*
* @param namespaceId the {@link Id.Namespace} of the requested namespace
* @return the {@link NamespaceMeta} of the requested namespace
* @throws NamespaceNotFoundException if the requested namespace is not found
* @throws UnauthorizedException if the namespace is not authorized to the logged-user
*/
@Override
public NamespaceMeta get(NamespaceId namespaceId) throws Exception {
Principal principal = authenticationContext.getPrincipal();
boolean isAuthorzied = true;
// See: CDAP-7387
if (masterShortUserName == null || !masterShortUserName.equals(principal.getName())) {
try {
AuthorizationUtil.ensureAccess(namespaceId, authorizationEnforcer, principal);
} catch (UnauthorizedException e) {
isAuthorzied = false;
}
}
NamespaceMeta namespaceMeta = null;
try {
namespaceMeta = namespaceMetaCache.get(namespaceId);
} catch (Exception e) {
if (isAuthorzied) {
Throwable cause = e.getCause();
if (cause instanceof NamespaceNotFoundException || cause instanceof IOException || cause instanceof UnauthorizedException) {
throw (Exception) cause;
}
throw e;
}
}
// If the requesting user is same as namespace owner, we do not care about if the user is authorized or not
if (namespaceMeta != null && principal.getName().equals(namespaceMeta.getConfig().getPrincipal())) {
return namespaceMeta;
}
if (!isAuthorzied) {
throw new UnauthorizedException(String.format("Namespace %s is not visible to principal %s since the principal does not have any " + "privilege on this namespace or any entity in this namespace.", namespaceId, principal));
}
return namespaceMeta;
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationArtifactRepository method addSystemArtifacts.
@Override
public void addSystemArtifacts() throws Exception {
// to add system artifacts, users should have admin privileges on the system namespace
Principal principal = authenticationContext.getPrincipal();
authorizationEnforcer.enforce(NamespaceId.SYSTEM, principal, Action.ADMIN);
delegate.addSystemArtifacts();
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationHandlerTest method testRevokeEntityUser.
@Test
public void testRevokeEntityUser() throws Exception {
Principal adminGroup = new Principal("admin", Principal.PrincipalType.GROUP);
Principal bob = new Principal("bob", Principal.PrincipalType.USER);
// grant() and revoke(EntityId, String)
client.grant(Authorizable.fromEntityId(ns1), adminGroup, ImmutableSet.of(Action.READ));
client.grant(Authorizable.fromEntityId(ns1), bob, ImmutableSet.of(Action.READ));
verifyAuthSuccess(ns1, adminGroup, Action.READ);
verifyAuthSuccess(ns1, bob, Action.READ);
client.revoke(Authorizable.fromEntityId(ns1), adminGroup, EnumSet.allOf(Action.class));
verifyAuthFailure(ns1, adminGroup, Action.READ);
verifyAuthSuccess(ns1, bob, Action.READ);
}
Aggregations