Search in sources :

Example 71 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class RemotePrivilegesHandler method listPrivileges.

@POST
@Path("/listPrivileges")
public void listPrivileges(FullHttpRequest request, HttpResponder responder) throws Exception {
    Iterator<MethodArgument> arguments = parseArguments(request);
    Principal principal = deserializeNext(arguments);
    LOG.trace("Listing privileges for principal {}", principal);
    Set<Privilege> privileges = privilegesManager.listPrivileges(principal);
    LOG.debug("Returning privileges for principal {} as {}", principal, privileges);
    responder.sendJson(HttpResponseStatus.OK, GSON.toJson(privileges));
}
Also used : MethodArgument(co.cask.cdap.common.internal.remote.MethodArgument) Privilege(co.cask.cdap.proto.security.Privilege) AuthorizationPrivilege(co.cask.cdap.proto.security.AuthorizationPrivilege) Principal(co.cask.cdap.proto.security.Principal) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 72 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class RemotePrivilegesHandler method isVisible.

@POST
@Path("/isVisible")
public void isVisible(FullHttpRequest request, HttpResponder responder) throws Exception {
    VisibilityRequest visibilityRequest = GSON.fromJson(request.content().toString(StandardCharsets.UTF_8), VisibilityRequest.class);
    Principal principal = visibilityRequest.getPrincipal();
    Set<EntityId> entityIds = visibilityRequest.getEntityIds();
    LOG.trace("Checking visibility for principal {} on entities {}", principal, entityIds);
    Set<? extends EntityId> visiableEntities = authorizationEnforcer.isVisible(entityIds, principal);
    LOG.debug("Returning entities visible for principal {} as {}", principal, visiableEntities);
    responder.sendJson(HttpResponseStatus.OK, GSON.toJson(visiableEntities));
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) VisibilityRequest(co.cask.cdap.proto.security.VisibilityRequest) Principal(co.cask.cdap.proto.security.Principal) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 73 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class DefaultNamespaceAdmin method get.

/**
 * Gets details of a namespace
 *
 * @param namespaceId the {@link Id.Namespace} of the requested namespace
 * @return the {@link NamespaceMeta} of the requested namespace
 * @throws NamespaceNotFoundException if the requested namespace is not found
 * @throws UnauthorizedException if the namespace is not authorized to the logged-user
 */
@Override
public NamespaceMeta get(NamespaceId namespaceId) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    boolean isAuthorzied = true;
    // See: CDAP-7387
    if (masterShortUserName == null || !masterShortUserName.equals(principal.getName())) {
        try {
            AuthorizationUtil.ensureAccess(namespaceId, authorizationEnforcer, principal);
        } catch (UnauthorizedException e) {
            isAuthorzied = false;
        }
    }
    NamespaceMeta namespaceMeta = null;
    try {
        namespaceMeta = namespaceMetaCache.get(namespaceId);
    } catch (Exception e) {
        if (isAuthorzied) {
            Throwable cause = e.getCause();
            if (cause instanceof NamespaceNotFoundException || cause instanceof IOException || cause instanceof UnauthorizedException) {
                throw (Exception) cause;
            }
            throw e;
        }
    }
    // If the requesting user is same as namespace owner, we do not care about if the user is authorized or not
    if (namespaceMeta != null && principal.getName().equals(namespaceMeta.getConfig().getPrincipal())) {
        return namespaceMeta;
    }
    if (!isAuthorzied) {
        throw new UnauthorizedException(String.format("Namespace %s is not visible to principal %s since the principal does not have any " + "privilege on this namespace or any entity in this namespace.", namespaceId, principal));
    }
    return namespaceMeta;
}
Also used : NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) IOException(java.io.IOException) Principal(co.cask.cdap.proto.security.Principal) NamespaceCannotBeCreatedException(co.cask.cdap.common.NamespaceCannotBeCreatedException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) BadRequestException(co.cask.cdap.common.BadRequestException) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) NamespaceCannotBeDeletedException(co.cask.cdap.common.NamespaceCannotBeDeletedException) DatasetManagementException(co.cask.cdap.api.dataset.DatasetManagementException) IOException(java.io.IOException) NamespaceAlreadyExistsException(co.cask.cdap.common.NamespaceAlreadyExistsException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException)

Example 74 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationArtifactRepository method addSystemArtifacts.

@Override
public void addSystemArtifacts() throws Exception {
    // to add system artifacts, users should have admin privileges on the system namespace
    Principal principal = authenticationContext.getPrincipal();
    authorizationEnforcer.enforce(NamespaceId.SYSTEM, principal, Action.ADMIN);
    delegate.addSystemArtifacts();
}
Also used : Principal(co.cask.cdap.proto.security.Principal)

Example 75 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationHandlerTest method testRevokeEntityUser.

@Test
public void testRevokeEntityUser() throws Exception {
    Principal adminGroup = new Principal("admin", Principal.PrincipalType.GROUP);
    Principal bob = new Principal("bob", Principal.PrincipalType.USER);
    // grant() and revoke(EntityId, String)
    client.grant(Authorizable.fromEntityId(ns1), adminGroup, ImmutableSet.of(Action.READ));
    client.grant(Authorizable.fromEntityId(ns1), bob, ImmutableSet.of(Action.READ));
    verifyAuthSuccess(ns1, adminGroup, Action.READ);
    verifyAuthSuccess(ns1, bob, Action.READ);
    client.revoke(Authorizable.fromEntityId(ns1), adminGroup, EnumSet.allOf(Action.class));
    verifyAuthFailure(ns1, adminGroup, Action.READ);
    verifyAuthSuccess(ns1, bob, Action.READ);
}
Also used : Action(co.cask.cdap.proto.security.Action) Principal(co.cask.cdap.proto.security.Principal) Test(org.junit.Test)

Aggregations

Principal (co.cask.cdap.proto.security.Principal)76 EntityId (co.cask.cdap.proto.id.EntityId)22 UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)16 Action (co.cask.cdap.proto.security.Action)13 NamespaceId (co.cask.cdap.proto.id.NamespaceId)12 IOException (java.io.IOException)12 Path (javax.ws.rs.Path)11 Test (org.junit.Test)9 Role (co.cask.cdap.proto.security.Role)8 POST (javax.ws.rs.POST)7 MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)6 DatasetModuleMeta (co.cask.cdap.proto.DatasetModuleMeta)5 KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId)5 Privilege (co.cask.cdap.proto.security.Privilege)5 DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)4 NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)4 SecureKeyId (co.cask.cdap.proto.id.SecureKeyId)4 DatasetSpecification (co.cask.cdap.api.dataset.DatasetSpecification)3 DatasetModuleConflictException (co.cask.cdap.data2.datafabric.dataset.type.DatasetModuleConflictException)3 DatasetTypeMeta (co.cask.cdap.proto.DatasetTypeMeta)3