use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DatasetTypeService method listModules.
/**
 * Lists the {@link DatasetModuleMeta dataset modules} of the given {@link NamespaceId namespace}, sorted by
 * module name and narrowed to the modules accepted by the authorization filter of the current principal.
 *
 * <p>Modules rejected by the filter are left out of the result without any error, so an empty list can mean
 * either that the namespace has no modules or that none of them is visible to the caller.
 *
 * @param namespaceId the namespace whose modules are listed
 * @return a new list holding the visible modules in name order
 * @throws Exception whatever {@code ensureNamespaceExists}, the type manager or the authorization lookups throw
 */
List<DatasetModuleMeta> listModules(final NamespaceId namespaceId) throws Exception {
  // The namespace check runs before any module metadata is read.
  ensureNamespaceExists(namespaceId);

  // Copy into a mutable list so the modules can be ordered by name (ordering is a convenience only).
  List<DatasetModuleMeta> sortedModules = Lists.newArrayList(typeManager.getModules(namespaceId));
  Collections.sort(sortedModules, new Comparator<DatasetModuleMeta>() {
    @Override
    public int compare(DatasetModuleMeta left, DatasetModuleMeta right) {
      return left.getName().compareTo(right.getName());
    }
  });

  // One filter is built for the current principal and reused for every module.
  Principal principal = authenticationContext.getPrincipal();
  Predicate<EntityId> visibleTo = authorizationEnforcer.createFilter(principal);

  List<DatasetModuleMeta> visibleModules = Lists.newArrayList();
  for (DatasetModuleMeta module : sortedModules) {
    // The authorization decision is made on the module's entity id, not on the metadata object.
    if (visibleTo.apply(namespaceId.datasetModule(module.getName()))) {
      visibleModules.add(module);
    }
  }
  return visibleModules;
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultMetadataAdmin method filterAuthorizedSearchResult.
/**
 * Narrows a {@link MetadataSearchResponse} to the {@link MetadataSearchResultRecord records} whose entity is
 * accepted by the authorization filter created for the current principal.
 *
 * <p>Only the result set is filtered. Sort, offset, limit, cursor count, total, cursors, the show-hidden flag
 * and the entity scope are copied from the input unchanged.
 *
 * @param results the {@link MetadataSearchResponse} to filter
 * @return a new {@link MetadataSearchResponse} containing only the accepted records
 * @throws Exception whatever the authentication context or the authorization enforcer throws
 */
private MetadataSearchResponse filterAuthorizedSearchResult(MetadataSearchResponse results) throws Exception {
  Principal principal = authenticationContext.getPrincipal();
  Predicate<EntityId> visibleTo = authorizationEnforcer.createFilter(principal);

  // Keep the records in iteration order; the builder drops duplicates just as ImmutableSet.copyOf would.
  ImmutableSet.Builder<MetadataSearchResultRecord> visibleRecords = ImmutableSet.builder();
  for (MetadataSearchResultRecord candidate : results.getResults()) {
    if (visibleTo.apply(candidate.getEntityId())) {
      visibleRecords.add(candidate);
    }
  }

  // NOTE(review): getTotal() and getCursors() are passed through as they were computed before filtering, so
  // the response can report a total larger than the number of records the caller may see - confirm that
  // callers do not present it as a count of visible entities.
  return new MetadataSearchResponse(results.getSort(), results.getOffset(), results.getLimit(),
                                    results.getNumCursors(), results.getTotal(), visibleRecords.build(),
                                    results.getCursors(), results.isShowHidden(), results.getEntityScope());
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class ArtifactRepository method ensureAccess.
/**
 * Ensures that the current principal passes the authorization filter for the specified artifact.
 *
 * <p>Artifacts whose parent is {@link NamespaceId#SYSTEM} are exempt: for them the method returns without
 * consulting the authentication context or the authorization enforcer.
 *
 * @param artifactId the {@link co.cask.cdap.proto.id.ArtifactId} to check for privileges
 * @throws UnauthorizedException if the filter created for the current principal rejects the artifact
 */
private void ensureAccess(co.cask.cdap.proto.id.ArtifactId artifactId) throws Exception {
  // System artifacts are deliberately not subject to authorization.
  boolean systemArtifact = NamespaceId.SYSTEM.equals(artifactId.getParent());
  if (!systemArtifact) {
    Principal principal = authenticationContext.getPrincipal();
    // presumably the filter accepts an entity when the principal holds at least one privilege on it -
    // confirm against the AuthorizationEnforcer implementation in use
    boolean allowed = authorizationEnforcer.createFilter(principal).apply(artifactId);
    if (!allowed) {
      throw new UnauthorizedException(principal, artifactId);
    }
  }
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class ArtifactRepository method addArtifact.
/**
 * Inspects the given artifact, builds its plugin and application information and stores it, adding an extra
 * set of plugin classes to the ones found through inspection. Use this when some plugin classes cannot be
 * derived by inspecting the artifact and have to be declared explicitly, as with 3rd party plugins such as
 * jdbc drivers.
 *
 * <p>Authorization happens in two steps: {@link Action#WRITE} on the artifact's namespace is enforced for the
 * current principal before anything is stored, and once the artifact has been added the same principal is
 * granted every {@link Action} on it.
 *
 * @param artifactId the id of the artifact to inspect and store
 * @param artifactFile the artifact to inspect and store
 * @param parentArtifacts artifacts the given artifact extends.
 *                        If null, the given artifact does not extend another artifact
 * @param additionalPlugins the set of additional plugin classes to add to the plugins found through inspection.
 *                          If null, no additional plugin classes will be added
 * @return the detail of the artifact that was added
 * @throws IOException if there was an exception reading from the artifact store
 * @throws ArtifactRangeNotFoundException if none of the parent artifacts could be found
 * @throws UnauthorizedException if the user does not have {@link Action#WRITE} on the namespace in which the
 *                               artifact is being added
 */
public ArtifactDetail addArtifact(Id.Artifact artifactId, File artifactFile,
                                  @Nullable Set<ArtifactRange> parentArtifacts,
                                  @Nullable Set<PluginClass> additionalPlugins) throws Exception {
  // The principal is resolved once and used for both the enforcement and the later grant.
  Principal principal = authenticationContext.getPrincipal();

  // Adding an artifact requires WRITE on its namespace; the check runs before the artifact is touched.
  // NOTE(review): the original comment calls this a non-system namespace, but nothing in this method rejects
  // the system namespace - confirm that it is ruled out by the callers.
  authorizationEnforcer.enforce(artifactId.getNamespace().toEntityId(), principal, Action.WRITE);

  // Delegate to the five-argument overload with no extra properties.
  ArtifactDetail stored = addArtifact(artifactId, artifactFile, parentArtifacts, additionalPlugins,
                                      Collections.<String, String>emptyMap());

  // The artifact is in place, so the creator now receives all privileges on it.
  // NOTE(review): if this grant throws, the exception propagates with the artifact already added and no
  // privileges granted on it; nothing here undoes the add - confirm that this state is handled elsewhere.
  privilegesManager.grant(artifactId.toEntityId(), principal, EnumSet.allOf(Action.class));
  return stored;
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationHandlerTest method testAuthorizationForPrivileges.
/**
 * Checks that granting and revoking privileges on {@code ns1} is itself subject to authorization: alice is
 * rejected with {@link UnauthorizedException} while she holds no privileges on the namespace and succeeds once
 * the admin user has granted her some. The user that was current on entry is restored in every case.
 */
@Test
public void testAuthorizationForPrivileges() throws Exception {
  Principal bob = new Principal("bob", Principal.PrincipalType.USER);
  Principal alice = new Principal("alice", Principal.PrincipalType.USER);
  // The user current on entry was set up as admin before this test, and admin is configured as a superuser.
  String adminUser = getCurrentUser();

  setCurrentUser(alice.getName());
  try {
    // Negative case: without privileges on ns1 alice must not be able to grant anything.
    boolean grantDenied = false;
    try {
      client.grant(ns1, bob, EnumSet.allOf(Action.class));
    } catch (UnauthorizedException expected) {
      grantDenied = true;
    }
    if (!grantDenied) {
      Assert.fail(String.format("alice should not be able to grant privileges to bob on namespace %s because she " + "does not have admin privileges on the namespace.", ns1));
    }

    // The superuser is allowed to grant, and gives alice ADMIN on the namespace.
    setCurrentUser(adminUser);
    client.grant(ns1, alice, ImmutableSet.of(Action.ADMIN));

    // Holding ADMIN, alice can now grant privileges to bob.
    setCurrentUser(alice.getName());
    client.grant(ns1, bob, EnumSet.allOf(Action.class));

    // As admin, revoke on the whole namespace so that alice loses her privileges.
    // NOTE(review): this call names no principal, so it presumably clears bob's privileges on ns1 as well -
    // confirm; the denial below depends only on alice's privileges being gone.
    setCurrentUser(adminUser);
    client.revoke(ns1);

    // Negative case: alice must not be able to revoke bob's privileges any more.
    setCurrentUser(alice.getName());
    boolean revokeDenied = false;
    try {
      client.revoke(ns1, bob, EnumSet.allOf(Action.class));
    } catch (UnauthorizedException expected) {
      revokeDenied = true;
    }
    if (!revokeDenied) {
      Assert.fail(String.format("alice should not be able to revoke bob's privileges on namespace %s because she " + "does not have admin privileges on the namespace.", ns1));
    }

    // Admin grants alice privileges again ...
    setCurrentUser(adminUser);
    client.grant(ns1, alice, EnumSet.allOf(Action.class));

    // ... after which she can revoke bob's privileges.
    setCurrentUser(alice.getName());
    client.revoke(ns1, bob, EnumSet.allOf(Action.class));
  } finally {
    // Never leave alice as the current user for tests that run afterwards.
    setCurrentUser(adminUser);
  }
}