use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationBootstrapperTest method test.
@Test
public void test() throws Exception {
final Principal systemUser = new Principal(UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER);
// initial state: no privileges for system or admin users
Predicate<EntityId> systemUserFilter = authorizationEnforcer.createFilter(systemUser);
Predicate<EntityId> adminUserFilter = authorizationEnforcer.createFilter(ADMIN_USER);
Assert.assertFalse(systemUserFilter.apply(instanceId));
Assert.assertFalse(systemUserFilter.apply(NamespaceId.SYSTEM));
Assert.assertFalse(adminUserFilter.apply(NamespaceId.DEFAULT));
// privileges should be granted after running bootstrap
authorizationBootstrapper.run();
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
Predicate<EntityId> systemUserFilter = authorizationEnforcer.createFilter(systemUser);
Predicate<EntityId> adminUserFilter = authorizationEnforcer.createFilter(ADMIN_USER);
return systemUserFilter.apply(instanceId) && systemUserFilter.apply(NamespaceId.SYSTEM) && adminUserFilter.apply(NamespaceId.DEFAULT);
}
}, 10, TimeUnit.SECONDS);
txManager.startAndWait();
datasetService.startAndWait();
waitForService(Constants.Service.DATASET_MANAGER);
defaultNamespaceEnsurer.startAndWait();
systemArtifactLoader.startAndWait();
waitForService(defaultNamespaceEnsurer);
waitForService(systemArtifactLoader);
// ensure that the default namespace was created, and that the system user has privileges to access it
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
try {
return namespaceQueryAdmin.exists(NamespaceId.DEFAULT);
} catch (Exception e) {
return false;
}
}
}, 10, TimeUnit.SECONDS);
Assert.assertTrue(defaultNamespaceEnsurer.isRunning());
// ensure that the system artifact was deployed, and that the system user has privileges to access it
// this will throw an ArtifactNotFoundException if the artifact was not deployed, and UnauthorizedException if
// the user does not have required privileges
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
try {
artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId());
return true;
} catch (Exception e) {
return false;
}
}
}, 20, TimeUnit.SECONDS);
Assert.assertTrue(systemArtifactLoader.isRunning());
// ensure that system datasets can be created by the system user
Dataset systemDataset = DatasetsUtil.getOrCreateDataset(dsFramework, NamespaceId.SYSTEM.dataset("system-dataset"), Table.class.getName(), DatasetProperties.EMPTY, Collections.<String, String>emptyMap());
Assert.assertNotNull(systemDataset);
// as part of bootstrapping, admin users were also granted admin privileges on the CDAP instance, so they can
// create namespaces
SecurityRequestContext.setUserId(ADMIN_USER.getName());
namespaceAdmin.create(new NamespaceMeta.Builder().setName("success").build());
SecurityRequestContext.setUserId("bob");
try {
namespaceAdmin.create(new NamespaceMeta.Builder().setName("failure").build());
Assert.fail("Bob should not have been able to create a namespace since he is not an admin user");
} catch (UnauthorizedException expected) {
// expected
}
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class FileStreamAdmin method ensureAccess.
private <T extends EntityId> void ensureAccess(T entityId) throws Exception {
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(entityId)) {
throw new UnauthorizedException(principal, entityId);
}
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
Authorizer authorizer = get();
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
authorizer.createRole(admins);
// add another role
authorizer.createRole(engineers);
// listing role should show the added role
Set<Role> roles = authorizer.listAllRoles();
Set<Role> expectedRoles = new HashSet<>();
expectedRoles.add(admins);
expectedRoles.add(engineers);
Assert.assertEquals(expectedRoles, roles);
// creating a role which already exists should throw an exception
try {
authorizer.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (AlreadyExistsException expected) {
// expected
}
// drop an existing role
authorizer.dropRole(admins);
// the list should not have the dropped role
roles = authorizer.listAllRoles();
Assert.assertEquals(Collections.singleton(engineers), roles);
// dropping a non-existing role should throw exception
try {
authorizer.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (NotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
authorizer.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
authorizer.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
// expectedRoles
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
// authorization checks with roles
NamespaceId ns1 = new NamespaceId("ns1");
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, Action.READ);
// give a permission to engineers role
authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(Action.READ));
// check that a spiderman who has engineers role has access
authorizer.enforce(ns1, spiderman, Action.READ);
// list privileges for spiderman should have read action on ns1
Assert.assertEquals(Collections.singleton(new Privilege(ns1, Action.READ)), authorizer.listPrivileges(spiderman));
// revoke action from the role
authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(Action.READ));
// now the privileges for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listPrivileges(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, Action.READ);
// remove an user from a existing role
authorizer.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
authorizer.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
// expectedRoles
}
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultSecureStoreService method deleteSecureData.
/**
* Deletes the key if the user has ADMIN privileges to the key.
*
* @throws UnauthorizedException If the user does not have admin privileges required to delete the secure key.
* @throws NamespaceNotFoundException If the specified namespace does not exist.
* @throws NotFoundException If the key to be deleted is not found.
* @throws IOException If there was a problem deleting it from the underlying provider.
*/
@Override
public final void deleteSecureData(String namespace, String name) throws Exception {
Principal principal = authenticationContext.getPrincipal();
SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
authorizationEnforcer.enforce(secureKeyId, principal, Action.ADMIN);
secureStoreManager.deleteSecureData(namespace, name);
}
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultSecureStoreService method getSecureData.
/**
* Checks if the user has access to read the secure key and returns the {@link SecureStoreData} associated
* with the key if they do.
*
* @return Data associated with the key if the user has read access.
* @throws NamespaceNotFoundException If the specified namespace does not exist.
* @throws NotFoundException If the key is not found in the store.
* @throws IOException If there was a problem reading from the store.
* @throws UnauthorizedException If the user does not have READ permissions on the secure key.
*/
@Override
public final SecureStoreData getSecureData(String namespace, String name) throws Exception {
Principal principal = authenticationContext.getPrincipal();
SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
authorizationEnforcer.enforce(secureKeyId, principal, Action.READ);
return secureStore.getSecureData(namespace, name);
}
Aggregations