Search in sources :

Example 16 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizationBootstrapperTest method test.

@Test
public void test() throws Exception {
    final Principal systemUser = new Principal(UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER);
    // initial state: no privileges for system or admin users
    Predicate<EntityId> systemUserFilter = authorizationEnforcer.createFilter(systemUser);
    Predicate<EntityId> adminUserFilter = authorizationEnforcer.createFilter(ADMIN_USER);
    Assert.assertFalse(systemUserFilter.apply(instanceId));
    Assert.assertFalse(systemUserFilter.apply(NamespaceId.SYSTEM));
    Assert.assertFalse(adminUserFilter.apply(NamespaceId.DEFAULT));
    // privileges should be granted after running bootstrap
    authorizationBootstrapper.run();
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            Predicate<EntityId> systemUserFilter = authorizationEnforcer.createFilter(systemUser);
            Predicate<EntityId> adminUserFilter = authorizationEnforcer.createFilter(ADMIN_USER);
            return systemUserFilter.apply(instanceId) && systemUserFilter.apply(NamespaceId.SYSTEM) && adminUserFilter.apply(NamespaceId.DEFAULT);
        }
    }, 10, TimeUnit.SECONDS);
    txManager.startAndWait();
    datasetService.startAndWait();
    waitForService(Constants.Service.DATASET_MANAGER);
    defaultNamespaceEnsurer.startAndWait();
    systemArtifactLoader.startAndWait();
    waitForService(defaultNamespaceEnsurer);
    waitForService(systemArtifactLoader);
    // ensure that the default namespace was created, and that the system user has privileges to access it
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            try {
                return namespaceQueryAdmin.exists(NamespaceId.DEFAULT);
            } catch (Exception e) {
                return false;
            }
        }
    }, 10, TimeUnit.SECONDS);
    Assert.assertTrue(defaultNamespaceEnsurer.isRunning());
    // ensure that the system artifact was deployed, and that the system user has privileges to access it
    // this will throw an ArtifactNotFoundException if the artifact was not deployed, and UnauthorizedException if
    // the user does not have required privileges
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            try {
                artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId());
                return true;
            } catch (Exception e) {
                return false;
            }
        }
    }, 20, TimeUnit.SECONDS);
    Assert.assertTrue(systemArtifactLoader.isRunning());
    // ensure that system datasets can be created by the system user
    Dataset systemDataset = DatasetsUtil.getOrCreateDataset(dsFramework, NamespaceId.SYSTEM.dataset("system-dataset"), Table.class.getName(), DatasetProperties.EMPTY, Collections.<String, String>emptyMap());
    Assert.assertNotNull(systemDataset);
    // as part of bootstrapping, admin users were also granted admin privileges on the CDAP instance, so they can
    // create namespaces
    SecurityRequestContext.setUserId(ADMIN_USER.getName());
    namespaceAdmin.create(new NamespaceMeta.Builder().setName("success").build());
    SecurityRequestContext.setUserId("bob");
    try {
        namespaceAdmin.create(new NamespaceMeta.Builder().setName("failure").build());
        Assert.fail("Bob should not have been able to create a namespace since he is not an admin user");
    } catch (UnauthorizedException expected) {
    // expected
    }
}
Also used : Table(co.cask.cdap.api.dataset.table.Table) Dataset(co.cask.cdap.api.dataset.Dataset) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) IOException(java.io.IOException) Predicate(co.cask.cdap.api.Predicate) EntityId(co.cask.cdap.proto.id.EntityId) NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Principal(co.cask.cdap.proto.security.Principal) Test(org.junit.Test)

Example 17 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class FileStreamAdmin method ensureAccess.

private <T extends EntityId> void ensureAccess(T entityId) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    if (!filter.apply(entityId)) {
        throw new UnauthorizedException(principal, entityId);
    }
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Principal(co.cask.cdap.proto.security.Principal)

Example 18 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class AuthorizerTest method testRBAC.

@Test
public void testRBAC() throws Exception {
    Authorizer authorizer = get();
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");
    // create a role
    authorizer.createRole(admins);
    // add another role
    authorizer.createRole(engineers);
    // listing role should show the added role
    Set<Role> roles = authorizer.listAllRoles();
    Set<Role> expectedRoles = new HashSet<>();
    expectedRoles.add(admins);
    expectedRoles.add(engineers);
    Assert.assertEquals(expectedRoles, roles);
    // creating a role which already exists should throw an exception
    try {
        authorizer.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (AlreadyExistsException expected) {
    // expected
    }
    // drop an existing role
    authorizer.dropRole(admins);
    // the list should not have the dropped role
    roles = authorizer.listAllRoles();
    Assert.assertEquals(Collections.singleton(engineers), roles);
    // dropping a non-existing role should throw exception
    try {
        authorizer.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
    } catch (NotFoundException expected) {
    // expected
    }
    // add an user to an existing role
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    authorizer.addRoleToPrincipal(engineers, spiderman);
    // add an user to an non-existing role should throw an exception
    try {
        authorizer.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
    // check listing roles for spiderman have engineers role
    Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
    // authorization checks with roles
    NamespaceId ns1 = new NamespaceId("ns1");
    // check that spiderman who has engineers roles cannot read from ns1
    verifyAuthFailure(ns1, spiderman, Action.READ);
    // give a permission to engineers role
    authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(Action.READ));
    // check that a spiderman who has engineers role has access
    authorizer.enforce(ns1, spiderman, Action.READ);
    // list privileges for spiderman should have read action on ns1
    Assert.assertEquals(Collections.singleton(new Privilege(ns1, Action.READ)), authorizer.listPrivileges(spiderman));
    // revoke action from the role
    authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(Action.READ));
    // now the privileges for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listPrivileges(spiderman));
    // check that the user of this role is not authorized to do the revoked operation
    verifyAuthFailure(ns1, spiderman, Action.READ);
    // remove an user from a existing role
    authorizer.removeRoleFromPrincipal(engineers, spiderman);
    // check listing roles for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
    // remove an user from a non-existing role should throw exception
    try {
        authorizer.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
}
Also used : Role(co.cask.cdap.proto.security.Role) NamespaceId(co.cask.cdap.proto.id.NamespaceId) Privilege(co.cask.cdap.proto.security.Privilege) Principal(co.cask.cdap.proto.security.Principal) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 19 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class DefaultSecureStoreService method deleteSecureData.

/**
 * Deletes the key if the user has ADMIN privileges to the key.
 *
 * @throws UnauthorizedException If the user does not have admin privileges required to delete the secure key.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws NotFoundException If the key to be deleted is not found.
 * @throws IOException If there was a problem deleting it from the underlying provider.
 */
@Override
public final void deleteSecureData(String namespace, String name) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
    authorizationEnforcer.enforce(secureKeyId, principal, Action.ADMIN);
    secureStoreManager.deleteSecureData(namespace, name);
}
Also used : SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) Principal(co.cask.cdap.proto.security.Principal)

Example 20 with Principal

use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

the class DefaultSecureStoreService method getSecureData.

/**
 * Checks if the user has access to read the secure key and returns the {@link SecureStoreData} associated
 * with the key if they do.
 *
 * @return Data associated with the key if the user has read access.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws NotFoundException If the key is not found in the store.
 * @throws IOException If there was a problem reading from the store.
 * @throws UnauthorizedException If the user does not have READ permissions on the secure key.
 */
@Override
public final SecureStoreData getSecureData(String namespace, String name) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
    authorizationEnforcer.enforce(secureKeyId, principal, Action.READ);
    return secureStore.getSecureData(namespace, name);
}
Also used : SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) Principal(co.cask.cdap.proto.security.Principal)

Aggregations

Principal (co.cask.cdap.proto.security.Principal)76 EntityId (co.cask.cdap.proto.id.EntityId)22 UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)16 Action (co.cask.cdap.proto.security.Action)13 NamespaceId (co.cask.cdap.proto.id.NamespaceId)12 IOException (java.io.IOException)12 Path (javax.ws.rs.Path)11 Test (org.junit.Test)9 Role (co.cask.cdap.proto.security.Role)8 POST (javax.ws.rs.POST)7 MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)6 DatasetModuleMeta (co.cask.cdap.proto.DatasetModuleMeta)5 KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId)5 Privilege (co.cask.cdap.proto.security.Privilege)5 DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)4 NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)4 SecureKeyId (co.cask.cdap.proto.id.SecureKeyId)4 DatasetSpecification (co.cask.cdap.api.dataset.DatasetSpecification)3 DatasetModuleConflictException (co.cask.cdap.data2.datafabric.dataset.type.DatasetModuleConflictException)3 DatasetTypeMeta (co.cask.cdap.proto.DatasetTypeMeta)3