Example 26 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

From the class DefaultNamespaceAdmin, method list:

/**
 * Lists all namespaces
 *
 * @return a list of {@link NamespaceMeta} for all namespaces
 */
@Override
public List<NamespaceMeta> list() throws Exception {
    List<NamespaceMeta> namespaces = nsStore.list();
    final Principal principal = authenticationContext.getPrincipal();
    return AuthorizationUtil.isVisible(namespaces, authorizationEnforcer, principal, new Function<NamespaceMeta, EntityId>() {

        @Override
        public EntityId apply(NamespaceMeta input) {
            return input.getNamespaceId();
        }
    }, new Predicate<NamespaceMeta>() {

        @Override
        public boolean apply(NamespaceMeta input) {
            return principal.getName().equals(input.getConfig().getPrincipal());
        }
    });
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) Principal(co.cask.cdap.proto.security.Principal)

Example 27 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

From the class DefaultSecureStoreServiceTest, method setup:

@BeforeClass
public static void setup() throws Exception {
    SConfiguration sConf = SConfiguration.create();
    sConf.set(Constants.Security.Store.FILE_PASSWORD, "secret");
    CConfiguration cConf = createCConf();
    final Injector injector = AppFabricTestHelper.getInjector(cConf, sConf, new AbstractModule() {

        @Override
        protected void configure() {
            // no overrides
        }
    });
    discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
    appFabricServer = injector.getInstance(AppFabricServer.class);
    appFabricServer.startAndWait();
    waitForService(Constants.Service.DATASET_MANAGER);
    secureStore = injector.getInstance(SecureStore.class);
    secureStoreManager = injector.getInstance(SecureStoreManager.class);
    authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
    // Grant the effective master user ADMIN on the default namespace so that the app fabric server is authorized to create it
    String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
    authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER), Collections.singleton(Action.ADMIN));
    // Starting the Appfabric server will create the default namespace
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            return injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT);
        }
    }, 5, TimeUnit.SECONDS);
    // Revoke the temporary grant once the default namespace exists
    authorizer.revoke(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER), Collections.singleton(Action.ADMIN));
}
Also used : DiscoveryServiceClient(org.apache.twill.discovery.DiscoveryServiceClient) CConfiguration(co.cask.cdap.common.conf.CConfiguration) SecureStore(co.cask.cdap.api.security.store.SecureStore) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) AbstractModule(com.google.inject.AbstractModule) Injector(com.google.inject.Injector) SConfiguration(co.cask.cdap.common.conf.SConfiguration) SecureStoreManager(co.cask.cdap.api.security.store.SecureStoreManager) Principal(co.cask.cdap.proto.security.Principal) BeforeClass(org.junit.BeforeClass)

Example 28 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

From the class ProgramLifecycleServiceAuthorizationTest, method setup:

@BeforeClass
public static void setup() throws Exception {
    cConf = createCConf();
    final Injector injector = AppFabricTestHelper.getInjector(cConf);
    authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
    appFabricServer = injector.getInstance(AppFabricServer.class);
    appFabricServer.startAndWait();
    programLifecycleService = injector.getInstance(ProgramLifecycleService.class);
    // Grant the effective master user ADMIN on the default namespace so that the app fabric server is authorized to create it
    String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
    authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER), Collections.singleton(Action.ADMIN));
    // Starting the Appfabric server will create the default namespace
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            return injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT);
        }
    }, 5, TimeUnit.SECONDS);
    // Revoke the temporary grant once the default namespace exists
    authorizer.revoke(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER), Collections.singleton(Action.ADMIN));
}
Also used : Injector(com.google.inject.Injector) Principal(co.cask.cdap.proto.security.Principal) IOException(java.io.IOException) BeforeClass(org.junit.BeforeClass)

Example 29 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

From the class AuthorizationArtifactRepository, method deleteArtifact:

@Override
public void deleteArtifact(Id.Artifact artifactId) throws Exception {
    // for deleting artifacts, users need admin privileges on the artifact being deleted.
    Principal principal = authenticationContext.getPrincipal();
    authorizationEnforcer.enforce(artifactId.toEntityId(), principal, Action.ADMIN);
    delegate.deleteArtifact(artifactId);
}
Also used : Principal(co.cask.cdap.proto.security.Principal)

Example 30 with Principal

Use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.

From the class AuthorizationArtifactRepository, method addArtifact:

@Override
public ArtifactDetail addArtifact(Id.Artifact artifactId, File artifactFile, @Nullable Set<ArtifactRange> parentArtifacts, @Nullable Set<PluginClass> additionalPlugins, Map<String, String> properties) throws Exception {
    if (artifactId.getNamespace().toEntityId().equals(NamespaceId.SYSTEM)) {
        throw new IllegalArgumentException("Cannot add artifact in system namespace");
    }
    // To add an artifact, a user must have the ADMIN privilege on the artifact being added.
    // This method is used to add user app artifacts, so authorization is enforced on the specified, non-system namespace.
    Principal principal = authenticationContext.getPrincipal();
    authorizationEnforcer.enforce(artifactId.toEntityId(), principal, Action.ADMIN);
    return delegate.addArtifact(artifactId, artifactFile, parentArtifacts, additionalPlugins, properties);
}
Also used : Principal(co.cask.cdap.proto.security.Principal)
