Example 31 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class ApplicationLifecycleService method deployApp.
private ApplicationWithPrograms deployApp(NamespaceId namespaceId, @Nullable String appName, @Nullable String appVersion, @Nullable String configStr, ProgramTerminator programTerminator, ArtifactDetail artifactDetail, @Nullable KerberosPrincipalId ownerPrincipal, boolean updateSchedules) throws Exception {
// Now to deploy an app, we need ADMIN privilege on the owner principal if it is present, and also ADMIN on the app
// But since at this point, app name is unknown to us, so the enforcement on the app is happening in the deploy
// pipeline - LocalArtifactLoaderStage
// need to enforce on the principal id if impersonation is involved
KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, namespaceId, ownerPrincipal == null ? null : ownerPrincipal.getPrincipal());
Principal requestingUser = authenticationContext.getPrincipal();
// impersonated principal
if (effectiveOwner != null) {
authorizationEnforcer.enforce(effectiveOwner, requestingUser, Action.ADMIN);
}
ApplicationClass appClass = Iterables.getFirst(artifactDetail.getMeta().getClasses().getApps(), null);
if (appClass == null) {
throw new InvalidArtifactException(String.format("No application class found in artifact '%s' in namespace '%s'.", artifactDetail.getDescriptor().getArtifactId(), namespaceId));
}
// deploy application with newly added artifact
AppDeploymentInfo deploymentInfo = new AppDeploymentInfo(artifactDetail.getDescriptor(), namespaceId, appClass.getClassName(), appName, appVersion, configStr, ownerPrincipal, updateSchedules);
Manager<AppDeploymentInfo, ApplicationWithPrograms> manager = managerFactory.create(programTerminator);
// TODO: (CDAP-3258) Manager needs MUCH better error handling.
ApplicationWithPrograms applicationWithPrograms;
try {
applicationWithPrograms = manager.deploy(deploymentInfo).get();
} catch (ExecutionException e) {
Throwables.propagateIfPossible(e.getCause(), Exception.class);
throw Throwables.propagate(e.getCause());
}
return applicationWithPrograms;
}
Also used :
AppDeploymentInfo(co.cask.cdap.internal.app.deploy.pipeline.AppDeploymentInfo)
ApplicationWithPrograms(co.cask.cdap.internal.app.deploy.pipeline.ApplicationWithPrograms)
ApplicationClass(co.cask.cdap.api.artifact.ApplicationClass)
ExecutionException(java.util.concurrent.ExecutionException)
KerberosPrincipalId(co.cask.cdap.proto.id.KerberosPrincipalId)
Principal(co.cask.cdap.proto.security.Principal)
InvalidArtifactException(co.cask.cdap.common.InvalidArtifactException)
CannotBeDeletedException(co.cask.cdap.common.CannotBeDeletedException)
ApplicationNotFoundException(co.cask.cdap.common.ApplicationNotFoundException)
ArtifactNotFoundException(co.cask.cdap.common.ArtifactNotFoundException)
ArtifactAlreadyExistsException(co.cask.cdap.common.ArtifactAlreadyExistsException)
IOException(java.io.IOException)
InvalidArtifactException(co.cask.cdap.common.InvalidArtifactException)
ExecutionException(java.util.concurrent.ExecutionException)
NotFoundException(co.cask.cdap.common.NotFoundException)
Example 32 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class ApplicationLifecycleService method filterApplicationDetail.
/**
* Filter the {@link ApplicationDetail} by only returning the visible entities
*/
private ApplicationDetail filterApplicationDetail(final ApplicationId appId, ApplicationDetail applicationDetail) throws Exception {
Principal principal = authenticationContext.getPrincipal();
List<ProgramRecord> filteredPrograms = AuthorizationUtil.isVisible(applicationDetail.getPrograms(), authorizationEnforcer, principal, new Function<ProgramRecord, EntityId>() {
@Override
public EntityId apply(ProgramRecord input) {
return appId.program(input.getType(), input.getName());
}
}, null);
List<StreamDetail> filteredStreams = AuthorizationUtil.isVisible(applicationDetail.getStreams(), authorizationEnforcer, principal, new Function<StreamDetail, EntityId>() {
@Override
public EntityId apply(StreamDetail input) {
return appId.getNamespaceId().stream(input.getName());
}
}, null);
List<DatasetDetail> filteredDatasets = AuthorizationUtil.isVisible(applicationDetail.getDatasets(), authorizationEnforcer, principal, new Function<DatasetDetail, EntityId>() {
@Override
public EntityId apply(DatasetDetail input) {
return appId.getNamespaceId().dataset(input.getName());
}
}, null);
return new ApplicationDetail(applicationDetail.getName(), applicationDetail.getAppVersion(), applicationDetail.getDescription(), applicationDetail.getConfiguration(), filteredStreams, filteredDatasets, filteredPrograms, applicationDetail.getPlugins(), applicationDetail.getArtifact(), applicationDetail.getOwnerPrincipal());
}
Also used :
DatasetDetail(co.cask.cdap.proto.DatasetDetail)
StreamDetail(co.cask.cdap.proto.StreamDetail)
EntityId(co.cask.cdap.proto.id.EntityId)
ApplicationDetail(co.cask.cdap.proto.ApplicationDetail)
ProgramRecord(co.cask.cdap.proto.ProgramRecord)
Principal(co.cask.cdap.proto.security.Principal)
Example 33 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationHandlerTest method testRevokeEntity.
@Test
public void testRevokeEntity() throws Exception {
Principal adminGroup = new Principal("admin", Principal.PrincipalType.GROUP);
Principal bob = new Principal("bob", Principal.PrincipalType.USER);
// grant() and revoke(EntityId)
client.grant(Authorizable.fromEntityId(ns1), adminGroup, ImmutableSet.of(Action.READ));
client.grant(Authorizable.fromEntityId(ns1), bob, ImmutableSet.of(Action.READ));
client.grant(Authorizable.fromEntityId(ns2), adminGroup, ImmutableSet.of(Action.READ));
verifyAuthSuccess(ns1, adminGroup, Action.READ);
verifyAuthSuccess(ns1, bob, Action.READ);
verifyAuthSuccess(ns2, adminGroup, Action.READ);
client.revoke(Authorizable.fromEntityId(ns1));
verifyAuthFailure(ns1, adminGroup, Action.READ);
verifyAuthFailure(ns1, bob, Action.READ);
verifyAuthSuccess(ns2, adminGroup, Action.READ);
}Example 34 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class AuthorizationHandlerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
client.createRole(admins);
// add another role
client.createRole(engineers);
// listing role should show the added role
Set<Role> roles = client.listAllRoles();
Assert.assertEquals(Sets.newHashSet(admins, engineers), roles);
// creating a role which already exists should throw an exception
try {
client.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (AlreadyExistsException expected) {
// expected
}
// drop an existing role
client.dropRole(admins);
// the list should not have the dropped role
roles = client.listAllRoles();
Assert.assertEquals(Sets.newHashSet(engineers), roles);
// dropping a non-existing role should throw exception
try {
client.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (co.cask.cdap.security.spi.authorization.NotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
client.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
client.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (co.cask.cdap.security.spi.authorization.NotFoundException expected) {
// expected
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Sets.newHashSet(engineers), client.listRoles(spiderman));
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, Action.READ);
// give a permission to engineers role
client.grant(Authorizable.fromEntityId(ns1), engineers, ImmutableSet.of(Action.READ));
// check that a spiderman who has engineers role has access
verifyAuthSuccess(ns1, spiderman, Action.READ);
// list privileges for spiderman should have read action on ns1
Assert.assertEquals(Sets.newHashSet(new Privilege(ns1, Action.READ)), client.listPrivileges(spiderman));
// revoke action from the role
client.revoke(Authorizable.fromEntityId(ns1), engineers, ImmutableSet.of(Action.READ));
// now the privileges for spiderman should be empty
Assert.assertEquals(new HashSet<>(), client.listPrivileges(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, Action.READ);
// remove an user from a existing role
client.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(new HashSet<>(), client.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
client.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (co.cask.cdap.security.spi.authorization.NotFoundException expected) {
// expected
}
}
Also used :
Role(co.cask.cdap.proto.security.Role)
AlreadyExistsException(co.cask.cdap.security.spi.authorization.AlreadyExistsException)
Privilege(co.cask.cdap.proto.security.Privilege)
Principal(co.cask.cdap.proto.security.Principal)
Test(org.junit.Test)
Example 35 with Principal
use of co.cask.cdap.proto.security.Principal in project cdap by caskdata.
the class GrantActionCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
Authorizable authorizable = Authorizable.fromString(arguments.get(ArgumentName.ENTITY.toString()));
String principalName = arguments.get("principal-name");
Principal.PrincipalType principalType = Principal.PrincipalType.valueOf(arguments.get("principal-type").toUpperCase());
Principal principal = new Principal(principalName, principalType);
Set<Action> actions = ACTIONS_STRING_TO_SET.apply(arguments.get("actions"));
// actions is not an optional argument so should never be null
Preconditions.checkNotNull(actions, "Actions can never be null in the grant command.");
client.grant(authorizable, principal, actions);
output.printf("Successfully granted action(s) '%s' on entity '%s' to %s '%s'\n", Joiner.on(",").join(actions), authorizable.toString(), principal.getType(), principal.getName());
}
Also used :
Action(co.cask.cdap.proto.security.Action)
Authorizable(co.cask.cdap.proto.security.Authorizable)
Principal(co.cask.cdap.proto.security.Principal)
Aggregations
Principal (co.cask.cdap.proto.security.Principal)76
EntityId (co.cask.cdap.proto.id.EntityId)22
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)16
Action (co.cask.cdap.proto.security.Action)13
NamespaceId (co.cask.cdap.proto.id.NamespaceId)12
IOException (java.io.IOException)12
Path (javax.ws.rs.Path)11
Test (org.junit.Test)9
Role (co.cask.cdap.proto.security.Role)8
POST (javax.ws.rs.POST)7
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)6
DatasetModuleMeta (co.cask.cdap.proto.DatasetModuleMeta)5
KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId)5
Privilege (co.cask.cdap.proto.security.Privilege)5
DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)4
NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)4
SecureKeyId (co.cask.cdap.proto.id.SecureKeyId)4
DatasetSpecification (co.cask.cdap.api.dataset.DatasetSpecification)3
DatasetModuleConflictException (co.cask.cdap.data2.datafabric.dataset.type.DatasetModuleConflictException)3
DatasetTypeMeta (co.cask.cdap.proto.DatasetTypeMeta)3
