Example 1 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class AuthorizationHandlerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
client.createRole(admins);
// add another role
client.createRole(engineers);
// listing role should show the added role
Set<Role> roles = client.listAllRoles();
Assert.assertEquals(Sets.newHashSet(admins, engineers), roles);
// creating a role which already exists should throw an exception
try {
client.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (RoleAlreadyExistsException expected) {
// expected
}
// drop an existing role
client.dropRole(admins);
// the list should not have the dropped role
roles = client.listAllRoles();
Assert.assertEquals(Sets.newHashSet(engineers), roles);
// dropping a non-existing role should throw exception
try {
client.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (RoleNotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
client.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
client.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (RoleNotFoundException expected) {
// expected
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Sets.newHashSet(engineers), client.listRoles(spiderman));
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, Action.READ);
// give a permission to engineers role
client.grant(ns1, engineers, ImmutableSet.of(Action.READ));
// check that a spiderman who has engineers role has access
verifyAuthSuccess(ns1, spiderman, Action.READ);
// list privileges for spiderman should have read action on ns1
Assert.assertEquals(Sets.newHashSet(new Privilege(ns1, Action.READ)), client.listPrivileges(spiderman));
// revoke action from the role
client.revoke(ns1, engineers, ImmutableSet.of(Action.READ));
// now the privileges for spiderman should be empty
Assert.assertEquals(new HashSet<>(), client.listPrivileges(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, Action.READ);
// remove an user from a existing role
client.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(new HashSet<>(), client.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
client.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (RoleNotFoundException expected) {
// expected
}
}
Also used :
Role(co.cask.cdap.proto.security.Role)
RoleAlreadyExistsException(co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException)
RoleNotFoundException(co.cask.cdap.security.spi.authorization.RoleNotFoundException)
Privilege(co.cask.cdap.proto.security.Privilege)
Principal(co.cask.cdap.proto.security.Principal)
Test(org.junit.Test)
Example 2 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class AuthorizationHandlerTest method verifyAuthFailure.
private void verifyAuthFailure(EntityId entity, Principal principal, Action action) throws Exception {
Set<Privilege> privileges = client.listPrivileges(principal);
Privilege privilegeToCheck = new Privilege(entity, action);
Assert.assertFalse(String.format("Expected principal %s to not have the privilege %s, but found that it did.", principal, privilegeToCheck), privileges.contains(privilegeToCheck));
}
Also used :
Privilege(co.cask.cdap.proto.security.Privilege)
Example 3 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class StreamAdminTest method grantAndAssertSuccess.
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
Authorizer authorizer = getAuthorizer();
Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
authorizer.grant(entityId, principal, actions);
ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
for (Action action : actions) {
expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
}
Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), authorizer.listPrivileges(principal));
}
Also used :
Action(co.cask.cdap.proto.security.Action)
ImmutableSet(com.google.common.collect.ImmutableSet)
InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer)
Authorizer(co.cask.cdap.security.spi.authorization.Authorizer)
Privilege(co.cask.cdap.proto.security.Privilege)
Example 4 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class ListPrivilegesCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
String principalType = arguments.get(ArgumentName.PRINCIPAL_TYPE.toString());
String principalName = arguments.get(ArgumentName.PRINCIPAL_NAME.toString());
Table table = Table.builder().setHeader("Entity", "Action").setRows(Lists.newArrayList(client.listPrivileges(new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase())))), new RowMaker<Privilege>() {
@Override
public List<?> makeRow(Privilege privilege) {
return Lists.newArrayList(privilege.getEntity().toString(), privilege.getAction().name());
}
}).build();
cliConfig.getTableRenderer().render(cliConfig, output, table);
}Example 5 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class HiveExploreServiceStreamTest method revokeAndAssertSuccess.
private static void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
Set<Privilege> existingPrivileges = new HashSet<>(authorizer.listPrivileges(principal));
authorizer.revoke(entityId, principal, actions);
for (Action action : actions) {
existingPrivileges.remove(new Privilege(entityId, action));
}
Assert.assertEquals(existingPrivileges, authorizer.listPrivileges(principal));
}Aggregations
Privilege (co.cask.cdap.proto.security.Privilege)24
Action (co.cask.cdap.proto.security.Action)12
HashSet (java.util.HashSet)8
InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer)7
Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)7
Test (org.junit.Test)7
ImmutableSet (com.google.common.collect.ImmutableSet)5
Principal (co.cask.cdap.proto.security.Principal)4
Role (co.cask.cdap.proto.security.Role)3
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)3
NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)2
NamespaceId (co.cask.cdap.proto.id.NamespaceId)2
Predicate (com.google.common.base.Predicate)2
ArtifactSummary (co.cask.cdap.api.artifact.ArtifactSummary)1
RowMaker (co.cask.cdap.cli.util.RowMaker)1
Table (co.cask.cdap.cli.util.table.Table)1
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)1
NamespaceAdmin (co.cask.cdap.common.namespace.NamespaceAdmin)1
TopLevelDirectDataset (co.cask.cdap.data2.dataset2.customds.TopLevelDirectDataset)1
ByteCodeClassLoader (co.cask.cdap.internal.asm.ByteCodeClassLoader)1
