Example 1 with Privilege

Use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

From class AuthorizationHandlerTest, method testRBAC. The test exercises the full role lifecycle: create, list, duplicate-create failure, drop, drop-missing failure, then role membership and the privileges a principal inherits through a role.

@Test
public void testRBAC() throws Exception {
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");
    // create a role
    client.createRole(admins);
    // add another role
    client.createRole(engineers);
    // listing roles should show both added roles
    Set<Role> roles = client.listAllRoles();
    Assert.assertEquals(Sets.newHashSet(admins, engineers), roles);
    // creating a role which already exists should throw an exception
    try {
        client.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (RoleAlreadyExistsException expected) {
        // expected
    }
    // drop an existing role
    client.dropRole(admins);
    // the list should not have the dropped role
    roles = client.listAllRoles();
    Assert.assertEquals(Sets.newHashSet(engineers), roles);
    // dropping a non-existing role should throw an exception
    try {
        client.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exist. Should have failed.", admins.getName()));
    } catch (RoleNotFoundException expected) {
        // expected
    }
    // add a user to an existing role
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    client.addRoleToPrincipal(engineers, spiderman);
    // adding a user to a non-existing role should throw an exception
    try {
        client.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (RoleNotFoundException expected) {
        // expected
    }
    // listing roles for spiderman should show the engineers role
    Assert.assertEquals(Sets.newHashSet(engineers), client.listRoles(spiderman));
    // spiderman, who has the engineers role, cannot yet read from ns1 (no grant on the role)
    verifyAuthFailure(ns1, spiderman, Action.READ);
    // give a permission to the engineers role
    client.grant(ns1, engineers, ImmutableSet.of(Action.READ));
    // spiderman now has access through the engineers role
    verifyAuthSuccess(ns1, spiderman, Action.READ);
    // listing privileges for spiderman should show the READ action on ns1
    Assert.assertEquals(Sets.newHashSet(new Privilege(ns1, Action.READ)), client.listPrivileges(spiderman));
    // revoke the action from the role
    client.revoke(ns1, engineers, ImmutableSet.of(Action.READ));
    // now the privileges for spiderman should be empty
    Assert.assertEquals(new HashSet<>(), client.listPrivileges(spiderman));
    // check that a member of this role is no longer authorized to do the revoked operation
    verifyAuthFailure(ns1, spiderman, Action.READ);
    // remove a user from an existing role
    client.removeRoleFromPrincipal(engineers, spiderman);
    // listing roles for spiderman should now be empty
    Assert.assertEquals(new HashSet<>(), client.listRoles(spiderman));
    // removing a user from a non-existing role should throw an exception
    try {
        client.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (RoleNotFoundException expected) {
        // expected
    }
}
Also used: Role(co.cask.cdap.proto.security.Role) RoleAlreadyExistsException(co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException) RoleNotFoundException(co.cask.cdap.security.spi.authorization.RoleNotFoundException) Privilege(co.cask.cdap.proto.security.Privilege) Principal(co.cask.cdap.proto.security.Principal) Test(org.junit.Test)

Example 2 with Privilege

Use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

From class AuthorizationHandlerTest, method verifyAuthFailure. The helper asserts a negative: the principal's listed privileges must not contain the (entity, action) pair being checked.

private void verifyAuthFailure(EntityId entity, Principal principal, Action action) throws Exception {
    Set<Privilege> privileges = client.listPrivileges(principal);
    Privilege privilegeToCheck = new Privilege(entity, action);
    Assert.assertFalse(String.format("Expected principal %s to not have the privilege %s, but found that it did.", principal, privilegeToCheck), privileges.contains(privilegeToCheck));
}
Also used: Privilege(co.cask.cdap.proto.security.Privilege)

Example 3 with Privilege

Use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

From class StreamAdminTest, method grantAndAssertSuccess. After a grant, the principal's privilege set must equal the union of its previous privileges and one Privilege per granted action.

private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    Authorizer authorizer = getAuthorizer();
    Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
    authorizer.grant(entityId, principal, actions);
    ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Action action : actions) {
        expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), authorizer.listPrivileges(principal));
}
Also used: Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) Privilege(co.cask.cdap.proto.security.Privilege)

Example 4 with Privilege

Use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

From class ListPrivilegesCommand, method perform. The CLI command resolves the principal from its arguments and renders each of its privileges as an (Entity, Action) table row.

@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    String principalType = arguments.get(ArgumentName.PRINCIPAL_TYPE.toString());
    String principalName = arguments.get(ArgumentName.PRINCIPAL_NAME.toString());
    // build the principal whose privileges are to be listed; the type argument is case-insensitive
    Principal principal = new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase()));
    Table table = Table.builder()
        .setHeader("Entity", "Action")
        .setRows(Lists.newArrayList(client.listPrivileges(principal)), new RowMaker<Privilege>() {
            @Override
            public List<?> makeRow(Privilege privilege) {
                return Lists.newArrayList(privilege.getEntity().toString(), privilege.getAction().name());
            }
        })
        .build();
    cliConfig.getTableRenderer().render(cliConfig, output, table);
}
Also used: Table(co.cask.cdap.cli.util.table.Table) RowMaker(co.cask.cdap.cli.util.RowMaker) Privilege(co.cask.cdap.proto.security.Privilege) Principal(co.cask.cdap.proto.security.Principal)

Example 5 with Privilege

Use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

From class HiveExploreServiceStreamTest, method revokeAndAssertSuccess. The mirror of the grant helper: after a revoke, the principal's privilege set must equal its previous privileges minus one Privilege per revoked action.

private static void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    Set<Privilege> existingPrivileges = new HashSet<>(authorizer.listPrivileges(principal));
    authorizer.revoke(entityId, principal, actions);
    for (Action action : actions) {
        existingPrivileges.remove(new Privilege(entityId, action));
    }
    Assert.assertEquals(existingPrivileges, authorizer.listPrivileges(principal));
}
Also used: Action(co.cask.cdap.proto.security.Action) Privilege(co.cask.cdap.proto.security.Privilege) HashSet(java.util.HashSet)

Aggregations

Privilege (co.cask.cdap.proto.security.Privilege) 24
Action (co.cask.cdap.proto.security.Action) 12
HashSet (java.util.HashSet) 8
InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer) 7
Authorizer (co.cask.cdap.security.spi.authorization.Authorizer) 7
Test (org.junit.Test) 7
ImmutableSet (com.google.common.collect.ImmutableSet) 5
Principal (co.cask.cdap.proto.security.Principal) 4
Role (co.cask.cdap.proto.security.Role) 3
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException) 3
NamespaceMeta (co.cask.cdap.proto.NamespaceMeta) 2
NamespaceId (co.cask.cdap.proto.id.NamespaceId) 2
Predicate (com.google.common.base.Predicate) 2
ArtifactSummary (co.cask.cdap.api.artifact.ArtifactSummary) 1
RowMaker (co.cask.cdap.cli.util.RowMaker) 1
Table (co.cask.cdap.cli.util.table.Table) 1
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument) 1
NamespaceAdmin (co.cask.cdap.common.namespace.NamespaceAdmin) 1
TopLevelDirectDataset (co.cask.cdap.data2.dataset2.customds.TopLevelDirectDataset) 1
ByteCodeClassLoader (co.cask.cdap.internal.asm.ByteCodeClassLoader) 1