
Example 6 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class HiveExploreServiceStreamTest method grantAndAssertSuccess.

/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and asserts that the principal's privileges
 * afterwards are exactly the privileges it held before plus one {@link Privilege} per granted action.
 *
 * @param entityId the entity the actions are granted on
 * @param principal the principal receiving the grant
 * @param actions the actions to grant
 * @throws Exception if listing or granting privileges fails
 */
private static void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    // Snapshot taken before the grant: the comparison below is an exact-equality check, so a grant that
    // hands out more than the requested actions fails the assertion just like a grant that hands out fewer.
    Set<Privilege> privilegesBeforeGrant = new HashSet<>(authorizer.listPrivileges(principal));
    authorizer.grant(entityId, principal, actions);
    Set<Privilege> expectedAfterGrant = new HashSet<>(privilegesBeforeGrant);
    for (Action grantedAction : actions) {
        expectedAfterGrant.add(new Privilege(entityId, grantedAction));
    }
    Assert.assertEquals(expectedAfterGrant, authorizer.listPrivileges(principal));
}
Also used : Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) Privilege(co.cask.cdap.proto.security.Privilege) HashSet(java.util.HashSet)

Example 7 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class SystemArtifactsAuthorizationTest method testAuthorizationForSystemArtifacts.

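/**
 * Exercises authorization around system artifacts: adding them is refused for alice until she is granted WRITE on
 * {@code NamespaceId.SYSTEM}, deleting one is refused for bob, and the artifacts remain readable from a freshly
 * created namespace after the instance-level grant has been revoked.
 *
 * @throws Exception if any repository, namespace or authorizer call fails unexpectedly
 */
@Test
public void testAuthorizationForSystemArtifacts() throws Exception {
    artifactRepository.addSystemArtifacts();
    // Negative case first: alice holds no privileges yet, so the same call made as alice must be refused.
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        artifactRepository.addSystemArtifacts();
        Assert.fail("Adding system artifacts should have failed because alice does not have write privileges on " + "the CDAP instance.");
    } catch (UnauthorizedException expected) {
        // expected: the unprivileged call was denied
    }
    // Grant alice WRITE on the system namespace and check that this is the only privilege she now holds.
    authorizer.grant(NamespaceId.SYSTEM, ALICE, Collections.singleton(Action.WRITE));
    Assert.assertEquals(Collections.singleton(new Privilege(NamespaceId.SYSTEM, Action.WRITE)), authorizer.listPrivileges(ALICE));
    // refreshing system artifacts should succeed now
    artifactRepository.addSystemArtifacts();
    SecurityRequestContext.setUserId("bob");
    // deleting a system artifact should fail because bob does not have admin privileges on the artifact
    try {
        artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
        // The failure message names the user and entity actually under test here (bob, the artifact); the
        // previous text blamed alice and the CDAP instance, which would misdirect anyone triaging a failure.
        Assert.fail("Deleting a system artifact should have failed because bob does not have admin privileges on the artifact.");
    } catch (UnauthorizedException expected) {
        // expected: bob was never granted anything
    }
    // grant alice admin privileges on the CDAP instance, so she can create a namespace
    SecurityRequestContext.setUserId(ALICE.getName());
    authorizer.grant(instance, ALICE, Collections.singleton(Action.ADMIN));
    NamespaceId namespaceId = new NamespaceId("test");
    namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
    // Drop the instance-level grant again so the reads below do not depend on it.
    authorizer.revoke(instance);
    // test that system artifacts are available to everyone
    List<ArtifactSummary> artifacts = artifactRepository.getArtifactSummaries(namespaceId, true);
    Assert.assertEquals(1, artifacts.size());
    ArtifactSummary artifactSummary = artifacts.get(0);
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
    // test the getArtifact API
    ArtifactDetail artifactDetail = artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId());
    co.cask.cdap.api.artifact.ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
    namespaceAdmin.delete(namespaceId);
    // Positive checks: presumably enforce() throws when the principal lacks the action, so these two calls
    // assert that alice holds every action on the artifact and still holds WRITE on the system namespace.
    authorizer.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(Action.class));
    authorizer.enforce(NamespaceId.SYSTEM, ALICE, Action.WRITE);
    // deleting system artifact should succeed as alice, because alice added the artifacts, so she should have all
    // privileges on it
    artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
    // NOTE(review): the request-context user id is still alice when this method returns, and her WRITE grant on
    // the system namespace is never revoked here; confirm the class's teardown resets both so later tests do
    // not run with inherited privileges.
}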
Also used : Action(co.cask.cdap.proto.security.Action) ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary) NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) NamespaceId(co.cask.cdap.proto.id.NamespaceId) Privilege(co.cask.cdap.proto.security.Privilege) Test(org.junit.Test)

Example 8 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class DatasetClassRewriterTest method testConstructorDefaultAnnotation.

/**
 * Checks what a rewritten {@code TopLevelDirectDataset} records for lineage, audit and authorization when it is
 * constructed with no default access annotation and with ReadOnly, WriteOnly and ReadWrite in turn.
 *
 * @throws Exception if rewriting the class or creating the dataset fails
 */
@Test
public void testConstructorDefaultAnnotation() throws Exception {
    ByteCodeClassLoader rewrittenLoader = new ByteCodeClassLoader(getClass().getClassLoader());
    rewrittenLoader.addClass(rewrite(TopLevelDirectDataset.class));
    InMemoryAccessRecorder accesses = new InMemoryAccessRecorder();
    AuthorizationRecorder authorizations = new AuthorizationRecorder();
    // Every case below constructs the same class through its no-argument constructor.
    String datasetClassName = TopLevelDirectDataset.class.getName();
    Class<?>[] noParamTypes = new Class<?>[0];
    Object[] noArgs = new Object[0];

    // Case 1: no default annotation. Access type is UNKNOWN, yet exactly one enforcement entry is still
    // recorded (as null), i.e. the enforcer is invoked even when no annotation is present.
    createDataset(accesses, authorizations, datasetClassName, rewrittenLoader, noParamTypes, noArgs, null);
    Assert.assertEquals(ImmutableList.of(AccessType.UNKNOWN), accesses.getLineageRecorded());
    Assert.assertEquals(ImmutableList.of(AccessType.UNKNOWN), accesses.getAuditRecorded());
    Assert.assertEquals(1, authorizations.getPrivileges().size());
    Assert.assertNull(authorizations.getPrivileges().get(0));
    accesses.clear();
    authorizations.clear();

    // Case 2: ReadOnly default -> READ access and a single READ privilege on the dataset.
    createDataset(accesses, authorizations, datasetClassName, rewrittenLoader, noParamTypes, noArgs, ReadOnly.class);
    Assert.assertEquals(ImmutableList.of(AccessType.READ), accesses.getLineageRecorded());
    Assert.assertEquals(ImmutableList.of(AccessType.READ), accesses.getAuditRecorded());
    Assert.assertEquals(ImmutableList.of(new Privilege(DATASET_ID, Action.READ)), authorizations.getPrivileges());
    accesses.clear();
    authorizations.clear();

    // Case 3: WriteOnly default -> WRITE access and a single WRITE privilege on the dataset.
    createDataset(accesses, authorizations, datasetClassName, rewrittenLoader, noParamTypes, noArgs, WriteOnly.class);
    Assert.assertEquals(ImmutableList.of(AccessType.WRITE), accesses.getLineageRecorded());
    Assert.assertEquals(ImmutableList.of(AccessType.WRITE), accesses.getAuditRecorded());
    Assert.assertEquals(ImmutableList.of(new Privilege(DATASET_ID, Action.WRITE)), authorizations.getPrivileges());
    accesses.clear();
    authorizations.clear();

    // Case 4: ReadWrite default -> READ_WRITE access; recorded privileges must be drawn from {READ, WRITE}.
    createDataset(accesses, authorizations, datasetClassName, rewrittenLoader, noParamTypes, noArgs, ReadWrite.class);
    Assert.assertEquals(ImmutableList.of(AccessType.READ_WRITE), accesses.getLineageRecorded());
    Assert.assertEquals(ImmutableList.of(AccessType.READ_WRITE), accesses.getAuditRecorded());
    // NOTE(review): this is a subset check, so it also passes when nothing at all was recorded. Unlike the
    // three cases above it would not catch a missing enforcement call; consider additionally asserting that
    // the recorded list is non-empty once the expected entries for ReadWrite are confirmed.
    ImmutableSet<Privilege> allowedPrivileges =
        ImmutableSet.of(new Privilege(DATASET_ID, Action.READ), new Privilege(DATASET_ID, Action.WRITE));
    Assert.assertTrue(allowedPrivileges.containsAll(authorizations.getPrivileges()));
}
Also used : ByteCodeClassLoader(co.cask.cdap.internal.asm.ByteCodeClassLoader) TopLevelDirectDataset(co.cask.cdap.data2.dataset2.customds.TopLevelDirectDataset) Privilege(co.cask.cdap.proto.security.Privilege) Test(org.junit.Test)

Example 9 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class AuthorizerTest method testRBAC.

/**
 * Walks an {@link Authorizer} through its role-based access control operations: creating, listing and dropping
 * roles, attaching a role to a principal and detaching it, and granting and revoking a privilege through a role.
 *
 * @throws Exception if an authorizer call fails in a way the test does not expect
 */
@Test
public void testRBAC() throws Exception {
    Authorizer authorizer = get();
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");

    // --- role lifecycle ---
    authorizer.createRole(admins);
    authorizer.createRole(engineers);
    // both roles must be listed, and nothing else
    Set<Role> expectedAllRoles = new HashSet<>();
    expectedAllRoles.add(admins);
    expectedAllRoles.add(engineers);
    Set<Role> listedRoles = authorizer.listAllRoles();
    Assert.assertEquals(expectedAllRoles, listedRoles);
    // a duplicate create must be rejected rather than silently accepted
    try {
        authorizer.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (RoleAlreadyExistsException expected) {
        // expected
    }
    // after dropping admins only engineers remains
    authorizer.dropRole(admins);
    listedRoles = authorizer.listAllRoles();
    Assert.assertEquals(Collections.singleton(engineers), listedRoles);
    // dropping the same role a second time must be rejected
    try {
        authorizer.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
    } catch (RoleNotFoundException expected) {
        // expected
    }

    // --- role membership ---
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    authorizer.addRoleToPrincipal(engineers, spiderman);
    // admins was dropped above, so attaching it to a principal must be rejected
    try {
        authorizer.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (RoleNotFoundException expected) {
        // expected
    }
    // spiderman holds exactly the engineers role
    Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));

    // --- authorization through a role ---
    NamespaceId ns1 = new NamespaceId("ns1");
    // membership alone confers nothing: before any grant, READ on ns1 is denied
    verifyAuthFailure(ns1, spiderman, Action.READ);
    // the grant goes to the role, not to the user
    authorizer.grant(ns1, engineers, Collections.singleton(Action.READ));
    // spiderman is now authorized via the role
    authorizer.enforce(ns1, spiderman, Action.READ);
    // and his listed privileges are exactly READ on ns1
    Assert.assertEquals(Collections.singleton(new Privilege(ns1, Action.READ)), authorizer.listPrivileges(spiderman));
    // revoking from the role must take the privilege away from its members as well
    authorizer.revoke(ns1, engineers, Collections.singleton(Action.READ));
    Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(spiderman));
    // the revoked action is denied again
    verifyAuthFailure(ns1, spiderman, Action.READ);

    // --- detaching the role ---
    authorizer.removeRoleFromPrincipal(engineers, spiderman);
    Assert.assertEquals(Collections.emptySet(), authorizer.listRoles(spiderman));
    // detaching a role that no longer exists must be rejected
    try {
        authorizer.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (RoleNotFoundException expected) {
        // expected
    }
}
Also used : Role(co.cask.cdap.proto.security.Role) NamespaceId(co.cask.cdap.proto.id.NamespaceId) Privilege(co.cask.cdap.proto.security.Privilege) Principal(co.cask.cdap.proto.security.Principal) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 10 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class AuthorizerTest method testSimple.

/**
 * Covers the basic grant/revoke cycle for one user on one namespace: READ is denied before the grant, allowed and
 * listed after it, and denied again once it is revoked.
 *
 * @throws Exception if an authorizer call fails in a way the test does not expect
 */
@Test
public void testSimple() throws Exception {
    Authorizer authorizer = get();
    // Start from the denied state so the later enforce() success can only be attributed to the grant.
    verifyAuthFailure(namespace, user, Action.READ);

    authorizer.grant(namespace, user, Collections.singleton(Action.READ));
    authorizer.enforce(namespace, user, Action.READ);
    // Exact equality: the grant must yield READ on the namespace and no additional privilege.
    Set<Privilege> expectedPrivileges = Collections.singleton(new Privilege(namespace, Action.READ));
    Assert.assertEquals(expectedPrivileges, authorizer.listPrivileges(user));

    // Revocation must bring the user back to the denied state.
    authorizer.revoke(namespace, user, Collections.singleton(Action.READ));
    verifyAuthFailure(namespace, user, Action.READ);
}
Also used : Privilege(co.cask.cdap.proto.security.Privilege) HashSet(java.util.HashSet) Test(org.junit.Test)
