Example 6 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class HiveExploreServiceStreamTest method grantAndAssertSuccess.
private static void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
Set<Privilege> existingPrivileges = new HashSet<>(authorizer.listPrivileges(principal));
authorizer.grant(entityId, principal, actions);
ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
for (Action action : actions) {
expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
}
Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), authorizer.listPrivileges(principal));
}
Also used :
Action(co.cask.cdap.proto.security.Action)
ImmutableSet(com.google.common.collect.ImmutableSet)
Privilege(co.cask.cdap.proto.security.Privilege)
HashSet(java.util.HashSet)
Example 7 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class SystemArtifactsAuthorizationTest method testAuthorizationForSystemArtifacts.
@Test
public void testAuthorizationForSystemArtifacts() throws Exception {
artifactRepository.addSystemArtifacts();
// alice should not be able to refresh system artifacts because she does not have write privileges on the
// CDAP instance
SecurityRequestContext.setUserId(ALICE.getName());
try {
artifactRepository.addSystemArtifacts();
Assert.fail("Adding system artifacts should have failed because alice does not have write privileges on " + "the CDAP instance.");
} catch (UnauthorizedException expected) {
// expected
}
// grant alice write privileges on the CDAP instance
authorizer.grant(NamespaceId.SYSTEM, ALICE, Collections.singleton(Action.WRITE));
Assert.assertEquals(Collections.singleton(new Privilege(NamespaceId.SYSTEM, Action.WRITE)), authorizer.listPrivileges(ALICE));
// refreshing system artifacts should succeed now
artifactRepository.addSystemArtifacts();
SecurityRequestContext.setUserId("bob");
// deleting a system artifact should fail because bob does not have admin privileges on the artifact
try {
artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
Assert.fail("Deleting a system artifact should have failed because alice does not have admin privileges on " + "the CDAP instance.");
} catch (UnauthorizedException expected) {
// expected
}
// grant alice admin privileges on the CDAP instance, so she can create a namespace
SecurityRequestContext.setUserId(ALICE.getName());
authorizer.grant(instance, ALICE, Collections.singleton(Action.ADMIN));
NamespaceId namespaceId = new NamespaceId("test");
namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
authorizer.revoke(instance);
// test that system artifacts are available to everyone
List<ArtifactSummary> artifacts = artifactRepository.getArtifactSummaries(namespaceId, true);
Assert.assertEquals(1, artifacts.size());
ArtifactSummary artifactSummary = artifacts.get(0);
Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
// test the getArtifact API
ArtifactDetail artifactDetail = artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId());
co.cask.cdap.api.artifact.ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
namespaceAdmin.delete(namespaceId);
authorizer.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(Action.class));
authorizer.enforce(NamespaceId.SYSTEM, ALICE, Action.WRITE);
// deleting system artifact should succeed as alice, because alice added the artifacts, so she should have all
// privileges on it
artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
}
Also used :
Action(co.cask.cdap.proto.security.Action)
ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary)
NamespaceMeta(co.cask.cdap.proto.NamespaceMeta)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
NamespaceId(co.cask.cdap.proto.id.NamespaceId)
Privilege(co.cask.cdap.proto.security.Privilege)
Test(org.junit.Test)
Example 8 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class DatasetClassRewriterTest method testConstructorDefaultAnnotation.
@Test
public void testConstructorDefaultAnnotation() throws Exception {
ByteCodeClassLoader classLoader = new ByteCodeClassLoader(getClass().getClassLoader());
classLoader.addClass(rewrite(TopLevelDirectDataset.class));
InMemoryAccessRecorder accessRecorder = new InMemoryAccessRecorder();
AuthorizationRecorder authorizationRecorder = new AuthorizationRecorder();
// Test constructor no default
createDataset(accessRecorder, authorizationRecorder, TopLevelDirectDataset.class.getName(), classLoader, new Class<?>[0], new Object[0], null);
Assert.assertEquals(ImmutableList.of(AccessType.UNKNOWN), accessRecorder.getLineageRecorded());
Assert.assertEquals(ImmutableList.of(AccessType.UNKNOWN), accessRecorder.getAuditRecorded());
Assert.assertEquals(1, authorizationRecorder.getPrivileges().size());
// Expects the enforcer still get called
Assert.assertNull(authorizationRecorder.getPrivileges().get(0));
accessRecorder.clear();
authorizationRecorder.clear();
// Test constructor default ReadOnly
createDataset(accessRecorder, authorizationRecorder, TopLevelDirectDataset.class.getName(), classLoader, new Class<?>[0], new Object[0], ReadOnly.class);
Assert.assertEquals(ImmutableList.of(AccessType.READ), accessRecorder.getLineageRecorded());
Assert.assertEquals(ImmutableList.of(AccessType.READ), accessRecorder.getAuditRecorded());
Assert.assertEquals(ImmutableList.of(new Privilege(DATASET_ID, Action.READ)), authorizationRecorder.getPrivileges());
accessRecorder.clear();
authorizationRecorder.clear();
// Test constructor default WriteOnly
createDataset(accessRecorder, authorizationRecorder, TopLevelDirectDataset.class.getName(), classLoader, new Class<?>[0], new Object[0], WriteOnly.class);
Assert.assertEquals(ImmutableList.of(AccessType.WRITE), accessRecorder.getLineageRecorded());
Assert.assertEquals(ImmutableList.of(AccessType.WRITE), accessRecorder.getAuditRecorded());
Assert.assertEquals(ImmutableList.of(new Privilege(DATASET_ID, Action.WRITE)), authorizationRecorder.getPrivileges());
accessRecorder.clear();
authorizationRecorder.clear();
// Test constructor default ReadWrite
createDataset(accessRecorder, authorizationRecorder, TopLevelDirectDataset.class.getName(), classLoader, new Class<?>[0], new Object[0], ReadWrite.class);
Assert.assertEquals(ImmutableList.of(AccessType.READ_WRITE), accessRecorder.getLineageRecorded());
Assert.assertEquals(ImmutableList.of(AccessType.READ_WRITE), accessRecorder.getAuditRecorded());
Assert.assertTrue(ImmutableSet.of(new Privilege(DATASET_ID, Action.READ), new Privilege(DATASET_ID, Action.WRITE)).containsAll(authorizationRecorder.getPrivileges()));
}
Also used :
ByteCodeClassLoader(co.cask.cdap.internal.asm.ByteCodeClassLoader)
TopLevelDirectDataset(co.cask.cdap.data2.dataset2.customds.TopLevelDirectDataset)
Privilege(co.cask.cdap.proto.security.Privilege)
Test(org.junit.Test)
Example 9 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class AuthorizerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
Authorizer authorizer = get();
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
authorizer.createRole(admins);
// add another role
authorizer.createRole(engineers);
// listing role should show the added role
Set<Role> roles = authorizer.listAllRoles();
Set<Role> expectedRoles = new HashSet<>();
expectedRoles.add(admins);
expectedRoles.add(engineers);
Assert.assertEquals(expectedRoles, roles);
// creating a role which already exists should throw an exception
try {
authorizer.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (RoleAlreadyExistsException expected) {
// expected
}
// drop an existing role
authorizer.dropRole(admins);
// the list should not have the dropped role
roles = authorizer.listAllRoles();
Assert.assertEquals(Collections.singleton(engineers), roles);
// dropping a non-existing role should throw exception
try {
authorizer.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (RoleNotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
authorizer.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
authorizer.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (RoleNotFoundException expected) {
// expectedRoles
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
// authorization checks with roles
NamespaceId ns1 = new NamespaceId("ns1");
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, Action.READ);
// give a permission to engineers role
authorizer.grant(ns1, engineers, Collections.singleton(Action.READ));
// check that a spiderman who has engineers role has access
authorizer.enforce(ns1, spiderman, Action.READ);
// list privileges for spiderman should have read action on ns1
Assert.assertEquals(Collections.singleton(new Privilege(ns1, Action.READ)), authorizer.listPrivileges(spiderman));
// revoke action from the role
authorizer.revoke(ns1, engineers, Collections.singleton(Action.READ));
// now the privileges for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listPrivileges(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, Action.READ);
// remove an user from a existing role
authorizer.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
authorizer.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (RoleNotFoundException expected) {
// expectedRoles
}
}Example 10 with Privilege
use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.
the class AuthorizerTest method testSimple.
@Test
public void testSimple() throws Exception {
Authorizer authorizer = get();
verifyAuthFailure(namespace, user, Action.READ);
authorizer.grant(namespace, user, Collections.singleton(Action.READ));
authorizer.enforce(namespace, user, Action.READ);
Set<Privilege> expectedPrivileges = new HashSet<>();
expectedPrivileges.add(new Privilege(namespace, Action.READ));
Assert.assertEquals(expectedPrivileges, authorizer.listPrivileges(user));
authorizer.revoke(namespace, user, Collections.singleton(Action.READ));
verifyAuthFailure(namespace, user, Action.READ);
}Aggregations
Privilege (co.cask.cdap.proto.security.Privilege)24
Action (co.cask.cdap.proto.security.Action)12
HashSet (java.util.HashSet)8
InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer)7
Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)7
Test (org.junit.Test)7
ImmutableSet (com.google.common.collect.ImmutableSet)5
Principal (co.cask.cdap.proto.security.Principal)4
Role (co.cask.cdap.proto.security.Role)3
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)3
NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)2
NamespaceId (co.cask.cdap.proto.id.NamespaceId)2
Predicate (com.google.common.base.Predicate)2
ArtifactSummary (co.cask.cdap.api.artifact.ArtifactSummary)1
RowMaker (co.cask.cdap.cli.util.RowMaker)1
Table (co.cask.cdap.cli.util.table.Table)1
MethodArgument (co.cask.cdap.common.internal.remote.MethodArgument)1
NamespaceAdmin (co.cask.cdap.common.namespace.NamespaceAdmin)1
TopLevelDirectDataset (co.cask.cdap.data2.dataset2.customds.TopLevelDirectDataset)1
ByteCodeClassLoader (co.cask.cdap.internal.asm.ByteCodeClassLoader)1
