
Example 16 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method testSecureStoreAccess.

/**
 * Walks one secure key through its authorization lifecycle: a denied write, a write after a
 * namespace-level WRITE grant, listing, a read after READ grants, a denied delete, and a delete
 * after an ADMIN grant on the key. It ends by checking that no privilege on the deleted key is
 * still listed for either principal.
 *
 * NOTE(review): the user id set through SecurityRequestContext is not restored in this method;
 * confirm the test class resets it in teardown so it cannot leak into later tests.
 * NOTE(review): there is no negative check that BOB is denied getSecureData before the READ
 * grants are issued; only the write and delete paths have a denial assertion.
 */
@Test
public void testSecureStoreAccess() throws Exception {
    final SecureKeyId secureKeyId1 = NamespaceId.DEFAULT.secureKey(KEY1);
    // All store calls below run as ALICE until the context is switched to BOB.
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        secureStoreManager.putSecureData(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
        Assert.fail("Alice should not be able to store a key since she does not have WRITE privileges on the namespace");
    } catch (UnauthorizedException expected) {
    // expected: the put must be rejected before any grant has been made
    }
    // Grant ALICE write access to the namespace
    grantAndAssertSuccess(NamespaceId.DEFAULT, ALICE, EnumSet.of(Action.WRITE));
    // Write should succeed
    secureStoreManager.putSecureData(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
    // Listing should return the value just written (the map is key name -> description, not the secret)
    Map<String, String> secureKeyListEntries = secureStore.listSecureData(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, secureKeyListEntries.size());
    Assert.assertTrue(secureKeyListEntries.containsKey(KEY1));
    Assert.assertEquals(DESCRIPTION1, secureKeyListEntries.get(KEY1));
    // Revoke every action ALICE holds on the key itself; her namespace WRITE grant is left in place.
    // revokeAndAssertSuccess is a helper defined outside this excerpt.
    revokeAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(Action.class));
    // Should still be able to list the keys since ALICE has namespace access privilege
    secureKeyListEntries = secureStore.listSecureData(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, secureKeyListEntries.size());
    // Give BOB read access and verify that he can read the stored data
    SecurityRequestContext.setUserId(BOB.getName());
    grantAndAssertSuccess(NamespaceId.DEFAULT, BOB, EnumSet.of(Action.READ));
    grantAndAssertSuccess(secureKeyId1, BOB, EnumSet.of(Action.READ));
    Assert.assertEquals(VALUE1, new String(secureStore.getSecureData(NamespaceId.DEFAULT.getNamespace(), KEY1).get(), Charsets.UTF_8));
    secureKeyListEntries = secureStore.listSecureData(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, secureKeyListEntries.size());
    // BOB should not be able to delete the key: he holds READ only at this point
    try {
        secureStoreManager.deleteSecureData(NamespaceId.DEFAULT.getNamespace(), KEY1);
        Assert.fail("Bob should not be able to delete a key since he does not have ADMIN privileges on the key");
    } catch (UnauthorizedException expected) {
    // expected: delete must be rejected without ADMIN on the key
    }
    // Grant Bob ADMIN access and he should be able to delete the key
    grantAndAssertSuccess(secureKeyId1, BOB, ImmutableSet.of(Action.ADMIN));
    secureStoreManager.deleteSecureData(NamespaceId.DEFAULT.getNamespace(), KEY1);
    Assert.assertEquals(0, secureStore.listSecureData(NamespaceId.DEFAULT.getNamespace()).size());
    // Selects only the privileges whose entity is the key that was just deleted.
    Predicate<Privilege> secureKeyIdFilter = new Predicate<Privilege>() {

        @Override
        public boolean apply(Privilege input) {
            return input.getEntity().equals(secureKeyId1);
        }
    };
    // BOB's READ and ADMIN grants on the key are never revoked in this method, so these assertions
    // pass only if deleting the key also removes the privileges recorded on it (the cleanup itself
    // is not visible here). This guards against stale grants outliving the entity they refer to.
    Assert.assertTrue(Sets.filter(authorizer.listPrivileges(ALICE), secureKeyIdFilter).isEmpty());
    Assert.assertTrue(Sets.filter(authorizer.listPrivileges(BOB), secureKeyIdFilter).isEmpty());
}
Also used : Action(co.cask.cdap.proto.security.Action) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Privilege(co.cask.cdap.proto.security.Privilege) Predicate(com.google.common.base.Predicate) Test(org.junit.Test)

Example 17 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method grantAndAssertSuccess.

/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and asserts that the principal's
 * listed privileges afterwards are exactly the previously listed ones plus one privilege per
 * granted action.
 *
 * <p>The comparison is set equality, so it fails both when a requested privilege is missing and
 * when the grant produced any privilege beyond the requested ones.
 *
 * @param entityId the entity the privileges are granted on
 * @param principal the principal receiving the privileges
 * @param actions the actions to grant
 * @throws Exception if listing or granting fails
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    // Snapshot what the principal is listed with before the grant is applied.
    Set<Privilege> privilegesBeforeGrant = authorizer.listPrivileges(principal);
    authorizer.grant(entityId, principal, actions);

    // One (entity, action) privilege is expected for every granted action.
    ImmutableSet.Builder<Privilege> newlyGranted = ImmutableSet.builder();
    for (Action grantedAction : actions) {
        Privilege privilege = new Privilege(entityId, grantedAction);
        newlyGranted.add(privilege);
    }

    Set<Privilege> expectedAfterGrant = Sets.union(privilegesBeforeGrant, newlyGranted.build());
    Set<Privilege> actualAfterGrant = authorizer.listPrivileges(principal);
    Assert.assertEquals(expectedAfterGrant, actualAfterGrant);
}
Also used : Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) Privilege(co.cask.cdap.proto.security.Privilege)

Example 18 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class AuthorizationHandlerTest method verifyAuthSuccess.

/**
 * Asserts that the privileges the client lists for {@code principal} include {@code action} on
 * {@code entity}.
 *
 * <p>This is a containment check only: it does not fail if the principal holds additional
 * privileges beyond the one being verified.
 *
 * @param entity the entity the privilege applies to
 * @param principal the principal whose privileges are listed
 * @param action the action expected to be granted on the entity
 * @throws Exception if listing the privileges fails
 */
private void verifyAuthSuccess(EntityId entity, Principal principal, Action action) throws Exception {
    Set<Privilege> listedPrivileges = client.listPrivileges(principal);
    Privilege privilegeToCheck = new Privilege(entity, action);
    String failureMessage = String.format(
        "Expected principal %s to have the privilege %s, but found that it did not.", principal, privilegeToCheck);
    boolean hasPrivilege = listedPrivileges.contains(privilegeToCheck);
    Assert.assertTrue(failureMessage, hasPrivilege);
}
Also used : Privilege(co.cask.cdap.proto.security.Privilege)

Example 19 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class DatasetServiceAuthorizationTest method grantAndAssertSuccess.

/**
 * Applies a grant through the authorizer and verifies its effect on the principal's listed
 * privileges.
 *
 * <p>The expected result is the set listed before the grant, unioned with one privilege on
 * {@code entityId} per action. Because the check is set equality, a grant that adds more than
 * was requested fails the assertion just as a missing privilege does.
 *
 * @param entityId the entity to grant on
 * @param principal the principal to grant to
 * @param actions the actions being granted
 * @throws Exception if the authorizer calls fail
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    // Taken before the grant so the assertion can tell new privileges from existing ones.
    Set<Privilege> priorPrivileges = authorizer.listPrivileges(principal);
    authorizer.grant(entityId, principal, actions);

    ImmutableSet.Builder<Privilege> addedByGrant = ImmutableSet.builder();
    for (Action each : actions) {
        addedByGrant.add(new Privilege(entityId, each));
    }
    Set<Privilege> expected = Sets.union(priorPrivileges, addedByGrant.build());

    Assert.assertEquals(expected, authorizer.listPrivileges(principal));
}
Also used : Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) Privilege(co.cask.cdap.proto.security.Privilege)

Example 20 with Privilege

use of co.cask.cdap.proto.security.Privilege in project cdap by caskdata.

the class InMemoryAuthorizer method listPrivileges.

/**
 * Lists the privileges reported for {@code principal}: its own privileges and, when the principal
 * is not itself a role, the privileges of the roles known to this authorizer.
 *
 * <p>NOTE(review): the role loop walks every key of {@code roleToPrincipals} and never checks
 * whether {@code principal} is a member of that role. As written, any user or group principal is
 * reported with the privileges of all roles, not only the roles it belongs to. Confirm whether
 * this is a deliberate simplification of the in-memory authorizer or whether membership should
 * be checked before a role's privileges are added.
 *
 * @param principal the principal whose privileges are listed
 * @return an unmodifiable set of the collected privileges
 */
@Override
public Set<Privilege> listPrivileges(Principal principal) {
    // Start from the privileges held directly by the principal.
    Set<Privilege> collected = new HashSet<>(getPrivileges(principal));

    // Roles are not expanded through other roles; only non-role principals pick up role privileges.
    boolean isRole = principal.getType() == Principal.PrincipalType.ROLE;
    if (!isRole) {
        for (Role knownRole : roleToPrincipals.keySet()) {
            collected.addAll(getPrivileges(knownRole));
        }
    }

    return Collections.unmodifiableSet(collected);
}
Also used : Role(co.cask.cdap.proto.security.Role) Privilege(co.cask.cdap.proto.security.Privilege) HashSet(java.util.HashSet)
