Example 1 with Role
use of co.cask.cdap.proto.security.Role in project cdap by caskdata.
the class AuthorizerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
Authorizer authorizer = get();
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
authorizer.createRole(admins);
// add another role
authorizer.createRole(engineers);
// listing role should show the added role
Set<Role> roles = authorizer.listAllRoles();
Set<Role> expectedRoles = new HashSet<>();
expectedRoles.add(admins);
expectedRoles.add(engineers);
Assert.assertEquals(expectedRoles, roles);
// creating a role which already exists should throw an exception
try {
authorizer.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (AlreadyExistsException expected) {
// expected
}
// drop an existing role
authorizer.dropRole(admins);
// the list should not have the dropped role
roles = authorizer.listAllRoles();
Assert.assertEquals(Collections.singleton(engineers), roles);
// dropping a non-existing role should throw exception
try {
authorizer.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (NotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
authorizer.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
authorizer.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
// expectedRoles
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
// authorization checks with roles
NamespaceId ns1 = new NamespaceId("ns1");
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, Action.READ);
// give a permission to engineers role
authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(Action.READ));
// check that a spiderman who has engineers role has access
authorizer.enforce(ns1, spiderman, Action.READ);
// list privileges for spiderman should have read action on ns1
Assert.assertEquals(Collections.singleton(new Privilege(ns1, Action.READ)), authorizer.listPrivileges(spiderman));
// revoke action from the role
authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(Action.READ));
// now the privileges for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listPrivileges(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, Action.READ);
// remove an user from a existing role
authorizer.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
authorizer.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
// expectedRoles
}
}Example 2 with Role
use of co.cask.cdap.proto.security.Role in project cdap by caskdata.
the class AuthorizationHandlerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
client.createRole(admins);
// add another role
client.createRole(engineers);
// listing role should show the added role
Set<Role> roles = client.listAllRoles();
Assert.assertEquals(Sets.newHashSet(admins, engineers), roles);
// creating a role which already exists should throw an exception
try {
client.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (AlreadyExistsException expected) {
// expected
}
// drop an existing role
client.dropRole(admins);
// the list should not have the dropped role
roles = client.listAllRoles();
Assert.assertEquals(Sets.newHashSet(engineers), roles);
// dropping a non-existing role should throw exception
try {
client.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (co.cask.cdap.security.spi.authorization.NotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
client.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
client.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (co.cask.cdap.security.spi.authorization.NotFoundException expected) {
// expected
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Sets.newHashSet(engineers), client.listRoles(spiderman));
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, Action.READ);
// give a permission to engineers role
client.grant(Authorizable.fromEntityId(ns1), engineers, ImmutableSet.of(Action.READ));
// check that a spiderman who has engineers role has access
verifyAuthSuccess(ns1, spiderman, Action.READ);
// list privileges for spiderman should have read action on ns1
Assert.assertEquals(Sets.newHashSet(new Privilege(ns1, Action.READ)), client.listPrivileges(spiderman));
// revoke action from the role
client.revoke(Authorizable.fromEntityId(ns1), engineers, ImmutableSet.of(Action.READ));
// now the privileges for spiderman should be empty
Assert.assertEquals(new HashSet<>(), client.listPrivileges(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, Action.READ);
// remove an user from a existing role
client.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(new HashSet<>(), client.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
client.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (co.cask.cdap.security.spi.authorization.NotFoundException expected) {
// expected
}
}
Also used :
Role(co.cask.cdap.proto.security.Role)
AlreadyExistsException(co.cask.cdap.security.spi.authorization.AlreadyExistsException)
Privilege(co.cask.cdap.proto.security.Privilege)
Principal(co.cask.cdap.proto.security.Principal)
Test(org.junit.Test)
Example 3 with Role
use of co.cask.cdap.proto.security.Role in project cdap by caskdata.
the class CreateRoleCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
String roleName = arguments.get("role-name");
client.createRole(new Role(roleName));
output.printf("Successfully created role '%s'\n", roleName);
}
Also used :
Role(co.cask.cdap.proto.security.Role)
Example 4 with Role
use of co.cask.cdap.proto.security.Role in project cdap by caskdata.
the class ListRolesCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
String principalType = arguments.getOptional(ArgumentName.PRINCIPAL_TYPE.toString());
String principalName = arguments.getOptional(ArgumentName.PRINCIPAL_NAME.toString());
Set<Role> roles;
if (!(Strings.isNullOrEmpty(principalType) && Strings.isNullOrEmpty(principalName))) {
roles = client.listRoles(new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase())));
} else {
roles = client.listAllRoles();
}
Table table = Table.builder().setHeader("Role").setRows(Lists.newArrayList(roles), new RowMaker<Role>() {
@Override
public List<?> makeRow(Role role) {
return Lists.newArrayList(role.getName());
}
}).build();
cliConfig.getTableRenderer().render(cliConfig, output, table);
}Example 5 with Role
use of co.cask.cdap.proto.security.Role in project cdap by caskdata.
the class AddRoleToPrincipalCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
String roleName = arguments.get("role-name");
String principalType = arguments.get("principal-type");
String principalName = arguments.get("principal-name");
client.addRoleToPrincipal(new Role(roleName), new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase())));
output.printf("Successfully added role '%s' to '%s' '%s'\n", roleName, principalType, principalName);
}Aggregations
Role (co.cask.cdap.proto.security.Role)15
Principal (co.cask.cdap.proto.security.Principal)8
Path (javax.ws.rs.Path)4
NamespaceId (co.cask.cdap.proto.id.NamespaceId)3
Privilege (co.cask.cdap.proto.security.Privilege)3
HashSet (java.util.HashSet)3
Test (org.junit.Test)3
AlreadyExistsException (co.cask.cdap.security.spi.authorization.AlreadyExistsException)2
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)2
DELETE (javax.ws.rs.DELETE)2
PUT (javax.ws.rs.PUT)2
RowMaker (co.cask.cdap.cli.util.RowMaker)1
Table (co.cask.cdap.cli.util.table.Table)1
AuthorizationClient (co.cask.cdap.client.AuthorizationClient)1
FeatureDisabledException (co.cask.cdap.common.FeatureDisabledException)1
NotFoundException (co.cask.cdap.common.NotFoundException)1
UnauthenticatedException (co.cask.cdap.common.UnauthenticatedException)1
CommonNettyHttpServiceBuilder (co.cask.cdap.common.http.CommonNettyHttpServiceBuilder)1
Action (co.cask.cdap.proto.security.Action)1
MasterAuthenticationContext (co.cask.cdap.security.auth.context.MasterAuthenticationContext)1
