Example 11 with Role

Use of co.cask.cdap.proto.security.Role in project cdap by caskdata.

Class InMemoryAuthorizer, method listPrivileges.

@Override
public Set<Privilege> listPrivileges(Principal principal) {
    Set<Privilege> privileges = new HashSet<>();
    // privileges granted directly to this principal
    privileges.addAll(getPrivileges(principal));
    // privileges inherited through roles, unless the principal is itself a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : roleToPrincipals.keySet()) {
            // only roles this principal is actually a member of: iterating every role
            // unconditionally would report privileges the principal does not hold
            if (roleToPrincipals.get(role).contains(principal)) {
                privileges.addAll(getPrivileges(role));
            }
        }
    }
    return Collections.unmodifiableSet(privileges);
}

Example 12 with Role

Use of co.cask.cdap.proto.security.Role in project cdap by caskdata.

Class AuthorizationCLITest, method testAuthorizationCLI.

@Test
public void testAuthorizationCLI() throws Exception {
    Role role = new Role("admins");
    Principal principal = new Principal("spiderman", Principal.PrincipalType.USER);
    NamespaceId namespaceId = new NamespaceId("ns1");
    testCommandOutputContains(cli, String.format("create namespace %s", namespaceId.getNamespace()), String.format("Namespace '%s' created successfully", namespaceId.getNamespace()));
    // test creating role
    testCommandOutputContains(cli, "create role " + role.getName(), String.format("Successfully created role '%s'", role.getName()));
    // test add role to principal
    testCommandOutputContains(cli, String.format("add role %s to %s %s", role.getName(), principal.getType(), principal.getName()), String.format("Successfully added role '%s' to '%s' '%s'", role.getName(), principal.getType(), principal.getName()));
    // test listing all roles
    String output = getCommandOutput(cli, "list roles");
    List<String> lines = Arrays.asList(output.split("\\r?\\n"));
    Assert.assertEquals(2, lines.size());
    // line 0 is the table header; the role name is on the next line
    Assert.assertEquals(role.getName(), lines.get(1));
    // test listing roles for a principal
    output = getCommandOutput(cli, String.format("list roles for %s %s", principal.getType(), principal.getName()));
    lines = Arrays.asList(output.split("\\r?\\n"));
    Assert.assertEquals(2, lines.size());
    Assert.assertEquals(role.getName(), lines.get(1));
    // test grant action. also tests case insensitivity of Action and Principal.PrincipalType
    testCommandOutputContains(cli, String.format("grant actions %s on entity %s to %s %s", Action.READ.name().toLowerCase(), namespaceId.toString(), principal.getType().name().toLowerCase(), principal.getName()), String.format("Successfully granted action(s) '%s' on entity '%s' to %s '%s'", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()));
    // test listing privilege
    output = getCommandOutput(cli, String.format("list privileges for %s %s", principal.getType(), principal.getName()));
    lines = Arrays.asList(output.split("\\r?\\n"));
    Assert.assertEquals(2, lines.size());
    Assert.assertArrayEquals(new String[] { namespaceId.toString(), Action.READ.name() }, lines.get(1).split(","));
    // test revoke actions
    testCommandOutputContains(cli, String.format("revoke actions %s on entity %s from %s %s", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()), String.format("Successfully revoked action(s) '%s' on entity '%s' for %s '%s'", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()));
    // grant and perform revoke on the entity
    testCommandOutputContains(cli, String.format("grant actions %s on entity %s to %s %s", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()), String.format("Successfully granted action(s) '%s' on entity '%s' to %s '%s'", Action.READ, namespaceId.toString(), principal.getType(), principal.getName()));
    testCommandOutputContains(cli, String.format("revoke all on entity %s ", namespaceId.toString()), String.format("Successfully revoked all actions on entity '%s' for all principals", namespaceId.toString()));
    // test remove role from principal
    testCommandOutputContains(cli, String.format("remove role %s from %s %s", role.getName(), principal.getType(), principal.getName()), String.format("Successfully removed role '%s' from %s '%s'", role.getName(), principal.getType(), principal.getName()));
    // test remove role (which doesn't exist) from principal
    Role nonexistentRole = new Role("nonexistent_role");
    testCommandOutputContains(cli, String.format("remove role %s from %s %s", nonexistentRole.getName(), principal.getType(), principal.getName()), String.format("Error: %s not found", nonexistentRole));
}

Example 13 with Role

Use of co.cask.cdap.proto.security.Role in project cdap by caskdata.

Class AuthorizationHandler, method createRole.

/**
 ******************************************************************************************************************
 * Role Management : For Role Based Access Control
 *******************************************************************************************************************
 */
@Path("/roles/{role-name}")
@PUT
public void createRole(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("role-name") String roleName) throws Exception {
    ensureSecurityEnabled();
    authorizer.createRole(new Role(roleName));
    httpResponder.sendStatus(HttpResponseStatus.OK);
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}

Example 14 with Role

Use of co.cask.cdap.proto.security.Role in project cdap by caskdata.

Class AuthorizationHandler, method addRoleToPrincipal.

@Path("/{principal-type}/{principal-name}/roles/{role-name}")
@PUT
public void addRoleToPrincipal(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String principalType, @PathParam("principal-name") String principalName, @PathParam("role-name") String roleName) throws Exception {
    ensureSecurityEnabled();
    // the principal type is taken from the URL path; PrincipalType.valueOf() throws
    // IllegalArgumentException for anything other than a known type name
    Principal principal = new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase()));
    authorizer.addRoleToPrincipal(new Role(roleName), principal);
    httpResponder.sendStatus(HttpResponseStatus.OK);
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}

Example 15 with Role

Use of co.cask.cdap.proto.security.Role in project cdap by caskdata.

Class AuthorizationHandlerTest, method testDisabled.

private void testDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature, String configSetting) throws Exception {
    final InMemoryAuthorizer authorizer = new InMemoryAuthorizer();
    NettyHttpService service = new CommonNettyHttpServiceBuilder(cConf, getClass().getSimpleName()).setHttpHandlers(new AuthorizationHandler(authorizer, new AuthorizerInstantiator(cConf, FACTORY) {

        @Override
        public Authorizer get() {
            return authorizer;
        }
    }, cConf, authorizer, new MasterAuthenticationContext(), entityExistenceVerifier)).build();
    service.start();
    try {
        final AuthorizationClient client = new AuthorizationClient(
            ClientConfig.builder()
                .setConnectionConfig(ConnectionConfig.builder()
                                         .setHostname(service.getBindAddress().getHostName())
                                         .setPort(service.getBindAddress().getPort())
                                         .setSSLEnabled(false)
                                         .build())
                .build());
        final NamespaceId ns1 = Ids.namespace("ns1");
        final Role admins = new Role("admins");
        // Test that the right exception is thrown when any Authorization REST API is called with authorization disabled
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.grant(Authorizable.fromEntityId(ns1), admin, ImmutableSet.of(Action.READ));
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.revoke(Authorizable.fromEntityId(ns1), admin, ImmutableSet.of(Action.READ));
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.revoke(Authorizable.fromEntityId(ns1));
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.listPrivileges(admin);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.addRoleToPrincipal(admins, admin);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.removeRoleFromPrincipal(admins, admin);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.createRole(admins);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.dropRole(admins);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.listAllRoles();
            }
        }, feature, configSetting);
    } finally {
        service.stop();
    }
}