use of co.cask.cdap.security.impersonation.OwnerAdmin in project cdap by caskdata.
the class StreamAdminTest method testOwner.
/**
 * Verifies the owner-principal checks made when a stream is created with
 * {@code Constants.Security.PRINCIPAL} in its properties: creation is rejected until the caller
 * holds ADMIN on both the stream and the owner principal, the owner cannot be changed afterwards
 * (neither via {@code updateConfig} nor by re-creating the stream with another owner), and
 * dropping the stream removes its owner record.
 */
@Test
public void testOwner() throws Exception {
  StreamAdmin admin = getStreamAdmin();
  OwnerAdmin owners = getOwnerAdmin();
  StreamId fooStream = FOO_NAMESPACE.stream("stream");
  String principalName = "user/somehost@somekdc.net";
  KerberosPrincipalId principal = new KerberosPrincipalId(principalName);
  Properties streamProps = new Properties();
  streamProps.put(Constants.Security.PRINCIPAL, principalName);

  // no privilege on the stream nor on the owner principal yet
  assertCreateUnauthorized(admin, fooStream, streamProps, null);

  // ADMIN on the stream alone is not enough: the caller also needs it on the owner principal
  grantAndAssertSuccess(fooStream, USER, EnumSet.of(Action.ADMIN));
  assertCreateUnauthorized(admin, fooStream, streamProps, null);

  // with ADMIN on the principal as well, creation succeeds
  grantAndAssertSuccess(principal, USER, EnumSet.of(Action.ADMIN));
  admin.create(fooStream, streamProps);
  Assert.assertTrue(admin.exists(fooStream));
  // the owner is recorded in the owner store and reported back through the stream properties
  Assert.assertTrue(owners.exists(fooStream));
  Assert.assertEquals(principalName, admin.getProperties(fooStream).getOwnerPrincipal());

  // the owner of an existing stream cannot be changed
  try {
    admin.updateConfig(fooStream, new StreamProperties(1L, null, null, null, "user/somekdc.net"));
    Assert.fail();
  } catch (UnauthorizedException e) {
    // expected
  }

  // re-creating the stream with a different owner is rejected and leaves the original owner intact
  streamProps.put(Constants.Security.PRINCIPAL, "someOtherUser/someHost@somekdc.net");
  assertCreateUnauthorized(admin, fooStream, streamProps,
                           "Should have failed to add the same stream with different owner");
  Assert.assertEquals(principalName, admin.getProperties(fooStream).getOwnerPrincipal());

  // dropping the stream also removes its owner record
  admin.drop(fooStream);
  Assert.assertFalse(owners.exists(fooStream));

  // clean up the privileges granted above
  revokeAndAssertSuccess(fooStream, USER, EnumSet.of(Action.ADMIN));
  revokeAndAssertSuccess(principal, USER, EnumSet.of(Action.ADMIN));
}

/**
 * Attempts to create {@code stream} with {@code props} and asserts that the attempt is rejected
 * with an {@link UnauthorizedException}.
 *
 * @param admin stream admin to create the stream through
 * @param stream the stream to create
 * @param props creation properties (may carry an owner principal)
 * @param failureMessage assertion message used when creation unexpectedly succeeds; may be null
 * @throws Exception any failure other than the expected {@link UnauthorizedException}
 */
private static void assertCreateUnauthorized(StreamAdmin admin, StreamId stream, Properties props,
                                             String failureMessage) throws Exception {
  try {
    admin.create(stream, props);
  } catch (UnauthorizedException e) {
    return; // expected
  }
  Assert.fail(failureMessage);
}
use of co.cask.cdap.security.impersonation.OwnerAdmin in project cdap by caskdata.
the class HBaseFileStreamAdminTest method init.
/**
 * Brings up the HBase-backed stream admin fixture: starts an in-memory ZooKeeper, points the test
 * configuration at it, builds the Guice injector and starts the transaction manager and the stream
 * coordinator.
 * <p>
 * NOTE(review): the started {@code InMemoryZKServer} is only kept in a local variable, so nothing
 * in this method can stop it later; confirm it is shut down elsewhere (e.g. an {@code @AfterClass})
 * or it will outlive the tests.
 */
@BeforeClass
public static void init() throws Exception {
  InMemoryZKServer zk = InMemoryZKServer.builder().setDataDir(tmpFolder.newFolder()).build();
  zk.startAndWait();
  Configuration hbaseConf = testHBase.getConfiguration();

  addCConfProperties(cConf);
  cConf.setInt(Constants.Stream.CONTAINER_INSTANCES, 1);
  cConf.set(Constants.CFG_LOCAL_DATA_DIR, tmpFolder.newFolder().getAbsolutePath());
  cConf.set(Constants.Zookeeper.QUORUM, zk.getConnectionStr());

  // In-memory / no-op replacements layered over the distributed data-fabric and stream-admin modules.
  // The authentication context is the no-op module and UGIProvider is the "unsupported" one, so these
  // tests presumably never perform real impersonation.
  AbstractModule testOverrides = new AbstractModule() {
    @Override
    protected void configure() {
      bind(TransactionStateStorage.class).to(NoOpTransactionStateStorage.class);
      bind(TransactionSystemClient.class).to(InMemoryTxSystemClient.class).in(Singleton.class);
      bind(StreamMetaStore.class).to(InMemoryStreamMetaStore.class);
      bind(NotificationFeedManager.class).to(NoOpNotificationFeedManager.class);
      bind(NamespaceQueryAdmin.class).to(SimpleNamespaceQueryAdmin.class);
      bind(UGIProvider.class).to(UnsupportedUGIProvider.class);
      bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
    }
  };
  Injector injector = Guice.createInjector(
    new ConfigModule(cConf, hbaseConf),
    new ZKClientModule(),
    new NonCustomLocationUnitTestModule().getModule(),
    new DiscoveryRuntimeModule().getInMemoryModules(),
    new TransactionMetricsModule(),
    new DataSetsModules().getInMemoryModules(),
    new SystemDatasetRuntimeModule().getInMemoryModules(),
    new ExploreClientModule(),
    new ViewAdminModules().getInMemoryModules(),
    new AuditModule().getInMemoryModules(),
    new AuthorizationTestModule(),
    new AuthorizationEnforcementModule().getInMemoryModules(),
    new AuthenticationContextModules().getNoOpModule(),
    Modules.override(new DataFabricModules().getDistributedModules(),
                     new StreamAdminModules().getDistributedModules()).with(testOverrides));

  ZKClientService zkClient = injector.getInstance(ZKClientService.class);
  zkClient.startAndWait();

  streamAdmin = injector.getInstance(StreamAdmin.class);
  txManager = TxInMemory.getTransactionManager(injector.getInstance(TransactionSystemClient.class));
  fileWriterFactory = injector.getInstance(StreamFileWriterFactory.class);
  streamCoordinatorClient = injector.getInstance(StreamCoordinatorClient.class);
  inMemoryAuditPublisher = injector.getInstance(InMemoryAuditPublisher.class);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  ownerAdmin = injector.getInstance(OwnerAdmin.class);

  // namespaces are laid out before the transaction manager and coordinator are started
  setupNamespaces(injector.getInstance(NamespacedLocationFactory.class));
  txManager.startAndWait();
  streamCoordinatorClient.startAndWait();
}
use of co.cask.cdap.security.impersonation.OwnerAdmin in project cdap by caskdata.
the class LevelDBFileStreamAdminTest method init.
/**
 * Brings up the LevelDB-backed stream admin fixture: creates a fresh configuration with a local data
 * directory, builds the Guice injector and starts the stream coordinator and transaction manager.
 */
@BeforeClass
public static void init() throws Exception {
  CConfiguration conf = CConfiguration.create();
  conf.set(Constants.CFG_LOCAL_DATA_DIR, tmpFolder.newFolder().getAbsolutePath());
  addCConfProperties(conf);

  // In-memory / no-op replacements layered over the standalone stream-admin modules.
  // The authentication context is the no-op module and UGIProvider is the "unsupported" one, so these
  // tests presumably never perform real impersonation.
  AbstractModule testOverrides = new AbstractModule() {
    @Override
    protected void configure() {
      bind(StreamMetaStore.class).to(InMemoryStreamMetaStore.class);
      bind(NotificationFeedManager.class).to(NoOpNotificationFeedManager.class);
      bind(UGIProvider.class).to(UnsupportedUGIProvider.class);
      bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
      bind(NamespaceQueryAdmin.class).to(SimpleNamespaceQueryAdmin.class);
    }
  };
  Injector injector = Guice.createInjector(
    new ConfigModule(conf),
    new NonCustomLocationUnitTestModule().getModule(),
    new SystemDatasetRuntimeModule().getInMemoryModules(),
    new DataSetsModules().getInMemoryModules(),
    new DataFabricLevelDBModule(),
    new TransactionMetricsModule(),
    new DiscoveryRuntimeModule().getInMemoryModules(),
    new ExploreClientModule(),
    new ViewAdminModules().getInMemoryModules(),
    new AuditModule().getInMemoryModules(),
    new AuthorizationTestModule(),
    new AuthorizationEnforcementModule().getInMemoryModules(),
    new AuthenticationContextModules().getNoOpModule(),
    Modules.override(new StreamAdminModules().getStandaloneModules()).with(testOverrides));

  streamAdmin = injector.getInstance(StreamAdmin.class);
  txManager = injector.getInstance(TransactionManager.class);
  fileWriterFactory = injector.getInstance(StreamFileWriterFactory.class);
  streamCoordinatorClient = injector.getInstance(StreamCoordinatorClient.class);
  inMemoryAuditPublisher = injector.getInstance(InMemoryAuditPublisher.class);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  ownerAdmin = injector.getInstance(OwnerAdmin.class);

  // note the order: coordinator first, then namespaces, then the transaction manager
  streamCoordinatorClient.startAndWait();
  setupNamespaces(injector.getInstance(NamespacedLocationFactory.class));
  txManager.startAndWait();
}
use of co.cask.cdap.security.impersonation.OwnerAdmin in project cdap by caskdata.
the class AbstractDatasetFrameworkTest method setup.
/**
 * Builds the shared dataset-framework test fixture: a configuration with a local data directory, a
 * Guice injector with in-memory transaction, namespace, audit and owner bindings, a registry factory
 * backed by that injector, and the {@code NAMESPACE_ID} namespace created through the namespace admin.
 */
@BeforeClass
public static void setup() throws Exception {
  cConf = CConfiguration.create();
  cConf.set(Constants.CFG_LOCAL_DATA_DIR, new File(TMP_FOLDER.newFolder(), "data").getAbsolutePath());

  // Owner bookkeeping is kept in memory; the store is singleton-scoped so every injection point shares it.
  AbstractModule ownerBindings = new AbstractModule() {
    @Override
    protected void configure() {
      bind(OwnerStore.class).to(InMemoryOwnerStore.class).in(Scopes.SINGLETON);
      bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
    }
  };
  final Injector injector = Guice.createInjector(
    new ConfigModule(cConf),
    new NonCustomLocationUnitTestModule().getModule(),
    new TransactionInMemoryModule(),
    new NamespaceClientRuntimeModule().getInMemoryModules(),
    new AuditModule().getInMemoryModules(),
    ownerBindings);

  locationFactory = injector.getInstance(LocationFactory.class);
  namespacedLocationFactory = injector.getInstance(NamespacedLocationFactory.class);
  txExecutorFactory = injector.getInstance(TransactionExecutorFactory.class);
  // Every registry handed out by the factory is member-injected from the test injector.
  registryFactory = new DatasetDefinitionRegistryFactory() {
    @Override
    public DatasetDefinitionRegistry create() {
      DefaultDatasetDefinitionRegistry registry = new DefaultDatasetDefinitionRegistry();
      injector.injectMembers(registry);
      return registry;
    }
  };
  namespaceAdmin = injector.getInstance(NamespaceAdmin.class);
  namespaceQueryAdmin = injector.getInstance(NamespaceQueryAdmin.class);
  ownerAdmin = injector.getInstance(OwnerAdmin.class);
  inMemoryAuditPublisher = injector.getInstance(InMemoryAuditPublisher.class);

  namespaceAdmin.create(new NamespaceMeta.Builder().setName(NAMESPACE_ID).build());
}
use of co.cask.cdap.security.impersonation.OwnerAdmin in project cdap by caskdata.
the class DatasetServiceTestBase method initializeAndStartService.
/**
 * Builds the Guice injector for the dataset service tests and then starts, in this order, the in-memory
 * transaction manager, the dataset op-executor service and the dataset service, waiting for the latter two
 * to become discoverable. Populates the static fields {@code injector}, {@code discoveryServiceClient},
 * {@code dsFramework}, {@code txManager}, {@code opExecutorService}, {@code registryFactory},
 * {@code inMemoryDatasetFramework}, {@code namespaceAdmin}, {@code ownerAdmin}, {@code instanceService}
 * and {@code service}.
 * <p>
 * NOTE(review): {@code locationFactory} is read below but never assigned in this method, so it must
 * already have been set by the caller (presumably a subclass' {@code @BeforeClass}) — confirm.
 *
 * @param cConf configuration the injector and all services are built from
 * @throws Exception if a service fails to start or the default namespace cannot be created
 */
protected static void initializeAndStartService(CConfiguration cConf) throws Exception {
// TODO: this whole method is a mess. Streamline it!
// The master authentication context and the in-memory authorization enforcement are installed here; both are
// pulled back out of the injector below and handed to the authorization-aware type and instance services.
injector = Guice.createInjector(new ConfigModule(cConf), new DiscoveryRuntimeModule().getInMemoryModules(), new NonCustomLocationUnitTestModule().getModule(), new NamespaceClientRuntimeModule().getInMemoryModules(), new SystemDatasetRuntimeModule().getInMemoryModules(), new TransactionInMemoryModule(), new AuthorizationTestModule(), new AuthorizationEnforcementModule().getInMemoryModules(), new AuthenticationContextModules().getMasterModule(), new AbstractModule() {
@Override
protected void configure() {
bind(MetricsCollectionService.class).to(NoOpMetricsCollectionService.class).in(Singleton.class);
install(new FactoryModuleBuilder().implement(DatasetDefinitionRegistry.class, DefaultDatasetDefinitionRegistry.class).build(DatasetDefinitionRegistryFactory.class));
// through the injector, we only need RemoteDatasetFramework in these tests
bind(RemoteDatasetFramework.class);
// owner bookkeeping is in memory; note that unlike other test fixtures this store is not singleton-scoped
bind(OwnerStore.class).to(InMemoryOwnerStore.class);
bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
}
});
AuthorizationEnforcer authEnforcer = injector.getInstance(AuthorizationEnforcer.class);
AuthenticationContext authenticationContext = injector.getInstance(AuthenticationContext.class);
DiscoveryService discoveryService = injector.getInstance(DiscoveryService.class);
discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
dsFramework = injector.getInstance(RemoteDatasetFramework.class);
// Tx Manager to support working with datasets
txManager = injector.getInstance(TransactionManager.class);
txManager.startAndWait();
TransactionSystemClient txSystemClient = injector.getInstance(TransactionSystemClient.class);
TransactionSystemClientService txSystemClientService = new DelegatingTransactionSystemClientService(txSystemClient);
NamespacedLocationFactory namespacedLocationFactory = injector.getInstance(NamespacedLocationFactory.class);
// NOTE(review): locationFactory is a static field that is not assigned anywhere in this method — confirm it
// is set before this is called.
SystemDatasetInstantiatorFactory datasetInstantiatorFactory = new SystemDatasetInstantiatorFactory(locationFactory, dsFramework, cConf);
// ok to pass null, since the impersonator won't actually be called, if kerberos security is not enabled
// NOTE(review): this relies on no test enabling kerberos security in cConf; if one did, the null would
// presumably surface as a failure inside the impersonator rather than as a clear configuration error.
Impersonator impersonator = new DefaultImpersonator(cConf, null);
DatasetAdminService datasetAdminService = new DatasetAdminService(dsFramework, cConf, locationFactory, datasetInstantiatorFactory, new NoOpMetadataStore(), impersonator);
// the op executor exposes only the dataset-admin HTTP handler
ImmutableSet<HttpHandler> handlers = ImmutableSet.<HttpHandler>of(new DatasetAdminOpHTTPHandler(datasetAdminService));
MetricsCollectionService metricsCollectionService = injector.getInstance(MetricsCollectionService.class);
opExecutorService = new DatasetOpExecutorService(cConf, discoveryService, metricsCollectionService, handlers);
opExecutorService.startAndWait();
// default dataset modules registered with the injector, extended with those from DatasetMetaTableUtil
Map<String, DatasetModule> defaultModules = injector.getInstance(Key.get(new TypeLiteral<Map<String, DatasetModule>>() {
}, Constants.Dataset.Manager.DefaultDatasetModules.class));
ImmutableMap<String, DatasetModule> modules = ImmutableMap.<String, DatasetModule>builder().putAll(defaultModules).putAll(DatasetMetaTableUtil.getModules()).build();
registryFactory = injector.getInstance(DatasetDefinitionRegistryFactory.class);
inMemoryDatasetFramework = new InMemoryDatasetFramework(registryFactory, modules);
DiscoveryExploreClient exploreClient = new DiscoveryExploreClient(discoveryServiceClient, authenticationContext);
ExploreFacade exploreFacade = new ExploreFacade(exploreClient, cConf);
namespaceAdmin = injector.getInstance(NamespaceAdmin.class);
namespaceAdmin.create(NamespaceMeta.DEFAULT);
ownerAdmin = injector.getInstance(OwnerAdmin.class);
NamespaceQueryAdmin namespaceQueryAdmin = injector.getInstance(NamespaceQueryAdmin.class);
TransactionExecutorFactory txExecutorFactory = new DynamicTransactionExecutorFactory(txSystemClient);
DatasetTypeManager typeManager = new DatasetTypeManager(cConf, locationFactory, txSystemClientService, txExecutorFactory, inMemoryDatasetFramework, impersonator);
DatasetOpExecutor opExecutor = new InMemoryDatasetOpExecutor(dsFramework);
DatasetInstanceManager instanceManager = new DatasetInstanceManager(txSystemClientService, txExecutorFactory, inMemoryDatasetFramework);
// noAuthTypeService is the plain service; typeService wraps it with the authorization enforcer and
// authentication context, and the instance service receives both variants plus the enforcer and context.
DatasetTypeService noAuthTypeService = new DefaultDatasetTypeService(typeManager, namespaceAdmin, namespacedLocationFactory, cConf, impersonator, txSystemClientService, inMemoryDatasetFramework, defaultModules);
DatasetTypeService typeService = new AuthorizationDatasetTypeService(noAuthTypeService, authEnforcer, authenticationContext);
instanceService = new DatasetInstanceService(typeService, noAuthTypeService, instanceManager, opExecutor, exploreFacade, namespaceQueryAdmin, ownerAdmin, authEnforcer, authenticationContext);
service = new DatasetService(cConf, discoveryService, discoveryServiceClient, metricsCollectionService, opExecutor, new HashSet<DatasetMetricsReporter>(), typeService, instanceService);
// Start dataset service, wait for it to be discoverable
service.startAndWait();
waitForService(Constants.Service.DATASET_EXECUTOR);
waitForService(Constants.Service.DATASET_MANAGER);
// this usually happens while creating a namespace, however not doing that in data fabric tests
Locations.mkdirsIfNotExists(namespacedLocationFactory.get(NamespaceId.DEFAULT));
}