Search in sources :

Example 1 with AuthorizationEnforcer

use of co.cask.cdap.security.spi.authorization.AuthorizationEnforcer in project cdap by caskdata.

the class AuthorizationBootstrapperTest method setup.

@BeforeClass
public static void setup() throws Exception {
    CConfiguration cConf = CConfiguration.create();
    cConf.set(Constants.CFG_LOCAL_DATA_DIR, TMP_FOLDER.newFolder().getAbsolutePath());
    cConf.setBoolean(Constants.Security.ENABLED, true);
    cConf.setBoolean(Constants.Security.KERBEROS_ENABLED, false);
    cConf.setBoolean(Constants.Security.Authorization.ENABLED, true);
    Location deploymentJar = AppJarHelper.createDeploymentJar(new LocalLocationFactory(TMP_FOLDER.newFolder()), InMemoryAuthorizer.class);
    cConf.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, deploymentJar.toURI().getPath());
    // make Alice an admin user, so she can create namespaces
    cConf.set(Constants.Security.Authorization.ADMIN_USERS, ADMIN_USER.getName());
    instanceId = new InstanceId(cConf.get(Constants.INSTANCE_NAME));
    // setup a system artifact
    File systemArtifactsDir = TMP_FOLDER.newFolder();
    cConf.set(Constants.AppFabric.SYSTEM_ARTIFACTS_DIR, systemArtifactsDir.getAbsolutePath());
    createSystemArtifact(systemArtifactsDir);
    Injector injector = Guice.createInjector(new AppFabricTestModule(cConf));
    namespaceQueryAdmin = injector.getInstance(NamespaceQueryAdmin.class);
    namespaceAdmin = injector.getInstance(NamespaceAdmin.class);
    defaultNamespaceEnsurer = new DefaultNamespaceEnsurer(namespaceAdmin);
    discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
    txManager = injector.getInstance(TransactionManager.class);
    datasetService = injector.getInstance(DatasetService.class);
    systemArtifactLoader = injector.getInstance(SystemArtifactLoader.class);
    authorizationBootstrapper = injector.getInstance(AuthorizationBootstrapper.class);
    artifactRepository = injector.getInstance(ArtifactRepository.class);
    dsFramework = injector.getInstance(DatasetFramework.class);
    authorizationEnforcer = injector.getInstance(AuthorizationEnforcer.class);
}
Also used : DiscoveryServiceClient(org.apache.twill.discovery.DiscoveryServiceClient) InstanceId(co.cask.cdap.proto.id.InstanceId) NamespaceAdmin(co.cask.cdap.common.namespace.NamespaceAdmin) DatasetService(co.cask.cdap.data2.datafabric.dataset.service.DatasetService) ArtifactRepository(co.cask.cdap.internal.app.runtime.artifact.ArtifactRepository) AuthorizationEnforcer(co.cask.cdap.security.spi.authorization.AuthorizationEnforcer) DefaultNamespaceEnsurer(co.cask.cdap.internal.app.namespace.DefaultNamespaceEnsurer) CConfiguration(co.cask.cdap.common.conf.CConfiguration) DatasetFramework(co.cask.cdap.data2.dataset2.DatasetFramework) AuthorizationBootstrapper(co.cask.cdap.security.authorization.AuthorizationBootstrapper) Injector(com.google.inject.Injector) TransactionManager(org.apache.tephra.TransactionManager) SystemArtifactLoader(co.cask.cdap.internal.app.runtime.artifact.SystemArtifactLoader) NamespaceQueryAdmin(co.cask.cdap.common.namespace.NamespaceQueryAdmin) AppFabricTestModule(co.cask.cdap.internal.guice.AppFabricTestModule) LocalLocationFactory(org.apache.twill.filesystem.LocalLocationFactory) File(java.io.File) Location(org.apache.twill.filesystem.Location) BeforeClass(org.junit.BeforeClass)

Example 2 with AuthorizationEnforcer

use of co.cask.cdap.security.spi.authorization.AuthorizationEnforcer in project cdap by caskdata.

the class DatasetServiceTestBase method initializeAndStartService.

protected static void initializeAndStartService(CConfiguration cConf) throws Exception {
    // TODO: this whole method is a mess. Streamline it!
    injector = Guice.createInjector(new ConfigModule(cConf), new DiscoveryRuntimeModule().getInMemoryModules(), new NonCustomLocationUnitTestModule().getModule(), new NamespaceClientRuntimeModule().getInMemoryModules(), new SystemDatasetRuntimeModule().getInMemoryModules(), new TransactionInMemoryModule(), new AuthorizationTestModule(), new AuthorizationEnforcementModule().getInMemoryModules(), new AuthenticationContextModules().getMasterModule(), new AbstractModule() {

        @Override
        protected void configure() {
            bind(MetricsCollectionService.class).to(NoOpMetricsCollectionService.class).in(Singleton.class);
            install(new FactoryModuleBuilder().implement(DatasetDefinitionRegistry.class, DefaultDatasetDefinitionRegistry.class).build(DatasetDefinitionRegistryFactory.class));
            // through the injector, we only need RemoteDatasetFramework in these tests
            bind(RemoteDatasetFramework.class);
            bind(OwnerStore.class).to(InMemoryOwnerStore.class);
            bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
        }
    });
    AuthorizationEnforcer authEnforcer = injector.getInstance(AuthorizationEnforcer.class);
    AuthenticationContext authenticationContext = injector.getInstance(AuthenticationContext.class);
    DiscoveryService discoveryService = injector.getInstance(DiscoveryService.class);
    discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
    dsFramework = injector.getInstance(RemoteDatasetFramework.class);
    // Tx Manager to support working with datasets
    txManager = injector.getInstance(TransactionManager.class);
    txManager.startAndWait();
    TransactionSystemClient txSystemClient = injector.getInstance(TransactionSystemClient.class);
    TransactionSystemClientService txSystemClientService = new DelegatingTransactionSystemClientService(txSystemClient);
    NamespacedLocationFactory namespacedLocationFactory = injector.getInstance(NamespacedLocationFactory.class);
    SystemDatasetInstantiatorFactory datasetInstantiatorFactory = new SystemDatasetInstantiatorFactory(locationFactory, dsFramework, cConf);
    // ok to pass null, since the impersonator won't actually be called, if kerberos security is not enabled
    Impersonator impersonator = new DefaultImpersonator(cConf, null);
    DatasetAdminService datasetAdminService = new DatasetAdminService(dsFramework, cConf, locationFactory, datasetInstantiatorFactory, new NoOpMetadataStore(), impersonator);
    ImmutableSet<HttpHandler> handlers = ImmutableSet.<HttpHandler>of(new DatasetAdminOpHTTPHandler(datasetAdminService));
    MetricsCollectionService metricsCollectionService = injector.getInstance(MetricsCollectionService.class);
    opExecutorService = new DatasetOpExecutorService(cConf, discoveryService, metricsCollectionService, handlers);
    opExecutorService.startAndWait();
    Map<String, DatasetModule> defaultModules = injector.getInstance(Key.get(new TypeLiteral<Map<String, DatasetModule>>() {
    }, Constants.Dataset.Manager.DefaultDatasetModules.class));
    ImmutableMap<String, DatasetModule> modules = ImmutableMap.<String, DatasetModule>builder().putAll(defaultModules).putAll(DatasetMetaTableUtil.getModules()).build();
    registryFactory = injector.getInstance(DatasetDefinitionRegistryFactory.class);
    inMemoryDatasetFramework = new InMemoryDatasetFramework(registryFactory, modules);
    DiscoveryExploreClient exploreClient = new DiscoveryExploreClient(discoveryServiceClient, authenticationContext);
    ExploreFacade exploreFacade = new ExploreFacade(exploreClient, cConf);
    namespaceAdmin = injector.getInstance(NamespaceAdmin.class);
    namespaceAdmin.create(NamespaceMeta.DEFAULT);
    ownerAdmin = injector.getInstance(OwnerAdmin.class);
    NamespaceQueryAdmin namespaceQueryAdmin = injector.getInstance(NamespaceQueryAdmin.class);
    TransactionExecutorFactory txExecutorFactory = new DynamicTransactionExecutorFactory(txSystemClient);
    DatasetTypeManager typeManager = new DatasetTypeManager(cConf, locationFactory, txSystemClientService, txExecutorFactory, inMemoryDatasetFramework, impersonator);
    DatasetOpExecutor opExecutor = new InMemoryDatasetOpExecutor(dsFramework);
    DatasetInstanceManager instanceManager = new DatasetInstanceManager(txSystemClientService, txExecutorFactory, inMemoryDatasetFramework);
    DatasetTypeService noAuthTypeService = new DefaultDatasetTypeService(typeManager, namespaceAdmin, namespacedLocationFactory, cConf, impersonator, txSystemClientService, inMemoryDatasetFramework, defaultModules);
    DatasetTypeService typeService = new AuthorizationDatasetTypeService(noAuthTypeService, authEnforcer, authenticationContext);
    instanceService = new DatasetInstanceService(typeService, noAuthTypeService, instanceManager, opExecutor, exploreFacade, namespaceQueryAdmin, ownerAdmin, authEnforcer, authenticationContext);
    service = new DatasetService(cConf, discoveryService, discoveryServiceClient, metricsCollectionService, opExecutor, new HashSet<DatasetMetricsReporter>(), typeService, instanceService);
    // Start dataset service, wait for it to be discoverable
    service.startAndWait();
    waitForService(Constants.Service.DATASET_EXECUTOR);
    waitForService(Constants.Service.DATASET_MANAGER);
    // this usually happens while creating a namespace, however not doing that in data fabric tests
    Locations.mkdirsIfNotExists(namespacedLocationFactory.get(NamespaceId.DEFAULT));
}
Also used : RemoteDatasetFramework(co.cask.cdap.data2.datafabric.dataset.RemoteDatasetFramework) InMemoryDatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.InMemoryDatasetOpExecutor) AuthenticationContext(co.cask.cdap.security.spi.authentication.AuthenticationContext) DiscoveryServiceClient(org.apache.twill.discovery.DiscoveryServiceClient) DatasetAdminOpHTTPHandler(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminOpHTTPHandler) TransactionInMemoryModule(org.apache.tephra.runtime.TransactionInMemoryModule) AuthorizationEnforcer(co.cask.cdap.security.spi.authorization.AuthorizationEnforcer) NamespacedLocationFactory(co.cask.cdap.common.namespace.NamespacedLocationFactory) NoOpMetricsCollectionService(co.cask.cdap.common.metrics.NoOpMetricsCollectionService) ExploreFacade(co.cask.cdap.explore.client.ExploreFacade) DynamicTransactionExecutorFactory(co.cask.cdap.data.runtime.DynamicTransactionExecutorFactory) TransactionExecutorFactory(co.cask.cdap.data2.transaction.TransactionExecutorFactory) NoOpMetadataStore(co.cask.cdap.data2.metadata.store.NoOpMetadataStore) DatasetDefinitionRegistryFactory(co.cask.cdap.data2.dataset2.DatasetDefinitionRegistryFactory) SystemDatasetRuntimeModule(co.cask.cdap.data.runtime.SystemDatasetRuntimeModule) DiscoveryRuntimeModule(co.cask.cdap.common.guice.DiscoveryRuntimeModule) InMemoryDatasetFramework(co.cask.cdap.data2.dataset2.InMemoryDatasetFramework) HashSet(java.util.HashSet) HttpHandler(co.cask.http.HttpHandler) DatasetInstanceManager(co.cask.cdap.data2.datafabric.dataset.instance.DatasetInstanceManager) MetricsCollectionService(co.cask.cdap.api.metrics.MetricsCollectionService) NoOpMetricsCollectionService(co.cask.cdap.common.metrics.NoOpMetricsCollectionService) AuthenticationContextModules(co.cask.cdap.security.auth.context.AuthenticationContextModules) DefaultOwnerAdmin(co.cask.cdap.security.impersonation.DefaultOwnerAdmin) OwnerAdmin(co.cask.cdap.security.impersonation.OwnerAdmin) NamespaceAdmin(co.cask.cdap.common.namespace.NamespaceAdmin) NonCustomLocationUnitTestModule(co.cask.cdap.common.guice.NonCustomLocationUnitTestModule) DatasetTypeManager(co.cask.cdap.data2.datafabric.dataset.type.DatasetTypeManager) TransactionManager(org.apache.tephra.TransactionManager) AuthorizationEnforcementModule(co.cask.cdap.security.authorization.AuthorizationEnforcementModule) DelegatingTransactionSystemClientService(co.cask.cdap.data2.transaction.DelegatingTransactionSystemClientService) NamespaceClientRuntimeModule(co.cask.cdap.common.namespace.guice.NamespaceClientRuntimeModule) ConfigModule(co.cask.cdap.common.guice.ConfigModule) FactoryModuleBuilder(com.google.inject.assistedinject.FactoryModuleBuilder) DynamicTransactionExecutorFactory(co.cask.cdap.data.runtime.DynamicTransactionExecutorFactory) DatasetModule(co.cask.cdap.api.dataset.module.DatasetModule) TransactionSystemClient(org.apache.tephra.TransactionSystemClient) DiscoveryExploreClient(co.cask.cdap.explore.client.DiscoveryExploreClient) SystemDatasetInstantiatorFactory(co.cask.cdap.data.dataset.SystemDatasetInstantiatorFactory) TypeLiteral(com.google.inject.TypeLiteral) NamespaceQueryAdmin(co.cask.cdap.common.namespace.NamespaceQueryAdmin) TransactionSystemClientService(co.cask.cdap.data2.transaction.TransactionSystemClientService) DelegatingTransactionSystemClientService(co.cask.cdap.data2.transaction.DelegatingTransactionSystemClientService) DiscoveryService(org.apache.twill.discovery.DiscoveryService) DatasetAdminService(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminService) DatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetOpExecutor) InMemoryDatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.InMemoryDatasetOpExecutor) AuthorizationTestModule(co.cask.cdap.security.authorization.AuthorizationTestModule) Impersonator(co.cask.cdap.security.impersonation.Impersonator) DefaultImpersonator(co.cask.cdap.security.impersonation.DefaultImpersonator) DefaultImpersonator(co.cask.cdap.security.impersonation.DefaultImpersonator) InMemoryOwnerStore(co.cask.cdap.security.impersonation.InMemoryOwnerStore) OwnerStore(co.cask.cdap.security.impersonation.OwnerStore) AbstractModule(com.google.inject.AbstractModule) DatasetOpExecutorService(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetOpExecutorService)

Example 3 with AuthorizationEnforcer

use of co.cask.cdap.security.spi.authorization.AuthorizationEnforcer in project cdap by caskdata.

the class ContextManager method createContext.

// this method is called by the mappers/reducers of jobs launched by Hive.
private static Context createContext(Configuration conf) throws IOException {
    // Create context needs to happen only when running in as a MapReduce job.
    // In other cases, ContextManager will be initialized using saveContext method.
    CConfiguration cConf = ConfigurationUtil.get(conf, Constants.Explore.CCONF_KEY, CConfCodec.INSTANCE);
    Configuration hConf = ConfigurationUtil.get(conf, Constants.Explore.HCONF_KEY, HConfCodec.INSTANCE);
    Injector injector = createInjector(cConf, hConf);
    ZKClientService zkClientService = injector.getInstance(ZKClientService.class);
    zkClientService.startAndWait();
    DatasetFramework datasetFramework = injector.getInstance(DatasetFramework.class);
    StreamAdmin streamAdmin = injector.getInstance(StreamAdmin.class);
    SystemDatasetInstantiatorFactory datasetInstantiatorFactory = injector.getInstance(SystemDatasetInstantiatorFactory.class);
    AuthenticationContext authenticationContext = injector.getInstance(AuthenticationContext.class);
    AuthorizationEnforcer authorizationEnforcer = injector.getInstance(AuthorizationEnforcer.class);
    return new Context(datasetFramework, streamAdmin, zkClientService, datasetInstantiatorFactory, authenticationContext, authorizationEnforcer);
}
Also used : DatasetFramework(co.cask.cdap.data2.dataset2.DatasetFramework) AuthenticationContext(co.cask.cdap.security.spi.authentication.AuthenticationContext) StreamAdmin(co.cask.cdap.data2.transaction.stream.StreamAdmin) SystemDatasetInstantiatorFactory(co.cask.cdap.data.dataset.SystemDatasetInstantiatorFactory) AuthenticationContext(co.cask.cdap.security.spi.authentication.AuthenticationContext) CConfiguration(co.cask.cdap.common.conf.CConfiguration) Configuration(org.apache.hadoop.conf.Configuration) ZKClientService(org.apache.twill.zookeeper.ZKClientService) Injector(com.google.inject.Injector) AuthorizationEnforcer(co.cask.cdap.security.spi.authorization.AuthorizationEnforcer) CConfiguration(co.cask.cdap.common.conf.CConfiguration)

Example 4 with AuthorizationEnforcer

use of co.cask.cdap.security.spi.authorization.AuthorizationEnforcer in project cdap by caskdata.

the class RemoteDatasetFrameworkTest method before.

@Before
public void before() throws Exception {
    cConf.set(Constants.Service.MASTER_SERVICES_BIND_ADDRESS, "localhost");
    cConf.setBoolean(Constants.Dangerous.UNRECOVERABLE_RESET, true);
    Configuration txConf = HBaseConfiguration.create();
    CConfigurationUtil.copyTxProperties(cConf, txConf);
    // ok to pass null, since the impersonator won't actually be called, if kerberos security is not enabled
    Impersonator impersonator = new DefaultImpersonator(cConf, null);
    // TODO: Refactor to use injector for everything
    Injector injector = Guice.createInjector(new ConfigModule(cConf, txConf), new DiscoveryRuntimeModule().getInMemoryModules(), new AuthorizationTestModule(), new AuthorizationEnforcementModule().getInMemoryModules(), new AuthenticationContextModules().getMasterModule(), new TransactionInMemoryModule(), new AbstractModule() {

        @Override
        protected void configure() {
            bind(MetricsCollectionService.class).to(NoOpMetricsCollectionService.class).in(Singleton.class);
            install(new FactoryModuleBuilder().implement(DatasetDefinitionRegistry.class, DefaultDatasetDefinitionRegistry.class).build(DatasetDefinitionRegistryFactory.class));
            // through the injector, we only need RemoteDatasetFramework in these tests
            bind(RemoteDatasetFramework.class);
        }
    });
    // Tx Manager to support working with datasets
    txManager = new TransactionManager(txConf);
    txManager.startAndWait();
    InMemoryTxSystemClient txSystemClient = new InMemoryTxSystemClient(txManager);
    TransactionSystemClientService txSystemClientService = new DelegatingTransactionSystemClientService(txSystemClient);
    DiscoveryService discoveryService = injector.getInstance(DiscoveryService.class);
    DiscoveryServiceClient discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
    MetricsCollectionService metricsCollectionService = injector.getInstance(MetricsCollectionService.class);
    AuthenticationContext authenticationContext = injector.getInstance(AuthenticationContext.class);
    framework = new RemoteDatasetFramework(cConf, discoveryServiceClient, registryFactory, authenticationContext);
    SystemDatasetInstantiatorFactory datasetInstantiatorFactory = new SystemDatasetInstantiatorFactory(locationFactory, framework, cConf);
    DatasetAdminService datasetAdminService = new DatasetAdminService(framework, cConf, locationFactory, datasetInstantiatorFactory, new NoOpMetadataStore(), impersonator);
    ImmutableSet<HttpHandler> handlers = ImmutableSet.<HttpHandler>of(new DatasetAdminOpHTTPHandler(datasetAdminService));
    opExecutorService = new DatasetOpExecutorService(cConf, discoveryService, metricsCollectionService, handlers);
    opExecutorService.startAndWait();
    ImmutableMap<String, DatasetModule> modules = ImmutableMap.<String, DatasetModule>builder().put("memoryTable", new InMemoryTableModule()).put("core", new CoreDatasetsModule()).putAll(DatasetMetaTableUtil.getModules()).build();
    InMemoryDatasetFramework mdsFramework = new InMemoryDatasetFramework(registryFactory, modules);
    DiscoveryExploreClient exploreClient = new DiscoveryExploreClient(discoveryServiceClient, authenticationContext);
    ExploreFacade exploreFacade = new ExploreFacade(exploreClient, cConf);
    TransactionExecutorFactory txExecutorFactory = new DynamicTransactionExecutorFactory(txSystemClient);
    AuthorizationEnforcer authorizationEnforcer = injector.getInstance(AuthorizationEnforcer.class);
    DatasetTypeManager typeManager = new DatasetTypeManager(cConf, locationFactory, txSystemClientService, txExecutorFactory, mdsFramework, impersonator);
    DatasetInstanceManager instanceManager = new DatasetInstanceManager(txSystemClientService, txExecutorFactory, mdsFramework);
    DatasetTypeService noAuthTypeService = new DefaultDatasetTypeService(typeManager, namespaceQueryAdmin, namespacedLocationFactory, cConf, impersonator, txSystemClientService, mdsFramework, DEFAULT_MODULES);
    DatasetTypeService typeService = new AuthorizationDatasetTypeService(noAuthTypeService, authorizationEnforcer, authenticationContext);
    DatasetOpExecutor opExecutor = new LocalDatasetOpExecutor(cConf, discoveryServiceClient, opExecutorService, authenticationContext);
    DatasetInstanceService instanceService = new DatasetInstanceService(typeService, noAuthTypeService, instanceManager, opExecutor, exploreFacade, namespaceQueryAdmin, ownerAdmin, authorizationEnforcer, authenticationContext);
    instanceService.setAuditPublisher(inMemoryAuditPublisher);
    service = new DatasetService(cConf, discoveryService, discoveryServiceClient, metricsCollectionService, new InMemoryDatasetOpExecutor(framework), new HashSet<DatasetMetricsReporter>(), typeService, instanceService);
    // Start dataset service, wait for it to be discoverable
    service.startAndWait();
    EndpointStrategy endpointStrategy = new RandomEndpointStrategy(discoveryServiceClient.discover(Constants.Service.DATASET_MANAGER));
    Preconditions.checkNotNull(endpointStrategy.pick(5, TimeUnit.SECONDS), "%s service is not up after 5 seconds", service);
    createNamespace(NamespaceId.SYSTEM);
    createNamespace(NAMESPACE_ID);
}
Also used : InMemoryDatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.InMemoryDatasetOpExecutor) DiscoveryServiceClient(org.apache.twill.discovery.DiscoveryServiceClient) AuthenticationContext(co.cask.cdap.security.spi.authentication.AuthenticationContext) DatasetAdminOpHTTPHandler(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminOpHTTPHandler) Configuration(org.apache.hadoop.conf.Configuration) HBaseConfiguration(org.apache.hadoop.hbase.HBaseConfiguration) TransactionInMemoryModule(org.apache.tephra.runtime.TransactionInMemoryModule) DatasetService(co.cask.cdap.data2.datafabric.dataset.service.DatasetService) AuthorizationEnforcer(co.cask.cdap.security.spi.authorization.AuthorizationEnforcer) DatasetTypeService(co.cask.cdap.data2.datafabric.dataset.service.DatasetTypeService) AuthorizationDatasetTypeService(co.cask.cdap.data2.datafabric.dataset.service.AuthorizationDatasetTypeService) DefaultDatasetTypeService(co.cask.cdap.data2.datafabric.dataset.service.DefaultDatasetTypeService) ExploreFacade(co.cask.cdap.explore.client.ExploreFacade) DynamicTransactionExecutorFactory(co.cask.cdap.data.runtime.DynamicTransactionExecutorFactory) TransactionExecutorFactory(co.cask.cdap.data2.transaction.TransactionExecutorFactory) NoOpMetadataStore(co.cask.cdap.data2.metadata.store.NoOpMetadataStore) EndpointStrategy(co.cask.cdap.common.discovery.EndpointStrategy) RandomEndpointStrategy(co.cask.cdap.common.discovery.RandomEndpointStrategy) Injector(com.google.inject.Injector) DiscoveryRuntimeModule(co.cask.cdap.common.guice.DiscoveryRuntimeModule) InMemoryDatasetFramework(co.cask.cdap.data2.dataset2.InMemoryDatasetFramework) HashSet(java.util.HashSet) HttpHandler(co.cask.http.HttpHandler) DatasetInstanceManager(co.cask.cdap.data2.datafabric.dataset.instance.DatasetInstanceManager) MetricsCollectionService(co.cask.cdap.api.metrics.MetricsCollectionService) NoOpMetricsCollectionService(co.cask.cdap.common.metrics.NoOpMetricsCollectionService) AuthenticationContextModules(co.cask.cdap.security.auth.context.AuthenticationContextModules) DefaultDatasetDefinitionRegistry(co.cask.cdap.data2.dataset2.DefaultDatasetDefinitionRegistry) DatasetDefinitionRegistry(co.cask.cdap.api.dataset.module.DatasetDefinitionRegistry) InMemoryTxSystemClient(org.apache.tephra.inmemory.InMemoryTxSystemClient) DatasetTypeManager(co.cask.cdap.data2.datafabric.dataset.type.DatasetTypeManager) InMemoryTableModule(co.cask.cdap.data2.dataset2.module.lib.inmemory.InMemoryTableModule) Singleton(com.google.inject.Singleton) TransactionManager(org.apache.tephra.TransactionManager) LocalDatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.LocalDatasetOpExecutor) AuthorizationEnforcementModule(co.cask.cdap.security.authorization.AuthorizationEnforcementModule) DelegatingTransactionSystemClientService(co.cask.cdap.data2.transaction.DelegatingTransactionSystemClientService) ConfigModule(co.cask.cdap.common.guice.ConfigModule) FactoryModuleBuilder(com.google.inject.assistedinject.FactoryModuleBuilder) DynamicTransactionExecutorFactory(co.cask.cdap.data.runtime.DynamicTransactionExecutorFactory) DatasetModule(co.cask.cdap.api.dataset.module.DatasetModule) DiscoveryExploreClient(co.cask.cdap.explore.client.DiscoveryExploreClient) SystemDatasetInstantiatorFactory(co.cask.cdap.data.dataset.SystemDatasetInstantiatorFactory) DefaultDatasetDefinitionRegistry(co.cask.cdap.data2.dataset2.DefaultDatasetDefinitionRegistry) CoreDatasetsModule(co.cask.cdap.data2.dataset2.lib.table.CoreDatasetsModule) DatasetInstanceService(co.cask.cdap.data2.datafabric.dataset.service.DatasetInstanceService) TransactionSystemClientService(co.cask.cdap.data2.transaction.TransactionSystemClientService) DelegatingTransactionSystemClientService(co.cask.cdap.data2.transaction.DelegatingTransactionSystemClientService) DiscoveryService(org.apache.twill.discovery.DiscoveryService) DatasetAdminService(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminService) LocalDatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.LocalDatasetOpExecutor) DatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetOpExecutor) InMemoryDatasetOpExecutor(co.cask.cdap.data2.datafabric.dataset.service.executor.InMemoryDatasetOpExecutor) AuthorizationDatasetTypeService(co.cask.cdap.data2.datafabric.dataset.service.AuthorizationDatasetTypeService) DefaultImpersonator(co.cask.cdap.security.impersonation.DefaultImpersonator) Impersonator(co.cask.cdap.security.impersonation.Impersonator) DefaultImpersonator(co.cask.cdap.security.impersonation.DefaultImpersonator) AuthorizationTestModule(co.cask.cdap.security.authorization.AuthorizationTestModule) AbstractModule(com.google.inject.AbstractModule) DatasetOpExecutorService(co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetOpExecutorService) DefaultDatasetTypeService(co.cask.cdap.data2.datafabric.dataset.service.DefaultDatasetTypeService) RandomEndpointStrategy(co.cask.cdap.common.discovery.RandomEndpointStrategy) Before(org.junit.Before)

Example 5 with AuthorizationEnforcer

use of co.cask.cdap.security.spi.authorization.AuthorizationEnforcer in project cdap by caskdata.

the class PreviewDatasetFramework method getDataset.

@Nullable
@Override
public <T extends Dataset> T getDataset(final DatasetId datasetInstanceId, final Map<String, String> arguments, @Nullable final ClassLoader classLoader, final DatasetClassLoaderProvider classLoaderProvider, @Nullable final Iterable<? extends EntityId> owners, final AccessType accessType) throws DatasetManagementException, IOException {
    Principal principal = authenticationContext.getPrincipal();
    try {
        AuthorizationEnforcer enforcer;
        final boolean isUserDataset = DatasetsUtil.isUserDataset(datasetInstanceId);
        // only for the datasets from the real space enforce the authorization.
        if (isUserDataset && actualDatasetFramework.hasInstance(datasetInstanceId)) {
            enforcer = authorizationEnforcer;
        } else {
            enforcer = NOOP_ENFORCER;
        }
        return DefaultDatasetRuntimeContext.execute(enforcer, NOOP_DATASET_ACCESS_RECORDER, principal, datasetInstanceId, null, new Callable<T>() {

            @Override
            public T call() throws Exception {
                if (isUserDataset && actualDatasetFramework.hasInstance(datasetInstanceId)) {
                    return actualDatasetFramework.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType);
                }
                return localDatasetFramework.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType);
            }
        });
    } catch (IOException | DatasetManagementException e) {
        throw e;
    } catch (Exception e) {
        throw new DatasetManagementException("Failed to create dataset instance: " + datasetInstanceId, e);
    }
}
Also used : DatasetManagementException(co.cask.cdap.api.dataset.DatasetManagementException) AuthorizationEnforcer(co.cask.cdap.security.spi.authorization.AuthorizationEnforcer) IOException(java.io.IOException) Principal(co.cask.cdap.proto.security.Principal) DatasetManagementException(co.cask.cdap.api.dataset.DatasetManagementException) IOException(java.io.IOException) Nullable(javax.annotation.Nullable)

Aggregations

AuthorizationEnforcer (co.cask.cdap.security.spi.authorization.AuthorizationEnforcer)7 SystemDatasetInstantiatorFactory (co.cask.cdap.data.dataset.SystemDatasetInstantiatorFactory)3 DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)2 DatasetModule (co.cask.cdap.api.dataset.module.DatasetModule)2 MetricsCollectionService (co.cask.cdap.api.metrics.MetricsCollectionService)2 CConfiguration (co.cask.cdap.common.conf.CConfiguration)2 ConfigModule (co.cask.cdap.common.guice.ConfigModule)2 DiscoveryRuntimeModule (co.cask.cdap.common.guice.DiscoveryRuntimeModule)2 NoOpMetricsCollectionService (co.cask.cdap.common.metrics.NoOpMetricsCollectionService)2 NamespaceAdmin (co.cask.cdap.common.namespace.NamespaceAdmin)2 NamespaceQueryAdmin (co.cask.cdap.common.namespace.NamespaceQueryAdmin)2 DynamicTransactionExecutorFactory (co.cask.cdap.data.runtime.DynamicTransactionExecutorFactory)2 DatasetInstanceManager (co.cask.cdap.data2.datafabric.dataset.instance.DatasetInstanceManager)2 DatasetService (co.cask.cdap.data2.datafabric.dataset.service.DatasetService)2 DatasetAdminOpHTTPHandler (co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminOpHTTPHandler)2 DatasetAdminService (co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminService)2 DatasetOpExecutor (co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetOpExecutor)2 DatasetOpExecutorService (co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetOpExecutorService)2 InMemoryDatasetOpExecutor (co.cask.cdap.data2.datafabric.dataset.service.executor.InMemoryDatasetOpExecutor)2 DatasetTypeManager (co.cask.cdap.data2.datafabric.dataset.type.DatasetTypeManager)2