
Example 1 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class StreamAdminTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    Authorizer authorizer = getAuthorizer();
    Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
    authorizer.grant(entityId, principal, actions);
    ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Action action : actions) {
        expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), authorizer.listPrivileges(principal));
}
Also used : Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) Privilege(co.cask.cdap.proto.security.Privilege)

Example 2 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizationTest method testFlowStreamAuth.

@Test
@Category(SlowTests.class)
public void testFlowStreamAuth() throws Exception {
    createAuthNamespace();
    Authorizer authorizer = getAuthorizer();
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
    // After deploy, change Alice from ALL to ADMIN on the namespace
    authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
    authorizer.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));
    final FlowManager flowManager = appManager.getFlowManager(StreamAuthApp.FLOW);
    StreamId streamId = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
    StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM));
    StreamManager streamManager2 = getStreamManager(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM2));
    streamManager.send("Auth");
    flowManager.start();
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
            return kvTable.get().read("Auth") != null;
        }
    }, 5, TimeUnit.SECONDS);
    flowManager.stop();
    flowManager.waitForRun(ProgramRunStatus.KILLED, 60, TimeUnit.SECONDS);
    // Now revoke read permission for Alice on that stream (revoke ALL and then grant everything other than READ)
    authorizer.revoke(streamId, ALICE, EnumSet.allOf(Action.class));
    authorizer.grant(streamId, ALICE, EnumSet.of(Action.WRITE, Action.ADMIN, Action.EXECUTE));
    streamManager.send("Security");
    streamManager2.send("Safety");
    try {
        flowManager.start();
    } catch (RuntimeException e) {
        Assert.assertTrue(e.getCause() instanceof UnauthorizedException);
    }
    authorizer.grant(streamId, ALICE, ImmutableSet.of(Action.READ));
    flowManager.start();
    Tasks.waitFor(true, new Callable<Boolean>() {

        @Override
        public Boolean call() throws Exception {
            DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
            return kvTable.get().read("Security") != null;
        }
    }, 5, TimeUnit.SECONDS);
    authorizer.revoke(streamId, ALICE, ImmutableSet.of(Action.READ));
    TimeUnit.MILLISECONDS.sleep(10);
    flowManager.stop();
    flowManager.waitForRuns(ProgramRunStatus.KILLED, 2, 5, TimeUnit.SECONDS);
    appManager.delete();
}
Also used : FlowManager(co.cask.cdap.test.FlowManager) ApplicationManager(co.cask.cdap.test.ApplicationManager) Action(co.cask.cdap.proto.security.Action) StreamId(co.cask.cdap.proto.id.StreamId) TimeoutException(java.util.concurrent.TimeoutException) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) IOException(java.io.IOException) ExecutionException(java.util.concurrent.ExecutionException) StreamManager(co.cask.cdap.test.StreamManager) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) DataSetManager(co.cask.cdap.test.DataSetManager) Category(org.junit.experimental.categories.Category) Test(org.junit.Test)

Example 3 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizerInstantiator method createAndInitializeAuthorizerInstance.

/**
 * Creates a new instance of the configured {@link Authorizer} extension, based on the provided extension jar
 * file.
 *
 * @return a new instance of the configured {@link Authorizer} extension
 */
private Authorizer createAndInitializeAuthorizerInstance(File authorizerExtensionJar) throws IOException, InvalidAuthorizerException {
    Class<? extends Authorizer> authorizerClass = loadAuthorizerClass(authorizerExtensionJar);
    // Set the context class loader to the AuthorizerClassLoader before creating a new instance of the extension,
    // so all classes required in this process are created from the AuthorizerClassLoader.
    ClassLoader oldClassLoader = ClassLoaders.setContextClassLoader(authorizerClassLoader);
    LOG.debug("Setting context classloader to {}. Old classloader was {}.", authorizerClassLoader, oldClassLoader);
    try {
        Authorizer authorizer;
        try {
            authorizer = instantiatorFactory.get(TypeToken.of(authorizerClass)).create();
        } catch (Exception e) {
            throw new InvalidAuthorizerException(String.format("Error while instantiating for authorizer extension %s. Please make sure that the extension " + "is a public class with a default constructor.", authorizerClass.getName()), e);
        }
        AuthorizationContext context = authorizationContextFactory.create(createExtensionProperties());
        try {
            authorizer.initialize(context);
        } catch (Exception e) {
            throw new InvalidAuthorizerException(String.format("Error while initializing authorizer extension %s.", authorizerClass.getName()), e);
        }
        return authorizer;
    } finally {
        // After the process of creation of a new instance has completed (success or failure), reset the context
        // classloader back to the original class loader.
        ClassLoaders.setContextClassLoader(oldClassLoader);
        LOG.debug("Resetting context classloader to {} from {}.", oldClassLoader, authorizerClassLoader);
    }
}
Also used : NoOpAuthorizer(co.cask.cdap.security.spi.authorization.NoOpAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) AuthorizationContext(co.cask.cdap.security.spi.authorization.AuthorizationContext) ZipException(java.util.zip.ZipException) IOException(java.io.IOException)

Example 4 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizerInstantiatorTest method assertDisabled.

private void assertDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature) throws IOException {
    try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
        Authorizer authorizer = instantiator.get();
        Assert.assertTrue(String.format("When %s is disabled, a %s must be returned, but got %s.", feature.name().toLowerCase(), NoOpAuthorizer.class.getSimpleName(), authorizer.getClass().getName()), authorizer instanceof NoOpAuthorizer);
    }
}
Also used : NoOpAuthorizer(co.cask.cdap.security.spi.authorization.NoOpAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer)

Example 5 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizationTest method testNamespaces.

@Test
public void testNamespaces() throws Exception {
    NamespaceAdmin namespaceAdmin = getNamespaceAdmin();
    Authorizer authorizer = getAuthorizer();
    try {
        namespaceAdmin.create(AUTH_NAMESPACE_META);
        Assert.fail("Namespace create should have failed because alice is not authorized on " + instance);
    } catch (UnauthorizedException expected) {
        // expected
    }
    createAuthNamespace();
    // No authorization currently for listing and retrieving namespace
    namespaceAdmin.list();
    namespaceAdmin.get(AUTH_NAMESPACE);
    // revoke privileges
    revokeAndAssertSuccess(AUTH_NAMESPACE);
    try {
        namespaceAdmin.deleteDatasets(AUTH_NAMESPACE);
        Assert.fail("Namespace delete datasets should have failed because alice's privileges on the namespace have " + "been revoked");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // grant privileges again
    grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
    namespaceAdmin.deleteDatasets(AUTH_NAMESPACE);
    // deleting datasets does not revoke privileges.
    Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE));
    NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
    namespaceAdmin.updateProperties(AUTH_NAMESPACE, updated);
}
Also used : NamespaceMeta(co.cask.cdap.proto.NamespaceMeta) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) NamespaceAdmin(co.cask.cdap.common.namespace.NamespaceAdmin) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) Privilege(co.cask.cdap.proto.security.Privilege) Test(org.junit.Test)
