use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.
the class StreamAdminTest method grantAndAssertSuccess.
/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and verifies the resulting privilege set.
 *
 * <p>The check is an exact set comparison: the privileges listed after the grant must equal the privileges
 * listed before it plus one {@link Privilege} per granted action. A missing grant and an unexpected extra
 * privilege therefore both fail the assertion.
 *
 * @param entityId the entity on which the actions are granted
 * @param principal the principal receiving the grant
 * @param actions the actions to grant
 * @throws Exception if listing or granting privileges fails
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
  Authorizer authz = getAuthorizer();
  // Read the privileges before granting so the assertion can prove the grant only added to them.
  // NOTE(review): assumes listPrivileges returns a snapshot rather than a live view - confirm.
  Set<Privilege> privilegesBeforeGrant = authz.listPrivileges(principal);
  authz.grant(entityId, principal, actions);

  ImmutableSet.Builder<Privilege> newlyGranted = ImmutableSet.builder();
  for (Action grantedAction : actions) {
    newlyGranted.add(new Privilege(entityId, grantedAction));
  }

  Set<Privilege> expectedAfterGrant = Sets.union(privilegesBeforeGrant, newlyGranted.build());
  Assert.assertEquals(expectedAfterGrant, authz.listPrivileges(principal));
}
use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.
the class AuthorizationTest method testFlowStreamAuth.
/**
 * Checks that a flow's access to its input stream follows Alice's READ privilege on that stream.
 *
 * <p>Sequence: run the flow with namespace-level ADMIN and wait for the "Auth" key in the KV table; revoke
 * READ on the stream and attempt to start the flow again; grant READ back and wait for the "Security" key;
 * finally revoke READ once more and stop the flow.
 *
 * <p>The order of the grant/revoke calls relative to the flow start/stop calls is what the test exercises,
 * so statements must not be reordered.
 *
 * @throws Exception if any admin, authorizer or flow operation fails, or a wait times out
 */
@Test
@Category(SlowTests.class)
public void testFlowStreamAuth() throws Exception {
  createAuthNamespace();
  Authorizer authorizer = getAuthorizer();
  ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
  // After deploy, change Alice from ALL to ADMIN on the namespace
  authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
  authorizer.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));
  final FlowManager flowManager = appManager.getFlowManager(StreamAuthApp.FLOW);
  StreamId streamId = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
  StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM));
  StreamManager streamManager2 = getStreamManager(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM2));
  // Baseline (allowed) run: send one event and wait up to 5 seconds for its key to appear in the KV table.
  // Presumably the flow copies stream events into the table - confirm against StreamAuthApp.
  streamManager.send("Auth");
  flowManager.start();
  Tasks.waitFor(true, new Callable<Boolean>() {
    @Override
    public Boolean call() throws Exception {
      DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
      return kvTable.get().read("Auth") != null;
    }
  }, 5, TimeUnit.SECONDS);
  flowManager.stop();
  flowManager.waitForRun(ProgramRunStatus.KILLED, 60, TimeUnit.SECONDS);
  // Now revoke read permission for Alice on that stream (revoke ALL and then grant everything other than READ)
  authorizer.revoke(streamId, ALICE, EnumSet.allOf(Action.class));
  authorizer.grant(streamId, ALICE, EnumSet.of(Action.WRITE, Action.ADMIN, Action.EXECUTE));
  streamManager.send("Security");
  // NOTE(review): nothing later in this method asserts on the "Safety" event sent to STREAM2.
  streamManager2.send("Safety");
  // Negative case: READ is revoked, so the start is expected to be rejected.
  // NOTE(review): there is no Assert.fail() after start(). If start() returns normally the test carries on,
  // so the denial itself is never verified. Confirm whether start() is meant to throw synchronously here,
  // and if so fail the test when it does not.
  try {
    flowManager.start();
  } catch (RuntimeException e) {
    // The authorization failure is expected to arrive wrapped as the cause of a RuntimeException.
    Assert.assertTrue(e.getCause() instanceof UnauthorizedException);
  }
  // Restore READ: the same flow must now be able to process the "Security" event sent while READ was revoked.
  authorizer.grant(streamId, ALICE, ImmutableSet.of(Action.READ));
  flowManager.start();
  Tasks.waitFor(true, new Callable<Boolean>() {
    @Override
    public Boolean call() throws Exception {
      DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
      return kvTable.get().read("Security") != null;
    }
  }, 5, TimeUnit.SECONDS);
  // Revoke READ while the flow is running.
  // NOTE(review): the 10 ms sleep presumably gives the revoke time to take effect, but nothing afterwards
  // asserts that the running flow was actually denied access - confirm the intent.
  authorizer.revoke(streamId, ALICE, ImmutableSet.of(Action.READ));
  TimeUnit.MILLISECONDS.sleep(10);
  flowManager.stop();
  // Expect two KILLED runs in total within 5 seconds.
  flowManager.waitForRuns(ProgramRunStatus.KILLED, 2, 5, TimeUnit.SECONDS);
  appManager.delete();
}
use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.
the class AuthorizerInstantiator method createAndInitializeAuthorizerInstance.
/**
 * Loads the {@link Authorizer} extension class from the given jar, instantiates it and initializes it.
 *
 * <p>Both the extension's constructor and its {@code initialize} method run in this process, with the thread
 * context class loader temporarily set to the authorizer class loader. The previous context class loader is
 * always restored, whether creation succeeds or fails.
 *
 * <p>NOTE(review): because extension code is executed here, the jar location should be treated as trusted
 * configuration. Confirm how the path is validated by the caller.
 *
 * @param authorizerExtensionJar the jar file containing the authorizer extension
 * @return a new, initialized instance of the configured {@link Authorizer} extension
 * @throws IOException declared by this method; raised by the helpers it calls (not visible here)
 * @throws InvalidAuthorizerException if the extension cannot be instantiated or its initialization fails
 */
private Authorizer createAndInitializeAuthorizerInstance(File authorizerExtensionJar) throws IOException, InvalidAuthorizerException {
  Class<? extends Authorizer> extensionClass = loadAuthorizerClass(authorizerExtensionJar);
  // Switch the context class loader before instantiating the extension, so that classes needed while
  // constructing and initializing it are resolved through the AuthorizerClassLoader.
  ClassLoader previousClassLoader = ClassLoaders.setContextClassLoader(authorizerClassLoader);
  LOG.debug("Setting context classloader to {}. Old classloader was {}.", authorizerClassLoader, previousClassLoader);
  try {
    Authorizer instance;
    try {
      instance = instantiatorFactory.get(TypeToken.of(extensionClass)).create();
    } catch (Exception e) {
      String message = String.format("Error while instantiating for authorizer extension %s. Please make sure that the extension " + "is a public class with a default constructor.", extensionClass.getName());
      throw new InvalidAuthorizerException(message, e);
    }

    AuthorizationContext authorizationContext = authorizationContextFactory.create(createExtensionProperties());
    try {
      instance.initialize(authorizationContext);
    } catch (Exception e) {
      String message = String.format("Error while initializing authorizer extension %s.", extensionClass.getName());
      throw new InvalidAuthorizerException(message, e);
    }
    return instance;
  } finally {
    // Success or failure, put the original context class loader back so the extension's class loader
    // does not stay attached to this thread.
    ClassLoaders.setContextClassLoader(previousClassLoader);
    LOG.debug("Resetting context classloader to {} from {}.", previousClassLoader, authorizerClassLoader);
  }
}
use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.
the class AuthorizerInstantiatorTest method assertDisabled.
/**
 * Asserts that an {@link AuthorizerInstantiator} built from {@code cConf} hands out a {@link NoOpAuthorizer}.
 *
 * @param cConf the configuration used to construct the instantiator
 * @param feature the feature expected to be disabled; only used to build the failure message
 * @throws IOException if constructing or closing the instantiator fails
 */
private void assertDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature) throws IOException {
  try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    Authorizer actual = authorizerInstantiator.get();
    // Build the failure message first so it names the class that was actually returned.
    String failureMessage = String.format("When %s is disabled, a %s must be returned, but got %s.",
                                          feature.name().toLowerCase(),
                                          NoOpAuthorizer.class.getSimpleName(),
                                          actual.getClass().getName());
    boolean isNoOp = actual instanceof NoOpAuthorizer;
    Assert.assertTrue(failureMessage, isNoOp);
  }
}
use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.
the class AuthorizationTest method testNamespaces.
/**
 * Walks namespace administration through a denied / allowed / revoked / re-granted cycle for Alice.
 *
 * <p>Both negative cases use the try / {@code Assert.fail} / catch pattern, so the test fails if the
 * operation is allowed when it should have been rejected.
 *
 * @throws Exception if an operation that is expected to succeed fails
 */
@Test
public void testNamespaces() throws Exception {
  NamespaceAdmin nsAdmin = getNamespaceAdmin();
  Authorizer authz = getAuthorizer();

  // Denied: creating the namespace before Alice is authorized on the instance must be rejected.
  try {
    nsAdmin.create(AUTH_NAMESPACE_META);
    Assert.fail("Namespace create should have failed because alice is not authorized on " + instance);
  } catch (UnauthorizedException ignored) {
    // the rejection is the expected outcome
  }

  createAuthNamespace();

  // Listing and retrieving namespaces are not subject to authorization at present;
  // these calls only need to complete without throwing.
  nsAdmin.list();
  nsAdmin.get(AUTH_NAMESPACE);

  // Denied: once the privileges on the namespace are revoked, deleting its datasets must be rejected.
  revokeAndAssertSuccess(AUTH_NAMESPACE);
  try {
    nsAdmin.deleteDatasets(AUTH_NAMESPACE);
    Assert.fail("Namespace delete datasets should have failed because alice's privileges on the namespace have " + "been revoked");
  } catch (UnauthorizedException ignored) {
    // the rejection is the expected outcome
  }

  // Allowed: with ADMIN granted again, the same operation goes through.
  grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
  nsAdmin.deleteDatasets(AUTH_NAMESPACE);

  // Deleting datasets must leave Alice's privileges as they were: ADMIN on the instance and on the namespace.
  ImmutableSet<Privilege> expectedPrivileges = ImmutableSet.of(
    new Privilege(instance, Action.ADMIN),
    new Privilege(AUTH_NAMESPACE, Action.ADMIN));
  Assert.assertEquals(expectedPrivileges, authz.listPrivileges(ALICE));

  NamespaceMeta withNewDescription = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
  nsAdmin.updateProperties(AUTH_NAMESPACE, withNewDescription);
}