Examples with Authorizer co.cask.cdap.security.spi.authorization.Authorizer used on opensource projects

Search in sources :

Example 11 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizerInstantiatorTest method testAuthorizerExtension.

@Test
public void testAuthorizerExtension() throws IOException, ClassNotFoundException {
    Manifest manifest = new Manifest();
    manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, ValidExternalAuthorizer.class.getName());
    Location externalAuthJar = AppJarHelper.createDeploymentJar(locationFactory, ValidExternalAuthorizer.class, manifest);
    CConfiguration cConfCopy = CConfiguration.copy(CCONF);
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, externalAuthJar.toString());
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "config.path", "/path/config.ini");
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "service.address", "http://foo.bar.co:5555");
    cConfCopy.set("foo." + Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "dont.include", "not.prefix.should.not.be.included");
    try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConfCopy, AUTH_CONTEXT_FACTORY)) {
        // should be able to load the ExternalAuthorizer class via the AuthorizerInstantiatorService
        Authorizer externalAuthorizer1 = instantiator.get();
        Assert.assertNotNull(externalAuthorizer1);
        Authorizer externalAuthorizer2 = instantiator.get();
        Assert.assertNotNull(externalAuthorizer2);
        // verify that get returns the same  instance each time it is called.
        Assert.assertEquals(externalAuthorizer1, externalAuthorizer2);
        ClassLoader authorizerClassLoader = externalAuthorizer1.getClass().getClassLoader();
        ClassLoader parent = authorizerClassLoader.getParent();
        // should be able to load the Authorizer interface via the parent
        parent.loadClass(Authorizer.class.getName());
        // should not be able to load the ExternalAuthorizer class via the parent class loader
        try {
            parent.loadClass(ValidExternalAuthorizer.class.getName());
            Assert.fail("Should not be able to load external authorizer classes via the parent classloader of the " + "Authorizer class loader.");
        } catch (ClassNotFoundException expected) {
        // expected
        }
        // should be able to load the ExternalAuthorizer class via the AuthorizerClassLoader
        authorizerClassLoader.loadClass(ValidExternalAuthorizer.class.getName());
        // have to do this because the external authorizer instance is created in a new classloader, so casting will
        // not work.
        Gson gson = new Gson();
        ValidExternalAuthorizer validAuthorizer = gson.fromJson(gson.toJson(externalAuthorizer1), ValidExternalAuthorizer.class);
        Properties expectedProps = new Properties();
        expectedProps.put("config.path", "/path/config.ini");
        expectedProps.put("service.address", "http://foo.bar.co:5555");
        Properties actualProps = validAuthorizer.getProperties();
        Assert.assertEquals(expectedProps, actualProps);
    }
}
Also used : NoOpAuthorizer(co.cask.cdap.security.spi.authorization.NoOpAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) Gson(com.google.gson.Gson) Manifest(java.util.jar.Manifest) Properties(java.util.Properties) CConfiguration(co.cask.cdap.common.conf.CConfiguration) Location(org.apache.twill.filesystem.Location) Test(org.junit.Test)

Example 12 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class DefaultAuthorizationEnforcerTest method testAuthEnforce.

@Test
public void testAuthEnforce() throws Exception {
    try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
        Authorizer authorizer = authorizerInstantiator.get();
        DefaultAuthorizationEnforcer authEnforcementService = new DefaultAuthorizationEnforcer(CCONF, authorizerInstantiator);
        // update privileges for alice. Currently alice has not been granted any privileges.
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.ADMIN);
        // grant some test privileges
        DatasetId ds = NS.dataset("ds");
        authorizer.grant(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
        authorizer.grant(ds, BOB, ImmutableSet.of(Action.ADMIN));
        // auth enforcement for alice should succeed on ns for actions read and write
        authEnforcementService.enforce(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, EnumSet.allOf(Action.class));
        // since Alice has READ/WRITE on the NS, everything under that should have READ/WRITE as well.
        authEnforcementService.enforce(ds, ALICE, Action.READ);
        authEnforcementService.enforce(ds, ALICE, Action.WRITE);
        // Alice doesn't have Admin right on NS, hence should fail.
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.ADMIN);
        // also, even though bob's privileges were never updated, auth enforcement for bob should not fail,
        // because the LoadingCache should make a blocking call to retrieve his privileges
        authEnforcementService.enforce(ds, BOB, Action.ADMIN);
        // revoke all of alice's privileges
        authorizer.revoke(NS, ALICE, ImmutableSet.of(Action.READ));
        try {
            authEnforcementService.enforce(NS, ALICE, Action.READ);
            Assert.fail(String.format("Expected %s to not have '%s' privilege on %s but it does.", ALICE, Action.READ, NS));
        } catch (UnauthorizedException ignored) {
        // expected
        }
        authorizer.revoke(NS);
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.READ);
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.WRITE);
        authEnforcementService.enforce(ds, BOB, Action.ADMIN);
    }
}
Also used : Action(co.cask.cdap.proto.security.Action) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) DatasetId(co.cask.cdap.proto.id.DatasetId) Test(org.junit.Test)

Example 13 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizationTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
    Authorizer authorizer = getAuthorizer();
    Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
    authorizer.grant(entityId, principal, actions);
    ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Action action : actions) {
        expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), authorizer.listPrivileges(principal));
}
Also used : Action(co.cask.cdap.proto.security.Action) ImmutableSet(com.google.common.collect.ImmutableSet) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) Privilege(co.cask.cdap.proto.security.Privilege)

Example 14 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizationTest method cleanupTest.

@After
public void cleanupTest() throws Exception {
    Authorizer authorizer = getAuthorizer();
    grantAndAssertSuccess(AUTH_NAMESPACE, SecurityRequestContext.toPrincipal(), EnumSet.allOf(Action.class));
    // clean up. remove the namespace. all privileges on the namespace should be revoked
    getNamespaceAdmin().delete(AUTH_NAMESPACE);
    Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN)), authorizer.listPrivileges(ALICE));
    // revoke privileges on the instance
    revokeAndAssertSuccess(instance);
}
Also used : Action(co.cask.cdap.proto.security.Action) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) Privilege(co.cask.cdap.proto.security.Privilege) After(org.junit.After)

Example 15 with Authorizer

use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

the class AuthorizationTest method testMRStreamAuth.

@Test
@Category(SlowTests.class)
public void testMRStreamAuth() throws Exception {
    createAuthNamespace();
    Authorizer authorizer = getAuthorizer();
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
    // After deploy, change Alice from ALL to ADMIN on the namespace
    authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
    authorizer.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));
    StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM));
    streamManager.send("Hello");
    final MapReduceManager mrManager = appManager.getMapReduceManager(StreamAuthApp.MAPREDUCE);
    mrManager.start();
    // Since Alice had full permissions, she should be able to execute the MR job successfully
    mrManager.waitForRun(ProgramRunStatus.COMPLETED, 1, TimeUnit.MINUTES);
    DataSetManager<KeyValueTable> kvManager = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
    try (KeyValueTable kvTable = kvManager.get()) {
        byte[] value = kvTable.read("Hello");
        Assert.assertArrayEquals(Bytes.toBytes("Hello"), value);
    }
    ProgramId mrId = AUTH_NAMESPACE.app(StreamAuthApp.APP).mr(StreamAuthApp.MAPREDUCE);
    authorizer.grant(mrId.getNamespaceId(), BOB, ImmutableSet.of(Action.ADMIN));
    ArtifactSummary artifactSummary = appManager.getInfo().getArtifact();
    ArtifactId artifactId = AUTH_NAMESPACE.artifact(artifactSummary.getName(), artifactSummary.getVersion());
    authorizer.grant(artifactId, BOB, EnumSet.allOf(Action.class));
    authorizer.grant(mrId.getParent(), BOB, EnumSet.allOf(Action.class));
    authorizer.grant(mrId, BOB, EnumSet.allOf(Action.class));
    authorizer.grant(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM), BOB, EnumSet.of(Action.ADMIN));
    authorizer.grant(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE), BOB, EnumSet.allOf(Action.class));
    streamManager.send("World");
    // Switch user to Bob. Note that he doesn't have READ access on the stream.
    SecurityRequestContext.setUserId(BOB.getName());
    mrManager.start();
    mrManager.waitForRun(ProgramRunStatus.FAILED, 1, TimeUnit.MINUTES);
    kvManager = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
    try (KeyValueTable kvTable = kvManager.get()) {
        byte[] value = kvTable.read("World");
        Assert.assertNull(value);
    }
    // Now grant Bob, READ access on the stream. MR job should execute successfully now.
    authorizer.grant(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM), BOB, ImmutableSet.of(Action.READ));
    mrManager.start();
    mrManager.waitForRuns(ProgramRunStatus.COMPLETED, 2, 1, TimeUnit.MINUTES);
    kvManager = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
    try (KeyValueTable kvTable = kvManager.get()) {
        byte[] value = kvTable.read("World");
        Assert.assertEquals("World", Bytes.toString(value));
    }
    SecurityRequestContext.setUserId(ALICE.getName());
    appManager.delete();
    assertNoAccess(AUTH_NAMESPACE.app(StreamAuthApp.APP));
}
Also used : ApplicationManager(co.cask.cdap.test.ApplicationManager) Action(co.cask.cdap.proto.security.Action) ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary) MapReduceManager(co.cask.cdap.test.MapReduceManager) ArtifactId(co.cask.cdap.proto.id.ArtifactId) StreamManager(co.cask.cdap.test.StreamManager) KeyValueTable(co.cask.cdap.api.dataset.lib.KeyValueTable) InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) ProgramId(co.cask.cdap.proto.id.ProgramId) Category(org.junit.experimental.categories.Category) Test(org.junit.Test)

Aggregations

Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)19 InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer)13 Action (co.cask.cdap.proto.security.Action)12 Test (org.junit.Test)10 Privilege (co.cask.cdap.proto.security.Privilege)7 ApplicationManager (co.cask.cdap.test.ApplicationManager)5 Category (org.junit.experimental.categories.Category)5 StreamId (co.cask.cdap.proto.id.StreamId)4 UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)4 StreamManager (co.cask.cdap.test.StreamManager)4 DatasetId (co.cask.cdap.proto.id.DatasetId)3 NoOpAuthorizer (co.cask.cdap.security.spi.authorization.NoOpAuthorizer)3 IOException (java.io.IOException)3 ArtifactSummary (co.cask.cdap.api.artifact.ArtifactSummary)2 KeyValueTable (co.cask.cdap.api.dataset.lib.KeyValueTable)2 CConfiguration (co.cask.cdap.common.conf.CConfiguration)2 ArtifactId (co.cask.cdap.proto.id.ArtifactId)2 EntityId (co.cask.cdap.proto.id.EntityId)2 NamespaceId (co.cask.cdap.proto.id.NamespaceId)2 ProgramId (co.cask.cdap.proto.id.ProgramId)2
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial