Example 16 with Authorizer

Use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

From the class AuthorizationTest, method createAuthNamespace.

private void createAuthNamespace() throws Exception {
    Authorizer authorizer = getAuthorizer();
    // ALICE needs ADMIN on the CDAP instance before she is allowed to create a namespace.
    grantAndAssertSuccess(instance, ALICE, ImmutableSet.of(Action.ADMIN));
    getNamespaceAdmin().create(AUTH_NAMESPACE_META);
    // Creating the namespace grants its creator every action on it; ALICE must hold exactly these privileges and no others.
    Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN),
                                        new Privilege(AUTH_NAMESPACE, Action.ADMIN),
                                        new Privilege(AUTH_NAMESPACE, Action.READ),
                                        new Privilege(AUTH_NAMESPACE, Action.WRITE),
                                        new Privilege(AUTH_NAMESPACE, Action.EXECUTE)),
                        authorizer.listPrivileges(ALICE));
}
Also used: InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer), Authorizer (co.cask.cdap.security.spi.authorization.Authorizer), Privilege (co.cask.cdap.proto.security.Privilege)

Example 17 with Authorizer

Use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

From the class AuthorizationTest, method assertNoAccess.

private void assertNoAccess(Principal principal, final EntityId entityId) throws Exception {
    Authorizer authorizer = getAuthorizer();
    // Keep only the privileges that refer to the entity under test.
    Predicate<Privilege> entityFilter = new Predicate<Privilege>() {

        @Override
        public boolean apply(Privilege input) {
            return entityId.equals(input.getEntity());
        }
    };
    // The principal must hold no action at all on that entity.
    Assert.assertTrue(Sets.filter(authorizer.listPrivileges(principal), entityFilter).isEmpty());
}
Also used: InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer), Authorizer (co.cask.cdap.security.spi.authorization.Authorizer), Privilege (co.cask.cdap.proto.security.Privilege), Predicate (com.google.common.base.Predicate)

Example 18 with Authorizer

Use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

From the class AuthorizationTest, method revokeAndAssertSuccess.

private void revokeAndAssertSuccess(final EntityId entityId) throws Exception {
    Authorizer authorizer = getAuthorizer();
    // The single-argument revoke removes every principal's privileges on the entity.
    authorizer.revoke(entityId);
    // Confirm that no privilege on the entity survives (one-argument overload of assertNoAccess, not shown on this page).
    assertNoAccess(entityId);
}
Also used: InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer), Authorizer (co.cask.cdap.security.spi.authorization.Authorizer)

Example 19 with Authorizer

Use of co.cask.cdap.security.spi.authorization.Authorizer in project cdap by caskdata.

From the class AuthorizationTest, method testSparkStreamAuth.

@Test
@Category(SlowTests.class)
public void testSparkStreamAuth() throws Exception {
    createAuthNamespace();
    Authorizer authorizer = getAuthorizer();
    StreamId streamId = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
    // Deploy while Alice still holds every action on the namespace.
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
    // After deploy, change Alice from ALL to ADMIN on the namespace
    authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
    authorizer.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));
    StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM));
    streamManager.send("Hello");
    // First run: Alice can still read the stream, so the Spark job completes and copies the event into the table.
    final SparkManager sparkManager = appManager.getSparkManager(StreamAuthApp.SPARK);
    sparkManager.start();
    sparkManager.waitForRun(ProgramRunStatus.COMPLETED, 1, TimeUnit.MINUTES);
    DataSetManager<KeyValueTable> kvManager = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
    try (KeyValueTable kvTable = kvManager.get()) {
        byte[] value = kvTable.read("Hello");
        Assert.assertArrayEquals(Bytes.toBytes("Hello"), value);
    }
    streamManager.send("World");
    // Revoke READ permission on STREAM for Alice
    authorizer.revoke(streamId, ALICE, EnumSet.allOf(Action.class));
    authorizer.grant(streamId, ALICE, EnumSet.of(Action.WRITE, Action.ADMIN, Action.EXECUTE));
    // Second run: without READ on the stream the job must fail, and nothing may reach the table.
    sparkManager.start();
    sparkManager.waitForRun(ProgramRunStatus.FAILED, 1, TimeUnit.MINUTES);
    kvManager = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
    try (KeyValueTable kvTable = kvManager.get()) {
        byte[] value = kvTable.read("World");
        Assert.assertNull(value);
    }
    // Grant ALICE, READ permission on STREAM and now Spark job should run successfully
    authorizer.grant(streamId, ALICE, ImmutableSet.of(Action.READ));
    sparkManager.start();
    // Wait until two runs have COMPLETED in total (the first successful run plus this one).
    sparkManager.waitForRuns(ProgramRunStatus.COMPLETED, 2, 1, TimeUnit.MINUTES);
    kvManager = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
    try (KeyValueTable kvTable = kvManager.get()) {
        byte[] value = kvTable.read("World");
        Assert.assertArrayEquals(Bytes.toBytes("World"), value);
    }
    // Deleting the application must also clean up every privilege on it.
    appManager.delete();
    assertNoAccess(AUTH_NAMESPACE.app(StreamAuthApp.APP));
}
Also used: StreamId (co.cask.cdap.proto.id.StreamId), ApplicationManager (co.cask.cdap.test.ApplicationManager), Action (co.cask.cdap.proto.security.Action), SparkManager (co.cask.cdap.test.SparkManager), StreamManager (co.cask.cdap.test.StreamManager), KeyValueTable (co.cask.cdap.api.dataset.lib.KeyValueTable), InMemoryAuthorizer (co.cask.cdap.security.authorization.InMemoryAuthorizer), Authorizer (co.cask.cdap.security.spi.authorization.Authorizer), Category (org.junit.experimental.categories.Category), Test (org.junit.Test)