use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class ArtifactRepository method ensureAccess.
/**
* Ensures that the logged-in user has a {@link Action privilege} on the specified dataset instance.
*
* @param artifactId the {@link co.cask.cdap.proto.id.ArtifactId} to check for privileges
* @throws UnauthorizedException if the logged in user has no {@link Action privileges} on the specified dataset
*/
private void ensureAccess(co.cask.cdap.proto.id.ArtifactId artifactId) throws Exception {
// No authorization for system artifacts
if (NamespaceId.SYSTEM.equals(artifactId.getParent())) {
return;
}
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(artifactId)) {
throw new UnauthorizedException(principal, artifactId);
}
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationHandlerTest method testAuthorizationForPrivileges.
@Test
public void testAuthorizationForPrivileges() throws Exception {
Principal bob = new Principal("bob", Principal.PrincipalType.USER);
Principal alice = new Principal("alice", Principal.PrincipalType.USER);
// olduser has been set as admin in the beginning of this test. admin has been configured as a superuser.
String oldUser = getCurrentUser();
setCurrentUser(alice.getName());
try {
try {
client.grant(ns1, bob, EnumSet.allOf(Action.class));
Assert.fail(String.format("alice should not be able to grant privileges to bob on namespace %s because she " + "does not have admin privileges on the namespace.", ns1));
} catch (UnauthorizedException expected) {
// expected
}
setCurrentUser(oldUser);
// admin should be able to grant since he is a super user
client.grant(ns1, alice, ImmutableSet.of(Action.ADMIN));
// now alice should be able to grant privileges on ns since she has ADMIN privileges
setCurrentUser(alice.getName());
client.grant(ns1, bob, EnumSet.allOf(Action.class));
// revoke alice's permissions as admin
setCurrentUser(oldUser);
client.revoke(ns1);
// revoking bob's privileges as alice should fail
setCurrentUser(alice.getName());
try {
client.revoke(ns1, bob, EnumSet.allOf(Action.class));
Assert.fail(String.format("alice should not be able to revoke bob's privileges on namespace %s because she " + "does not have admin privileges on the namespace.", ns1));
} catch (UnauthorizedException expected) {
// expected
}
// grant alice privileges as admin again
setCurrentUser(oldUser);
client.grant(ns1, alice, EnumSet.allOf(Action.class));
// Now alice should be able to revoke bob's privileges
setCurrentUser(alice.getName());
client.revoke(ns1, bob, EnumSet.allOf(Action.class));
} finally {
setCurrentUser(oldUser);
}
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationBootstrapperTest method test.
@Test
public void test() throws Exception {
final Principal systemUser = new Principal(UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER);
// initial state: no privileges for system or admin users
Predicate<EntityId> systemUserFilter = authorizationEnforcer.createFilter(systemUser);
Predicate<EntityId> adminUserFilter = authorizationEnforcer.createFilter(ADMIN_USER);
Assert.assertFalse(systemUserFilter.apply(instanceId));
Assert.assertFalse(systemUserFilter.apply(NamespaceId.SYSTEM));
Assert.assertFalse(adminUserFilter.apply(NamespaceId.DEFAULT));
// privileges should be granted after running bootstrap
authorizationBootstrapper.run();
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
Predicate<EntityId> systemUserFilter = authorizationEnforcer.createFilter(systemUser);
Predicate<EntityId> adminUserFilter = authorizationEnforcer.createFilter(ADMIN_USER);
return systemUserFilter.apply(instanceId) && systemUserFilter.apply(NamespaceId.SYSTEM) && adminUserFilter.apply(NamespaceId.DEFAULT);
}
}, 10, TimeUnit.SECONDS);
txManager.startAndWait();
datasetService.startAndWait();
waitForService(Constants.Service.DATASET_MANAGER);
defaultNamespaceEnsurer.startAndWait();
systemArtifactLoader.startAndWait();
waitForService(defaultNamespaceEnsurer);
waitForService(systemArtifactLoader);
// ensure that the default namespace was created, and that the system user has privileges to access it
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
try {
return namespaceQueryAdmin.exists(NamespaceId.DEFAULT);
} catch (Exception e) {
return false;
}
}
}, 10, TimeUnit.SECONDS);
Assert.assertTrue(defaultNamespaceEnsurer.isRunning());
// ensure that the system artifact was deployed, and that the system user has privileges to access it
// this will throw an ArtifactNotFoundException if the artifact was not deployed, and UnauthorizedException if
// the user does not have required privileges
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
try {
artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId());
return true;
} catch (Exception e) {
return false;
}
}
}, 20, TimeUnit.SECONDS);
Assert.assertTrue(systemArtifactLoader.isRunning());
// ensure that system datasets can be created by the system user
Dataset systemDataset = DatasetsUtil.getOrCreateDataset(dsFramework, NamespaceId.SYSTEM.dataset("system-dataset"), Table.class.getName(), DatasetProperties.EMPTY, Collections.<String, String>emptyMap());
Assert.assertNotNull(systemDataset);
// as part of bootstrapping, admin users were also granted admin privileges on the CDAP instance, so they can
// create namespaces
SecurityRequestContext.setUserId(ADMIN_USER.getName());
namespaceAdmin.create(new NamespaceMeta.Builder().setName("success").build());
SecurityRequestContext.setUserId("bob");
try {
namespaceAdmin.create(new NamespaceMeta.Builder().setName("failure").build());
Assert.fail("Bob should not have been able to create a namespace since he is not an admin user");
} catch (UnauthorizedException expected) {
// expected
}
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class FileStreamAdmin method ensureAccess.
private <T extends EntityId> void ensureAccess(T entityId) throws Exception {
Principal principal = authenticationContext.getPrincipal();
Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
if (!filter.apply(entityId)) {
throw new UnauthorizedException(principal, entityId);
}
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationTest method testNamespaces.
@Test
public void testNamespaces() throws Exception {
NamespaceAdmin namespaceAdmin = getNamespaceAdmin();
Authorizer authorizer = getAuthorizer();
try {
namespaceAdmin.create(AUTH_NAMESPACE_META);
Assert.fail("Namespace create should have failed because alice is not authorized on " + AUTH_NAMESPACE);
} catch (UnauthorizedException expected) {
// expected
}
createAuthNamespace();
Assert.assertTrue(namespaceAdmin.list().contains(AUTH_NAMESPACE_META));
namespaceAdmin.get(AUTH_NAMESPACE);
// revoke privileges
revokeAndAssertSuccess(AUTH_NAMESPACE);
try {
Assert.assertTrue(namespaceAdmin.list().isEmpty());
namespaceAdmin.exists(AUTH_NAMESPACE);
Assert.fail("Namespace existence check should fail since the privilege of alice has been revoked");
} catch (UnauthorizedException expected) {
// expected
}
// grant privileges again
grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
namespaceAdmin.exists(AUTH_NAMESPACE);
Assert.assertEquals(ImmutableSet.of(new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE));
NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
namespaceAdmin.updateProperties(AUTH_NAMESPACE, updated);
Assert.assertEquals(updated, namespaceAdmin.get(AUTH_NAMESPACE));
}
Aggregations