Example 11 with UnauthorizedException
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationTest method testPrograms.
@Test
public void testPrograms() throws Exception {
createAuthNamespace();
grantAndAssertSuccess(AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()), ALICE, EnumSet.of(Action.ADMIN));
ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
final ProgramId serviceId = dummyAppId.service(DummyApp.Greeting.SERVICE_NAME);
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(dummyAppId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("whom"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream("who"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)).put(serviceId, EnumSet.of(Action.EXECUTE, Action.ADMIN)).put(AUTH_NAMESPACE.dataset("customDataset"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
final ApplicationManager dummyAppManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
// alice should be able to start and stop programs in the app she deployed since she has execute privilege
dummyAppManager.startProgram(Id.Service.fromEntityId(serviceId));
ServiceManager greetingService = dummyAppManager.getServiceManager(serviceId.getProgram());
greetingService.waitForRun(ProgramRunStatus.RUNNING, 10, TimeUnit.SECONDS);
// alice should be able to set instances for the program
greetingService.setInstances(2);
Assert.assertEquals(2, greetingService.getProvisionedInstances());
// alice should also be able to save runtime arguments for all future runs of the program
Map<String, String> args = ImmutableMap.of("key", "value");
greetingService.setRuntimeArgs(args);
// Alice should be able to get runtime arguments as she has ADMIN on it
Assert.assertEquals(args, greetingService.getRuntimeArgs());
dummyAppManager.stopProgram(Id.Service.fromEntityId(serviceId));
greetingService.waitForRun(ProgramRunStatus.KILLED, 10, TimeUnit.SECONDS);
// Bob should not be able to start programs in dummy app because he does not have privileges on it
SecurityRequestContext.setUserId(BOB.getName());
try {
dummyAppManager.startProgram(Id.Service.fromEntityId(serviceId));
Assert.fail("Bob should not be able to start the service because he does not have execute privileges on it.");
} catch (RuntimeException expected) {
// noinspection ThrowableResultOfMethodCallIgnored
Assert.assertTrue(Throwables.getRootCause(expected) instanceof UnauthorizedException);
}
try {
dummyAppManager.getInfo();
Assert.fail("Bob should not be able to read the app info with out privileges");
} catch (Exception expected) {
// expected
}
// setting instances should fail because Bob does not have admin privileges on the program
try {
greetingService.setInstances(3);
Assert.fail("Setting instances should have failed because bob does not have admin privileges on the service.");
} catch (RuntimeException expected) {
// noinspection ThrowableResultOfMethodCallIgnored
Assert.assertTrue(Throwables.getRootCause(expected) instanceof UnauthorizedException);
}
try {
greetingService.setRuntimeArgs(args);
Assert.fail("Setting runtime arguments should have failed because bob does not have admin privileges on the " + "service");
} catch (UnauthorizedException expected) {
// expected
}
try {
greetingService.getRuntimeArgs();
Assert.fail("Getting runtime arguments should have failed because bob does not have one of READ, WRITE, ADMIN " + "privileges on the service");
} catch (UnauthorizedException expected) {
// expected
}
SecurityRequestContext.setUserId(ALICE.getName());
dummyAppManager.delete();
}
Also used :
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
ProgramId(co.cask.cdap.proto.id.ProgramId)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
IOException(java.io.IOException)
ExecutionException(java.util.concurrent.ExecutionException)
TimeoutException(java.util.concurrent.TimeoutException)
EntityId(co.cask.cdap.proto.id.EntityId)
KeyValueTable(co.cask.cdap.api.dataset.lib.KeyValueTable)
ServiceManager(co.cask.cdap.test.ServiceManager)
DummyApp(co.cask.cdap.test.app.DummyApp)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
Test(org.junit.Test)
Example 12 with UnauthorizedException
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationTest method testApps.
@Test
@Category(SlowTests.class)
public void testApps() throws Exception {
try {
deployApplication(NamespaceId.DEFAULT, DummyApp.class);
Assert.fail("App deployment should fail because alice does not have ADMIN privilege on the application");
} catch (UnauthorizedException e) {
// Expected
}
createAuthNamespace();
Authorizer authorizer = getAuthorizer();
ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(dummyAppId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("whom"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream("who"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset("customDataset"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
// alice will not be able to deploy the app since she does not have privilege on the implicit dataset module
try {
deployApplication(AUTH_NAMESPACE, DummyApp.class);
Assert.fail();
} catch (UnauthorizedException e) {
// expected
}
// grant alice the required implicit type and module
grantAndAssertSuccess(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN));
cleanUpEntities.add(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()));
grantAndAssertSuccess(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN));
cleanUpEntities.add(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()));
// this time it should be successful
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
// Bob should not have any privileges on Alice's app
Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty());
// update should succeed because alice has admin privileges on the app
appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
// Update should fail for Bob
SecurityRequestContext.setUserId(BOB.getName());
try {
appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
Assert.fail("App update should have failed because Bob does not have admin privileges on the app.");
} catch (UnauthorizedException expected) {
// expected
}
// grant READ and WRITE to Bob
grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.READ, Action.WRITE));
// delete should fail
try {
appManager.delete();
} catch (UnauthorizedException expected) {
// expected
}
// grant ADMIN to Bob. Now delete should succeed
grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.ADMIN));
// deletion should succeed since BOB has privileges on the app
appManager.delete();
// Should still have the privilege for the app since we no longer revoke privileges after deletion of an entity
Assert.assertTrue(!getAuthorizer().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty());
// bob should still have privileges granted to him
Assert.assertEquals(3, authorizer.listPrivileges(BOB).size());
// switch back to Alice
SecurityRequestContext.setUserId(ALICE.getName());
// Deploy a couple of apps in the namespace
// Deploy dummy app should be successful since we already pre-grant the required privileges
deployApplication(AUTH_NAMESPACE, DummyApp.class);
final ApplicationId appId = AUTH_NAMESPACE.app(AllProgramsApp.NAME);
Map<EntityId, Set<Action>> anotherAppNeededPrivilege = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.stream(AllProgramsApp.STREAM_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(ObjectMappedTable.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, anotherAppNeededPrivilege);
Map<EntityId, Set<Action>> bobDatasetPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(Action.ADMIN)).build();
Map<EntityId, Set<Action>> bobProgramPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId.program(ProgramType.FLOW, AllProgramsApp.NoOpFlow.NAME), EnumSet.of(Action.EXECUTE)).put(appId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME), EnumSet.of(Action.EXECUTE)).put(appId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME), EnumSet.of(Action.EXECUTE)).build();
setUpPrivilegeAndRegisterForDeletion(BOB, bobDatasetPrivileges);
setUpPrivilegeAndRegisterForDeletion(BOB, bobProgramPrivileges);
deployApplication(AUTH_NAMESPACE, AllProgramsApp.class);
// Switch to BOB since he does not have any privilege
SecurityRequestContext.setUserId(BOB.getName());
// deleting all apps should fail because bob does not have admin privileges on the apps and the namespace
try {
deleteAllApplications(AUTH_NAMESPACE);
Assert.fail("Deleting all applications in the namespace should have failed because bob does not have ADMIN " + "privilege on the workflow app.");
} catch (UnauthorizedException expected) {
// expected
}
ApplicationDetail applicationDetail = getAppDetail(appId);
Assert.assertEquals(bobDatasetPrivileges.keySet(), Sets.<EntityId>newHashSet(Iterables.transform(applicationDetail.getDatasets(), new Function<DatasetDetail, DatasetId>() {
@Override
public DatasetId apply(DatasetDetail input) {
return appId.getNamespaceId().dataset(input.getName());
}
})));
Assert.assertEquals(bobProgramPrivileges.keySet(), Sets.<EntityId>newHashSet(Iterables.transform(applicationDetail.getPrograms(), new Function<ProgramRecord, ProgramId>() {
@Override
public ProgramId apply(ProgramRecord input) {
return appId.program(input.getType(), input.getName());
}
})));
Assert.assertEquals(Collections.emptyList(), applicationDetail.getStreams());
// Switch to ALICE, deletion should be successful since ALICE has ADMIN privileges
SecurityRequestContext.setUserId(ALICE.getName());
deleteAllApplications(AUTH_NAMESPACE);
}
Also used :
DatasetDetail(co.cask.cdap.proto.DatasetDetail)
PrivilegedAction(java.security.PrivilegedAction)
Action(co.cask.cdap.proto.security.Action)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
AllProgramsApp(co.cask.cdap.AllProgramsApp)
ProgramId(co.cask.cdap.proto.id.ProgramId)
AppRequest(co.cask.cdap.proto.artifact.AppRequest)
DatasetId(co.cask.cdap.proto.id.DatasetId)
EntityId(co.cask.cdap.proto.id.EntityId)
ArtifactSummary(co.cask.cdap.api.artifact.ArtifactSummary)
ApplicationDetail(co.cask.cdap.proto.ApplicationDetail)
ProgramRecord(co.cask.cdap.proto.ProgramRecord)
KeyValueTable(co.cask.cdap.api.dataset.lib.KeyValueTable)
InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer)
Authorizer(co.cask.cdap.security.spi.authorization.Authorizer)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
DummyApp(co.cask.cdap.test.app.DummyApp)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
ObjectMappedTable(co.cask.cdap.api.dataset.lib.ObjectMappedTable)
Category(org.junit.experimental.categories.Category)
Test(org.junit.Test)
Example 13 with UnauthorizedException
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationTest method testScheduleAuth.
@Test
public void testScheduleAuth() throws Exception {
createAuthNamespace();
ApplicationId appId = AUTH_NAMESPACE.app(AppWithSchedule.class.getSimpleName());
Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(appId, EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.artifact(AppWithSchedule.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AppWithSchedule.INPUT_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.dataset(AppWithSchedule.OUTPUT_NAME), EnumSet.of(Action.ADMIN)).put(AUTH_NAMESPACE.datasetType(ObjectStore.class.getName()), EnumSet.of(Action.ADMIN)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, AppWithSchedule.class);
String workflowName = AppWithSchedule.SampleWorkflow.class.getSimpleName();
ProgramId workflowID = new ProgramId(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), ProgramType.WORKFLOW, workflowName);
cleanUpEntities.add(workflowID);
final WorkflowManager workflowManager = appManager.getWorkflowManager(workflowName);
ScheduleManager scheduleManager = workflowManager.getSchedule(AppWithSchedule.EVERY_HOUR_SCHEDULE);
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// try to resume schedule as BOB. It should fail since BOB does not have execute privileges on the programs
try {
scheduleManager.resume();
Assert.fail("Resuming schedule should have failed since BOB does not have EXECUTE on the program");
} catch (UnauthorizedException e) {
// Expected
}
// bob should also not be able see the status of the schedule
try {
scheduleManager.status(HttpURLConnection.HTTP_FORBIDDEN);
Assert.fail("Getting schedule status should have failed since BOB does not have any privilege on the program");
} catch (UnauthorizedException e) {
// Expected
}
// give BOB READ permission in the workflow
grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.READ));
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// try to resume schedule as BOB. It should fail since BOB has READ but not EXECUTE on the workflow
try {
scheduleManager.resume();
Assert.fail("Resuming schedule should have failed since BOB does not have EXECUTE on the program");
} catch (UnauthorizedException e) {
// Expected
}
// but BOB should be able to get schedule status now
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
// give BOB EXECUTE permission in the workflow
grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.EXECUTE));
// switch to BOB
SecurityRequestContext.setUserId(BOB.getName());
// try to resume the schedule. This should pass and workflow should run
scheduleManager.resume();
Assert.assertEquals(ProgramScheduleStatus.SCHEDULED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
// suspend the schedule so that it does not start running again
scheduleManager.suspend();
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), scheduleManager.status(HttpURLConnection.HTTP_OK));
ScheduleId scheduleId = new ScheduleId(appId.getNamespace(), appId.getApplication(), appId.getVersion(), "testSchedule");
ScheduleDetail scheduleDetail = new ScheduleDetail(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), "1.0-SNAPSHOT", "testSchedule", "Something 2", new ScheduleProgramInfo(SchedulableProgramType.WORKFLOW, workflowName), Collections.<String, String>emptyMap(), new TimeTrigger("*/1 * * * *"), Collections.<Constraint>emptyList(), TimeUnit.HOURS.toMillis(6), null);
try {
addSchedule(scheduleId, scheduleDetail);
Assert.fail("Adding schedule should fail since BOB does not have AMDIN on the app");
} catch (UnauthorizedException e) {
// expected
}
// grant BOB ADMIN on the app
grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN));
// add schedule should succeed
addSchedule(scheduleId, scheduleDetail);
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK));
// update schedule should succeed
updateSchedule(scheduleId, scheduleDetail);
Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK));
// revoke ADMIN from BOB
getAuthorizer().revoke(Authorizable.fromEntityId(appId), BOB, EnumSet.of(Action.ADMIN));
try {
// delete schedule should fail since we revoke the ADMIN privilege from BOB
deleteSchedule(scheduleId);
Assert.fail("Deleting schedule should fail since BOB does not have AMDIN on the app");
} catch (UnauthorizedException e) {
// expected
}
try {
updateSchedule(scheduleId, scheduleDetail);
Assert.fail("Updating schedule should fail since BOB does not have AMDIN on the app");
} catch (UnauthorizedException e) {
// expected
}
// grant BOB ADMIN on the app again
grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN));
deleteSchedule(scheduleId);
workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_NOT_FOUND);
// switch to Alice
SecurityRequestContext.setUserId(ALICE.getName());
}
Also used :
ScheduleManager(co.cask.cdap.test.ScheduleManager)
ObjectStore(co.cask.cdap.api.dataset.lib.ObjectStore)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
TimeTrigger(co.cask.cdap.internal.app.runtime.schedule.trigger.TimeTrigger)
WorkflowManager(co.cask.cdap.test.WorkflowManager)
AppWithSchedule(co.cask.cdap.test.app.AppWithSchedule)
ProgramId(co.cask.cdap.proto.id.ProgramId)
ScheduleId(co.cask.cdap.proto.id.ScheduleId)
EntityId(co.cask.cdap.proto.id.EntityId)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
ScheduleDetail(co.cask.cdap.proto.ScheduleDetail)
ApplicationId(co.cask.cdap.proto.id.ApplicationId)
ScheduleProgramInfo(co.cask.cdap.api.workflow.ScheduleProgramInfo)
Test(org.junit.Test)
Example 14 with UnauthorizedException
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationTest method testFlowStreamAuth.
@Test
@Category(SlowTests.class)
public void testFlowStreamAuth() throws Exception {
createAuthNamespace();
Authorizer authorizer = getAuthorizer();
// set up privilege to deploy the app
setUpPrivilegeToDeployStreamAuthApp();
StreamId streamId1 = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
StreamId streamId2 = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM2);
Map<EntityId, Set<Action>> additionalPrivileges = ImmutableMap.<EntityId, Set<Action>>builder().put(streamId1, EnumSet.of(Action.READ, Action.WRITE)).put(streamId2, EnumSet.of(Action.READ, Action.WRITE)).put(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE), EnumSet.of(Action.READ, Action.WRITE)).put(AUTH_NAMESPACE.app(StreamAuthApp.APP).flow(StreamAuthApp.FLOW), EnumSet.of(Action.EXECUTE)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, additionalPrivileges);
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, StreamAuthApp.class);
final FlowManager flowManager = appManager.getFlowManager(StreamAuthApp.FLOW);
StreamManager streamManager = getStreamManager(streamId1);
StreamManager streamManager2 = getStreamManager(streamId2);
streamManager.send("Auth");
flowManager.start();
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
return kvTable.get().read("Auth") != null;
}
}, 5, TimeUnit.SECONDS);
flowManager.stop();
flowManager.waitForRun(ProgramRunStatus.KILLED, 60, TimeUnit.SECONDS);
// Now revoke the privileges for ALICE on the stream and grant her ADMIN and WRITE
authorizer.revoke(Authorizable.fromEntityId(streamId1), ALICE, EnumSet.allOf(Action.class));
authorizer.grant(Authorizable.fromEntityId(streamId1), ALICE, EnumSet.of(Action.WRITE, Action.ADMIN));
streamManager.send("Security");
streamManager2.send("Safety");
try {
flowManager.start();
} catch (UnauthorizedException e) {
// Expected
}
flowManager.waitForStatus(false);
authorizer.grant(Authorizable.fromEntityId(streamId1), ALICE, ImmutableSet.of(Action.READ));
flowManager.start();
Tasks.waitFor(true, new Callable<Boolean>() {
@Override
public Boolean call() throws Exception {
DataSetManager<KeyValueTable> kvTable = getDataset(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE));
return kvTable.get().read("Security") != null;
}
}, 5, TimeUnit.SECONDS);
TimeUnit.MILLISECONDS.sleep(10);
flowManager.stop();
flowManager.waitForRuns(ProgramRunStatus.KILLED, 2, 5, TimeUnit.SECONDS);
appManager.delete();
}
Also used :
FlowManager(co.cask.cdap.test.FlowManager)
StreamId(co.cask.cdap.proto.id.StreamId)
PrivilegedAction(java.security.PrivilegedAction)
Action(co.cask.cdap.proto.security.Action)
ApplicationManager(co.cask.cdap.test.ApplicationManager)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
PartitionedFileSet(co.cask.cdap.api.dataset.lib.PartitionedFileSet)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
IOException(java.io.IOException)
ExecutionException(java.util.concurrent.ExecutionException)
TimeoutException(java.util.concurrent.TimeoutException)
EntityId(co.cask.cdap.proto.id.EntityId)
StreamManager(co.cask.cdap.test.StreamManager)
InMemoryAuthorizer(co.cask.cdap.security.authorization.InMemoryAuthorizer)
Authorizer(co.cask.cdap.security.spi.authorization.Authorizer)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
DataSetManager(co.cask.cdap.test.DataSetManager)
Category(org.junit.experimental.categories.Category)
Test(org.junit.Test)
Example 15 with UnauthorizedException
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AuthorizationTest method testArtifacts.
@Test
public void testArtifacts() throws Exception {
String appArtifactName = "app-artifact";
String appArtifactVersion = "1.1.1";
try {
ArtifactId defaultNsArtifact = NamespaceId.DEFAULT.artifact(appArtifactName, appArtifactVersion);
addAppArtifact(defaultNsArtifact, ConfigTestApp.class);
Assert.fail("Should not be able to add an app artifact to the default namespace because alice does not have " + "admin privileges on the artifact.");
} catch (UnauthorizedException expected) {
// expected
}
String pluginArtifactName = "plugin-artifact";
String pluginArtifactVersion = "1.2.3";
try {
ArtifactId defaultNsArtifact = NamespaceId.DEFAULT.artifact(pluginArtifactName, pluginArtifactVersion);
addAppArtifact(defaultNsArtifact, ToStringPlugin.class);
Assert.fail("Should not be able to add a plugin artifact to the default namespace because alice does not have " + "admin privileges on the artifact.");
} catch (UnauthorizedException expected) {
// expected
}
// create a new namespace
createAuthNamespace();
ArtifactId appArtifactId = AUTH_NAMESPACE.artifact(appArtifactName, appArtifactVersion);
grantAndAssertSuccess(appArtifactId, ALICE, EnumSet.of(Action.ADMIN));
cleanUpEntities.add(appArtifactId);
ArtifactManager appArtifactManager = addAppArtifact(appArtifactId, ConfigTestApp.class);
ArtifactId pluginArtifactId = AUTH_NAMESPACE.artifact(pluginArtifactName, pluginArtifactVersion);
grantAndAssertSuccess(pluginArtifactId, ALICE, EnumSet.of(Action.ADMIN));
cleanUpEntities.add(pluginArtifactId);
ArtifactManager pluginArtifactManager = addPluginArtifact(pluginArtifactId, appArtifactId, ToStringPlugin.class);
// Bob should not be able to delete or write properties to artifacts since he does not have ADMIN permission on
// the artifacts
SecurityRequestContext.setUserId(BOB.getName());
try {
appArtifactManager.writeProperties(ImmutableMap.of("authorized", "no"));
Assert.fail("Writing properties to artifact should have failed because Bob does not have admin privileges on " + "the artifact");
} catch (UnauthorizedException expected) {
// expected
}
try {
appArtifactManager.delete();
Assert.fail("Deleting artifact should have failed because Bob does not have admin privileges on the artifact");
} catch (UnauthorizedException expected) {
// expected
}
try {
pluginArtifactManager.writeProperties(ImmutableMap.of("authorized", "no"));
Assert.fail("Writing properties to artifact should have failed because Bob does not have admin privileges on " + "the artifact");
} catch (UnauthorizedException expected) {
// expected
}
try {
pluginArtifactManager.removeProperties();
Assert.fail("Removing properties to artifact should have failed because Bob does not have admin privileges on " + "the artifact");
} catch (UnauthorizedException expected) {
// expected
}
try {
pluginArtifactManager.delete();
Assert.fail("Deleting artifact should have failed because Bob does not have admin privileges on the artifact");
} catch (UnauthorizedException expected) {
// expected
}
// alice should be permitted to update properties/delete artifact
SecurityRequestContext.setUserId(ALICE.getName());
appArtifactManager.writeProperties(ImmutableMap.of("authorized", "yes"));
appArtifactManager.removeProperties();
appArtifactManager.delete();
pluginArtifactManager.delete();
}
Also used :
ArtifactManager(co.cask.cdap.test.ArtifactManager)
ArtifactId(co.cask.cdap.proto.id.ArtifactId)
UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)
Test(org.junit.Test)
Aggregations
UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)49
Test (org.junit.Test)18
IOException (java.io.IOException)15
EntityId (co.cask.cdap.proto.id.EntityId)13
Principal (co.cask.cdap.proto.security.Principal)13
Action (co.cask.cdap.proto.security.Action)12
BadRequestException (co.cask.cdap.common.BadRequestException)11
ApplicationId (co.cask.cdap.proto.id.ApplicationId)10
NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)9
JsonSyntaxException (com.google.gson.JsonSyntaxException)9
ExecutionException (java.util.concurrent.ExecutionException)9
NotFoundException (co.cask.cdap.common.NotFoundException)8
NamespaceId (co.cask.cdap.proto.id.NamespaceId)7
DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)6
ConflictException (co.cask.cdap.common.ConflictException)6
StreamId (co.cask.cdap.proto.id.StreamId)6
ArtifactAlreadyExistsException (co.cask.cdap.common.ArtifactAlreadyExistsException)5
ArtifactNotFoundException (co.cask.cdap.common.ArtifactNotFoundException)5
WriteConflictException (co.cask.cdap.internal.app.runtime.artifact.WriteConflictException)5
NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)5
