use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class JcrSecurityRoleProviderTest method testCreateRole.
/**
 * Checks that a role built by {@code createRole} reports the system name, title and description it was given,
 * and that its available actions contain the actions it was granted.
 */
@Test
public void testCreateRole() {
    // The whole scenario runs inside metadata.commit(...), which is passed MetadataAccess.SERVICE.
    String name = metadata.commit(() -> {
        SecurityRole created = createRole("feedEditor",
                                          "Editor",
                                          "Can edit feeds",
                                          FeedAccessControl.EDIT_DETAILS,
                                          FeedAccessControl.ENABLE_DISABLE,
                                          FeedAccessControl.EXPORT);

        assertThat(created)
            .isNotNull()
            .extracting("systemName", "title", "description")
            .contains("feedEditor", "Editor", "Can edit feeds");

        // ACCESS_DETAILS is expected here although it was not passed to createRole above.
        // NOTE(review): presumably it is implied by the granted actions; confirm against the action
        // hierarchy, since implied grants widen what a role allows beyond its explicit list.
        assertThat(created.getAllowedActions().getAvailableActions().stream().flatMap(group -> group.stream()))
            .extracting("systemName")
            .contains(FeedAccessControl.ACCESS_DETAILS.getSystemName(),
                      FeedAccessControl.EDIT_DETAILS.getSystemName(),
                      FeedAccessControl.ENABLE_DISABLE.getSystemName(),
                      FeedAccessControl.EXPORT.getSystemName());

        return created.getSystemName();
    }, MetadataAccess.SERVICE);
}
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class JcrProjectProvider method createProject.
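/**
 * Creates a new project with the specified name, or returns the existing one when {@code ensure} is set.
 *
 * <p>For a newly created project, access control is either enabled (using the PROJECT entity roles) or
 * disabled for the active user, depending on {@code accessController.isEntityAccessControlled()}. Both steps
 * need the available actions registered under {@code AllowedActions.PROJECTS}. When none are found the step
 * cannot run; the project is still returned and a warning is logged.
 *
 * @param name   the name of the project
 * @param ensure {@code true} to return the project if it already exists, or {@code false} to throw an exception
 * @return the project
 * @throws RuntimeException            if the project already exists and {@code ensure} is {@code false}
 * @throws MetadataRepositoryException if the repository fails while looking up or creating the project
 */
@Nonnull
private Project createProject(@Nonnull final String name, final boolean ensure) {
    final Session session = getSession();
    final String projPath = ProjectPaths.projectPath(name).toString();
    logger.debug("workspace= {}", session.getWorkspace().getName());
    try {
        Node projNode = session.getRootNode().getNode(ProjectPaths.PROJECTS.toString());
        if (session.getRootNode().hasNode(projPath)) {
            if (ensure) {
                return JcrUtil.getJcrObject(projNode, name, JcrProject.class);
            } else {
                // TODO specialize me..
                throw new RuntimeException(projPath);
            }
        } else {
            // project does not yet exist
            JcrProject newProject = JcrUtil.getOrCreateNode(projNode, name, JcrProject.NODE_TYPE, JcrProject.class);
            // grant (or deny) current user access to the project he is creating
            if (this.accessController.isEntityAccessControlled()) {
                List<SecurityRole> roles = this.roleProvider.getEntityRoles(SecurityRole.PROJECT);
                // Fully qualified because the file's import list is not visible from this method.
                java.util.Optional<AllowedActions> actions = this.actionsProvider.getAvailableActions(AllowedActions.PROJECTS);
                if (actions.isPresent()) {
                    newProject.enableAccessControl((JcrAllowedActions) actions.get(), JcrMetadataAccess.getActiveUser(), roles);
                } else {
                    // Without an action set no permissions are configured; make the gap visible instead of silent.
                    logger.warn("No available actions found for projects; access control was not enabled on new project: {}", name);
                }
            } else {
                java.util.Optional<AllowedActions> actions = this.actionsProvider.getAvailableActions(AllowedActions.PROJECTS);
                if (actions.isPresent()) {
                    newProject.disableAccessControl((JcrAllowedActions) actions.get(), JcrMetadataAccess.getActiveUser());
                } else {
                    logger.warn("No available actions found for projects; access control setup was skipped on new project: {}", name);
                }
            }
            return newProject;
        }
    } catch (RepositoryException e) {
        throw new MetadataRepositoryException("Failed attempting to create a new Project with name: " + name, e);
    }
}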
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class CheckEntityAccessControlAction method ensureTemplateAccessControl.
/**
 * Enables access control on every template returned by {@code feedManagerTemplateProvider.findAll()},
 * using the TEMPLATE entity roles and the available TEMPLATE actions.
 *
 * <p>Does nothing when the provider returns {@code null}. No template is changed when no TEMPLATE
 * actions are available.
 */
private void ensureTemplateAccessControl() {
    final List<FeedManagerTemplate> allTemplates = feedManagerTemplateProvider.findAll();
    if (allTemplates == null) {
        return;
    }

    final List<SecurityRole> templateRoles = this.roleProvider.getEntityRoles(SecurityRole.TEMPLATE);
    final Optional<AllowedActions> available = this.actionsProvider.getAvailableActions(AllowedActions.TEMPLATE);

    for (FeedManagerTemplate template : allTemplates) {
        // A template without an owner is assigned to whichever user is active while this action runs.
        final Principal owner = template.getOwner() != null ? template.getOwner() : JcrMetadataAccess.getActiveUser();
        if (available.isPresent()) {
            ((JcrFeedTemplate) template).enableAccessControl((JcrAllowedActions) available.get(), owner, templateRoles);
        }
    }
}
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class CheckEntityAccessControlAction method createDefaultRoles.
/**
 * Creates the default "editor", "admin" and "readOnly" roles for feeds, templates, categories, datasources
 * and projects, plus a "feedCreator" role for categories.
 *
 * <p>Each admin role is created from the matching editor role plus that entity's {@code CHANGE_PERMS} action.
 */
private void createDefaultRoles() {
    // Every admin role shares this description.
    final String adminDescription = "All capabilities defined in the 'Editor' role along with the ability to change the permissions";

    // ---- Feed roles ----
    final SecurityRole feedEditorRole = createDefaultRole(
        SecurityRole.FEED, "editor", "Editor",
        "Allows a user to edit, enable/disable, start, delete and export feed. Allows access to job operations for feed. " + "If role inherited via a category, allows these operations for feeds under that category.",
        FeedAccessControl.EDIT_DETAILS,
        FeedAccessControl.DELETE,
        FeedAccessControl.ACCESS_OPS,
        FeedAccessControl.ENABLE_DISABLE,
        FeedAccessControl.START,
        FeedAccessControl.EXPORT);
    // admin can do everything the editor does + change perms
    createDefaultRole(SecurityRole.FEED, "admin", "Admin", adminDescription, feedEditorRole, FeedAccessControl.CHANGE_PERMS);
    createDefaultRole(
        SecurityRole.FEED, "readOnly", "Read-Only",
        "Allows a user to view the feed and access job operations",
        FeedAccessControl.ACCESS_DETAILS,
        FeedAccessControl.ACCESS_OPS);

    // ---- Template roles ----
    // NOTE(review): the description names only edit and export, while the grant list below also contains
    // DELETE and CREATE_FEED; confirm the description shown for this role matches what it grants.
    final SecurityRole templateEditorRole = createDefaultRole(
        SecurityRole.TEMPLATE, "editor", "Editor",
        "Allows a user to edit,export a template",
        TemplateAccessControl.ACCESS_TEMPLATE,
        TemplateAccessControl.EDIT_TEMPLATE,
        TemplateAccessControl.DELETE,
        TemplateAccessControl.CREATE_FEED,
        TemplateAccessControl.EXPORT);
    createDefaultRole(SecurityRole.TEMPLATE, "admin", "Admin", adminDescription, templateEditorRole, TemplateAccessControl.CHANGE_PERMS);
    createDefaultRole(
        SecurityRole.TEMPLATE, "readOnly", "Read-Only",
        "Allows a user to view the template",
        TemplateAccessControl.ACCESS_TEMPLATE);

    // ---- Category roles ----
    // NOTE(review): the description mentions export, but no export action is passed here; confirm.
    final SecurityRole categoryEditorRole = createDefaultRole(
        SecurityRole.CATEGORY, "editor", "Editor",
        "Allows a user to edit, export and delete category. Allows creating feeds under the category",
        CategoryAccessControl.ACCESS_CATEGORY,
        CategoryAccessControl.EDIT_DETAILS,
        CategoryAccessControl.EDIT_SUMMARY,
        CategoryAccessControl.CREATE_FEED,
        CategoryAccessControl.DELETE);
    createDefaultRole(SecurityRole.CATEGORY, "admin", "Admin", adminDescription, categoryEditorRole, CategoryAccessControl.CHANGE_PERMS);
    createDefaultRole(
        SecurityRole.CATEGORY, "readOnly", "Read-Only",
        "Allows a user to view the category",
        CategoryAccessControl.ACCESS_CATEGORY);
    // NOTE(review): this role is granted ACCESS_DETAILS, whereas the other category roles use
    // ACCESS_CATEGORY; confirm the difference is intended.
    createDefaultRole(
        SecurityRole.CATEGORY, "feedCreator", "Feed Creator",
        "Allows a user to create a new feed using this category",
        CategoryAccessControl.ACCESS_DETAILS,
        CategoryAccessControl.CREATE_FEED);

    // ---- Datasource roles ----
    final SecurityRole datasourceEditorRole = createDefaultRole(
        SecurityRole.DATASOURCE, "editor", "Editor",
        "Allows a user to edit,delete datasources",
        DatasourceAccessControl.ACCESS_DATASOURCE,
        DatasourceAccessControl.EDIT_DETAILS,
        DatasourceAccessControl.EDIT_SUMMARY,
        DatasourceAccessControl.DELETE);
    createDefaultRole(SecurityRole.DATASOURCE, "admin", "Admin", adminDescription, datasourceEditorRole, DatasourceAccessControl.CHANGE_PERMS);
    createDefaultRole(
        SecurityRole.DATASOURCE, "readOnly", "Read-Only",
        "Allows a user to view the datasource",
        DatasourceAccessControl.ACCESS_DATASOURCE);

    // ---- Project roles (system names come from ProjectAccessControl constants) ----
    final SecurityRole projectEditorRole = createDefaultRole(
        SecurityRole.PROJECT, ProjectAccessControl.ROLE_EDITOR, "Editor",
        "Allows a user to edit, delete projects",
        ProjectAccessControl.ACCESS_PROJECT,
        ProjectAccessControl.EDIT_PROJECT,
        ProjectAccessControl.DELETE_PROJECT);
    createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_ADMIN, "Admin", adminDescription, projectEditorRole, ProjectAccessControl.CHANGE_PERMS);
    createDefaultRole(
        SecurityRole.PROJECT, ProjectAccessControl.ROLE_READER, "Read-Only",
        "Allows a user to view the project",
        ProjectAccessControl.ACCESS_PROJECT);
}
use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.
the class JcrDatasourceProvider method ensureDatasourceDetails.
/**
 * Finds or creates the details node of a user data source and returns it as the requested details type.
 *
 * <p>When the details node did not exist before this call, access control on the parent data source is
 * enabled (with the DATASOURCE entity roles) or disabled, depending on
 * {@code accessController.isEntityAccessControlled()}. That step is a no-op when no DATASOURCE actions are
 * available.
 *
 * @param id   the id of the data source
 * @param type the details type requested by the caller
 * @return the details, or an empty {@code Optional} when {@code id} does not resolve to a {@code JcrUserDatasource}
 * @throws MetadataException if an {@code IllegalArgumentException} is raised while creating the details
 */
@Override
public <D extends DatasourceDetails> Optional<D> ensureDatasourceDetails(@Nonnull final Datasource.ID id, @Nonnull final Class<D> type) {
    try {
        // Ensure the data source exists and is a user data source
        final Optional<JcrUserDatasource> parent = Optional.ofNullable(getDatasource(id))
            .filter(JcrUserDatasource.class::isInstance)
            .map(JcrUserDatasource.class::cast);
        if (!parent.isPresent()) {
            return Optional.empty();
        }
        final JcrUserDatasource datasource = parent.get();

        // Create the details
        final Class<? extends JcrDatasourceDetails> implType = JcrUserDatasource.resolveDetailsClass(type);
        // Record whether the node is missing before findOrCreateEntityNode runs.
        final boolean isNew = !hasEntityNode(datasource.getPath(), JcrUserDatasource.DETAILS);
        final Node node = findOrCreateEntityNode(datasource.getPath(), JcrUserDatasource.DETAILS, implType);
        @SuppressWarnings("unchecked") final D details = (D) JcrUtil.createJcrObject(node, implType);

        // Re-assign permissions to data source, only when the details node was just created
        if (isNew) {
            // Owner is rebuilt from the existing owner's name; the active user is the fallback when there is none.
            final UsernamePrincipal owner = parent
                .map(JcrUserDatasource::getOwner)
                .map(Principal::getName)
                .map(UsernamePrincipal::new)
                .orElse(JcrMetadataAccess.getActiveUser());

            if (accessController.isEntityAccessControlled()) {
                final List<SecurityRole> roles = roleProvider.getEntityRoles(SecurityRole.DATASOURCE);
                actionsProvider.getAvailableActions(AllowedActions.DATASOURCE)
                    .ifPresent(actions -> datasource.enableAccessControl((JcrAllowedActions) actions, owner, roles));
            } else {
                actionsProvider.getAvailableActions(AllowedActions.DATASOURCE)
                    .ifPresent(actions -> datasource.disableAccessControl((JcrAllowedActions) actions, owner));
            }
        }
        return Optional.of(details);
    } catch (final IllegalArgumentException e) {
        throw new MetadataException("Unable to create datasource details: " + type, e);
    }
}