
Example 1 with SecurityRole

Use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.

The class JcrSecurityRoleProviderTest, method testCreateRole.

@Test
public void testCreateRole() {
    String name = metadata.commit(() -> {
        SecurityRole role = createRole("feedEditor", "Editor", "Can edit feeds", FeedAccessControl.EDIT_DETAILS, FeedAccessControl.ENABLE_DISABLE, FeedAccessControl.EXPORT);
        assertThat(role).isNotNull().extracting("systemName", "title", "description").contains("feedEditor", "Editor", "Can edit feeds");
        assertThat(role.getAllowedActions().getAvailableActions().stream().flatMap(action -> action.stream())).extracting("systemName").contains(FeedAccessControl.ACCESS_DETAILS.getSystemName(), FeedAccessControl.EDIT_DETAILS.getSystemName(), FeedAccessControl.ENABLE_DISABLE.getSystemName(), FeedAccessControl.EXPORT.getSystemName());
        return role.getSystemName();
    }, MetadataAccess.SERVICE);
}

Example 2 with SecurityRole

Use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.

The class JcrProjectProvider, method createProject.

/**
 * Creates a new Project with the specified name.
 *
 * @param name   the name of the Project
 * @param ensure {@code true} to return the Project if it already exists, or {@code false} to throw an exception
 * @return the Project
 * @throws MetadataRepositoryException if the Project could not be created
 */
@Nonnull
private Project createProject(@Nonnull final String name, final boolean ensure) {
    final Session session = getSession();
    final String projPath = ProjectPaths.projectPath(name).toString();
    logger.debug("workspace= {}", session.getWorkspace().getName());
    try {
        Node projNode = session.getRootNode().getNode(ProjectPaths.PROJECTS.toString());
        if (session.getRootNode().hasNode(projPath)) {
            if (ensure) {
                return JcrUtil.getJcrObject(projNode, name, JcrProject.class);
            } else {
                // TODO specialize me..
                throw new RuntimeException(projPath);
            }
        } else {
            // project does not yet exist
            JcrProject newProject = JcrUtil.getOrCreateNode(projNode, name, JcrProject.NODE_TYPE, JcrProject.class);
            // grant (or deny) current user access to the project he is creating
            if (this.accessController.isEntityAccessControlled()) {
                List<SecurityRole> roles = this.roleProvider.getEntityRoles(SecurityRole.PROJECT);
                this.actionsProvider.getAvailableActions(AllowedActions.PROJECTS).ifPresent(actions -> newProject.enableAccessControl((JcrAllowedActions) actions, JcrMetadataAccess.getActiveUser(), roles));
            } else {
                this.actionsProvider.getAvailableActions(AllowedActions.PROJECTS).ifPresent(actions -> newProject.disableAccessControl((JcrAllowedActions) actions, JcrMetadataAccess.getActiveUser()));
            }
            return newProject;
        }
    } catch (RepositoryException e) {
        throw new MetadataRepositoryException("Failed attempting to create a new Project with name: " + name, e);
    }
}

Example 3 with SecurityRole

Use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.

The class CheckEntityAccessControlAction, method ensureTemplateAccessControl.

private void ensureTemplateAccessControl() {
    List<FeedManagerTemplate> templates = feedManagerTemplateProvider.findAll();
    if (templates != null) {
        List<SecurityRole> roles = this.roleProvider.getEntityRoles(SecurityRole.TEMPLATE);
        Optional<AllowedActions> allowedActions = this.actionsProvider.getAvailableActions(AllowedActions.TEMPLATE);
        templates.stream().forEach(template -> {
            Principal owner = template.getOwner() != null ? template.getOwner() : JcrMetadataAccess.getActiveUser();
            allowedActions.ifPresent(actions -> ((JcrFeedTemplate) template).enableAccessControl((JcrAllowedActions) actions, owner, roles));
        });
    }
}

Example 4 with SecurityRole

Use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.

The class CheckEntityAccessControlAction, method createDefaultRoles.

private void createDefaultRoles() {
    // Create default roles
    SecurityRole feedEditor = createDefaultRole(SecurityRole.FEED, "editor", "Editor", "Allows a user to edit, enable/disable, start, delete and export feed. Allows access to job operations for feed. " + "If role inherited via a category, allows these operations for feeds under that category.", FeedAccessControl.EDIT_DETAILS, FeedAccessControl.DELETE, FeedAccessControl.ACCESS_OPS, FeedAccessControl.ENABLE_DISABLE, FeedAccessControl.START, FeedAccessControl.EXPORT);
    // admin can do everything the editor does + change perms
    createDefaultRole(SecurityRole.FEED, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", feedEditor, FeedAccessControl.CHANGE_PERMS);
    createDefaultRole(SecurityRole.FEED, "readOnly", "Read-Only", "Allows a user to view the feed and access job operations", FeedAccessControl.ACCESS_DETAILS, FeedAccessControl.ACCESS_OPS);
    SecurityRole templateEditor = createDefaultRole(SecurityRole.TEMPLATE, "editor", "Editor", "Allows a user to edit,export a template", TemplateAccessControl.ACCESS_TEMPLATE, TemplateAccessControl.EDIT_TEMPLATE, TemplateAccessControl.DELETE, TemplateAccessControl.CREATE_FEED, TemplateAccessControl.EXPORT);
    createDefaultRole(SecurityRole.TEMPLATE, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", templateEditor, TemplateAccessControl.CHANGE_PERMS);
    createDefaultRole(SecurityRole.TEMPLATE, "readOnly", "Read-Only", "Allows a user to view the template", TemplateAccessControl.ACCESS_TEMPLATE);
    SecurityRole categoryEditor = createDefaultRole(SecurityRole.CATEGORY, "editor", "Editor", "Allows a user to edit, export and delete category. Allows creating feeds under the category", CategoryAccessControl.ACCESS_CATEGORY, CategoryAccessControl.EDIT_DETAILS, CategoryAccessControl.EDIT_SUMMARY, CategoryAccessControl.CREATE_FEED, CategoryAccessControl.DELETE);
    createDefaultRole(SecurityRole.CATEGORY, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", categoryEditor, CategoryAccessControl.CHANGE_PERMS);
    createDefaultRole(SecurityRole.CATEGORY, "readOnly", "Read-Only", "Allows a user to view the category", CategoryAccessControl.ACCESS_CATEGORY);
    createDefaultRole(SecurityRole.CATEGORY, "feedCreator", "Feed Creator", "Allows a user to create a new feed using this category", CategoryAccessControl.ACCESS_DETAILS, CategoryAccessControl.CREATE_FEED);
    final SecurityRole datasourceEditor = createDefaultRole(SecurityRole.DATASOURCE, "editor", "Editor", "Allows a user to edit,delete datasources", DatasourceAccessControl.ACCESS_DATASOURCE, DatasourceAccessControl.EDIT_DETAILS, DatasourceAccessControl.EDIT_SUMMARY, DatasourceAccessControl.DELETE);
    createDefaultRole(SecurityRole.DATASOURCE, "admin", "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", datasourceEditor, DatasourceAccessControl.CHANGE_PERMS);
    createDefaultRole(SecurityRole.DATASOURCE, "readOnly", "Read-Only", "Allows a user to view the datasource", DatasourceAccessControl.ACCESS_DATASOURCE);
    final SecurityRole projectEditor = createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_EDITOR, "Editor", "Allows a user to edit, delete projects", ProjectAccessControl.ACCESS_PROJECT, ProjectAccessControl.EDIT_PROJECT, ProjectAccessControl.DELETE_PROJECT);
    createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_ADMIN, "Admin", "All capabilities defined in the 'Editor' role along with the ability to change the permissions", projectEditor, ProjectAccessControl.CHANGE_PERMS);
    createDefaultRole(SecurityRole.PROJECT, ProjectAccessControl.ROLE_READER, "Read-Only", "Allows a user to view the project", ProjectAccessControl.ACCESS_PROJECT);
}

Example 5 with SecurityRole

Use of com.thinkbiganalytics.security.role.SecurityRole in project kylo by Teradata.

The class JcrDatasourceProvider, method ensureDatasourceDetails.

@Override
public <D extends DatasourceDetails> Optional<D> ensureDatasourceDetails(@Nonnull final Datasource.ID id, @Nonnull final Class<D> type) {
    try {
        // Ensure the data source exists
        final Optional<JcrUserDatasource> parent = Optional.ofNullable(getDatasource(id)).filter(JcrUserDatasource.class::isInstance).map(JcrUserDatasource.class::cast);
        if (!parent.isPresent()) {
            return Optional.empty();
        }
        // Create the details
        final Class<? extends JcrDatasourceDetails> implType = JcrUserDatasource.resolveDetailsClass(type);
        final boolean isNew = !hasEntityNode(parent.get().getPath(), JcrUserDatasource.DETAILS);
        final Node node = findOrCreateEntityNode(parent.get().getPath(), JcrUserDatasource.DETAILS, implType);
        @SuppressWarnings("unchecked") final D details = (D) JcrUtil.createJcrObject(node, implType);
        // Re-assign permissions to data source
        if (isNew) {
            final UsernamePrincipal owner = parent.map(JcrUserDatasource::getOwner).map(Principal::getName).map(UsernamePrincipal::new).orElse(JcrMetadataAccess.getActiveUser());
            if (accessController.isEntityAccessControlled()) {
                final List<SecurityRole> roles = roleProvider.getEntityRoles(SecurityRole.DATASOURCE);
                actionsProvider.getAvailableActions(AllowedActions.DATASOURCE).ifPresent(actions -> parent.get().enableAccessControl((JcrAllowedActions) actions, owner, roles));
            } else {
                actionsProvider.getAvailableActions(AllowedActions.DATASOURCE).ifPresent(actions -> parent.get().disableAccessControl((JcrAllowedActions) actions, owner));
            }
        }
        return Optional.of(details);
    } catch (final IllegalArgumentException e) {
        throw new MetadataException("Unable to create datasource details: " + type, e);
    }
}