
Example 11 with EntityId

use of io.cdap.cdap.proto.id.EntityId in project cdap by caskdata.

Class AuthorizationEnforcementModule, method getNoOpModules.

/**
 * Builds an {@link AbstractModule} whose bindings perform no access enforcement at all:
 * every {@code enforce} call passes, and {@code isVisible} hands back its input unfiltered.
 * Because nothing is authorized, these modules are meant only for workers that execute user
 * code and own no data on which access would need to be enforced.
 */
public AbstractModule getNoOpModules() {
    // Local pass-through enforcer backing the ContextAccessEnforcer binding below.
    class PassThroughContextAccessEnforcer implements ContextAccessEnforcer {

        @Override
        public void enforce(EntityId entity, Set<? extends Permission> permissions) {
            // Intentionally empty: nothing is enforced in the no-op configuration.
        }

        @Override
        public void enforceOnParent(EntityType entityType, EntityId parentId, Permission permission) {
            // Intentionally empty: nothing is enforced in the no-op configuration.
        }

        @Override
        public Set<? extends EntityId> isVisible(Set<? extends EntityId> entityIds) {
            // Every requested entity is reported visible; the input set is returned as-is.
            return entityIds;
        }
    }

    return new AbstractModule() {
        @Override
        protected void configure() {
            // A singleton no-op controller satisfies the AccessEnforcer binding.
            bind(AccessEnforcer.class).to(NoOpAccessController.class).in(Scopes.SINGLETON);
            // One pass-through instance serves every ContextAccessEnforcer injection.
            bind(ContextAccessEnforcer.class).toInstance(new PassThroughContextAccessEnforcer());
        }
    };
}

Example 12 with EntityId

use of io.cdap.cdap.proto.id.EntityId in project cdap by caskdata.

Class InternalAccessEnforcerTest, method testInternalAccessIsVisibleInvalidCredential.

@Test
public void testInternalAccessIsVisibleInvalidCredential() throws IOException {
    // A credential typed INTERNAL whose value is not a token the enforcer can verify.
    Credential badCredential = new Credential("invalid", Credential.CredentialType.INTERNAL);
    Principal systemPrincipal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, badCredential);
    Set<EntityId> requested = Collections.singleton(new NamespaceId("namespace"));

    // Visibility fails closed: an unverifiable internal credential exposes no entities at all.
    Set<? extends EntityId> visible = internalAccessEnforcer.isVisible(requested, systemPrincipal);
    Assert.assertEquals(Collections.emptySet(), visible);
}

Example 13 with EntityId

use of io.cdap.cdap.proto.id.EntityId in project cdap by caskdata.

Class InternalAccessEnforcerTest, method testInternalAccessIsVisibleSuccess.

@Test
public void testInternalAccessIsVisibleSuccess() throws IOException {
    long issuedAt = System.currentTimeMillis();
    long expiresAt = issuedAt + 5 * MINUTE_MILLIS;
    // An INTERNAL identity signed by the token manager: the credential the enforcer should trust.
    UserIdentity identity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.INTERNAL,
                                             Collections.emptyList(), issuedAt, expiresAt);
    byte[] signedToken = accessTokenCodec.encode(tokenManager.signIdentifier(identity));
    Credential internalCredential =
      new Credential(Base64.getEncoder().encodeToString(signedToken), Credential.CredentialType.INTERNAL);
    Principal systemPrincipal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, internalCredential);

    Set<EntityId> requested = Collections.singleton(new NamespaceId("namespace"));
    // With a valid internal credential every requested entity is reported visible.
    Assert.assertEquals(requested, internalAccessEnforcer.isVisible(requested, systemPrincipal));
}

Example 14 with EntityId

use of io.cdap.cdap.proto.id.EntityId in project cdap by caskdata.

Class InternalAccessEnforcerTest, method testInternalAccessIsVisibleNonInternalTokenType.

@Test
public void testInternalAccessIsVisibleNonInternalTokenType() throws IOException {
    long issuedAt = System.currentTimeMillis();
    long expiresAt = issuedAt + 5 * MINUTE_MILLIS;
    // A properly signed token, but for an EXTERNAL identity, presented as if it were INTERNAL.
    UserIdentity identity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.EXTERNAL,
                                             Collections.emptyList(), issuedAt, expiresAt);
    byte[] signedToken = accessTokenCodec.encode(tokenManager.signIdentifier(identity));
    Credential mismatchedCredential =
      new Credential(Base64.getEncoder().encodeToString(signedToken), Credential.CredentialType.INTERNAL);
    Principal systemPrincipal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, mismatchedCredential);

    Set<EntityId> requested = Collections.singleton(new NamespaceId("namespace"));
    // A valid signature alone is not enough: the identifier type must also be INTERNAL, so nothing is visible.
    Assert.assertEquals(Collections.emptySet(), internalAccessEnforcer.isVisible(requested, systemPrincipal));
}

Example 15 with EntityId

use of io.cdap.cdap.proto.id.EntityId in project cdap by caskdata.

Class DefaultAccessEnforcerTest, method testInternalIsVisible.

@Test
public void testInternalIsVisible() throws IOException, AccessException {
    // Turn on internal auth in a private copy so the shared CCONF is left untouched.
    CConfiguration internalAuthConf = CConfiguration.copy(CCONF);
    internalAuthConf.setBoolean(Constants.Security.INTERNAL_AUTH_ENABLED, true);
    ControllerWrapper wrapper = createControllerWrapper(internalAuthConf, SCONF, new NoOpAccessController());

    Credential internalCredential = new Credential("credential", Credential.CredentialType.INTERNAL);
    Principal systemUser = new Principal("system", Principal.PrincipalType.USER, null, internalCredential);
    Set<EntityId> namespaces = ImmutableSet.of(NS);

    // The wrapped access controller itself grants this principal no visibility...
    Assert.assertEquals(Collections.emptySet(), wrapper.accessController.isVisible(namespaces, systemUser));
    // ...so a full result shows the enforcer routed the internal credential to the no-op controller,
    // which lets every request through.
    Assert.assertEquals(namespaces, wrapper.defaultAccessEnforcer.isVisible(namespaces, systemUser));
    // That routing decision must be recorded exactly once as an internal visibility check.
    verify(wrapper.mockMetricsContext, times(1))
      .increment(Constants.Metrics.Authorization.INTERNAL_VISIBILITY_CHECK_COUNT, 1);
}
