
Example 1 with Authorizable

use of io.cdap.cdap.proto.security.Authorizable in project cdap by caskdata.

the class SystemArtifactsAuthorizationTest method testAuthorizationForSystemArtifacts.

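/**
 * Verifies that refreshing, reading and deleting system artifacts is gated by the grants held by
 * the calling user.
 *
 * <p>The test switches the request identity between ALICE and "bob" through
 * {@code SecurityRequestContext} and checks each operation both before and after the matching
 * grant is issued through {@code accessController}. Statement order matters: every step depends
 * on the identity and grants left in place by the previous one.
 *
 * @throws Exception if any repository, namespace or access-controller call fails unexpectedly
 */
@Test
public void testAuthorizationForSystemArtifacts() throws Exception {
    // NOTE(review): this first refresh runs under whatever identity the fixture set up before the
    // test body; that setup is not visible here.
    artifactRepository.addSystemArtifacts();
    // alice holds no grant on artifacts in the system namespace yet, so a refresh issued as alice
    // must be rejected
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        artifactRepository.addSystemArtifacts();
        Assert.fail("Adding system artifacts should have failed because alice does not have admin privileges on "
            + "the namespace system.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // grant alice CREATE on artifacts in the CDAP system namespace, and check it is the only grant she holds
    Authorizable authorizable = Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT);
    accessController.grant(authorizable, ALICE, Collections.singleton(StandardPermission.CREATE));
    Assert.assertEquals(
        Collections.singleton(new GrantedPermission(authorizable, StandardPermission.CREATE)),
        accessController.listGrants(ALICE));
    // refreshing system artifacts should succeed now
    artifactRepository.addSystemArtifacts();
    SecurityRequestContext.setUserId("bob");
    // deleting a system artifact should fail because bob has no grant on the artifact
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        // The failure message names bob: he is the active user at this point, not alice.
        Assert.fail("Deleting a system artifact should have failed because bob does not have admin privileges on "
            + "the artifact.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // switch back to alice; give her every StandardPermission on the test namespace plus LIST on its artifacts
    SecurityRequestContext.setUserId(ALICE.getName());
    NamespaceId namespaceId = new NamespaceId("test");
    accessController.grant(Authorizable.fromEntityId(namespaceId), ALICE, EnumSet.allOf(StandardPermission.class));
    accessController.grant(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT), ALICE,
        EnumSet.of(StandardPermission.LIST));
    namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
    // test that system artifacts are available to everyone
    List<ArtifactSummary> artifacts = artifactRepository.getArtifactSummaries(namespaceId, true);
    Assert.assertEquals(1, artifacts.size());
    ArtifactSummary artifactSummary = artifacts.get(0);
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
    // test the getArtifact API
    ArtifactDetail artifactDetail = artifactRepository.getArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    io.cdap.cdap.api.artifact.ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
    namespaceAdmin.delete(namespaceId);
    // enforce on the system artifact should fail in unit test, since we do not have auto-grant now
    try {
        accessController.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(StandardPermission.class));
        Assert.fail("Enforcing all permissions on the system artifact should have failed because alice has no "
            + "grant on the artifact itself.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        Assert.fail("Deleting the system artifact should have failed because alice does not have DELETE on it.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // deleting system artifact should succeed if alice has DELETE on the artifact
    accessController.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(StandardPermission.DELETE));
    artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    // clean up privilege
    // NOTE(review): these revokes only run when every assertion above passed, and the request
    // identity is left as alice. If no @After hook resets grants and SecurityRequestContext
    // (none is visible here), a failure could leak privileges into later tests.
    accessController.revoke(Authorizable.fromEntityId(SYSTEM_ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId));
}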
Also used : GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ArtifactSummary(io.cdap.cdap.api.artifact.ArtifactSummary) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) Authorizable(io.cdap.cdap.proto.security.Authorizable) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Test(org.junit.Test)

Example 2 with Authorizable

use of io.cdap.cdap.proto.security.Authorizable in project cdap by caskdata.

the class RevokePermissionCommand method perform.

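/**
 * Revokes permissions on the entity named by the {@code ENTITY} argument and prints a
 * confirmation.
 *
 * <p>Two request shapes are accepted: neither principal nor permissions given (revoke everything
 * on the entity for all principals), or both given. A half-specified request is rejected
 * <em>before</em> {@code client.revoke} is called, so no revoke is sent for a combination the
 * CLI does not support.
 *
 * @param arguments parsed CLI arguments; {@code principal-name}, {@code principal-type} and
 *     {@code permissions} are optional
 * @param output stream the confirmation message is written to
 * @throws NullPointerException if only one of principal and permissions was supplied
 * @throws Exception if parsing the arguments or the revoke call fails
 */
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    Authorizable authorizable = Authorizable.fromString(arguments.get(ArgumentName.ENTITY.toString()));
    String principalName = arguments.getOptional("principal-name", null);
    String type = arguments.getOptional("principal-type", null);
    Principal.PrincipalType principalType = type != null ? Principal.PrincipalType.valueOf(type.toUpperCase()) : null;
    // NOTE(review): the principal is built whenever principal-type is present, even if
    // principal-name is absent; per the comment below the CLI parser is expected to prevent that.
    Principal principal = type != null ? new Principal(principalName, principalType) : null;
    String permissionsString = arguments.getOptional("permissions", null);
    Set<Permission> permissions = permissionsString == null ? null : PERMISSION_STRING_TO_SET.apply(permissionsString);

    boolean revokeAll = principal == null && permissions == null;
    if (!revokeAll) {
        // currently, the CLI only supports 2 scenarios:
        // 1. both permissions and principal are null - the revoke-all case.
        // 2. both permissions and principal are non-null. If only one of them is null, the CLI should already
        // have failed to parse the command.
        // Validate before the revoke is sent: checking afterwards would let a half-specified request reach
        // the server first. How a lone null principal or null permission set is interpreted there is not
        // visible from this method.
        Preconditions.checkNotNull(permissions, "Permissions cannot be null when principal is not null in the revoke command");
        Preconditions.checkNotNull(principal, "Principal cannot be null when permissions is not null in the revoke command");
    }

    client.revoke(authorizable, principal, permissions);

    if (revokeAll) {
        // Revoked all permissions for all principals on the entity
        // NOTE(review): unlike the message below, this one has no trailing newline — confirm whether intended.
        output.printf("Successfully revoked all permissions on entity '%s' for all principals", authorizable.toString());
    } else {
        output.printf("Successfully revoked permission(s) '%s' on entity '%s' for %s '%s'\n", Joiner.on(",").join(permissions), authorizable.toString(), principal.getType(), principal.getName());
    }
}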
Also used : Permission(io.cdap.cdap.proto.security.Permission) Authorizable(io.cdap.cdap.proto.security.Authorizable) Principal(io.cdap.cdap.proto.security.Principal)

Example 3 with Authorizable

use of io.cdap.cdap.proto.security.Authorizable in project cdap by caskdata.

the class GrantPermissionCommand method perform.

/**
 * Grants the requested permissions on an entity to a principal and prints a confirmation.
 *
 * <p>All of {@code ENTITY}, {@code principal-name}, {@code principal-type} and
 * {@code permissions} are read with {@code arguments.get}, i.e. as required arguments. The
 * permission set is null-checked before the grant is sent.
 *
 * @param arguments parsed CLI arguments
 * @param output stream the confirmation message is written to
 * @throws Exception if parsing the arguments or the grant call fails
 */
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    String entityArg = arguments.get(ArgumentName.ENTITY.toString());
    Authorizable authorizable = Authorizable.fromString(entityArg);

    String principalName = arguments.get("principal-name");
    String typeArg = arguments.get("principal-type");
    // The type is upper-cased before the enum lookup, so it is matched case-insensitively.
    Principal.PrincipalType principalType = Principal.PrincipalType.valueOf(typeArg.toUpperCase());
    Principal principal = new Principal(principalName, principalType);

    String permissionsArg = arguments.get("permissions");
    Set<Permission> permissions = PERMISSION_STRING_TO_SET.apply(permissionsArg);
    // permissions is a required argument, so a null set here means the conversion went wrong;
    // fail before anything is granted
    Preconditions.checkNotNull(permissions, "Permissions can never be null in the grant command.");

    client.grant(authorizable, principal, permissions);

    String joinedPermissions = Joiner.on(",").join(permissions);
    String entityText = authorizable.toString();
    output.printf("Successfully granted permission(s) '%s' on entity '%s' to %s '%s'\n",
        joinedPermissions, entityText, principal.getType(), principal.getName());
}
Also used : Permission(io.cdap.cdap.proto.security.Permission) Authorizable(io.cdap.cdap.proto.security.Authorizable) Principal(io.cdap.cdap.proto.security.Principal)

Example 4 with Authorizable

use of io.cdap.cdap.proto.security.Authorizable in project cdap by caskdata.

the class InMemoryAccessController method getPrivileges.

/**
 * Builds the set of grants held by {@code principal} across every authorizable currently
 * present in {@code privileges}.
 *
 * <p>The permissions for each authorizable come from {@code getPermissions(authorizable,
 * principal)}; how that helper resolves them is not visible here.
 *
 * @param principal the principal whose grants are collected
 * @return an unmodifiable set with one {@link GrantedPermission} per (authorizable, permission)
 *     pair; empty when nothing is granted
 */
private Set<GrantedPermission> getPrivileges(Principal principal) {
    Set<GrantedPermission> granted = new HashSet<>();
    // Only the keys are needed: the per-principal maps stored as values are consulted by
    // getPermissions, not read directly here.
    for (Authorizable target : privileges.keySet()) {
        for (Permission held : getPermissions(target, principal)) {
            granted.add(new GrantedPermission(target, held));
        }
    }
    // Callers get a read-only view so they cannot alter the result after the fact.
    return Collections.unmodifiableSet(granted);
}
Also used : ConcurrentMap(java.util.concurrent.ConcurrentMap) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Permission(io.cdap.cdap.proto.security.Permission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Authorizable(io.cdap.cdap.proto.security.Authorizable) ConcurrentMap(java.util.concurrent.ConcurrentMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashSet(java.util.HashSet)

Example 5 with Authorizable

use of io.cdap.cdap.proto.security.Authorizable in project cdap by caskdata.

the class DraftServiceTest method testDraftAuthorization.

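/**
 * Verifies that listing, creating, reading and deleting drafts is allowed only for a user who
 * holds the matching grant on the namespace.
 *
 * <p>The helpers called here ({@code listDrafts}, {@code createBatchPipelineDraft},
 * {@code getDraft}, {@code deleteDraft}) are defined elsewhere in the test class; presumably
 * they issue the request as {@code user} and compare the response status with
 * {@code expectedCode} — confirm against the helpers. Both fields are therefore set explicitly
 * before each call.
 *
 * @throws Exception if a request or grant call fails unexpectedly
 */
@Test
public void testDraftAuthorization() throws Exception {
    user = ALICE_NAME;
    // Check Alice can't list drafts before any grant exists
    expectedCode = HttpURLConnection.HTTP_FORBIDDEN;
    listDrafts(NamespaceId.DEFAULT.getNamespace(), false, "", "", "");
    // Grant her the necessary privilege: GET on the default namespace
    Authorizable namespaceAuthorizable = Authorizable.fromEntityId(NamespaceId.DEFAULT);
    getAccessController().grant(namespaceAuthorizable, ALICE_PRINCIPAL, EnumSet.of(StandardPermission.GET));
    // Check Alice can list drafts now
    expectedCode = HttpURLConnection.HTTP_OK;
    listDrafts(NamespaceId.DEFAULT.getNamespace(), false, "", "", "");
    // Check Bob still can't do it
    user = "bob";
    expectedCode = HttpURLConnection.HTTP_FORBIDDEN;
    listDrafts(NamespaceId.DEFAULT.getNamespace(), false, "", "", "");
    // Check Alice can't do it for another namespace; the expected code is restated so this step
    // does not silently depend on the value left over from Bob's check
    user = ALICE_NAME;
    expectedCode = HttpURLConnection.HTTP_FORBIDDEN;
    listDrafts(TEST_NAMESPACE, false, "", "", "");
    // With only GET granted, Alice can neither delete nor create a draft
    NamespaceSummary namespace = new NamespaceSummary(NamespaceId.DEFAULT.getNamespace(), "", 0);
    DraftId draftId = new DraftId(namespace, "draft1", ALICE_NAME);
    expectedCode = HttpURLConnection.HTTP_FORBIDDEN;
    deleteDraft(draftId);
    createBatchPipelineDraft(draftId, "TestPipeline1", "This is a test pipeline.");
    // Grant Alice the create privilege. Note that we don't differentiate create and update,
    // so UPDATE is used in both cases
    getAccessController().grant(namespaceAuthorizable, ALICE_PRINCIPAL, EnumSet.of(StandardPermission.UPDATE));
    // Now Alice should be able to create the draft
    expectedCode = HttpURLConnection.HTTP_OK;
    createBatchPipelineDraft(draftId, "TestPipeline1", "This is a test pipeline.");
    // Bob still can't get the draft
    expectedCode = HttpURLConnection.HTTP_FORBIDDEN;
    user = "bob";
    getDraft(draftId);
    // Alice should be able to delete the draft
    expectedCode = HttpURLConnection.HTTP_OK;
    user = ALICE_NAME;
    deleteDraft(draftId);
    // NOTE(review): the GET and UPDATE grants issued above are not revoked in this method;
    // confirm that the fixture resets the access controller between tests.
}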
Also used : HttpResponse(io.cdap.common.http.HttpResponse) Authorizable(io.cdap.cdap.proto.security.Authorizable) NamespaceSummary(io.cdap.cdap.api.NamespaceSummary) DraftId(io.cdap.cdap.datapipeline.draft.DraftId) Test(org.junit.Test)

Aggregations

Authorizable (io.cdap.cdap.proto.security.Authorizable)6 Permission (io.cdap.cdap.proto.security.Permission)4 GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)3 Principal (io.cdap.cdap.proto.security.Principal)2 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)2 Test (org.junit.Test)2 ImmutableSet (com.google.common.collect.ImmutableSet)1 NamespaceSummary (io.cdap.cdap.api.NamespaceSummary)1 ArtifactSummary (io.cdap.cdap.api.artifact.ArtifactSummary)1 DraftId (io.cdap.cdap.datapipeline.draft.DraftId)1 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)1 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)1 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)1 UnauthorizedException (io.cdap.cdap.security.spi.authorization.UnauthorizedException)1 HttpResponse (io.cdap.common.http.HttpResponse)1 HashSet (java.util.HashSet)1 Map (java.util.Map)1 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1 ConcurrentMap (java.util.concurrent.ConcurrentMap)1