Search in sources :

Example 1 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class RemotePrivilegesHandler method listPrivileges.

@POST
@Path("/listPrivileges")
public void listPrivileges(FullHttpRequest request, HttpResponder responder) throws Exception {
    Iterator<MethodArgument> arguments = parseArguments(request);
    Principal principal = deserializeNext(arguments);
    LOG.trace("Listing grantedPermissions for principal {}", principal);
    Set<GrantedPermission> grantedPermissions = permissionManager.listGrants(principal);
    LOG.debug("Returning grantedPermissions for principal {} as {}", principal, grantedPermissions);
    responder.sendJson(HttpResponseStatus.OK, GSON.toJson(grantedPermissions));
}
Also used : MethodArgument(io.cdap.cdap.common.internal.remote.MethodArgument) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Principal(io.cdap.cdap.proto.security.Principal) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 2 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method testSecureStoreAccess.

@Test
public void testSecureStoreAccess() throws Exception {
    final SecureKeyId secureKeyId1 = NamespaceId.DEFAULT.secureKey(KEY1);
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        secureStoreManager.put(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
        Assert.fail("Alice should not be able to store a key since she does not have WRITE privileges on the namespace");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // Grant ALICE admin access to the secure key
    grantAndAssertSuccess(NamespaceId.DEFAULT, ALICE, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(Authorizable.fromEntityId(NamespaceId.DEFAULT, EntityType.SECUREKEY), ALICE, EnumSet.of(StandardPermission.LIST));
    grantAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(StandardPermission.class));
    // Write should succeed
    secureStoreManager.put(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
    // Listing should return the value just written
    List<SecureStoreMetadata> metadatas = secureStore.list(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, metadatas.size());
    Assert.assertEquals(KEY1, metadatas.get(0).getName());
    Assert.assertEquals(DESCRIPTION1, metadatas.get(0).getDescription());
    revokeAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(StandardPermission.class));
    // Should not be able to list the keys since ALICE does not have privilege on the secure key
    try {
        secureStore.list(NamespaceId.DEFAULT.getNamespace());
    } catch (UnauthorizedException e) {
    // expected
    }
    // Give BOB read access and verify that he can read the stored data
    SecurityRequestContext.setUserId(BOB.getName());
    grantAndAssertSuccess(NamespaceId.DEFAULT, BOB, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(secureKeyId1, BOB, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(Authorizable.fromEntityId(NamespaceId.DEFAULT, EntityType.SECUREKEY), BOB, EnumSet.of(StandardPermission.LIST));
    Assert.assertEquals(VALUE1, new String(secureStore.get(NamespaceId.DEFAULT.getNamespace(), KEY1).get(), Charsets.UTF_8));
    metadatas = secureStore.list(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, metadatas.size());
    // BOB should not be able to delete the key
    try {
        secureStoreManager.delete(NamespaceId.DEFAULT.getNamespace(), KEY1);
        Assert.fail("Bob should not be able to delete a key since he does not have ADMIN privileges on the key");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // Grant Bob ADMIN access and he should be able to delete the key
    grantAndAssertSuccess(secureKeyId1, BOB, ImmutableSet.of(StandardPermission.DELETE));
    secureStoreManager.delete(NamespaceId.DEFAULT.getNamespace(), KEY1);
    Assert.assertEquals(0, secureStore.list(NamespaceId.DEFAULT.getNamespace()).size());
    Predicate<GrantedPermission> secureKeyIdFilter = new Predicate<GrantedPermission>() {

        @Override
        public boolean apply(GrantedPermission input) {
            return input.getAuthorizable().equals(Authorizable.fromEntityId(secureKeyId1));
        }
    };
}
Also used : SecureKeyId(io.cdap.cdap.proto.id.SecureKeyId) SecureStoreMetadata(io.cdap.cdap.api.security.store.SecureStoreMetadata) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) Predicate(com.google.common.base.Predicate) Test(org.junit.Test)

Example 3 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method revokeAndAssertSuccess.

private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<? extends Permission> permissions) throws Exception {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.revoke(Authorizable.fromEntityId(entityId), principal, permissions);
    Set<GrantedPermission> revokedPrivileges = new HashSet<>();
    for (Permission permission : permissions) {
        revokedPrivileges.add(new GrantedPermission(entityId, permission));
    }
    Assert.assertEquals(Sets.difference(existingPrivileges, revokedPrivileges), accessController.listGrants(principal));
}
Also used : Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) HashSet(java.util.HashSet)

Example 4 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : ImmutableSet(com.google.common.collect.ImmutableSet) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 5 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class InMemoryAccessController method listGrants.

@Override
public Set<GrantedPermission> listGrants(Principal principal) {
    Set<GrantedPermission> privileges = new HashSet<>();
    // privileges for this principal
    privileges.addAll(getPrivileges(principal));
    // privileges for the role to which this principal belongs to if its not a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : roleToPrincipals.keySet()) {
            privileges.addAll(getPrivileges(role));
        }
    }
    return Collections.unmodifiableSet(privileges);
}
Also used : Role(io.cdap.cdap.proto.security.Role) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) HashSet(java.util.HashSet)

Aggregations

GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)19 Test (org.junit.Test)8 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)6 Permission (io.cdap.cdap.proto.security.Permission)5 HashSet (java.util.HashSet)5 InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)4 AccessController (io.cdap.cdap.security.spi.authorization.AccessController)4 ImmutableSet (com.google.common.collect.ImmutableSet)3 Authorizable (io.cdap.cdap.proto.security.Authorizable)3 Principal (io.cdap.cdap.proto.security.Principal)3 Role (io.cdap.cdap.proto.security.Role)3 UnauthorizedException (io.cdap.cdap.security.spi.authorization.UnauthorizedException)3 Predicate (com.google.common.base.Predicate)2 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)2 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)2 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)2 ArtifactSummary (io.cdap.cdap.api.artifact.ArtifactSummary)1 SecureStoreMetadata (io.cdap.cdap.api.security.store.SecureStoreMetadata)1 MethodArgument (io.cdap.cdap.common.internal.remote.MethodArgument)1 NamespaceAdmin (io.cdap.cdap.common.namespace.NamespaceAdmin)1