Examples with GrantedPermission io.cdap.cdap.proto.security.GrantedPermission used on opensource projects

Example 6 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class AccessControllerTest method testRBAC.

@Test
public void testRBAC() throws Exception {
    AccessController authorizer = get();
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");
    // create a role
    authorizer.createRole(admins);
    // add another role
    authorizer.createRole(engineers);
    // listing role should show the added role
    Set<Role> roles = authorizer.listAllRoles();
    Set<Role> expectedRoles = new HashSet<>();
    expectedRoles.add(admins);
    expectedRoles.add(engineers);
    Assert.assertEquals(expectedRoles, roles);
    // creating a role which already exists should throw an exception
    try {
        authorizer.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (AlreadyExistsException expected) {
    // expected
    }
    // drop an existing role
    authorizer.dropRole(admins);
    // the list should not have the dropped role
    roles = authorizer.listAllRoles();
    Assert.assertEquals(Collections.singleton(engineers), roles);
    // dropping a non-existing role should throw exception
    try {
        authorizer.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
    } catch (NotFoundException expected) {
    // expected
    }
    // add an user to an existing role
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    authorizer.addRoleToPrincipal(engineers, spiderman);
    // add an user to an non-existing role should throw an exception
    try {
        authorizer.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
    // check listing roles for spiderman have engineers role
    Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
    // authorization checks with roles
    NamespaceId ns1 = new NamespaceId("ns1");
    // check that spiderman who has engineers roles cannot read from ns1
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // give a permission to engineers role
    authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
    // check that a spiderman who has engineers role has access
    authorizer.enforce(ns1, spiderman, StandardPermission.GET);
    // list privileges for spiderman should have read permission on ns1
    Assert.assertEquals(Collections.singleton(new GrantedPermission(ns1, StandardPermission.GET)), authorizer.listGrants(spiderman));
    // revoke permission from the role
    authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
    // now the privileges for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listGrants(spiderman));
    // check that the user of this role is not authorized to do the revoked operation
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // remove an user from a existing role
    authorizer.removeRoleFromPrincipal(engineers, spiderman);
    // check listing roles for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
    // remove an user from a non-existing role should throw exception
    try {
        authorizer.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
}

Example 7 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by caskdata.

the class AuthorizationTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    AccessController accessController = getAccessController();
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}

Example 8 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AuthorizationHandlerTest method verifyAuthSuccess.

private void verifyAuthSuccess(EntityId entity, Principal principal, Permission permission) throws Exception {
    Set<GrantedPermission> grantedPermissions = client.listGrants(principal);
    GrantedPermission grantedPermissionToCheck = new GrantedPermission(entity, permission);
    Assert.assertTrue(String.format("Expected principal %s to have the grantedPermission %s, but found that it did not.", principal, grantedPermissionToCheck), grantedPermissions.contains(grantedPermissionToCheck));
}

Example 9 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AuthorizationHandlerTest method testRBAC.

@Test
public void testRBAC() throws Exception {
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");
    // create a role
    client.createRole(admins);
    // add another role
    client.createRole(engineers);
    // listing role should show the added role
    Set<Role> roles = client.listAllRoles();
    Assert.assertEquals(Sets.newHashSet(admins, engineers), roles);
    // creating a role which already exists should throw an exception
    try {
        client.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (AlreadyExistsException expected) {
    // expected
    }
    // drop an existing role
    client.dropRole(admins);
    // the list should not have the dropped role
    roles = client.listAllRoles();
    Assert.assertEquals(Sets.newHashSet(engineers), roles);
    // dropping a non-existing role should throw exception
    try {
        client.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
    } catch (io.cdap.cdap.security.spi.authorization.NotFoundException expected) {
    // expected
    }
    // add an user to an existing role
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    client.addRoleToPrincipal(engineers, spiderman);
    // add an user to an non-existing role should throw an exception
    try {
        client.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (io.cdap.cdap.security.spi.authorization.NotFoundException expected) {
    // expected
    }
    // check listing roles for spiderman have engineers role
    Assert.assertEquals(Sets.newHashSet(engineers), client.listRoles(spiderman));
    // check that spiderman who has engineers roles cannot read from ns1
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // give a permission to engineers role
    client.grant(Authorizable.fromEntityId(ns1), engineers, ImmutableSet.of(StandardPermission.GET));
    // check that a spiderman who has engineers role has access
    verifyAuthSuccess(ns1, spiderman, StandardPermission.GET);
    // list grantedPermissions for spiderman should have read permission on ns1
    Assert.assertEquals(Sets.newHashSet(new GrantedPermission(ns1, StandardPermission.GET)), client.listGrants(spiderman));
    // revoke permission from the role
    client.revoke(Authorizable.fromEntityId(ns1), engineers, ImmutableSet.of(StandardPermission.GET));
    // now the grantedPermissions for spiderman should be empty
    Assert.assertEquals(new HashSet<>(), client.listGrants(spiderman));
    // check that the user of this role is not authorized to do the revoked operation
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // remove an user from a existing role
    client.removeRoleFromPrincipal(engineers, spiderman);
    // check listing roles for spiderman should be empty
    Assert.assertEquals(new HashSet<>(), client.listRoles(spiderman));
    // remove an user from a non-existing role should throw exception
    try {
        client.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (io.cdap.cdap.security.spi.authorization.NotFoundException expected) {
    // expected
    }
}

Example 10 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class InMemoryAccessController method listGrants.

@Override
public Set<GrantedPermission> listGrants(Principal principal) {
    Set<GrantedPermission> privileges = new HashSet<>();
    // privileges for this principal
    privileges.addAll(getPrivileges(principal));
    // privileges for the role to which this principal belongs to if its not a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : roleToPrincipals.keySet()) {
            privileges.addAll(getPrivileges(role));
        }
    }
    return Collections.unmodifiableSet(privileges);
}