Examples with GrantedPermission io.cdap.cdap.proto.security.GrantedPermission used on opensource projects

Search in sources :

Example 11 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class InMemoryAccessController method getPrivileges.

private Set<GrantedPermission> getPrivileges(Principal principal) {
    Set<GrantedPermission> result = new HashSet<>();
    for (Map.Entry<Authorizable, ConcurrentMap<Principal, Set<Permission>>> entry : privileges.entrySet()) {
        Authorizable authorizable = entry.getKey();
        Set<? extends Permission> permissions = getPermissions(authorizable, principal);
        for (Permission permission : permissions) {
            result.add(new GrantedPermission(authorizable, permission));
        }
    }
    return Collections.unmodifiableSet(result);
}
Also used : ConcurrentMap(java.util.concurrent.ConcurrentMap) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Permission(io.cdap.cdap.proto.security.Permission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Authorizable(io.cdap.cdap.proto.security.Authorizable) ConcurrentMap(java.util.concurrent.ConcurrentMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashSet(java.util.HashSet)

Example 12 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class DefaultSecureStoreServiceTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : ImmutableSet(com.google.common.collect.ImmutableSet) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 13 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class DefaultSecureStoreServiceTest method testSecureStoreAccess.

@Test
public void testSecureStoreAccess() throws Exception {
    final SecureKeyId secureKeyId1 = NamespaceId.DEFAULT.secureKey(KEY1);
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        secureStoreManager.put(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
        Assert.fail("Alice should not be able to store a key since she does not have WRITE privileges on the namespace");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // Grant ALICE admin access to the secure key
    grantAndAssertSuccess(NamespaceId.DEFAULT, ALICE, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(Authorizable.fromEntityId(NamespaceId.DEFAULT, EntityType.SECUREKEY), ALICE, EnumSet.of(StandardPermission.LIST));
    grantAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(StandardPermission.class));
    // Write should succeed
    secureStoreManager.put(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
    // Listing should return the value just written
    List<SecureStoreMetadata> metadatas = secureStore.list(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, metadatas.size());
    Assert.assertEquals(KEY1, metadatas.get(0).getName());
    Assert.assertEquals(DESCRIPTION1, metadatas.get(0).getDescription());
    revokeAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(StandardPermission.class));
    // Should not be able to list the keys since ALICE does not have privilege on the secure key
    try {
        secureStore.list(NamespaceId.DEFAULT.getNamespace());
    } catch (UnauthorizedException e) {
    // expected
    }
    // Give BOB read access and verify that he can read the stored data
    SecurityRequestContext.setUserId(BOB.getName());
    grantAndAssertSuccess(NamespaceId.DEFAULT, BOB, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(secureKeyId1, BOB, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(Authorizable.fromEntityId(NamespaceId.DEFAULT, EntityType.SECUREKEY), BOB, EnumSet.of(StandardPermission.LIST));
    Assert.assertEquals(VALUE1, new String(secureStore.get(NamespaceId.DEFAULT.getNamespace(), KEY1).get(), Charsets.UTF_8));
    metadatas = secureStore.list(NamespaceId.DEFAULT.getNamespace());
    Assert.assertEquals(1, metadatas.size());
    // BOB should not be able to delete the key
    try {
        secureStoreManager.delete(NamespaceId.DEFAULT.getNamespace(), KEY1);
        Assert.fail("Bob should not be able to delete a key since he does not have ADMIN privileges on the key");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // Grant Bob ADMIN access and he should be able to delete the key
    grantAndAssertSuccess(secureKeyId1, BOB, ImmutableSet.of(StandardPermission.DELETE));
    secureStoreManager.delete(NamespaceId.DEFAULT.getNamespace(), KEY1);
    Assert.assertEquals(0, secureStore.list(NamespaceId.DEFAULT.getNamespace()).size());
    Predicate<GrantedPermission> secureKeyIdFilter = new Predicate<GrantedPermission>() {

        @Override
        public boolean apply(GrantedPermission input) {
            return input.getAuthorizable().equals(Authorizable.fromEntityId(secureKeyId1));
        }
    };
}
Also used : SecureKeyId(io.cdap.cdap.proto.id.SecureKeyId) SecureStoreMetadata(io.cdap.cdap.api.security.store.SecureStoreMetadata) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) Predicate(com.google.common.base.Predicate) Test(org.junit.Test)

Example 14 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class DefaultSecureStoreServiceTest method revokeAndAssertSuccess.

private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<? extends Permission> permissions) throws Exception {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.revoke(Authorizable.fromEntityId(entityId), principal, permissions);
    Set<GrantedPermission> revokedPrivileges = new HashSet<>();
    for (Permission permission : permissions) {
        revokedPrivileges.add(new GrantedPermission(entityId, permission));
    }
    Assert.assertEquals(Sets.difference(existingPrivileges, revokedPrivileges), accessController.listGrants(principal));
}
Also used : Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) HashSet(java.util.HashSet)

Example 15 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AccessControllerTest method testRBAC.

@Test
public void testRBAC() throws Exception {
    AccessController authorizer = get();
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");
    // create a role
    authorizer.createRole(admins);
    // add another role
    authorizer.createRole(engineers);
    // listing role should show the added role
    Set<Role> roles = authorizer.listAllRoles();
    Set<Role> expectedRoles = new HashSet<>();
    expectedRoles.add(admins);
    expectedRoles.add(engineers);
    Assert.assertEquals(expectedRoles, roles);
    // creating a role which already exists should throw an exception
    try {
        authorizer.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (AlreadyExistsException expected) {
    // expected
    }
    // drop an existing role
    authorizer.dropRole(admins);
    // the list should not have the dropped role
    roles = authorizer.listAllRoles();
    Assert.assertEquals(Collections.singleton(engineers), roles);
    // dropping a non-existing role should throw exception
    try {
        authorizer.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
    } catch (NotFoundException expected) {
    // expected
    }
    // add an user to an existing role
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    authorizer.addRoleToPrincipal(engineers, spiderman);
    // add an user to an non-existing role should throw an exception
    try {
        authorizer.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
    // check listing roles for spiderman have engineers role
    Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
    // authorization checks with roles
    NamespaceId ns1 = new NamespaceId("ns1");
    // check that spiderman who has engineers roles cannot read from ns1
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // give a permission to engineers role
    authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
    // check that a spiderman who has engineers role has access
    authorizer.enforce(ns1, spiderman, StandardPermission.GET);
    // list privileges for spiderman should have read permission on ns1
    Assert.assertEquals(Collections.singleton(new GrantedPermission(ns1, StandardPermission.GET)), authorizer.listGrants(spiderman));
    // revoke permission from the role
    authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
    // now the privileges for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listGrants(spiderman));
    // check that the user of this role is not authorized to do the revoked operation
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // remove an user from a existing role
    authorizer.removeRoleFromPrincipal(engineers, spiderman);
    // check listing roles for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
    // remove an user from a non-existing role should throw exception
    try {
        authorizer.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
}
Also used : Role(io.cdap.cdap.proto.security.Role) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Principal(io.cdap.cdap.proto.security.Principal) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)38 Test (org.junit.Test)16 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)12 Permission (io.cdap.cdap.proto.security.Permission)10 HashSet (java.util.HashSet)10 InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)8 AccessController (io.cdap.cdap.security.spi.authorization.AccessController)8 ImmutableSet (com.google.common.collect.ImmutableSet)6 Authorizable (io.cdap.cdap.proto.security.Authorizable)6 Principal (io.cdap.cdap.proto.security.Principal)6 Role (io.cdap.cdap.proto.security.Role)6 UnauthorizedException (io.cdap.cdap.security.spi.authorization.UnauthorizedException)6 Predicate (com.google.common.base.Predicate)4 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)4 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)4 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)4 ArtifactSummary (io.cdap.cdap.api.artifact.ArtifactSummary)2 SecureStoreMetadata (io.cdap.cdap.api.security.store.SecureStoreMetadata)2 MethodArgument (io.cdap.cdap.common.internal.remote.MethodArgument)2 NamespaceAdmin (io.cdap.cdap.common.namespace.NamespaceAdmin)2
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial