Examples with GrantedPermission io.cdap.cdap.proto.security.GrantedPermission used on opensource projects

Search in sources :

Example 16 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AuthorizationTest method testNamespaces.

@Test
public void testNamespaces() throws Exception {
    NamespaceAdmin namespaceAdmin = getNamespaceAdmin();
    AccessController accessController = getAccessController();
    try {
        namespaceAdmin.create(AUTH_NAMESPACE_META);
        Assert.fail("Namespace create should have failed because alice is not authorized on " + AUTH_NAMESPACE);
    } catch (UnauthorizedException expected) {
    // expected
    }
    createAuthNamespace();
    Assert.assertTrue(namespaceAdmin.list().contains(AUTH_NAMESPACE_META));
    namespaceAdmin.get(AUTH_NAMESPACE);
    // revoke privileges
    revokeAndAssertSuccess(AUTH_NAMESPACE);
    try {
        Assert.assertTrue(namespaceAdmin.list().isEmpty());
        namespaceAdmin.exists(AUTH_NAMESPACE);
        Assert.fail("Namespace existence check should fail since the privilege of alice has been revoked");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // grant privileges again
    grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));
    namespaceAdmin.exists(AUTH_NAMESPACE);
    Assert.assertEquals(ImmutableSet.of(new GrantedPermission(AUTH_NAMESPACE, StandardPermission.GET), new GrantedPermission(AUTH_NAMESPACE, StandardPermission.UPDATE)), accessController.listGrants(ALICE));
    NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
    namespaceAdmin.updateProperties(AUTH_NAMESPACE, updated);
    Assert.assertEquals(updated, namespaceAdmin.get(AUTH_NAMESPACE));
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) NamespaceAdmin(io.cdap.cdap.common.namespace.NamespaceAdmin) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Test(org.junit.Test)

Example 17 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AuthorizationTest method createAuthNamespace.

private void createAuthNamespace() throws Exception {
    AccessController accessController = getAccessController();
    grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(StandardPermission.GET, StandardPermission.CREATE));
    getNamespaceAdmin().create(AUTH_NAMESPACE_META);
    Assert.assertEquals(ImmutableSet.of(new GrantedPermission(AUTH_NAMESPACE, StandardPermission.GET), new GrantedPermission(AUTH_NAMESPACE, StandardPermission.CREATE)), accessController.listGrants(ALICE));
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 18 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AuthorizationTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    AccessController accessController = getAccessController();
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) ImmutableSet(com.google.common.collect.ImmutableSet) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 19 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class AuthorizationTest method assertNoAccess.

private void assertNoAccess(Principal principal, final EntityId entityId) throws Exception {
    AccessController accessController = getAccessController();
    Predicate<GrantedPermission> entityFilter = new Predicate<GrantedPermission>() {

        @Override
        public boolean apply(GrantedPermission input) {
            return Authorizable.fromEntityId(entityId).equals(input.getAuthorizable());
        }
    };
    Assert.assertTrue(Sets.filter(accessController.listGrants(principal), entityFilter).isEmpty());
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Predicate(com.google.common.base.Predicate)

Example 20 with GrantedPermission

use of io.cdap.cdap.proto.security.GrantedPermission in project cdap by cdapio.

the class SystemArtifactsAuthorizationTest method testAuthorizationForSystemArtifacts.

@Test
public void testAuthorizationForSystemArtifacts() throws Exception {
    artifactRepository.addSystemArtifacts();
    // alice should not be able to refresh system artifacts because she does not have admin privileges on namespace
    // system
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        artifactRepository.addSystemArtifacts();
        Assert.fail("Adding system artifacts should have failed because alice does not have admin privileges on " + "the namespace system.");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // grant alice admin privileges on the CDAP system namespace
    Authorizable authorizable = Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT);
    accessController.grant(authorizable, ALICE, Collections.singleton(StandardPermission.CREATE));
    Assert.assertEquals(Collections.singleton(new GrantedPermission(authorizable, StandardPermission.CREATE)), accessController.listGrants(ALICE));
    // refreshing system artifacts should succeed now
    artifactRepository.addSystemArtifacts();
    SecurityRequestContext.setUserId("bob");
    // deleting a system artifact should fail because bob does not have admin privileges on the artifact
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        Assert.fail("Deleting a system artifact should have failed because alice does not have admin privileges on " + "the artifact.");
    } catch (UnauthorizedException expected) {
    // expected
    }
    // grant alice admin privileges on test namespace
    SecurityRequestContext.setUserId(ALICE.getName());
    NamespaceId namespaceId = new NamespaceId("test");
    accessController.grant(Authorizable.fromEntityId(namespaceId), ALICE, EnumSet.allOf(StandardPermission.class));
    accessController.grant(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT), ALICE, EnumSet.of(StandardPermission.LIST));
    namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
    // test that system artifacts are available to everyone
    List<ArtifactSummary> artifacts = artifactRepository.getArtifactSummaries(namespaceId, true);
    Assert.assertEquals(1, artifacts.size());
    ArtifactSummary artifactSummary = artifacts.get(0);
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
    // test the getArtifact API
    ArtifactDetail artifactDetail = artifactRepository.getArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    io.cdap.cdap.api.artifact.ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
    namespaceAdmin.delete(namespaceId);
    // enforce on the system artifact should fail in unit test, since we do not have auto-grant now
    try {
        accessController.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(StandardPermission.class));
        Assert.fail();
    } catch (UnauthorizedException e) {
    // expected
    }
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        Assert.fail();
    } catch (UnauthorizedException e) {
    // expected
    }
    // deleting system artifact should succeed if alice has DELETE on the artifact
    accessController.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(StandardPermission.DELETE));
    artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    // clean up privilege
    accessController.revoke(Authorizable.fromEntityId(SYSTEM_ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId));
}
Also used : GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ArtifactSummary(io.cdap.cdap.api.artifact.ArtifactSummary) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) Authorizable(io.cdap.cdap.proto.security.Authorizable) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Test(org.junit.Test)

Aggregations

GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)38 Test (org.junit.Test)16 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)12 Permission (io.cdap.cdap.proto.security.Permission)10 HashSet (java.util.HashSet)10 InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)8 AccessController (io.cdap.cdap.security.spi.authorization.AccessController)8 ImmutableSet (com.google.common.collect.ImmutableSet)6 Authorizable (io.cdap.cdap.proto.security.Authorizable)6 Principal (io.cdap.cdap.proto.security.Principal)6 Role (io.cdap.cdap.proto.security.Role)6 UnauthorizedException (io.cdap.cdap.security.spi.authorization.UnauthorizedException)6 Predicate (com.google.common.base.Predicate)4 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)4 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)4 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)4 ArtifactSummary (io.cdap.cdap.api.artifact.ArtifactSummary)2 SecureStoreMetadata (io.cdap.cdap.api.security.store.SecureStoreMetadata)2 MethodArgument (io.cdap.cdap.common.internal.remote.MethodArgument)2 NamespaceAdmin (io.cdap.cdap.common.namespace.NamespaceAdmin)2
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial