Search in sources :

Example 1 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class TetheringServerHandlerTest method setUp.

@Before
public void setUp() throws Exception {
    // Define all StructuredTable before starting any services that need StructuredTable
    StoreDefinition.createAllTables(injector.getInstance(StructuredTableAdmin.class));
    cConf.setBoolean(Constants.Tethering.TETHERING_SERVER_ENABLED, true);
    cConf.setInt(Constants.Tethering.CONNECTION_TIMEOUT_SECONDS, 1);
    List<Permission> tetheringPermissions = Arrays.asList(InstancePermission.TETHER);
    InMemoryAccessController inMemoryAccessController = new InMemoryAccessController();
    inMemoryAccessController.grant(Authorizable.fromEntityId(InstanceId.SELF), MASTER_PRINCIPAL, Collections.unmodifiableSet(new HashSet<>(tetheringPermissions)));
    ContextAccessEnforcer contextAccessEnforcer = new DefaultContextAccessEnforcer(new AuthenticationTestContext(), inMemoryAccessController);
    AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
    service = new CommonNettyHttpServiceBuilder(CConfiguration.create(), getClass().getSimpleName()).setHttpHandlers(new TetheringServerHandler(cConf, tetheringStore, messagingService, contextAccessEnforcer), new TetheringHandler(cConf, tetheringStore, messagingService)).build();
    service.start();
    config = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(service.getBindAddress().getHostName()).setPort(service.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
}
Also used : CommonNettyHttpServiceBuilder(io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder) StructuredTableAdmin(io.cdap.cdap.spi.data.StructuredTableAdmin) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) InstancePermission(io.cdap.cdap.proto.security.InstancePermission) Permission(io.cdap.cdap.proto.security.Permission) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) AuthenticationTestContext(io.cdap.cdap.security.auth.context.AuthenticationTestContext) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) ContextAccessEnforcer(io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer) HashSet(java.util.HashSet) Before(org.junit.Before)

Example 2 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method revokeAndAssertSuccess.

private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<? extends Permission> permissions) throws Exception {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.revoke(Authorizable.fromEntityId(entityId), principal, permissions);
    Set<GrantedPermission> revokedPrivileges = new HashSet<>();
    for (Permission permission : permissions) {
        revokedPrivileges.add(new GrantedPermission(entityId, permission));
    }
    Assert.assertEquals(Sets.difference(existingPrivileges, revokedPrivileges), accessController.listGrants(principal));
}
Also used : Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) HashSet(java.util.HashSet)

Example 3 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class DefaultSecureStoreServiceTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : ImmutableSet(com.google.common.collect.ImmutableSet) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 4 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class ProgramLifecycleServiceAuthorizationTest method testProgramList.

@Test
public void testProgramList() throws Exception {
    SecurityRequestContext.setUserId(ALICE.getName());
    ApplicationId applicationId = NamespaceId.DEFAULT.app(AllProgramsApp.NAME);
    Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(applicationId, EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT, EnumSet.of(StandardPermission.GET)).put(NamespaceId.DEFAULT.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.allOf(StandardPermission.class)).build();
    setUpPrivilegesAndExpectFailedDeploy(neededPrivileges);
    // now we should be able to deploy
    AppFabricTestHelper.deployApplication(Id.Namespace.DEFAULT, AllProgramsApp.class, null, cConf);
    // no auto grant now, the list will be empty for all program types
    for (ProgramType type : ProgramType.values()) {
        if (!ProgramType.CUSTOM_ACTION.equals(type)) {
            Assert.assertTrue(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
        }
    }
    // no auto grant now, need to have privileges on the program to be able to see the programs
    accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
    accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
    accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SPARK, AllProgramsApp.NoOpSpark.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
    accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
    accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR2.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
    accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKFLOW, AllProgramsApp.NoOpWorkflow.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
    for (ProgramType type : ProgramType.values()) {
        // Skip flow (until flow is completely removed from ProgramType)
        if (!ProgramType.CUSTOM_ACTION.equals(type)) {
            Assert.assertFalse(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
            SecurityRequestContext.setUserId("bob");
            Assert.assertTrue(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
            SecurityRequestContext.setUserId("alice");
        }
    }
}
Also used : EntityId(io.cdap.cdap.proto.id.EntityId) EnumSet(java.util.EnumSet) Set(java.util.Set) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) Permission(io.cdap.cdap.proto.security.Permission) AllProgramsApp(io.cdap.cdap.AllProgramsApp) ProgramType(io.cdap.cdap.proto.ProgramType) ApplicationId(io.cdap.cdap.proto.id.ApplicationId) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) Test(org.junit.Test)

Example 5 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class InMemoryAccessController method enforce.

private void enforce(EntityId entity, @Nullable EntityType childType, Principal principal, Set<? extends Permission> permissions) throws UnauthorizedException {
    // super users do not have any enforcement
    if (superUsers.contains(principal) || superUsers.contains(allSuperUsers)) {
        return;
    }
    // permissions allowed for this principal
    Set<? extends Permission> allowed = getPermissions(entity, childType, principal);
    if (allowed.containsAll(permissions)) {
        return;
    }
    Set<Permission> allowedForRoles = new HashSet<>();
    // permissions allowed for any of the roles to which this principal belongs if its not a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : getRoles(principal)) {
            allowedForRoles.addAll(getPermissions(entity, role));
        }
    }
    if (!allowedForRoles.containsAll(permissions)) {
        throw new UnauthorizedException(principal, Sets.difference(permissions, allowed), entity, childType);
    }
}
Also used : Role(io.cdap.cdap.proto.security.Role) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Permission(io.cdap.cdap.proto.security.Permission) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) HashSet(java.util.HashSet)

Aggregations

Permission (io.cdap.cdap.proto.security.Permission)25 GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)20 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)19 HashSet (java.util.HashSet)18 ImmutableSet (com.google.common.collect.ImmutableSet)16 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)16 EntityId (io.cdap.cdap.proto.id.EntityId)14 AccessPermission (io.cdap.cdap.proto.security.AccessPermission)14 EnumSet (java.util.EnumSet)14 Set (java.util.Set)14 PartitionedFileSet (io.cdap.cdap.api.dataset.lib.PartitionedFileSet)13 ApplicationId (io.cdap.cdap.proto.id.ApplicationId)9 Test (org.junit.Test)8 DatasetId (io.cdap.cdap.proto.id.DatasetId)7 ApplicationManager (io.cdap.cdap.test.ApplicationManager)7 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)6 ProgramId (io.cdap.cdap.proto.id.ProgramId)6 KeyValueTable (io.cdap.cdap.api.dataset.lib.KeyValueTable)5 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)5 ArtifactId (io.cdap.cdap.proto.id.ArtifactId)5