use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class TetheringServerHandlerTest method setUp.
@Before
public void setUp() throws Exception {
// Define all StructuredTable before starting any services that need StructuredTable
StoreDefinition.createAllTables(injector.getInstance(StructuredTableAdmin.class));
cConf.setBoolean(Constants.Tethering.TETHERING_SERVER_ENABLED, true);
cConf.setInt(Constants.Tethering.CONNECTION_TIMEOUT_SECONDS, 1);
List<Permission> tetheringPermissions = Arrays.asList(InstancePermission.TETHER);
InMemoryAccessController inMemoryAccessController = new InMemoryAccessController();
inMemoryAccessController.grant(Authorizable.fromEntityId(InstanceId.SELF), MASTER_PRINCIPAL, Collections.unmodifiableSet(new HashSet<>(tetheringPermissions)));
ContextAccessEnforcer contextAccessEnforcer = new DefaultContextAccessEnforcer(new AuthenticationTestContext(), inMemoryAccessController);
AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
service = new CommonNettyHttpServiceBuilder(CConfiguration.create(), getClass().getSimpleName()).setHttpHandlers(new TetheringServerHandler(cConf, tetheringStore, messagingService, contextAccessEnforcer), new TetheringHandler(cConf, tetheringStore, messagingService)).build();
service.start();
config = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(service.getBindAddress().getHostName()).setPort(service.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
}
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class DefaultSecureStoreServiceTest method revokeAndAssertSuccess.
private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<? extends Permission> permissions) throws Exception {
Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
accessController.revoke(Authorizable.fromEntityId(entityId), principal, permissions);
Set<GrantedPermission> revokedPrivileges = new HashSet<>();
for (Permission permission : permissions) {
revokedPrivileges.add(new GrantedPermission(entityId, permission));
}
Assert.assertEquals(Sets.difference(existingPrivileges, revokedPrivileges), accessController.listGrants(principal));
}
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class DefaultSecureStoreServiceTest method grantAndAssertSuccess.
private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
accessController.grant(authorizable, principal, permissions);
ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
for (Permission permission : permissions) {
expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
}
Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class ProgramLifecycleServiceAuthorizationTest method testProgramList.
@Test
public void testProgramList() throws Exception {
SecurityRequestContext.setUserId(ALICE.getName());
ApplicationId applicationId = NamespaceId.DEFAULT.app(AllProgramsApp.NAME);
Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(applicationId, EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT, EnumSet.of(StandardPermission.GET)).put(NamespaceId.DEFAULT.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.allOf(StandardPermission.class)).put(NamespaceId.DEFAULT.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.allOf(StandardPermission.class)).build();
setUpPrivilegesAndExpectFailedDeploy(neededPrivileges);
// now we should be able to deploy
AppFabricTestHelper.deployApplication(Id.Namespace.DEFAULT, AllProgramsApp.class, null, cConf);
// no auto grant now, the list will be empty for all program types
for (ProgramType type : ProgramType.values()) {
if (!ProgramType.CUSTOM_ACTION.equals(type)) {
Assert.assertTrue(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
}
}
// no auto grant now, need to have privileges on the program to be able to see the programs
accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SPARK, AllProgramsApp.NoOpSpark.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR2.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
accessController.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKFLOW, AllProgramsApp.NoOpWorkflow.NAME)), ALICE, Collections.singleton(ApplicationPermission.EXECUTE));
for (ProgramType type : ProgramType.values()) {
// Skip flow (until flow is completely removed from ProgramType)
if (!ProgramType.CUSTOM_ACTION.equals(type)) {
Assert.assertFalse(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
SecurityRequestContext.setUserId("bob");
Assert.assertTrue(programLifecycleService.list(NamespaceId.DEFAULT, type).isEmpty());
SecurityRequestContext.setUserId("alice");
}
}
}
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class InMemoryAccessController method enforce.
private void enforce(EntityId entity, @Nullable EntityType childType, Principal principal, Set<? extends Permission> permissions) throws UnauthorizedException {
// super users do not have any enforcement
if (superUsers.contains(principal) || superUsers.contains(allSuperUsers)) {
return;
}
// permissions allowed for this principal
Set<? extends Permission> allowed = getPermissions(entity, childType, principal);
if (allowed.containsAll(permissions)) {
return;
}
Set<Permission> allowedForRoles = new HashSet<>();
// permissions allowed for any of the roles to which this principal belongs if its not a role
if (principal.getType() != Principal.PrincipalType.ROLE) {
for (Role role : getRoles(principal)) {
allowedForRoles.addAll(getPermissions(entity, role));
}
}
if (!allowedForRoles.containsAll(permissions)) {
throw new UnauthorizedException(principal, Sets.difference(permissions, allowed), entity, childType);
}
}
Aggregations