Examples with Permission io.cdap.cdap.proto.security.Permission used on opensource projects

Search in sources :

Example 11 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class AuthorizationTest method testAddDropPartitions.

@Test
public void testAddDropPartitions() throws Exception {
    createAuthNamespace();
    ApplicationId appId = AUTH_NAMESPACE.app(PartitionTestApp.class.getSimpleName());
    DatasetId datasetId = AUTH_NAMESPACE.dataset(PartitionTestApp.PFS_NAME);
    ArtifactId artifact = AUTH_NAMESPACE.artifact(PartitionTestApp.class.getSimpleName(), "1.0-SNAPSHOT");
    Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(appId, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET)).put(artifact, EnumSet.of(StandardPermission.CREATE)).put(datasetId, EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.datasetType(PartitionedFileSet.class.getName()), EnumSet.of(StandardPermission.UPDATE)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    ProgramId programId = appId.program(ProgramType.SERVICE, PartitionTestApp.PFS_SERVICE_NAME);
    grantAndAssertSuccess(AUTH_NAMESPACE, BOB, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(programId, BOB, ImmutableSet.of(StandardPermission.GET, ApplicationPermission.EXECUTE));
    cleanUpEntities.add(programId);
    grantAndAssertSuccess(datasetId, BOB, EnumSet.of(StandardPermission.GET));
    cleanUpEntities.add(datasetId);
    // new privilege required due to capability validations
    grantAndAssertSuccess(artifact, BOB, EnumSet.of(StandardPermission.GET));
    ApplicationManager appMgr = deployApplication(AUTH_NAMESPACE, PartitionTestApp.class);
    SecurityRequestContext.setUserId(BOB.getName());
    String partition = "p1";
    String subPartition = "1";
    String text = "some random text for pfs";
    ServiceManager pfsService = appMgr.getServiceManager(PartitionTestApp.PFS_SERVICE_NAME);
    pfsService.start();
    pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
    URL pfsURL = pfsService.getServiceURL();
    String apiPath = String.format("partitions/%s/subpartitions/%s", partition, subPartition);
    URL url = new URL(pfsURL, apiPath);
    HttpResponse response;
    try {
        response = executeAuthenticated(HttpRequest.post(url).withBody(text));
        // should fail because bob does not have write privileges on the dataset
        Assert.assertEquals(500, response.getResponseCode());
    } finally {
        pfsService.stop();
        pfsService.waitForRun(ProgramRunStatus.KILLED, 1, TimeUnit.MINUTES);
    }
    // grant read and write on dataset and restart
    grantAndAssertSuccess(datasetId, BOB, EnumSet.of(StandardPermission.UPDATE, StandardPermission.GET));
    pfsService.start();
    pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
    pfsURL = pfsService.getServiceURL();
    url = new URL(pfsURL, apiPath);
    try {
        response = executeAuthenticated(HttpRequest.post(url).withBody(text));
        // should succeed now because bob was granted write privileges on the dataset
        Assert.assertEquals(200, response.getResponseCode());
        // make sure that the partition was added
        response = executeAuthenticated(HttpRequest.get(url));
        Assert.assertEquals(200, response.getResponseCode());
        Assert.assertEquals(text, response.getResponseBodyAsString());
        // drop the partition
        response = executeAuthenticated(HttpRequest.delete(url));
        Assert.assertEquals(200, response.getResponseCode());
    } finally {
        pfsService.stop();
        pfsService.waitForRuns(ProgramRunStatus.KILLED, 2, 1, TimeUnit.MINUTES);
        SecurityRequestContext.setUserId(ALICE.getName());
    }
}
Also used : ApplicationManager(io.cdap.cdap.test.ApplicationManager) PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) ArtifactId(io.cdap.cdap.proto.id.ArtifactId) HttpResponse(io.cdap.common.http.HttpResponse) PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet) ProgramId(io.cdap.cdap.proto.id.ProgramId) URL(java.net.URL) DatasetId(io.cdap.cdap.proto.id.DatasetId) EntityId(io.cdap.cdap.proto.id.EntityId) ServiceManager(io.cdap.cdap.test.ServiceManager) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ApplicationId(io.cdap.cdap.proto.id.ApplicationId) Test(org.junit.Test)

Example 12 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class AuthorizationTest method testCrossNSDatasetAccessWithAuthMapReduce.

private void testCrossNSDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception {
    NamespaceMeta inputDatasetNS = new NamespaceMeta.Builder().setName("inputNS").build();
    NamespaceId inputDatasetNSId = inputDatasetNS.getNamespaceId();
    NamespaceMeta outputDatasetNS = new NamespaceMeta.Builder().setName("outputNS").build();
    NamespaceId outputDatasetNSId = outputDatasetNS.getNamespaceId();
    DatasetId table1Id = inputDatasetNSId.dataset("table1");
    DatasetId table2Id = outputDatasetNSId.dataset("table2");
    Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(inputDatasetNSId, EnumSet.allOf(StandardPermission.class)).put(outputDatasetNSId, EnumSet.allOf(StandardPermission.class)).put(table1Id, EnumSet.allOf(StandardPermission.class)).put(table2Id, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET, StandardPermission.DELETE)).put(inputDatasetNSId.datasetType("keyValueTable"), EnumSet.of(StandardPermission.UPDATE)).put(outputDatasetNSId.datasetType("keyValueTable"), EnumSet.of(StandardPermission.UPDATE)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    getNamespaceAdmin().create(inputDatasetNS);
    getNamespaceAdmin().create(outputDatasetNS);
    addDatasetInstance(table1Id, "keyValueTable").create();
    addDatasetInstance(table2Id, "keyValueTable").create();
    addDummyData(inputDatasetNSId, "table1");
    Map<String, String> argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, inputDatasetNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "table1", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, outputDatasetNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "table2");
    // Switch to BOB and run the  mapreduce job. The job will fail at the runtime since BOB does not have permission
    // on the input and output datasets in another namespaces.
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(argsForMR, mrManager);
    // Switch back to Alice
    SecurityRequestContext.setUserId(ALICE.getName());
    // Verify nothing write to the output dataset
    assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "table2");
    // give privilege to BOB on the input dataset
    grantAndAssertSuccess(inputDatasetNS.getNamespaceId().dataset("table1"), BOB, EnumSet.of(StandardPermission.GET));
    // switch back to bob and try running again. this will still fail since bob does not have access on the output
    // dataset
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(argsForMR, mrManager);
    // Switch back to Alice
    SecurityRequestContext.setUserId(ALICE.getName());
    // Verify nothing write to the output dataset
    assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "table2");
    // give privilege to BOB on the output dataset
    grantAndAssertSuccess(outputDatasetNS.getNamespaceId().dataset("table2"), BOB, EnumSet.of(StandardPermission.GET, StandardPermission.UPDATE));
    // switch back to BOB and run MR again. this should work
    SecurityRequestContext.setUserId(BOB.getName());
    mrManager.start(argsForMR);
    mrManager.waitForRun(ProgramRunStatus.COMPLETED, 60, TimeUnit.SECONDS);
    // Verify results as alice
    SecurityRequestContext.setUserId(ALICE.getName());
    verifyDummyData(outputDatasetNS.getNamespaceId(), "table2");
    getNamespaceAdmin().delete(inputDatasetNS.getNamespaceId());
    getNamespaceAdmin().delete(outputDatasetNS.getNamespaceId());
}
Also used : EntityId(io.cdap.cdap.proto.id.EntityId) PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) DatasetId(io.cdap.cdap.proto.id.DatasetId)

Example 13 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class AuthorizationTest method testCrossNSSystemDatasetAccessWithAuthMapReduce.

private void testCrossNSSystemDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception {
    addDatasetInstance(NamespaceId.SYSTEM.dataset("table1"), "keyValueTable").create();
    addDatasetInstance(NamespaceId.SYSTEM.dataset("table2"), "keyValueTable").create();
    NamespaceMeta otherNS = new NamespaceMeta.Builder().setName("otherNS").build();
    NamespaceId otherNsId = otherNS.getNamespaceId();
    DatasetId datasetId = otherNsId.dataset("otherTable");
    Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(otherNsId, EnumSet.of(StandardPermission.GET, StandardPermission.CREATE, StandardPermission.DELETE)).put(datasetId, EnumSet.of(StandardPermission.GET, StandardPermission.CREATE, StandardPermission.DELETE)).put(otherNsId.datasetType("keyValueTable"), EnumSet.of(StandardPermission.UPDATE)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    getNamespaceAdmin().create(otherNS);
    addDatasetInstance(datasetId, "keyValueTable").create();
    addDummyData(NamespaceId.SYSTEM, "table1");
    // first test that reading system namespace fails with valid table as output
    Map<String, String> argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "table1", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, otherNS.getNamespaceId().getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "otherTable");
    // give privilege to BOB on all the datasets
    grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(StandardPermission.GET));
    grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(StandardPermission.UPDATE));
    grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_STANDARD_PERMISSIONS);
    // Switch to BOB and run the  mapreduce job. The job will fail at the runtime since BOB is trying to read from
    // system namespace
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(argsForMR, mrManager);
    assertDatasetIsEmpty(otherNS.getNamespaceId(), "otherTable");
    // now try reading a table from valid namespace and writing to system namespace
    argsForMR = ImmutableMap.of(DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NS, otherNS.getName(), DatasetCrossNSAccessWithMAPApp.INPUT_DATASET_NAME, "otherTable", DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), DatasetCrossNSAccessWithMAPApp.OUTPUT_DATASET_NAME, "table2");
    addDummyData(otherNS.getNamespaceId(), "otherTable");
    // verify that the program fails
    assertProgramFailure(argsForMR, mrManager);
    assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2");
    // switch to back to ALICE
    SecurityRequestContext.setUserId(ALICE.getName());
    // cleanup
    deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table1"));
    deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table2"));
    getNamespaceAdmin().delete(otherNS.getNamespaceId());
}
Also used : EntityId(io.cdap.cdap.proto.id.EntityId) PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) DatasetId(io.cdap.cdap.proto.id.DatasetId)

Example 14 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class AuthorizationTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    AccessController accessController = getAccessController();
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) ImmutableSet(com.google.common.collect.ImmutableSet) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 15 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class RevokePermissionCommand method perform.

@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    Authorizable authorizable = Authorizable.fromString(arguments.get(ArgumentName.ENTITY.toString()));
    String principalName = arguments.getOptional("principal-name", null);
    String type = arguments.getOptional("principal-type", null);
    Principal.PrincipalType principalType = type != null ? Principal.PrincipalType.valueOf(type.toUpperCase()) : null;
    Principal principal = type != null ? new Principal(principalName, principalType) : null;
    String permissionsString = arguments.getOptional("permissions", null);
    Set<Permission> permissions = permissionsString == null ? null : PERMISSION_STRING_TO_SET.apply(permissionsString);
    client.revoke(authorizable, principal, permissions);
    if (principal == null && permissions == null) {
        // Revoked all permissions for all principals on the entity
        output.printf("Successfully revoked all permissions on entity '%s' for all principals", authorizable.toString());
    } else {
        // currently, the CLI only supports 2 scenarios:
        // 1. both permissions and principal are null - supported in the if block.
        // 2. both permissions and principal are non-null - supported here. So it should be ok to have preconditions here
        // to enforce that both are non-null. In fact, if only one of them is null, the CLI will fail to parse the
        // command.
        Preconditions.checkNotNull(permissions, "Permissions cannot be null when principal is not null in the revoke command");
        Preconditions.checkNotNull(principal, "Principal cannot be null when permissions is not null in the revoke command");
        output.printf("Successfully revoked permission(s) '%s' on entity '%s' for %s '%s'\n", Joiner.on(",").join(permissions), authorizable.toString(), principal.getType(), principal.getName());
    }
}
Also used : Permission(io.cdap.cdap.proto.security.Permission) Authorizable(io.cdap.cdap.proto.security.Authorizable) Principal(io.cdap.cdap.proto.security.Principal)

Aggregations

Permission (io.cdap.cdap.proto.security.Permission)25 GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)20 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)19 HashSet (java.util.HashSet)18 ImmutableSet (com.google.common.collect.ImmutableSet)16 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)16 EntityId (io.cdap.cdap.proto.id.EntityId)14 AccessPermission (io.cdap.cdap.proto.security.AccessPermission)14 EnumSet (java.util.EnumSet)14 Set (java.util.Set)14 PartitionedFileSet (io.cdap.cdap.api.dataset.lib.PartitionedFileSet)13 ApplicationId (io.cdap.cdap.proto.id.ApplicationId)9 Test (org.junit.Test)8 DatasetId (io.cdap.cdap.proto.id.DatasetId)7 ApplicationManager (io.cdap.cdap.test.ApplicationManager)7 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)6 ProgramId (io.cdap.cdap.proto.id.ProgramId)6 KeyValueTable (io.cdap.cdap.api.dataset.lib.KeyValueTable)5 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)5 ArtifactId (io.cdap.cdap.proto.id.ArtifactId)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial