Example 16 with Permission
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class GrantPermissionCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
Authorizable authorizable = Authorizable.fromString(arguments.get(ArgumentName.ENTITY.toString()));
String principalName = arguments.get("principal-name");
Principal.PrincipalType principalType = Principal.PrincipalType.valueOf(arguments.get("principal-type").toUpperCase());
Principal principal = new Principal(principalName, principalType);
Set<Permission> permissions = PERMISSION_STRING_TO_SET.apply(arguments.get("permissions"));
// permissions is not an optional argument so should never be null
Preconditions.checkNotNull(permissions, "Permissions can never be null in the grant command.");
client.grant(authorizable, principal, permissions);
output.printf("Successfully granted permission(s) '%s' on entity '%s' to %s '%s'\n", Joiner.on(",").join(permissions), authorizable.toString(), principal.getType(), principal.getName());
}
Also used :
Permission(io.cdap.cdap.proto.security.Permission)
Authorizable(io.cdap.cdap.proto.security.Authorizable)
Principal(io.cdap.cdap.proto.security.Principal)
Example 17 with Permission
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class InMemoryAccessController method getPrivileges.
private Set<GrantedPermission> getPrivileges(Principal principal) {
Set<GrantedPermission> result = new HashSet<>();
for (Map.Entry<Authorizable, ConcurrentMap<Principal, Set<Permission>>> entry : privileges.entrySet()) {
Authorizable authorizable = entry.getKey();
Set<? extends Permission> permissions = getPermissions(authorizable, principal);
for (Permission permission : permissions) {
result.add(new GrantedPermission(authorizable, permission));
}
}
return Collections.unmodifiableSet(result);
}
Also used :
ConcurrentMap(java.util.concurrent.ConcurrentMap)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
Permission(io.cdap.cdap.proto.security.Permission)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
Authorizable(io.cdap.cdap.proto.security.Authorizable)
ConcurrentMap(java.util.concurrent.ConcurrentMap)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashSet(java.util.HashSet)
Example 18 with Permission
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class AuthorizationTest method testApps.
@Test
@Category(SlowTests.class)
public void testApps() throws Exception {
try {
deployApplication(NamespaceId.DEFAULT, DummyApp.class);
Assert.fail("App deployment should fail because alice does not have ADMIN privilege on the application");
} catch (UnauthorizedException e) {
// Expected
}
createAuthNamespace();
AccessController accessController = getAccessController();
ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(dummyAppId, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET, StandardPermission.DELETE)).put(AUTH_NAMESPACE.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset("whom"), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset("customDataset"), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(StandardPermission.UPDATE)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
// alice will not be able to deploy the app since she does not have privilege on the implicit dataset module
try {
deployApplication(AUTH_NAMESPACE, DummyApp.class);
Assert.fail();
} catch (UnauthorizedException e) {
// expected
}
// grant alice the required implicit type and module
grantAndAssertSuccess(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(StandardPermission.GET, StandardPermission.CREATE));
cleanUpEntities.add(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()));
grantAndAssertSuccess(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET));
cleanUpEntities.add(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()));
// this time it should be successful
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
// Bob should not have any privileges on Alice's app
Assert.assertTrue("Bob should not have any privileges on alice's app", accessController.listGrants(BOB).isEmpty());
// update should succeed because alice has admin privileges on the app
appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
// Update should fail for Bob
SecurityRequestContext.setUserId(BOB.getName());
try {
appManager.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT")));
Assert.fail("App update should have failed because Bob does not have admin privileges on the app.");
} catch (UnauthorizedException expected) {
// expected
}
// grant READ and WRITE to Bob
grantAndAssertSuccess(AUTH_NAMESPACE, BOB, ImmutableSet.of(StandardPermission.GET));
grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));
// delete should fail
try {
appManager.delete();
} catch (UnauthorizedException expected) {
// expected
}
// grant DELETE to Bob. Now delete should succeed
grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(StandardPermission.DELETE));
// deletion should succeed since BOB has privileges on the app
appManager.delete();
// Should still have the privilege for the app since we no longer revoke privileges after deletion of an entity
Assert.assertTrue(!getAccessController().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty());
// bob should still have privileges granted to him
Assert.assertEquals(4, accessController.listGrants(BOB).size());
// switch back to Alice
SecurityRequestContext.setUserId(ALICE.getName());
// Deploy a couple of apps in the namespace
// Deploy dummy app should be successful since we already pre-grant the required privileges
deployApplication(AUTH_NAMESPACE, DummyApp.class);
final ApplicationId appId = AUTH_NAMESPACE.app(AllProgramsApp.NAME);
Map<EntityId, Set<? extends Permission>> anotherAppNeededPrivilege = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(appId, EnumSet.of(StandardPermission.GET, StandardPermission.CREATE, StandardPermission.DELETE)).put(AUTH_NAMESPACE.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME3), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.datasetType(ObjectMappedTable.class.getName()), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, anotherAppNeededPrivilege);
Map<EntityId, Set<? extends Permission>> bobDatasetPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME), EnumSet.of(StandardPermission.UPDATE)).put(AUTH_NAMESPACE.dataset(AllProgramsApp.DATASET_NAME2), EnumSet.of(StandardPermission.UPDATE)).build();
Map<EntityId, Set<? extends Permission>> bobProgramPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(appId, EnumSet.of(StandardPermission.GET)).put(appId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME), EnumSet.of(ApplicationPermission.EXECUTE)).put(appId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME), EnumSet.of(ApplicationPermission.EXECUTE)).build();
setUpPrivilegeAndRegisterForDeletion(BOB, bobDatasetPrivileges);
setUpPrivilegeAndRegisterForDeletion(BOB, bobProgramPrivileges);
deployApplication(AUTH_NAMESPACE, AllProgramsApp.class);
// Switch to BOB since he does not have any privilege
SecurityRequestContext.setUserId(BOB.getName());
// deleting all apps should fail because bob does not have admin privileges on the apps and the namespace
try {
deleteAllApplications(AUTH_NAMESPACE);
Assert.fail("Deleting all applications in the namespace should have failed because bob does not have ADMIN " + "privilege on the workflow app.");
} catch (UnauthorizedException expected) {
// expected
}
// Switch to ALICE, deletion should be successful since ALICE has ADMIN privileges
SecurityRequestContext.setUserId(ALICE.getName());
deleteAllApplications(AUTH_NAMESPACE);
}
Also used :
ApplicationManager(io.cdap.cdap.test.ApplicationManager)
PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
AppRequest(io.cdap.cdap.proto.artifact.AppRequest)
EntityId(io.cdap.cdap.proto.id.EntityId)
InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController)
AccessController(io.cdap.cdap.security.spi.authorization.AccessController)
ArtifactSummary(io.cdap.cdap.api.artifact.ArtifactSummary)
KeyValueTable(io.cdap.cdap.api.dataset.lib.KeyValueTable)
UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException)
DummyApp(io.cdap.cdap.test.app.DummyApp)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission)
AccessPermission(io.cdap.cdap.proto.security.AccessPermission)
Permission(io.cdap.cdap.proto.security.Permission)
StandardPermission(io.cdap.cdap.proto.security.StandardPermission)
ApplicationId(io.cdap.cdap.proto.id.ApplicationId)
ObjectMappedTable(io.cdap.cdap.api.dataset.lib.ObjectMappedTable)
Category(org.junit.experimental.categories.Category)
Test(org.junit.Test)
Example 19 with Permission
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class AuthorizationTest method testCrossNSMapReduce.
@Test
public void testCrossNSMapReduce() throws Exception {
createAuthNamespace();
ApplicationId appId = AUTH_NAMESPACE.app(DatasetCrossNSAccessWithMAPApp.class.getSimpleName());
ArtifactId artifact = AUTH_NAMESPACE.artifact(DatasetCrossNSAccessWithMAPApp.class.getSimpleName(), "1.0-SNAPSHOT");
Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(appId, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET)).put(artifact, EnumSet.of(StandardPermission.CREATE)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
ProgramId programId = appId.program(ProgramType.MAPREDUCE, DatasetCrossNSAccessWithMAPApp.MAPREDUCE_PROGRAM);
// bob will be executing the program
grantAndAssertSuccess(AUTH_NAMESPACE, BOB, ImmutableSet.of(StandardPermission.GET));
grantAndAssertSuccess(programId, BOB, ImmutableSet.of(ApplicationPermission.EXECUTE, StandardPermission.GET));
// new privilege required due to capability validations
grantAndAssertSuccess(artifact, BOB, EnumSet.of(StandardPermission.GET));
cleanUpEntities.add(programId);
ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DatasetCrossNSAccessWithMAPApp.class);
MapReduceManager mrManager = appManager.getMapReduceManager(DatasetCrossNSAccessWithMAPApp.MAPREDUCE_PROGRAM);
testCrossNSSystemDatasetAccessWithAuthMapReduce(mrManager);
testCrossNSDatasetAccessWithAuthMapReduce(mrManager);
}
Also used :
DatasetCrossNSAccessWithMAPApp(io.cdap.cdap.test.app.DatasetCrossNSAccessWithMAPApp)
EntityId(io.cdap.cdap.proto.id.EntityId)
ApplicationManager(io.cdap.cdap.test.ApplicationManager)
PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
ArtifactId(io.cdap.cdap.proto.id.ArtifactId)
MapReduceManager(io.cdap.cdap.test.MapReduceManager)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission)
AccessPermission(io.cdap.cdap.proto.security.AccessPermission)
Permission(io.cdap.cdap.proto.security.Permission)
StandardPermission(io.cdap.cdap.proto.security.StandardPermission)
ApplicationId(io.cdap.cdap.proto.id.ApplicationId)
ProgramId(io.cdap.cdap.proto.id.ProgramId)
Test(org.junit.Test)
Example 20 with Permission
use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.
the class AuthorizationTest method testPrograms.
@Test
public void testPrograms() throws Exception {
createAuthNamespace();
grantAndAssertSuccess(AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()), ALICE, EnumSet.of(StandardPermission.UPDATE));
ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
final ProgramId serviceId = dummyAppId.service(DummyApp.Greeting.SERVICE_NAME);
Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(dummyAppId, EnumSet.allOf(StandardPermission.class)).put(AUTH_NAMESPACE.artifact(DummyApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.allOf(StandardPermission.class)).put(AUTH_NAMESPACE.dataset("whom"), EnumSet.of(StandardPermission.CREATE, StandardPermission.GET)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(StandardPermission.UPDATE)).put(serviceId, ImmutableSet.of(ApplicationPermission.EXECUTE, StandardPermission.GET, StandardPermission.UPDATE)).put(AUTH_NAMESPACE.dataset("customDataset"), EnumSet.of(StandardPermission.CREATE, StandardPermission.GET)).put(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), EnumSet.of(StandardPermission.CREATE, StandardPermission.GET)).build();
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
final ApplicationManager dummyAppManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
// alice should be able to start and stop programs in the app she deployed since she has execute privilege
dummyAppManager.startProgram(Id.Service.fromEntityId(serviceId));
ServiceManager greetingService = dummyAppManager.getServiceManager(serviceId.getProgram());
greetingService.waitForRun(ProgramRunStatus.RUNNING, 10, TimeUnit.SECONDS);
// alice should be able to set instances for the program
greetingService.setInstances(2);
Assert.assertEquals(2, greetingService.getProvisionedInstances());
// alice should also be able to save runtime arguments for all future runs of the program
Map<String, String> args = ImmutableMap.of("key", "value");
greetingService.setRuntimeArgs(args);
// Alice should be able to get runtime arguments as she has ADMIN on it
Assert.assertEquals(args, greetingService.getRuntimeArgs());
dummyAppManager.stopProgram(Id.Service.fromEntityId(serviceId));
greetingService.waitForRun(ProgramRunStatus.KILLED, 10, TimeUnit.SECONDS);
// Bob should not be able to start programs in dummy app because he does not have privileges on it
SecurityRequestContext.setUserId(BOB.getName());
try {
dummyAppManager.startProgram(Id.Service.fromEntityId(serviceId));
Assert.fail("Bob should not be able to start the service because he does not have execute privileges on it.");
} catch (RuntimeException expected) {
// noinspection ThrowableResultOfMethodCallIgnored
Assert.assertTrue(Throwables.getRootCause(expected) instanceof UnauthorizedException);
}
try {
dummyAppManager.getInfo();
Assert.fail("Bob should not be able to read the app info with out privileges");
} catch (Exception expected) {
// expected
}
// setting instances should fail because Bob does not have admin privileges on the program
try {
greetingService.setInstances(3);
Assert.fail("Setting instances should have failed because bob does not have admin privileges on the service.");
} catch (RuntimeException expected) {
// noinspection ThrowableResultOfMethodCallIgnored
Assert.assertTrue(Throwables.getRootCause(expected) instanceof UnauthorizedException);
}
try {
greetingService.setRuntimeArgs(args);
Assert.fail("Setting runtime arguments should have failed because bob does not have admin privileges on the " + "service");
} catch (UnauthorizedException expected) {
// expected
}
try {
greetingService.getRuntimeArgs();
Assert.fail("Getting runtime arguments should have failed because bob does not have one of READ, WRITE, ADMIN " + "privileges on the service");
} catch (UnauthorizedException expected) {
// expected
}
SecurityRequestContext.setUserId(ALICE.getName());
dummyAppManager.delete();
}
Also used :
ApplicationManager(io.cdap.cdap.test.ApplicationManager)
PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet)
EnumSet(java.util.EnumSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
ProgramId(io.cdap.cdap.proto.id.ProgramId)
StandardPermission(io.cdap.cdap.proto.security.StandardPermission)
UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException)
IOException(java.io.IOException)
ExecutionException(java.util.concurrent.ExecutionException)
TimeoutException(java.util.concurrent.TimeoutException)
EntityId(io.cdap.cdap.proto.id.EntityId)
KeyValueTable(io.cdap.cdap.api.dataset.lib.KeyValueTable)
ServiceManager(io.cdap.cdap.test.ServiceManager)
DummyApp(io.cdap.cdap.test.app.DummyApp)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission)
AccessPermission(io.cdap.cdap.proto.security.AccessPermission)
Permission(io.cdap.cdap.proto.security.Permission)
StandardPermission(io.cdap.cdap.proto.security.StandardPermission)
UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException)
ApplicationId(io.cdap.cdap.proto.id.ApplicationId)
Test(org.junit.Test)
Aggregations
Permission (io.cdap.cdap.proto.security.Permission)25
GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)20
StandardPermission (io.cdap.cdap.proto.security.StandardPermission)19
HashSet (java.util.HashSet)18
ImmutableSet (com.google.common.collect.ImmutableSet)16
ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)16
EntityId (io.cdap.cdap.proto.id.EntityId)14
AccessPermission (io.cdap.cdap.proto.security.AccessPermission)14
EnumSet (java.util.EnumSet)14
Set (java.util.Set)14
PartitionedFileSet (io.cdap.cdap.api.dataset.lib.PartitionedFileSet)13
ApplicationId (io.cdap.cdap.proto.id.ApplicationId)9
Test (org.junit.Test)8
DatasetId (io.cdap.cdap.proto.id.DatasetId)7
ApplicationManager (io.cdap.cdap.test.ApplicationManager)7
NamespaceId (io.cdap.cdap.proto.id.NamespaceId)6
ProgramId (io.cdap.cdap.proto.id.ProgramId)6
KeyValueTable (io.cdap.cdap.api.dataset.lib.KeyValueTable)5
NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)5
ArtifactId (io.cdap.cdap.proto.id.ArtifactId)5
