Examples with Permission io.cdap.cdap.proto.security.Permission used on opensource projects

Search in sources :

Example 21 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class AuthorizationTest method testCrossNSDatasetAccessWithAuthSpark.

private void testCrossNSDatasetAccessWithAuthSpark(SparkManager sparkManager) throws Exception {
    NamespaceMeta inputDatasetNSMeta = new NamespaceMeta.Builder().setName("inputDatasetNS").build();
    NamespaceMeta outputDatasetNSMeta = new NamespaceMeta.Builder().setName("outputDatasetNS").build();
    NamespaceId inputDatasetNSMetaId = inputDatasetNSMeta.getNamespaceId();
    DatasetId inputTableId = inputDatasetNSMetaId.dataset("input");
    NamespaceId outputDatasetNSMetaId = outputDatasetNSMeta.getNamespaceId();
    DatasetId outputTableId = outputDatasetNSMetaId.dataset("output");
    Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(inputDatasetNSMetaId, EnumSet.allOf(StandardPermission.class)).put(outputDatasetNSMetaId, EnumSet.allOf(StandardPermission.class)).put(inputTableId, EnumSet.allOf(StandardPermission.class)).put(inputDatasetNSMetaId.datasetType("keyValueTable"), EnumSet.of(StandardPermission.UPDATE)).put(outputTableId, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET, StandardPermission.DELETE)).put(outputDatasetNSMetaId.datasetType("keyValueTable"), EnumSet.of(StandardPermission.UPDATE)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    getNamespaceAdmin().create(inputDatasetNSMeta);
    getNamespaceAdmin().create(outputDatasetNSMeta);
    addDatasetInstance(inputTableId, "keyValueTable").create();
    addDatasetInstance(outputTableId, "keyValueTable").create();
    // write sample stuff in input dataset
    addDummyData(inputDatasetNSMeta.getNamespaceId(), "input");
    // Switch to Bob and run the spark program. this will fail because bob does not have access to either input or
    // output dataset
    SecurityRequestContext.setUserId(BOB.getName());
    Map<String, String> args = ImmutableMap.of(TestSparkCrossNSDatasetApp.INPUT_DATASET_NAMESPACE, inputDatasetNSMeta.getNamespaceId().getNamespace(), TestSparkCrossNSDatasetApp.INPUT_DATASET_NAME, "input", TestSparkCrossNSDatasetApp.OUTPUT_DATASET_NAMESPACE, outputDatasetNSMeta.getNamespaceId().getNamespace(), TestSparkCrossNSDatasetApp.OUTPUT_DATASET_NAME, "output");
    assertProgramFailure(args, sparkManager);
    SecurityRequestContext.setUserId(ALICE.getName());
    // Verify nothing write to the output dataset
    assertDatasetIsEmpty(outputDatasetNSMeta.getNamespaceId(), "output");
    // give privilege to BOB on the input dataset
    grantAndAssertSuccess(inputDatasetNSMeta.getNamespaceId().dataset("input"), BOB, EnumSet.of(StandardPermission.GET));
    // switch back to bob and try running again. this will still fail since bob does not have access on the output
    // dataset
    SecurityRequestContext.setUserId(BOB.getName());
    assertProgramFailure(args, sparkManager);
    // Switch back to Alice
    SecurityRequestContext.setUserId(ALICE.getName());
    // Verify nothing write to the output dataset
    assertDatasetIsEmpty(outputDatasetNSMeta.getNamespaceId(), "output");
    // give privilege to BOB on the output dataset
    grantAndAssertSuccess(outputDatasetNSMeta.getNamespaceId().dataset("output"), BOB, EnumSet.of(StandardPermission.GET, StandardPermission.UPDATE));
    // switch back to BOB and run spark again. this should work
    SecurityRequestContext.setUserId(BOB.getName());
    sparkManager.start(args);
    sparkManager.waitForRun(ProgramRunStatus.COMPLETED, 120, TimeUnit.SECONDS);
    waitForStoppedPrograms(sparkManager);
    // Verify the results as alice
    SecurityRequestContext.setUserId(ALICE.getName());
    verifyDummyData(outputDatasetNSMeta.getNamespaceId(), "output");
    getNamespaceAdmin().delete(inputDatasetNSMeta.getNamespaceId());
    getNamespaceAdmin().delete(outputDatasetNSMeta.getNamespaceId());
}
Also used : EntityId(io.cdap.cdap.proto.id.EntityId) PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) DatasetId(io.cdap.cdap.proto.id.DatasetId)

Example 22 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class AuthorizationTest method testCrossNSSpark.

@Test
public void testCrossNSSpark() throws Exception {
    createAuthNamespace();
    ApplicationId appId = AUTH_NAMESPACE.app(TestSparkCrossNSDatasetApp.APP_NAME);
    ArtifactId artifact = AUTH_NAMESPACE.artifact(TestSparkCrossNSDatasetApp.class.getSimpleName(), "1.0-SNAPSHOT");
    Map<EntityId, Set<? extends Permission>> neededPrivileges = ImmutableMap.<EntityId, Set<? extends Permission>>builder().put(appId, EnumSet.of(StandardPermission.CREATE, StandardPermission.GET)).put(artifact, EnumSet.of(StandardPermission.CREATE)).put(AUTH_NAMESPACE.dataset(TestSparkCrossNSDatasetApp.DEFAULT_OUTPUT_DATASET), EnumSet.of(StandardPermission.GET, StandardPermission.CREATE)).put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(StandardPermission.UPDATE)).build();
    setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
    ProgramId programId = appId.spark(TestSparkCrossNSDatasetApp.SPARK_PROGRAM_NAME);
    grantAndAssertSuccess(AUTH_NAMESPACE, BOB, EnumSet.of(StandardPermission.GET));
    // bob will be executing the program
    grantAndAssertSuccess(programId, BOB, ImmutableSet.of(ApplicationPermission.EXECUTE, StandardPermission.GET));
    // new privilege required due to capability validations
    grantAndAssertSuccess(artifact, BOB, EnumSet.of(StandardPermission.GET));
    cleanUpEntities.add(programId);
    ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, TestSparkCrossNSDatasetApp.class);
    SparkManager sparkManager = appManager.getSparkManager(TestSparkCrossNSDatasetApp.SparkCrossNSDatasetProgram.class.getSimpleName());
    testCrossNSSystemDatasetAccessWithAuthSpark(sparkManager);
    testCrossNSDatasetAccessWithAuthSpark(sparkManager);
}
Also used : EntityId(io.cdap.cdap.proto.id.EntityId) ApplicationManager(io.cdap.cdap.test.ApplicationManager) PartitionedFileSet(io.cdap.cdap.api.dataset.lib.PartitionedFileSet) EnumSet(java.util.EnumSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) SparkManager(io.cdap.cdap.test.SparkManager) ArtifactId(io.cdap.cdap.proto.id.ArtifactId) KeyValueTable(io.cdap.cdap.api.dataset.lib.KeyValueTable) TestSparkCrossNSDatasetApp(io.cdap.cdap.spark.stream.TestSparkCrossNSDatasetApp) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ApplicationId(io.cdap.cdap.proto.id.ApplicationId) ProgramId(io.cdap.cdap.proto.id.ProgramId) Test(org.junit.Test)

Example 23 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class RemotePrivilegesHandler method enforce.

@POST
@Path("/enforce")
public void enforce(FullHttpRequest request, HttpResponder responder) throws Exception {
    AuthorizationPrivilege authorizationPrivilege = GSON.fromJson(request.content().toString(StandardCharsets.UTF_8), AuthorizationPrivilege.class);
    LOG.debug("Enforcing for {}", authorizationPrivilege);
    Set<Permission> permissions = authorizationPrivilege.getPermissions();
    if (authorizationPrivilege.getChildEntityType() != null) {
        // It's expected that we'll always have one, but let's handle generic case
        for (Permission permission : permissions) {
            accessEnforcer.enforceOnParent(authorizationPrivilege.getChildEntityType(), authorizationPrivilege.getEntity(), authorizationPrivilege.getPrincipal(), permission);
        }
    } else {
        accessEnforcer.enforce(authorizationPrivilege.getEntity(), authorizationPrivilege.getPrincipal(), permissions);
    }
    responder.sendStatus(HttpResponseStatus.OK);
}
Also used : AuthorizationPrivilege(io.cdap.cdap.proto.security.AuthorizationPrivilege) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Permission(io.cdap.cdap.proto.security.Permission) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 24 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class TetheringClientHandlerTest method setUp.

@Before
public void setUp() throws Exception {
    // Define all StructuredTable before starting any services that need StructuredTable
    StoreDefinition.createAllTables(injector.getInstance(StructuredTableAdmin.class));
    CConfiguration conf = CConfiguration.create();
    serverHandler = new MockTetheringServerHandler();
    serverService = new CommonNettyHttpServiceBuilder(conf, getClass().getSimpleName() + "_server").setHttpHandlers(serverHandler).build();
    serverService.start();
    serverConfig = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(serverService.getBindAddress().getHostName()).setPort(serverService.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
    cConf.setInt(Constants.Tethering.CONNECTION_INTERVAL, 1);
    cConf.setInt(Constants.Tethering.CONNECTION_TIMEOUT_SECONDS, 5);
    cConf.set(Constants.INSTANCE_NAME, CLIENT_INSTANCE);
    List<Permission> tetheringPermissions = Arrays.asList(InstancePermission.TETHER);
    InMemoryAccessController inMemoryAccessController = new InMemoryAccessController();
    inMemoryAccessController.grant(Authorizable.fromEntityId(InstanceId.SELF), MASTER_PRINCIPAL, Collections.unmodifiableSet(new HashSet<>(tetheringPermissions)));
    ContextAccessEnforcer contextAccessEnforcer = new DefaultContextAccessEnforcer(new AuthenticationTestContext(), inMemoryAccessController);
    AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
    MessagingService messagingService = injector.getInstance(MessagingService.class);
    clientService = new CommonNettyHttpServiceBuilder(conf, getClass().getSimpleName() + "_client").setHttpHandlers(new TetheringClientHandler(tetheringStore, contextAccessEnforcer), new TetheringHandler(cConf, tetheringStore, messagingService)).build();
    clientService.start();
    clientConfig = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(clientService.getBindAddress().getHostName()).setPort(clientService.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
    tetheringAgentService = new TetheringAgentService(cConf, injector.getInstance(TransactionRunner.class), tetheringStore, injector.getInstance(MessagingService.class), injector.getInstance(RemoteAuthenticator.class));
    Assert.assertEquals(Service.State.RUNNING, tetheringAgentService.startAndWait());
}
Also used : CommonNettyHttpServiceBuilder(io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder) StructuredTableAdmin(io.cdap.cdap.spi.data.StructuredTableAdmin) AuthenticationTestContext(io.cdap.cdap.security.auth.context.AuthenticationTestContext) CConfiguration(io.cdap.cdap.common.conf.CConfiguration) MessagingService(io.cdap.cdap.messaging.MessagingService) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) InstancePermission(io.cdap.cdap.proto.security.InstancePermission) Permission(io.cdap.cdap.proto.security.Permission) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) ContextAccessEnforcer(io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer) HashSet(java.util.HashSet) Before(org.junit.Before)

Example 25 with Permission

use of io.cdap.cdap.proto.security.Permission in project cdap by caskdata.

the class DatasetServiceAuthorizationTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(EntityId entityId, EntityType childType, Principal principal, Set<? extends Permission> permissions) throws AccessException {
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    Authorizable authorizable = Authorizable.fromEntityId(entityId, childType);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : ImmutableSet(com.google.common.collect.ImmutableSet) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Permission(io.cdap.cdap.proto.security.Permission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Authorizable(io.cdap.cdap.proto.security.Authorizable)

Aggregations

Permission (io.cdap.cdap.proto.security.Permission)25 GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)20 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)19 HashSet (java.util.HashSet)18 ImmutableSet (com.google.common.collect.ImmutableSet)16 ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission)16 EntityId (io.cdap.cdap.proto.id.EntityId)14 AccessPermission (io.cdap.cdap.proto.security.AccessPermission)14 EnumSet (java.util.EnumSet)14 Set (java.util.Set)14 PartitionedFileSet (io.cdap.cdap.api.dataset.lib.PartitionedFileSet)13 ApplicationId (io.cdap.cdap.proto.id.ApplicationId)9 Test (org.junit.Test)8 DatasetId (io.cdap.cdap.proto.id.DatasetId)7 ApplicationManager (io.cdap.cdap.test.ApplicationManager)7 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)6 ProgramId (io.cdap.cdap.proto.id.ProgramId)6 KeyValueTable (io.cdap.cdap.api.dataset.lib.KeyValueTable)5 NamespaceMeta (io.cdap.cdap.proto.NamespaceMeta)5 ArtifactId (io.cdap.cdap.proto.id.ArtifactId)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial