use of io.cdap.cdap.proto.security.Principal in project cdap by caskdata.
the class DatasetInstanceService method executeAdmin.
/**
 * Runs a single admin operation ("exists", "truncate" or "upgrade") against a dataset.
 *
 * <p>Order of checks, as implemented: the namespace lookup runs first, then the caller's
 * {@link Principal} is resolved, then the permission matching the operation is enforced, and only
 * after that is the dataset instance looked up or touched. Datasets for which
 * {@code DatasetsUtil.isSystemDatasetInUserNamespace} returns true skip enforcement entirely.
 *
 * @param datasetId the dataset to execute the admin operation on
 * @param method the name of the admin operation; anything other than the three names above is rejected
 * @return a {@link DatasetAdminOpResponse} carrying the value returned for "exists", or {@code null}
 *     as its result for "truncate" and "upgrade"
 * @throws NamespaceNotFoundException if the requested namespace was not found
 * @throws DatasetNotFoundException if "truncate" or "upgrade" is requested for a dataset that has no instance
 * @throws IOException if there was a problem in checking if the namespace exists over HTTP
 * @throws UnauthorizedException if perimeter security and authorization are enabled, and the current user
 *     does not have:
 *     <ul>
 *       <li>{@link StandardPermission#GET} on the dataset for "exists"</li>
 *       <li>{@link StandardPermission#DELETE} on the dataset for "truncate"</li>
 *       <li>{@link StandardPermission#UPDATE} on the dataset for "upgrade"</li>
 *     </ul>
 */
DatasetAdminOpResponse executeAdmin(DatasetId datasetId, String method) throws Exception {
  // NOTE(review): this lookup precedes every access check, so the namespace-not-found outcome is
  // reachable without any privilege on the dataset; drop() in this class enforces first. Confirm
  // the ordering here is intended.
  ensureNamespaceExists(datasetId.getParent());

  // Create and drop are deliberately not offered here: they must go through
  // POST/DELETE @ /data/datasets/{datasetId-id}, because dataset metadata has to be created or
  // dropped at the same time.
  Principal caller = authenticationContext.getPrincipal();
  Object opResult = null;

  switch (method) {
    case "exists":
      // Any caller holding GET on the dataset may ask whether it exists.
      enforceUnlessSystemDataset(datasetId, caller, StandardPermission.GET);
      opResult = opExecutorClient.exists(datasetId);
      break;

    case "truncate":
      // Enforce before the existence check so the not-found answer is only given after authorization.
      enforceUnlessSystemDataset(datasetId, caller, StandardPermission.DELETE);
      requireDatasetInstance(datasetId);
      opExecutorClient.truncate(datasetId);
      // The audit record is published only once the truncate call has returned.
      publishAudit(datasetId, AuditType.TRUNCATE);
      break;

    case "upgrade":
      enforceUnlessSystemDataset(datasetId, caller, StandardPermission.UPDATE);
      requireDatasetInstance(datasetId);
      opExecutorClient.upgrade(datasetId);
      publishAudit(datasetId, AuditType.UPDATE);
      break;

    default:
      // The caller-supplied operation name is echoed back in the error message.
      throw new HandlerException(HttpResponseStatus.NOT_FOUND, "Invalid admin operation: " + method);
  }

  return new DatasetAdminOpResponse(opResult, null);
}

/** Enforces {@code permission} on the dataset for {@code caller}, except for system datasets in a user namespace. */
private void enforceUnlessSystemDataset(DatasetId datasetId, Principal caller,
                                        StandardPermission permission) throws Exception {
  if (!DatasetsUtil.isSystemDatasetInUserNamespace(datasetId)) {
    accessEnforcer.enforce(datasetId, caller, permission);
  }
}

/** Throws {@link DatasetNotFoundException} when the instance manager has no entry for the dataset. */
private void requireDatasetInstance(DatasetId datasetId) throws Exception {
  if (instanceManager.get(datasetId) == null) {
    throw new DatasetNotFoundException(datasetId);
  }
}
use of io.cdap.cdap.proto.security.Principal in project cdap by caskdata.
the class DatasetInstanceService method drop.
/**
 * Drops the specified dataset.
 *
 * <p>The {@link StandardPermission#DELETE} check runs before the namespace and dataset lookups, so
 * the not-found outcomes below are only reached by a caller that passed enforcement (or when the
 * dataset is a system dataset in a user namespace, which skips enforcement).
 *
 * @param datasetId the {@link DatasetId} to drop
 * @throws NamespaceNotFoundException if the namespace was not found
 * @throws DatasetNotFoundException if the dataset datasetId was not found
 * @throws IOException if there was a problem in checking if the namespace exists over HTTP
 * @throws UnauthorizedException if perimeter security and authorization are enabled, and the current user
 *     does not have {@link StandardPermission#DELETE} privileges on the dataset
 */
void drop(DatasetId datasetId) throws Exception {
  Principal caller = authenticationContext.getPrincipal();

  // System datasets living in a user namespace are exempt from the access check.
  boolean exemptFromEnforcement = DatasetsUtil.isSystemDatasetInUserNamespace(datasetId);
  if (!exemptFromEnforcement) {
    accessEnforcer.enforce(datasetId, caller, StandardPermission.DELETE);
  }

  ensureNamespaceExists(datasetId.getParent());

  DatasetSpecification existingSpec = instanceManager.get(datasetId);
  if (existingSpec != null) {
    dropDataset(datasetId, existingSpec);
    return;
  }
  throw new DatasetNotFoundException(datasetId);
}
use of io.cdap.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultPreviewRequestQueueTest method testPreviewRequestQueue.
/**
 * Walks the preview request queue through empty, single-request, principal-carrying and full states.
 *
 * <p>The third pending {@code add} is expected to fail with {@link IllegalStateException};
 * presumably the queue under test is configured with a capacity of two outside this method.
 */
@Test
public void testPreviewRequestQueue() {
  PreviewConfig config = new PreviewConfig("WordCount", ProgramType.WORKFLOW, null, null);
  AppRequest<?> appRequest = new AppRequest<>(new ArtifactSummary("test", "1.0"), null, config);
  byte[] pollerId = Bytes.toBytes("runner-1");

  // Nothing has been queued yet, so a poll yields nothing.
  Optional<PreviewRequest> emptyPoll = previewRequestQueue.poll(pollerId);
  Assert.assertFalse(emptyPoll.isPresent());

  // A request queued without a principal comes back with the expected program id.
  ApplicationId firstApp = new ApplicationId("default", RunIds.generate().getId());
  previewRequestQueue.add(new PreviewRequest(firstApp, appRequest, null));
  Optional<PreviewRequest> firstPoll = previewRequestQueue.poll(pollerId);
  Assert.assertTrue(firstPoll.isPresent());
  PreviewRequest firstPolled = firstPoll.get();
  Assert.assertEquals(new ProgramId(firstApp, ProgramType.WORKFLOW, "WordCount"), firstPolled.getProgram());

  // A request queued with a principal (credential included) hands an equal principal to the poller.
  Principal submitter = new Principal("userFoo", Principal.PrincipalType.USER,
                                      new Credential("userFooCredential", Credential.CredentialType.EXTERNAL));
  PreviewRequest requestWithPrincipal = new PreviewRequest(firstApp, appRequest, submitter);
  previewRequestQueue.add(requestWithPrincipal);
  Optional<PreviewRequest> principalPoll = previewRequestQueue.poll(pollerId);
  Assert.assertTrue(principalPoll.isPresent());
  PreviewRequest principalPolled = principalPoll.get();
  Assert.assertTrue(principalPolled.getPrincipal().equals(submitter));

  // The queue is drained again.
  Optional<PreviewRequest> drainedPoll = previewRequestQueue.poll(pollerId);
  Assert.assertFalse(drainedPoll.isPresent());

  // Two pending requests take positions 0 and 1 in insertion order.
  ApplicationId secondApp = new ApplicationId("default", RunIds.generate().getId());
  previewRequestQueue.add(new PreviewRequest(secondApp, appRequest, null));
  Assert.assertEquals(0, previewRequestQueue.positionOf(secondApp));

  ApplicationId thirdApp = new ApplicationId("default", RunIds.generate().getId());
  previewRequestQueue.add(new PreviewRequest(thirdApp, appRequest, null));
  Assert.assertEquals(1, previewRequestQueue.positionOf(thirdApp));

  // A third pending request must be refused.
  ApplicationId overflowApp = new ApplicationId("default", RunIds.generate().getId());
  PreviewRequest overflowRequest = new PreviewRequest(overflowApp, appRequest, null);
  try {
    previewRequestQueue.add(overflowRequest);
    Assert.fail();
  } catch (IllegalStateException expected) {
    // expected: the queue rejected the extra request
  }

  // The two accepted requests are polled in the order they were added.
  Optional<PreviewRequest> secondPoll = previewRequestQueue.poll(pollerId);
  Assert.assertTrue(secondPoll.isPresent());
  PreviewRequest secondPolled = secondPoll.get();
  Assert.assertEquals(new ProgramId(secondApp, ProgramType.WORKFLOW, "WordCount"), secondPolled.getProgram());

  Optional<PreviewRequest> thirdPoll = previewRequestQueue.poll(pollerId);
  Assert.assertTrue(thirdPoll.isPresent());
  PreviewRequest thirdPolled = thirdPoll.get();
  Assert.assertEquals(new ProgramId(thirdApp, ProgramType.WORKFLOW, "WordCount"), thirdPolled.getProgram());

  Optional<PreviewRequest> finalPoll = previewRequestQueue.poll(pollerId);
  Assert.assertFalse(finalPoll.isPresent());
}
use of io.cdap.cdap.proto.security.Principal in project cdap by caskdata.
the class ListRolesCommand method perform.
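/**
 * Lists roles and renders them as a single-column table.
 *
 * <p>When both a principal type and a principal name are supplied, only that principal's roles are
 * requested; when neither is supplied, all roles are requested. Supplying exactly one of the two is
 * rejected up front: previously a name without a type caused a {@link NullPointerException} on
 * {@code principalType.toUpperCase()}, and a type without a name built a {@link Principal} with an
 * empty or null name.
 *
 * @param arguments the parsed command arguments; principal type and name are optional
 * @param output the stream the rendered table is written to
 * @throws IllegalArgumentException if only one of principal type and principal name is given, or if
 *     the principal type does not match a {@code Principal.PrincipalType} constant
 * @throws Exception if the underlying client call fails
 */
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
  String principalType = arguments.getOptional(ArgumentName.PRINCIPAL_TYPE.toString());
  String principalName = arguments.getOptional(ArgumentName.PRINCIPAL_NAME.toString());

  boolean hasType = !Strings.isNullOrEmpty(principalType);
  boolean hasName = !Strings.isNullOrEmpty(principalName);
  if (hasType != hasName) {
    // A half-specified filter is a usage error; fail clearly instead of with an NPE or a nameless principal.
    throw new IllegalArgumentException("Principal type and principal name must be specified together");
  }

  Set<Role> roles;
  if (hasType) {
    // valueOf rejects any type string that is not a declared PrincipalType constant.
    roles = client.listRoles(new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase())));
  } else {
    roles = client.listAllRoles();
  }

  Table table = Table.builder().setHeader("Role").setRows(Lists.newArrayList(roles), new RowMaker<Role>() {
    @Override
    public List<?> makeRow(Role role) {
      return Lists.newArrayList(role.getName());
    }
  }).build();
  cliConfig.getTableRenderer().render(cliConfig, output, table);
}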
use of io.cdap.cdap.proto.security.Principal in project cdap by caskdata.
the class DefaultInternalAuthenticatorTest method testProperHeadersSet.
/**
 * Checks that the internal authenticator copies the authentication context's principal into the
 * outgoing headers: the principal name under {@code USER_ID} and
 * {@code "<credential type qualified name> <credential value>"} under {@code RUNTIME_TOKEN}.
 */
@Test
public void testProperHeadersSet() {
  // Principal that the authentication context will report.
  String expectedName = "somebody";
  String expectedCredValue = "credential";
  Credential.CredentialType expectedCredType = Credential.CredentialType.EXTERNAL;
  Principal expectedPrincipal =
    new Principal(expectedName, Principal.PrincipalType.USER, new Credential(expectedCredValue, expectedCredType));

  // Collect whatever headers the authenticator sets.
  Map<String, String> capturedHeaders = new HashMap<>();
  DefaultInternalAuthenticator authenticator =
    new DefaultInternalAuthenticator(new TestAuthenticationContext(expectedPrincipal));
  authenticator.applyInternalAuthenticationHeaders(capturedHeaders::put);

  Assert.assertEquals(expectedName, capturedHeaders.get(Constants.Security.Headers.USER_ID));

  // The credential value is carried verbatim in the header, so anything that records these headers
  // records the credential as well.
  String expectedToken = String.format("%s %s", expectedCredType.getQualifiedName(), expectedCredValue);
  Assert.assertEquals(expectedToken, capturedHeaders.get(Constants.Security.Headers.RUNTIME_TOKEN));
}