use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.
the class AuthorizationHandler method dropRole.
@Path("/roles/{role-name}")
@DELETE
public void dropRole(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("role-name") String roleName) throws Exception {
ensureSecurityEnabled();
accessController.dropRole(new Role(roleName));
httpResponder.sendStatus(HttpResponseStatus.OK);
createLogEntry(httpRequest, HttpResponseStatus.OK);
}
use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.
the class InMemoryAccessController method enforce.
private void enforce(EntityId entity, @Nullable EntityType childType, Principal principal, Set<? extends Permission> permissions) throws UnauthorizedException {
// super users do not have any enforcement
if (superUsers.contains(principal) || superUsers.contains(allSuperUsers)) {
return;
}
// permissions allowed for this principal
Set<? extends Permission> allowed = getPermissions(entity, childType, principal);
if (allowed.containsAll(permissions)) {
return;
}
Set<Permission> allowedForRoles = new HashSet<>();
// permissions allowed for any of the roles to which this principal belongs if its not a role
if (principal.getType() != Principal.PrincipalType.ROLE) {
for (Role role : getRoles(principal)) {
allowedForRoles.addAll(getPermissions(entity, role));
}
}
if (!allowedForRoles.containsAll(permissions)) {
throw new UnauthorizedException(principal, Sets.difference(permissions, allowed), entity, childType);
}
}
use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.
the class InMemoryAccessController method listGrants.
@Override
public Set<GrantedPermission> listGrants(Principal principal) {
Set<GrantedPermission> privileges = new HashSet<>();
// privileges for this principal
privileges.addAll(getPrivileges(principal));
// privileges for the role to which this principal belongs to if its not a role
if (principal.getType() != Principal.PrincipalType.ROLE) {
for (Role role : roleToPrincipals.keySet()) {
privileges.addAll(getPrivileges(role));
}
}
return Collections.unmodifiableSet(privileges);
}
use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.
the class AccessControllerTest method testRBAC.
@Test
public void testRBAC() throws Exception {
AccessController authorizer = get();
Role admins = new Role("admins");
Role engineers = new Role("engineers");
// create a role
authorizer.createRole(admins);
// add another role
authorizer.createRole(engineers);
// listing role should show the added role
Set<Role> roles = authorizer.listAllRoles();
Set<Role> expectedRoles = new HashSet<>();
expectedRoles.add(admins);
expectedRoles.add(engineers);
Assert.assertEquals(expectedRoles, roles);
// creating a role which already exists should throw an exception
try {
authorizer.createRole(admins);
Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (AlreadyExistsException expected) {
// expected
}
// drop an existing role
authorizer.dropRole(admins);
// the list should not have the dropped role
roles = authorizer.listAllRoles();
Assert.assertEquals(Collections.singleton(engineers), roles);
// dropping a non-existing role should throw exception
try {
authorizer.dropRole(admins);
Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (NotFoundException expected) {
// expected
}
// add an user to an existing role
Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
authorizer.addRoleToPrincipal(engineers, spiderman);
// add an user to an non-existing role should throw an exception
try {
authorizer.addRoleToPrincipal(admins, spiderman);
Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
// expectedRoles
}
// check listing roles for spiderman have engineers role
Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
// authorization checks with roles
NamespaceId ns1 = new NamespaceId("ns1");
// check that spiderman who has engineers roles cannot read from ns1
verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
// give a permission to engineers role
authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
// check that a spiderman who has engineers role has access
authorizer.enforce(ns1, spiderman, StandardPermission.GET);
// list privileges for spiderman should have read permission on ns1
Assert.assertEquals(Collections.singleton(new GrantedPermission(ns1, StandardPermission.GET)), authorizer.listGrants(spiderman));
// revoke permission from the role
authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
// now the privileges for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listGrants(spiderman));
// check that the user of this role is not authorized to do the revoked operation
verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
// remove an user from a existing role
authorizer.removeRoleFromPrincipal(engineers, spiderman);
// check listing roles for spiderman should be empty
Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
// remove an user from a non-existing role should throw exception
try {
authorizer.removeRoleFromPrincipal(admins, spiderman);
Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
// expectedRoles
}
}
use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.
the class RemoveRoleFromPrincipalCommand method perform.
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
String roleName = arguments.get("role-name");
String principalType = arguments.get("principal-type");
String principalName = arguments.get("principal-name");
client.removeRoleFromPrincipal(new Role(roleName), new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase())));
output.printf("Successfully removed role '%s' from %s '%s'\n", roleName, principalType, principalName);
}
Aggregations