Examples with Role io.cdap.cdap.proto.security.Role used on opensource projects

Search in sources :

Example 6 with Role

use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.

the class AuthorizationHandler method dropRole.

@Path("/roles/{role-name}")
@DELETE
public void dropRole(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("role-name") String roleName) throws Exception {
    ensureSecurityEnabled();
    accessController.dropRole(new Role(roleName));
    httpResponder.sendStatus(HttpResponseStatus.OK);
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}
Also used : Role(io.cdap.cdap.proto.security.Role) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE)

Example 7 with Role

use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.

the class InMemoryAccessController method enforce.

private void enforce(EntityId entity, @Nullable EntityType childType, Principal principal, Set<? extends Permission> permissions) throws UnauthorizedException {
    // super users do not have any enforcement
    if (superUsers.contains(principal) || superUsers.contains(allSuperUsers)) {
        return;
    }
    // permissions allowed for this principal
    Set<? extends Permission> allowed = getPermissions(entity, childType, principal);
    if (allowed.containsAll(permissions)) {
        return;
    }
    Set<Permission> allowedForRoles = new HashSet<>();
    // permissions allowed for any of the roles to which this principal belongs if its not a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : getRoles(principal)) {
            allowedForRoles.addAll(getPermissions(entity, role));
        }
    }
    if (!allowedForRoles.containsAll(permissions)) {
        throw new UnauthorizedException(principal, Sets.difference(permissions, allowed), entity, childType);
    }
}
Also used : Role(io.cdap.cdap.proto.security.Role) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Permission(io.cdap.cdap.proto.security.Permission) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) HashSet(java.util.HashSet)

Example 8 with Role

use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.

the class InMemoryAccessController method listGrants.

@Override
public Set<GrantedPermission> listGrants(Principal principal) {
    Set<GrantedPermission> privileges = new HashSet<>();
    // privileges for this principal
    privileges.addAll(getPrivileges(principal));
    // privileges for the role to which this principal belongs to if its not a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : roleToPrincipals.keySet()) {
            privileges.addAll(getPrivileges(role));
        }
    }
    return Collections.unmodifiableSet(privileges);
}
Also used : Role(io.cdap.cdap.proto.security.Role) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) HashSet(java.util.HashSet)

Example 9 with Role

use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.

the class AccessControllerTest method testRBAC.

@Test
public void testRBAC() throws Exception {
    AccessController authorizer = get();
    Role admins = new Role("admins");
    Role engineers = new Role("engineers");
    // create a role
    authorizer.createRole(admins);
    // add another role
    authorizer.createRole(engineers);
    // listing role should show the added role
    Set<Role> roles = authorizer.listAllRoles();
    Set<Role> expectedRoles = new HashSet<>();
    expectedRoles.add(admins);
    expectedRoles.add(engineers);
    Assert.assertEquals(expectedRoles, roles);
    // creating a role which already exists should throw an exception
    try {
        authorizer.createRole(admins);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
    } catch (AlreadyExistsException expected) {
    // expected
    }
    // drop an existing role
    authorizer.dropRole(admins);
    // the list should not have the dropped role
    roles = authorizer.listAllRoles();
    Assert.assertEquals(Collections.singleton(engineers), roles);
    // dropping a non-existing role should throw exception
    try {
        authorizer.dropRole(admins);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
    } catch (NotFoundException expected) {
    // expected
    }
    // add an user to an existing role
    Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
    authorizer.addRoleToPrincipal(engineers, spiderman);
    // add an user to an non-existing role should throw an exception
    try {
        authorizer.addRoleToPrincipal(admins, spiderman);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
    // check listing roles for spiderman have engineers role
    Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
    // authorization checks with roles
    NamespaceId ns1 = new NamespaceId("ns1");
    // check that spiderman who has engineers roles cannot read from ns1
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // give a permission to engineers role
    authorizer.grant(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
    // check that a spiderman who has engineers role has access
    authorizer.enforce(ns1, spiderman, StandardPermission.GET);
    // list privileges for spiderman should have read permission on ns1
    Assert.assertEquals(Collections.singleton(new GrantedPermission(ns1, StandardPermission.GET)), authorizer.listGrants(spiderman));
    // revoke permission from the role
    authorizer.revoke(Authorizable.fromEntityId(ns1), engineers, Collections.singleton(StandardPermission.GET));
    // now the privileges for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listGrants(spiderman));
    // check that the user of this role is not authorized to do the revoked operation
    verifyAuthFailure(ns1, spiderman, StandardPermission.GET);
    // remove an user from a existing role
    authorizer.removeRoleFromPrincipal(engineers, spiderman);
    // check listing roles for spiderman should be empty
    Assert.assertEquals(Collections.EMPTY_SET, authorizer.listRoles(spiderman));
    // remove an user from a non-existing role should throw exception
    try {
        authorizer.removeRoleFromPrincipal(admins, spiderman);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
    } catch (NotFoundException expected) {
    // expectedRoles
    }
}
Also used : Role(io.cdap.cdap.proto.security.Role) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Principal(io.cdap.cdap.proto.security.Principal) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 10 with Role

use of io.cdap.cdap.proto.security.Role in project cdap by caskdata.

the class RemoveRoleFromPrincipalCommand method perform.

@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    String roleName = arguments.get("role-name");
    String principalType = arguments.get("principal-type");
    String principalName = arguments.get("principal-name");
    client.removeRoleFromPrincipal(new Role(roleName), new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase())));
    output.printf("Successfully removed role '%s' from %s '%s'\n", roleName, principalType, principalName);
}
Also used : Role(io.cdap.cdap.proto.security.Role) Principal(io.cdap.cdap.proto.security.Principal)

Aggregations

Role (io.cdap.cdap.proto.security.Role)15 Principal (io.cdap.cdap.proto.security.Principal)8 GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)4 Path (javax.ws.rs.Path)4 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)3 HashSet (java.util.HashSet)3 Test (org.junit.Test)3 AlreadyExistsException (io.cdap.cdap.security.spi.authorization.AlreadyExistsException)2 DELETE (javax.ws.rs.DELETE)2 PUT (javax.ws.rs.PUT)2 AccessException (io.cdap.cdap.api.security.AccessException)1 RowMaker (io.cdap.cdap.cli.util.RowMaker)1 Table (io.cdap.cdap.cli.util.table.Table)1 AuthorizationClient (io.cdap.cdap.client.AuthorizationClient)1 FeatureDisabledException (io.cdap.cdap.common.FeatureDisabledException)1 CommonNettyHttpServiceBuilder (io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder)1 Permission (io.cdap.cdap.proto.security.Permission)1 MasterAuthenticationContext (io.cdap.cdap.security.auth.context.MasterAuthenticationContext)1 AccessControllerInstantiator (io.cdap.cdap.security.authorization.AccessControllerInstantiator)1 InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial