
/**
 * Round-trips the role-management API through the authorization client: create/list/drop roles,
 * assign and unassign a role on a principal, and grant/revoke a permission through the role.
 * Every negative case asserts that the client surfaces the exception the SPI defines for it.
 */
@Test
public void testRBAC() throws Exception {
    Role adminRole = new Role("admins");
    Role engineerRole = new Role("engineers");

    // two freshly created roles both show up in the listing
    client.createRole(adminRole);
    client.createRole(engineerRole);
    Assert.assertEquals(ImmutableSet.of(adminRole, engineerRole), client.listAllRoles());

    // creating the same role twice is rejected
    try {
        client.createRole(adminRole);
        Assert.fail(String.format("Created a role %s which already exists. Should have failed.", adminRole.getName()));
    } catch (AlreadyExistsException expected) {
        // rejected as intended
    }

    // dropping removes the role from the listing; dropping it again is rejected
    client.dropRole(adminRole);
    Assert.assertEquals(ImmutableSet.of(engineerRole), client.listAllRoles());
    try {
        client.dropRole(adminRole);
        Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", adminRole.getName()));
    } catch (io.cdap.cdap.security.spi.authorization.NotFoundException expected) {
        // rejected as intended
    }

    // only an existing role can be assigned to a principal
    Principal user = new Principal("spiderman", Principal.PrincipalType.USER);
    client.addRoleToPrincipal(engineerRole, user);
    try {
        client.addRoleToPrincipal(adminRole, user);
        Assert.fail(String.format("Added role %s to principal %s. Should have failed.", adminRole, user));
    } catch (io.cdap.cdap.security.spi.authorization.NotFoundException expected) {
        // rejected as intended
    }
    Assert.assertEquals(ImmutableSet.of(engineerRole), client.listRoles(user));

    // membership alone grants nothing on ns1 ...
    verifyAuthFailure(ns1, user, StandardPermission.GET);
    // ... until the role itself is granted GET on ns1, which then applies to its members
    client.grant(Authorizable.fromEntityId(ns1), engineerRole, ImmutableSet.of(StandardPermission.GET));
    verifyAuthSuccess(ns1, user, StandardPermission.GET);
    Assert.assertEquals(ImmutableSet.of(new GrantedPermission(ns1, StandardPermission.GET)), client.listGrants(user));

    // revoking from the role takes the permission away from its members again
    client.revoke(Authorizable.fromEntityId(ns1), engineerRole, ImmutableSet.of(StandardPermission.GET));
    Assert.assertEquals(ImmutableSet.of(), client.listGrants(user));
    verifyAuthFailure(ns1, user, StandardPermission.GET);

    // unassigning empties the principal's role list; unassigning a role that does not exist is rejected
    client.removeRoleFromPrincipal(engineerRole, user);
    Assert.assertEquals(ImmutableSet.of(), client.listRoles(user));
    try {
        client.removeRoleFromPrincipal(adminRole, user);
        Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", adminRole, user));
    } catch (io.cdap.cdap.security.spi.authorization.NotFoundException expected) {
        // rejected as intended
    }
}

/**
 * Starts an {@link AuthorizationHandler} backed by an in-memory access controller under the given
 * configuration and checks that every authorization REST call the client exposes is rejected for
 * {@code feature}, naming {@code configSetting}. The service is stopped even if a check fails.
 *
 * @param cConf configuration the service, handler and instantiator are built from
 * @param feature the feature each call is expected to report as disabled
 * @param configSetting the configuration key each failure is expected to point at
 * @throws Exception if the service cannot be started or a call fails in an unexpected way
 */
private void testDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature, String configSetting) throws Exception {
    final InMemoryAccessController accessController = new InMemoryAccessController();
    CommonNettyHttpServiceBuilder serviceBuilder = new CommonNettyHttpServiceBuilder(cConf, getClass().getSimpleName());
    // short-circuit the instantiator so the handler always resolves to the in-memory controller above
    AccessControllerInstantiator instantiator = new AccessControllerInstantiator(cConf, FACTORY) {

        @Override
        public AccessController get() {
            return accessController;
        }
    };
    AuthorizationHandler handler = new AuthorizationHandler(accessController, instantiator, cConf, new MasterAuthenticationContext());
    NettyHttpService service = serviceBuilder.setHttpHandlers(handler).build();
    service.start();
    try {
        final AuthorizationClient client = new AuthorizationClient(
            ClientConfig.builder()
                .setConnectionConfig(ConnectionConfig.builder()
                                       .setHostname(service.getBindAddress().getHostName())
                                       .setPort(service.getBindAddress().getPort())
                                       .setSSLEnabled(false)
                                       .build())
                .build());
        final NamespaceId ns1 = Ids.namespace("ns1");
        final Role admins = new Role("admins");
        // Every authorization REST call, in this order, must fail with the disabled-feature error.
        DisabledFeatureCaller[] callers = {
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.grant(Authorizable.fromEntityId(ns1), admin, ImmutableSet.of(StandardPermission.GET));
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.revoke(Authorizable.fromEntityId(ns1), admin, ImmutableSet.of(StandardPermission.GET));
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.revoke(Authorizable.fromEntityId(ns1));
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.listGrants(admin);
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.addRoleToPrincipal(admins, admin);
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.removeRoleFromPrincipal(admins, admin);
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.createRole(admins);
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.dropRole(admins);
                }
            },
            new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    client.listAllRoles();
                }
            }
        };
        for (DisabledFeatureCaller caller : callers) {
            verifyFeatureDisabled(caller, feature, configSetting);
        }
    } finally {
        service.stop();
    }
}

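/**
 * Adds a role to a principal through the authorization client.
 *
 * <p>Reads {@code role-name}, {@code principal-type} and {@code principal-name} from the CLI
 * arguments. The principal type is matched against {@link Principal.PrincipalType} case-insensitively
 * under {@link java.util.Locale#ROOT}, so the mapping does not depend on the user's default locale.
 *
 * @param arguments parsed CLI arguments
 * @param output stream the success message is printed to
 * @throws IllegalArgumentException if {@code principal-type} is not a known principal type
 * @throws Exception if the client call fails
 */
@Override
public void perform(Arguments arguments, PrintStream output) throws Exception {
    String roleName = arguments.get("role-name");
    String principalType = arguments.get("principal-type");
    String principalName = arguments.get("principal-name");
    Principal.PrincipalType type;
    try {
        // Locale.ROOT: case folding of user input must not depend on the JVM default locale
        type = Principal.PrincipalType.valueOf(principalType.toUpperCase(java.util.Locale.ROOT));
    } catch (IllegalArgumentException e) {
        // valueOf's own message is unhelpful on the command line; name the input and the accepted values
        throw new IllegalArgumentException(String.format("Unknown principal type '%s'; expected one of %s", principalType,
                                                         java.util.Arrays.toString(Principal.PrincipalType.values())), e);
    }
    client.addRoleToPrincipal(new Role(roleName), new Principal(principalName, type));
    output.printf("Successfully added role '%s' to '%s' '%s'\n", roleName, principalType, principalName);
}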

/**
 ******************************************************************************************************************
 * Role Management : For Role Based Access Control
 *******************************************************************************************************************
 */
/**
 * REST entry point that creates the role named by the {@code role-name} path segment.
 *
 * <p>{@code ensureSecurityEnabled()} guards the call first (the handler tests expect a
 * {@link FeatureDisabledException} when authorization is off), creation is delegated to the access
 * controller, and the request is answered with {@code 200 OK} and passed to {@code createLogEntry}.
 * The name is handed to {@link Role} exactly as received from the path; any constraints on it are
 * enforced by {@code Role} or the access controller, not here.
 *
 * @param httpRequest the incoming request, also used for the log entry
 * @param httpResponder responder the status is sent through
 * @param roleName role name taken from the {@code role-name} path segment
 * @throws Exception if security is disabled or the access controller rejects the creation
 */
@Path("/roles/{role-name}")
@PUT
public void createRole(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("role-name") String roleName) throws Exception {
    ensureSecurityEnabled();
    Role role = new Role(roleName);
    accessController.createRole(role);
    HttpResponseStatus status = HttpResponseStatus.OK;
    httpResponder.sendStatus(status);
    createLogEntry(httpRequest, status);
}

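/**
 * REST entry point that removes the role {@code role-name} from the principal identified by the
 * {@code principal-type} and {@code principal-name} path segments.
 *
 * <p>{@code ensureSecurityEnabled()} guards the call first; the principal type is matched against
 * {@link Principal.PrincipalType} case-insensitively under {@link java.util.Locale#ROOT} so the
 * result does not depend on the server's default locale; removal is delegated to the access
 * controller, and the request is answered with {@code 200 OK} and passed to {@code createLogEntry}.
 *
 * @param httpRequest the incoming request, also used for the log entry
 * @param httpResponder responder the status is sent through
 * @param principalType principal type from the path, compared case-insensitively
 * @param principalName principal name from the path
 * @param roleName role name from the path
 * @throws IllegalArgumentException if {@code principalType} is not a known principal type
 * @throws Exception if security is disabled or the access controller rejects the removal
 */
@Path("/{principal-type}/{principal-name}/roles/{role-name}")
@DELETE
public void removeRoleFromPrincipal(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String principalType, @PathParam("principal-name") String principalName, @PathParam("role-name") String roleName) throws Exception {
    ensureSecurityEnabled();
    // Locale.ROOT: the segment is client-supplied; case folding must not depend on the JVM default locale
    Principal.PrincipalType type = Principal.PrincipalType.valueOf(principalType.toUpperCase(java.util.Locale.ROOT));
    Principal principal = new Principal(principalName, type);
    accessController.removeRoleFromPrincipal(new Role(roleName), principal);
    httpResponder.sendStatus(HttpResponseStatus.OK);
    createLogEntry(httpRequest, HttpResponseStatus.OK);
}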