Search in sources :

Example 1 with InMemoryAccessController

use of io.cdap.cdap.security.authorization.InMemoryAccessController in project cdap by caskdata.

the class TetheringServerHandlerTest method setUp.

@Before
public void setUp() throws Exception {
    // Define all StructuredTable before starting any services that need StructuredTable
    StoreDefinition.createAllTables(injector.getInstance(StructuredTableAdmin.class));
    cConf.setBoolean(Constants.Tethering.TETHERING_SERVER_ENABLED, true);
    cConf.setInt(Constants.Tethering.CONNECTION_TIMEOUT_SECONDS, 1);
    List<Permission> tetheringPermissions = Arrays.asList(InstancePermission.TETHER);
    InMemoryAccessController inMemoryAccessController = new InMemoryAccessController();
    inMemoryAccessController.grant(Authorizable.fromEntityId(InstanceId.SELF), MASTER_PRINCIPAL, Collections.unmodifiableSet(new HashSet<>(tetheringPermissions)));
    ContextAccessEnforcer contextAccessEnforcer = new DefaultContextAccessEnforcer(new AuthenticationTestContext(), inMemoryAccessController);
    AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
    service = new CommonNettyHttpServiceBuilder(CConfiguration.create(), getClass().getSimpleName()).setHttpHandlers(new TetheringServerHandler(cConf, tetheringStore, messagingService, contextAccessEnforcer), new TetheringHandler(cConf, tetheringStore, messagingService)).build();
    service.start();
    config = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(service.getBindAddress().getHostName()).setPort(service.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
}
Also used : CommonNettyHttpServiceBuilder(io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder) StructuredTableAdmin(io.cdap.cdap.spi.data.StructuredTableAdmin) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) InstancePermission(io.cdap.cdap.proto.security.InstancePermission) Permission(io.cdap.cdap.proto.security.Permission) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) AuthenticationTestContext(io.cdap.cdap.security.auth.context.AuthenticationTestContext) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) ContextAccessEnforcer(io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer) HashSet(java.util.HashSet) Before(org.junit.Before)

Example 2 with InMemoryAccessController

use of io.cdap.cdap.security.authorization.InMemoryAccessController in project cdap by caskdata.

the class MonitorHandlerAuthorizationTest method createMonitorHandler.

private static MonitorHandler createMonitorHandler(Authorizable authorizable, List<Permission> requiredPermissions) {
    Map<String, MasterServiceManager> masterServiceManagerMap = new HashMap<>();
    MasterServiceManager mockMasterServiceManager = mock(MasterServiceManager.class);
    when(mockMasterServiceManager.getInstances()).thenReturn(1);
    when(mockMasterServiceManager.isServiceEnabled()).thenReturn(true);
    when(mockMasterServiceManager.getMinInstances()).thenReturn(1);
    when(mockMasterServiceManager.getMaxInstances()).thenReturn(1);
    when(mockMasterServiceManager.setInstances(any(Integer.class))).thenReturn(true);
    masterServiceManagerMap.put(SERVICE_NAME, mockMasterServiceManager);
    ServiceStore mockServiceStore = mock(ServiceStore.class);
    InMemoryAccessController inMemoryAccessController = new InMemoryAccessController();
    inMemoryAccessController.grant(authorizable, MASTER_PRINCIPAL, Collections.unmodifiableSet(new HashSet<>(requiredPermissions)));
    AuthenticationContext authenticationContext = new AuthenticationTestContext();
    DefaultContextAccessEnforcer contextAccessEnforcer = new DefaultContextAccessEnforcer(authenticationContext, inMemoryAccessController);
    return new MonitorHandler(masterServiceManagerMap, mockServiceStore, contextAccessEnforcer);
}
Also used : AuthenticationContext(io.cdap.cdap.security.spi.authentication.AuthenticationContext) MasterServiceManager(io.cdap.cdap.common.twill.MasterServiceManager) ServiceStore(io.cdap.cdap.app.store.ServiceStore) HashMap(java.util.HashMap) MonitorHandler(io.cdap.cdap.gateway.handlers.MonitorHandler) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AuthenticationTestContext(io.cdap.cdap.security.auth.context.AuthenticationTestContext) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) HashSet(java.util.HashSet)

Example 3 with InMemoryAccessController

use of io.cdap.cdap.security.authorization.InMemoryAccessController in project cdap by caskdata.

the class AuthorizationHandlerTest method setUp.

@Before
public void setUp() throws Exception {
    CConfiguration conf = CConfiguration.create();
    conf.setBoolean(Constants.Security.Authorization.ENABLED, true);
    conf.setBoolean(Constants.Security.ENABLED, true);
    properties.setProperty("superusers", admin.getName());
    final InMemoryAccessController auth = new InMemoryAccessController();
    auth.initialize(FACTORY.create(properties));
    service = new CommonNettyHttpServiceBuilder(conf, getClass().getSimpleName()).setHttpHandlers(new AuthorizationHandler(auth, new AccessControllerInstantiator(conf, FACTORY) {

        @Override
        public AccessController get() {
            return auth;
        }
    }, conf, new MasterAuthenticationContext())).setChannelPipelineModifier(new ChannelPipelineModifier() {

        @Override
        public void modify(ChannelPipeline pipeline) {
            pipeline.addBefore("dispatcher", "usernamesetter", new TestUserNameSetter());
        }
    }).build();
    service.start();
    client = new AuthorizationClient(ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(service.getBindAddress().getHostName()).setPort(service.getBindAddress().getPort()).setSSLEnabled(false).build()).build());
    System.setProperty(USERNAME_PROPERTY, admin.getName());
}
Also used : MasterAuthenticationContext(io.cdap.cdap.security.auth.context.MasterAuthenticationContext) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) CommonNettyHttpServiceBuilder(io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessControllerInstantiator(io.cdap.cdap.security.authorization.AccessControllerInstantiator) AuthorizationClient(io.cdap.cdap.client.AuthorizationClient) CConfiguration(io.cdap.cdap.common.conf.CConfiguration) ChannelPipelineModifier(io.cdap.http.ChannelPipelineModifier) ChannelPipeline(io.netty.channel.ChannelPipeline) Before(org.junit.Before)

Example 4 with InMemoryAccessController

use of io.cdap.cdap.security.authorization.InMemoryAccessController in project cdap by caskdata.

the class AuthorizationHandlerTest method testDisabled.

private void testDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature, String configSetting) throws Exception {
    final InMemoryAccessController accessController = new InMemoryAccessController();
    NettyHttpService service = new CommonNettyHttpServiceBuilder(cConf, getClass().getSimpleName()).setHttpHandlers(new AuthorizationHandler(accessController, new AccessControllerInstantiator(cConf, FACTORY) {

        @Override
        public AccessController get() {
            return accessController;
        }
    }, cConf, new MasterAuthenticationContext())).build();
    service.start();
    try {
        final AuthorizationClient client = new AuthorizationClient(ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(service.getBindAddress().getHostName()).setPort(service.getBindAddress().getPort()).setSSLEnabled(false).build()).build());
        final NamespaceId ns1 = Ids.namespace("ns1");
        final Role admins = new Role("admins");
        // Test that the right exception is thrown when any Authorization REST API is called with authorization disabled
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.grant(Authorizable.fromEntityId(ns1), admin, ImmutableSet.of(StandardPermission.GET));
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.revoke(Authorizable.fromEntityId(ns1), admin, ImmutableSet.of(StandardPermission.GET));
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.revoke(Authorizable.fromEntityId(ns1));
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.listGrants(admin);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.addRoleToPrincipal(admins, admin);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.removeRoleFromPrincipal(admins, admin);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.createRole(admins);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.dropRole(admins);
            }
        }, feature, configSetting);
        verifyFeatureDisabled(new DisabledFeatureCaller() {

            @Override
            public void call() throws Exception {
                client.listAllRoles();
            }
        }, feature, configSetting);
    } finally {
        service.stop();
    }
}
Also used : MasterAuthenticationContext(io.cdap.cdap.security.auth.context.MasterAuthenticationContext) CommonNettyHttpServiceBuilder(io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder) AccessControllerInstantiator(io.cdap.cdap.security.authorization.AccessControllerInstantiator) AccessException(io.cdap.cdap.api.security.AccessException) FeatureDisabledException(io.cdap.cdap.common.FeatureDisabledException) AlreadyExistsException(io.cdap.cdap.security.spi.authorization.AlreadyExistsException) Role(io.cdap.cdap.proto.security.Role) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) NettyHttpService(io.cdap.http.NettyHttpService) AuthorizationClient(io.cdap.cdap.client.AuthorizationClient) NamespaceId(io.cdap.cdap.proto.id.NamespaceId)

Example 5 with InMemoryAccessController

use of io.cdap.cdap.security.authorization.InMemoryAccessController in project cdap by caskdata.

the class TetheringClientHandlerTest method setUp.

@Before
public void setUp() throws Exception {
    // Define all StructuredTable before starting any services that need StructuredTable
    StoreDefinition.createAllTables(injector.getInstance(StructuredTableAdmin.class));
    CConfiguration conf = CConfiguration.create();
    serverHandler = new MockTetheringServerHandler();
    serverService = new CommonNettyHttpServiceBuilder(conf, getClass().getSimpleName() + "_server").setHttpHandlers(serverHandler).build();
    serverService.start();
    serverConfig = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(serverService.getBindAddress().getHostName()).setPort(serverService.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
    cConf.setInt(Constants.Tethering.CONNECTION_INTERVAL, 1);
    cConf.setInt(Constants.Tethering.CONNECTION_TIMEOUT_SECONDS, 5);
    cConf.set(Constants.INSTANCE_NAME, CLIENT_INSTANCE);
    List<Permission> tetheringPermissions = Arrays.asList(InstancePermission.TETHER);
    InMemoryAccessController inMemoryAccessController = new InMemoryAccessController();
    inMemoryAccessController.grant(Authorizable.fromEntityId(InstanceId.SELF), MASTER_PRINCIPAL, Collections.unmodifiableSet(new HashSet<>(tetheringPermissions)));
    ContextAccessEnforcer contextAccessEnforcer = new DefaultContextAccessEnforcer(new AuthenticationTestContext(), inMemoryAccessController);
    AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
    MessagingService messagingService = injector.getInstance(MessagingService.class);
    clientService = new CommonNettyHttpServiceBuilder(conf, getClass().getSimpleName() + "_client").setHttpHandlers(new TetheringClientHandler(tetheringStore, contextAccessEnforcer), new TetheringHandler(cConf, tetheringStore, messagingService)).build();
    clientService.start();
    clientConfig = ClientConfig.builder().setConnectionConfig(ConnectionConfig.builder().setHostname(clientService.getBindAddress().getHostName()).setPort(clientService.getBindAddress().getPort()).setSSLEnabled(false).build()).build();
    tetheringAgentService = new TetheringAgentService(cConf, injector.getInstance(TransactionRunner.class), tetheringStore, injector.getInstance(MessagingService.class), injector.getInstance(RemoteAuthenticator.class));
    Assert.assertEquals(Service.State.RUNNING, tetheringAgentService.startAndWait());
}
Also used : CommonNettyHttpServiceBuilder(io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder) StructuredTableAdmin(io.cdap.cdap.spi.data.StructuredTableAdmin) AuthenticationTestContext(io.cdap.cdap.security.auth.context.AuthenticationTestContext) CConfiguration(io.cdap.cdap.common.conf.CConfiguration) MessagingService(io.cdap.cdap.messaging.MessagingService) InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) InstancePermission(io.cdap.cdap.proto.security.InstancePermission) Permission(io.cdap.cdap.proto.security.Permission) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) DefaultContextAccessEnforcer(io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer) ContextAccessEnforcer(io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer) HashSet(java.util.HashSet) Before(org.junit.Before)

Aggregations

InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)5 CommonNettyHttpServiceBuilder (io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder)4 AuthenticationTestContext (io.cdap.cdap.security.auth.context.AuthenticationTestContext)3 DefaultContextAccessEnforcer (io.cdap.cdap.security.authorization.DefaultContextAccessEnforcer)3 HashSet (java.util.HashSet)3 Before (org.junit.Before)3 AuthorizationClient (io.cdap.cdap.client.AuthorizationClient)2 CConfiguration (io.cdap.cdap.common.conf.CConfiguration)2 InstancePermission (io.cdap.cdap.proto.security.InstancePermission)2 Permission (io.cdap.cdap.proto.security.Permission)2 MasterAuthenticationContext (io.cdap.cdap.security.auth.context.MasterAuthenticationContext)2 AccessControllerInstantiator (io.cdap.cdap.security.authorization.AccessControllerInstantiator)2 AccessController (io.cdap.cdap.security.spi.authorization.AccessController)2 ContextAccessEnforcer (io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer)2 StructuredTableAdmin (io.cdap.cdap.spi.data.StructuredTableAdmin)2 AccessException (io.cdap.cdap.api.security.AccessException)1 ServiceStore (io.cdap.cdap.app.store.ServiceStore)1 FeatureDisabledException (io.cdap.cdap.common.FeatureDisabledException)1 MasterServiceManager (io.cdap.cdap.common.twill.MasterServiceManager)1 MonitorHandler (io.cdap.cdap.gateway.handlers.MonitorHandler)1