Example 1 with AccessController

Use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.

From class AuthorizationHandlerTest, method setUp:

@Before
public void setUp() throws Exception {
    // Turn on both authentication and authorization for the embedded HTTP service under test.
    CConfiguration conf = CConfiguration.create();
    conf.setBoolean(Constants.Security.Authorization.ENABLED, true);
    conf.setBoolean(Constants.Security.ENABLED, true);
    // The admin principal is registered as a superuser of the in-memory access controller.
    properties.setProperty("superusers", admin.getName());
    final InMemoryAccessController auth = new InMemoryAccessController();
    auth.initialize(FACTORY.create(properties));
    // The instantiator is overridden so the handler uses the in-memory controller directly
    // instead of loading an extension jar.
    AccessControllerInstantiator instantiator = new AccessControllerInstantiator(conf, FACTORY) {
        @Override
        public AccessController get() {
            return auth;
        }
    };
    service = new CommonNettyHttpServiceBuilder(conf, getClass().getSimpleName())
        .setHttpHandlers(new AuthorizationHandler(auth, instantiator, conf, new MasterAuthenticationContext()))
        .setChannelPipelineModifier(new ChannelPipelineModifier() {
            @Override
            public void modify(ChannelPipeline pipeline) {
                // Inject the test user name into each request before it reaches the handler dispatcher.
                pipeline.addBefore("dispatcher", "usernamesetter", new TestUserNameSetter());
            }
        })
        .build();
    service.start();
    // Plain HTTP is acceptable here only because the service is bound locally for the test.
    ConnectionConfig connectionConfig = ConnectionConfig.builder()
        .setHostname(service.getBindAddress().getHostName())
        .setPort(service.getBindAddress().getPort())
        .setSSLEnabled(false)
        .build();
    client = new AuthorizationClient(ClientConfig.builder().setConnectionConfig(connectionConfig).build());
    System.setProperty(USERNAME_PROPERTY, admin.getName());
}
Also used: MasterAuthenticationContext (io.cdap.cdap.security.auth.context.MasterAuthenticationContext), InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController), AccessController (io.cdap.cdap.security.spi.authorization.AccessController), CommonNettyHttpServiceBuilder (io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder), AccessControllerInstantiator (io.cdap.cdap.security.authorization.AccessControllerInstantiator), AuthorizationClient (io.cdap.cdap.client.AuthorizationClient), CConfiguration (io.cdap.cdap.common.conf.CConfiguration), ChannelPipelineModifier (io.cdap.http.ChannelPipelineModifier), ChannelPipeline (io.netty.channel.ChannelPipeline), Before (org.junit.Before)

Example 2 with AccessController

Use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.

From class AccessControllerInstantiator, method close:

@Override
public void close() throws IOException {
    try {
        // Mark the instantiator closed and tear down the extension under the instance lock,
        // so the controller cannot be handed out while it is being destroyed.
        synchronized (this) {
            closed = true;
            AccessController accessController = this.accessController;
            if (accessController != null) {
                accessController.destroy();
            }
        }
    } catch (Throwable t) {
        // A misbehaving extension must not prevent its class loader from being released.
        LOG.warn("Failed to destroy accessController.", t);
    } finally {
        Closeables.closeQuietly(accessControllerClassLoader);
    }
}
Also used: AccessController (io.cdap.cdap.security.spi.authorization.AccessController), NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController)

Example 3 with AccessController

Use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.

From class AccessControllerInstantiator, method createAccessController:

/**
 * Creates a new instance of the configured {@link AccessController} extension from the provided extension
 * jar file (via its class loader) and initializes it.
 *
 * @param classLoader the class loader built from the extension jar
 * @return a new, initialized instance of the configured {@link AccessController} extension
 */
private AccessController createAccessController(AccessControllerClassLoader classLoader) throws InvalidAccessControllerException {
    Class<?> accessControllerClass = loadAccessControllerClass(classLoader);
    // Set the context class loader to the AccessControllerClassLoader before creating a new instance of the extension,
    // so all classes required in this process are created from the AccessControllerClassLoader.
    ClassLoader oldClassLoader = ClassLoaders.setContextClassLoader(classLoader);
    LOG.trace("Setting context classloader to {}. Old classloader was {}.", classLoader, oldClassLoader);
    try {
        AccessController accessController;
        try {
            Object extension = instantiatorFactory.get(TypeToken.of(accessControllerClass)).create();
            if (extension instanceof AccessController) {
                accessController = (AccessController) extension;
            } else {
                // Older extensions implement the Authorizer SPI and are adapted; anything else fails
                // the cast and is reported as an invalid extension below.
                accessController = new AuthorizerWrapper((Authorizer) extension);
            }
        } catch (Exception e) {
            throw new InvalidAccessControllerException(String.format("Error while instantiating for access controller extension %s. " + "Please make sure that the extension " + "is a public class with a default constructor.", accessControllerClass.getName()), e);
        }
        AuthorizationContext context = authorizationContextFactory.create(createExtensionProperties());
        try {
            accessController.initialize(context);
        } catch (Exception e) {
            throw new InvalidAccessControllerException(String.format("Error while initializing access control extension %s.", accessControllerClass.getName()), e);
        }
        return accessController;
    } finally {
        // After the process of creation of a new instance has completed (success or failure), reset the context
        // classloader back to the original class loader.
        ClassLoaders.setContextClassLoader(oldClassLoader);
        LOG.trace("Resetting context classloader to {} from {}.", oldClassLoader, classLoader);
    }
}
Also used: AccessController (io.cdap.cdap.security.spi.authorization.AccessController), NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController), Authorizer (io.cdap.cdap.security.spi.authorization.Authorizer), AuthorizationContext (io.cdap.cdap.security.spi.authorization.AuthorizationContext), IOException (java.io.IOException)

Example 4 with AccessController

Use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.

From class AccessControllerInstantiatorTest, method testAccessControllerExtensionExtraClasspath:

@Test
public void testAccessControllerExtensionExtraClasspath() throws IOException, ClassNotFoundException {
    Location externalAuthJar = createValidAuthExtensionJar();
    CConfiguration cConfCopy = CConfiguration.copy(CCONF);
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, externalAuthJar.toString());
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "config.path", "/path/config.ini");
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "service.address", "http://foo.bar.co:5555");
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "cache.ttl.secs", "500");
    cConfCopy.set(Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "cache.max.entries", "50000");
    cConfCopy.set("foo." + Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "dont.include", "not.prefix.should.not.be.included");
    try (AccessControllerInstantiator instantiator = new AccessControllerInstantiator(cConfCopy, AUTH_CONTEXT_FACTORY)) {
        // should be able to load the ExternalAccessController class via the AccessControllerInstantiatorService
        AccessController externalAccessController1 = instantiator.get();
        Assert.assertNotNull(externalAccessController1);
        AccessController externalAccessController2 = instantiator.get();
        Assert.assertNotNull(externalAccessController2);
        // verify that get returns the same instance each time it is called.
        Assert.assertEquals(externalAccessController1, externalAccessController2);
        ClassLoader accessControllerClassLoader = externalAccessController1.getClass().getClassLoader();
        ClassLoader parent = accessControllerClassLoader.getParent();
        // should be able to load the AccessController interface via the parent
        parent.loadClass(AccessController.class.getName());
        // should not be able to load the ExternalAccessController class via the parent class loader
        try {
            parent.loadClass(ValidExternalAccessController.class.getName());
            Assert.fail("Should not be able to load external accessController classes via the parent classloader of the " + "AccessController class loader.");
        } catch (ClassNotFoundException expected) {
        // expected
        }
        // should be able to load the ExternalAccessController class via the AccessControllerClassLoader
        accessControllerClassLoader.loadClass(ValidExternalAccessController.class.getName());
        // have to do this because the external accessController instance is created in a new classloader, so casting will
        // not work.
        Gson gson = new Gson();
        ValidExternalAccessController validAccessController = gson.fromJson(gson.toJson(externalAccessController1), ValidExternalAccessController.class);
        Properties expectedProps = new Properties();
        expectedProps.put("config.path", "/path/config.ini");
        expectedProps.put("service.address", "http://foo.bar.co:5555");
        expectedProps.put("cache.ttl.secs", "500");
        expectedProps.put("cache.max.entries", "50000");
        Properties actualProps = validAccessController.getProperties();
        Assert.assertEquals(expectedProps, actualProps);
    }
}
Also used: AccessController (io.cdap.cdap.security.spi.authorization.AccessController), NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController), Gson (com.google.gson.Gson), Properties (java.util.Properties), CConfiguration (io.cdap.cdap.common.conf.CConfiguration), Location (org.apache.twill.filesystem.Location), Test (org.junit.Test)
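The loader in Example 3 and the checks in Example 4 rest on one pattern: the extension is instantiated in a child class loader whose parent can see the SPI interface but not the extension's own classes, the thread context class loader is swapped for the duration of instantiation and restored in a finally block whether or not it succeeds, and only configuration keys that begin with the extension prefix reach the extension, with the prefix stripped. The class below is added here as a standalone illustration of that pattern and is not CDAP code: `Extension` stands in for `AccessController`, the value of `EXTENSION_CONFIG_PREFIX` is assumed rather than the real `Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX`, and `IsolatedExtensionLoader`, `load` and `assertIsolated` are hypothetical names.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.Properties;

/**
 * Illustrative loader (not CDAP code) mirroring AccessControllerInstantiator.createAccessController
 * and the isolation and property checks in AccessControllerInstantiatorTest.
 */
public final class IsolatedExtensionLoader {

  /** Stand-in for the real SPI; an extension jar must be compiled against this type. */
  public interface Extension {
    void initialize(Properties props);
    void destroy();
  }

  /** Assumed prefix for this illustration; not the real CDAP constant. */
  static final String EXTENSION_CONFIG_PREFIX = "security.authorization.extension.config.";

  /**
   * Keep only keys that START with the prefix and strip it. A key such as "foo." + prefix + "x"
   * is rejected, which is the "dont.include" case asserted in Example 4.
   */
  static Properties extensionProperties(Map<String, String> conf) {
    Properties props = new Properties();
    for (Map.Entry<String, String> e : conf.entrySet()) {
      String key = e.getKey();
      if (key.startsWith(EXTENSION_CONFIG_PREFIX) && key.length() > EXTENSION_CONFIG_PREFIX.length()) {
        props.setProperty(key.substring(EXTENSION_CONFIG_PREFIX.length()), e.getValue());
      }
    }
    return props;
  }

  /**
   * Instantiate and initialize the extension from its own jar in a child class loader whose parent
   * is the loader that defined the SPI: the SPI type is shared (so instanceof works) while the
   * extension's classes stay invisible to the parent. The context class loader is always restored.
   */
  static Extension load(File extensionJar, String className, Map<String, String> conf) throws Exception {
    ClassLoader parent = Extension.class.getClassLoader();
    URLClassLoader extLoader = new URLClassLoader(new URL[] {extensionJar.toURI().toURL()}, parent);

    Thread thread = Thread.currentThread();
    ClassLoader old = thread.getContextClassLoader();
    thread.setContextClassLoader(extLoader);
    try {
      Class<?> cls = extLoader.loadClass(className);
      Object instance;
      try {
        instance = cls.getDeclaredConstructor().newInstance(); // public no-arg constructor required
      } catch (ReflectiveOperationException e) {
        extLoader.close();
        throw new IllegalStateException("Extension " + className + " needs a public default constructor", e);
      }
      if (!(instance instanceof Extension)) {
        extLoader.close();
        throw new IllegalStateException(className + " does not implement " + Extension.class.getName());
      }
      Extension ext = (Extension) instance;
      try {
        ext.initialize(extensionProperties(conf));
      } catch (Exception e) {
        extLoader.close();
        throw new IllegalStateException("Extension " + className + " failed to initialize", e);
      }
      return ext;
    } finally {
      thread.setContextClassLoader(old); // restored on success and on failure
    }
  }

  /** The three visibility checks from Example 4: SPI via the parent, extension only via the child. */
  static void assertIsolated(Extension ext, String className) throws ClassNotFoundException {
    ClassLoader extLoader = ext.getClass().getClassLoader();
    ClassLoader parent = extLoader.getParent();
    parent.loadClass(Extension.class.getName()); // shared SPI type is visible to the parent
    try {
      parent.loadClass(className);
      throw new AssertionError("extension class leaked into the parent class loader");
    } catch (ClassNotFoundException expected) {
      // isolation holds
    }
    extLoader.loadClass(className); // the child can load it
  }
}
```

On success the child loader is deliberately left open because the extension's classes are still in use; teardown follows Example 2, calling `destroy()` and only then closing the loader. If the extension class is also present on the parent's classpath, `parent.loadClass(className)` succeeds and `assertIsolated` fails, which is exactly the misconfiguration the test in Example 4 guards against.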

Example 5 with AccessController

Use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.

From class AuthorizationTest, method grantAndAssertSuccess:

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    AccessController accessController = getAccessController();
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used: InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController), AccessController (io.cdap.cdap.security.spi.authorization.AccessController), ImmutableSet (com.google.common.collect.ImmutableSet), GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission), ApplicationPermission (io.cdap.cdap.proto.security.ApplicationPermission), AccessPermission (io.cdap.cdap.proto.security.AccessPermission), Permission (io.cdap.cdap.proto.security.Permission), StandardPermission (io.cdap.cdap.proto.security.StandardPermission)

Aggregations

AccessController (io.cdap.cdap.security.spi.authorization.AccessController): 25
NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController): 15
Test (org.junit.Test): 12
InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController): 9
CConfiguration (io.cdap.cdap.common.conf.CConfiguration): 6
Principal (io.cdap.cdap.proto.security.Principal): 6
Credential (io.cdap.cdap.proto.security.Credential): 5
GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission): 5
DatasetId (io.cdap.cdap.proto.id.DatasetId): 4
StandardPermission (io.cdap.cdap.proto.security.StandardPermission): 4
ImmutableSet (com.google.common.collect.ImmutableSet): 3
SConfiguration (io.cdap.cdap.common.conf.SConfiguration): 3
EntityId (io.cdap.cdap.proto.id.EntityId): 3
NamespaceId (io.cdap.cdap.proto.id.NamespaceId): 3
TinkCipher (io.cdap.cdap.security.auth.TinkCipher): 3
File (java.io.File): 3
IOException (java.io.IOException): 3
AuthorizationClient (io.cdap.cdap.client.AuthorizationClient): 2
CommonNettyHttpServiceBuilder (io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder): 2
UnauthorizedException (io.cdap.cdap.security.spi.authorization.UnauthorizedException): 2