use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class AccessControllerInstantiatorTest method assertDisabled.
/**
 * Asserts that, with the given feature switched off in {@code cConf}, the instantiator hands back a
 * {@link NoOpAccessController} rather than a real access-control extension.
 *
 * @param cConf configuration in which the feature is disabled
 * @param feature the disabled feature; only used to build the failure message
 * @throws IOException if closing the instantiator fails
 */
private void assertDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature) throws IOException {
  try (AccessControllerInstantiator instantiator = new AccessControllerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    AccessController controller = instantiator.get();
    String failureMessage = String.format("When %s is disabled, a %s must be returned, but got %s.",
                                          feature.name().toLowerCase(),
                                          NoOpAccessController.class.getSimpleName(),
                                          controller.getClass().getName());
    Assert.assertTrue(failureMessage, controller instanceof NoOpAccessController);
  }
}
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class DefaultAccessEnforcerTest method verifyDisabled.
/**
 * Checks the enforcer built from a configuration with authorization disabled: every enforce call
 * passes, every entity is visible, and no authorization metrics are recorded.
 *
 * @param cConf configuration with authorization disabled
 * @throws IOException if the controller wrapper cannot be created
 * @throws AccessException if an enforce call unexpectedly denies access
 */
private void verifyDisabled(CConfiguration cConf) throws IOException, AccessException {
  ControllerWrapper wrapper = createControllerWrapper(cConf, SCONF, null);
  AccessController controller = wrapper.accessController;
  DefaultAccessEnforcer enforcer = wrapper.defaultAccessEnforcer;
  DatasetId dataset = NS.dataset("ds");
  // With authorization disabled, none of these checks may throw, regardless of what was granted.
  controller.grant(Authorizable.fromEntityId(dataset), BOB, ImmutableSet.of(StandardPermission.UPDATE));
  enforcer.enforce(NS, ALICE, StandardPermission.UPDATE);
  enforcer.enforce(dataset, BOB, StandardPermission.UPDATE);
  enforcer.enforce(NS, BOB, StandardPermission.GET);
  enforcer.enforce(dataset, BOB, StandardPermission.GET);
  // Both entities are visible to BOB when nothing is enforced.
  Assert.assertEquals(2, enforcer.isVisible(ImmutableSet.<EntityId>of(NS, dataset), BOB).size());
  // Disabled authorization must not emit any check metrics.
  verify(wrapper.mockMetricsContext, times(0)).increment(any(String.class), any(Long.class));
  verify(wrapper.mockMetricsContext, times(0)).gauge(any(String.class), any(Long.class));
}
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class DefaultAccessEnforcerTest method testAuthEnforce.
/**
 * Exercises grant, enforce, enforceOnParent and revoke against the default enforcer and checks
 * that exactly one success/failure counter increment and one latency gauge is recorded per check.
 *
 * @throws IOException if the controller wrapper cannot be created
 * @throws AccessException if an enforce call that is expected to pass denies access
 */
@Test
public void testAuthEnforce() throws IOException, AccessException {
  ControllerWrapper wrapper = createControllerWrapper(CCONF, SCONF, null);
  AccessController controller = wrapper.accessController;
  DefaultAccessEnforcer enforcer = wrapper.defaultAccessEnforcer;
  // Nothing has been granted to alice yet, so UPDATE on the namespace must be denied.
  assertAuthorizationFailure(enforcer, NS, ALICE, StandardPermission.UPDATE);
  // Grants: alice gets GET+UPDATE on the namespace and LIST on datasets under it; bob gets UPDATE on the dataset.
  DatasetId dataset = NS.dataset("ds");
  controller.grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));
  controller.grant(Authorizable.fromEntityId(dataset), BOB, ImmutableSet.of(StandardPermission.UPDATE));
  controller.grant(Authorizable.fromEntityId(NS, EntityType.DATASET), ALICE, ImmutableSet.of(StandardPermission.LIST));
  // alice: GET and UPDATE on the namespace, and LIST of datasets in it, now pass.
  enforcer.enforce(NS, ALICE, ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));
  enforcer.enforceOnParent(EntityType.DATASET, NS, ALICE, StandardPermission.LIST);
  // Requesting every StandardPermission at once still fails: alice only holds GET and UPDATE.
  assertAuthorizationFailure(enforcer, NS, ALICE, EnumSet.allOf(StandardPermission.class));
  // Namespace privileges do not carry down to the dataset: GET and UPDATE on it, and CREATE under NS, are denied.
  assertAuthorizationFailure(enforcer, dataset, ALICE, StandardPermission.GET);
  assertAuthorizationFailure(enforcer, dataset, ALICE, StandardPermission.UPDATE);
  assertAuthorizationFailure(enforcer, EntityType.DATASET, NS, ALICE, StandardPermission.CREATE);
  // DELETE on the namespace was never granted to alice.
  assertAuthorizationFailure(enforcer, NS, ALICE, StandardPermission.DELETE);
  // bob holds UPDATE on the dataset, so this passes.
  enforcer.enforce(dataset, BOB, StandardPermission.UPDATE);
  // Revoke only GET from alice first, then everything on the namespace.
  controller.revoke(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(StandardPermission.GET));
  assertAuthorizationFailure(enforcer, NS, ALICE, StandardPermission.GET);
  controller.revoke(Authorizable.fromEntityId(NS));
  assertAuthorizationFailure(enforcer, NS, ALICE, StandardPermission.GET);
  assertAuthorizationFailure(enforcer, NS, ALICE, StandardPermission.UPDATE);
  // Revoking on the namespace leaves bob's dataset-level grant untouched.
  enforcer.enforce(dataset, BOB, StandardPermission.UPDATE);
  // 4 checks above passed and 9 failed; every one of the 13 checks records a latency gauge.
  verify(wrapper.mockMetricsContext, times(4)).increment(Constants.Metrics.Authorization.EXTENSION_CHECK_SUCCESS_COUNT, 1);
  verify(wrapper.mockMetricsContext, times(9)).increment(Constants.Metrics.Authorization.EXTENSION_CHECK_FAILURE_COUNT, 1);
  verify(wrapper.mockMetricsContext, times(13)).gauge(eq(Constants.Metrics.Authorization.EXTENSION_CHECK_MILLIS), any(Long.class));
}
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class DefaultAccessEnforcerTest method testInternalAuthEnforce.
/**
 * Checks that, with internal auth enabled, a principal carrying an INTERNAL credential is routed
 * to the internal (no-op) access controller instead of the real one, and that the internal
 * success counter is incremented once per check.
 *
 * @throws IOException if the controller wrapper cannot be created
 * @throws AccessException if an internal-credential check unexpectedly denies access
 */
@Test
public void testInternalAuthEnforce() throws IOException, AccessException {
  Credential internalCredential = new Credential("credential", Credential.CredentialType.INTERNAL);
  Principal internalUser = new Principal("system", Principal.PrincipalType.USER, null, internalCredential);
  CConfiguration internalAuthConf = CConfiguration.copy(CCONF);
  internalAuthConf.setBoolean(Constants.Security.INTERNAL_AUTH_ENABLED, true);
  ControllerWrapper wrapper = createControllerWrapper(internalAuthConf, SCONF, new NoOpAccessController());
  AccessController controller = wrapper.accessController;
  DefaultAccessEnforcer enforcer = wrapper.defaultAccessEnforcer;
  // The real access controller holds no grants for this principal, so it denies both checks.
  assertAuthorizationFailure(controller, NS, internalUser, StandardPermission.GET);
  assertAuthorizationFailure(controller, NS, internalUser, StandardPermission.UPDATE);
  // The enforcer must pick the no-op controller for INTERNAL credentials, so these pass.
  enforcer.enforce(NS, internalUser, StandardPermission.GET);
  enforcer.enforce(NS, internalUser, StandardPermission.UPDATE);
  // One internal success increment per enforce call above.
  verify(wrapper.mockMetricsContext, times(2)).increment(Constants.Metrics.Authorization.INTERNAL_CHECK_SUCCESS_COUNT, 1);
}
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class DefaultAccessEnforcerTest method testAuthEnforceWithBadEncryptedCredential.
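/**
 * Verifies that enforcing with a principal whose encrypted credential cannot be decrypted fails
 * with a decryption error, and that no authorization metrics are recorded for that failed call.
 *
 * <p>The failure is caught locally instead of through the {@code thrown} rule: with the rule,
 * the metrics verification at the end sat after the throwing call and was never executed.
 *
 * @throws IOException if the controller wrapper cannot be created
 * @throws AccessException if the grant unexpectedly fails
 * @throws CipherException if the cipher cannot be constructed
 * @throws GeneralSecurityException if credential encryption cannot be enabled
 */
@Test
public void testAuthEnforceWithBadEncryptedCredential() throws IOException, AccessException, CipherException, GeneralSecurityException {
  SConfiguration sConfCopy = enableCredentialEncryption();
  // Kept from the original test even though it is not referenced afterwards: NOTE(review) the
  // constructor may initialize cipher state the enforcer relies on -- confirm before removing.
  TinkCipher cipher = new TinkCipher(sConfCopy);
  // Base64 of plain text, not a real ciphertext: decryption must fail. UTF-8 is fixed explicitly so
  // the bytes do not depend on the platform default charset.
  String badCipherCred = Base64.getEncoder().encodeToString(
      "invalid encrypted credential".getBytes(java.nio.charset.StandardCharsets.UTF_8));
  Principal userWithCredEncrypted = new Principal("userFoo", Principal.PrincipalType.USER, null,
      new Credential(badCipherCred, Credential.CredentialType.EXTERNAL_ENCRYPTED));
  ControllerWrapper controllerWrapper = createControllerWrapper(CCONF, sConfCopy, null);
  AccessController accessController = controllerWrapper.accessController;
  DefaultAccessEnforcer accessEnforcer = controllerWrapper.defaultAccessEnforcer;
  // The grant itself does not touch the credential; the permission set is GET only (the original
  // listed GET twice).
  accessController.grant(Authorizable.fromEntityId(NS), userWithCredEncrypted, ImmutableSet.of(StandardPermission.GET));
  try {
    accessEnforcer.enforce(NS, userWithCredEncrypted, StandardPermission.GET);
    Assert.fail("enforce() must fail when the principal's encrypted credential cannot be decrypted");
  } catch (Exception e) {
    // Substring match, as the ExpectedException rule did; the spelling must stay as the
    // production error message emits it.
    Assert.assertTrue("Unexpected failure: " + e,
                      e.getMessage() != null && e.getMessage().contains("Failed to decrypt credential in principle:"));
  }
  // A check that fails before reaching the extension must not record any metrics.
  verify(controllerWrapper.mockMetricsContext, times(0)).increment(any(String.class), any(Long.class));
  verify(controllerWrapper.mockMetricsContext, times(0)).gauge(any(String.class), any(Long.class));
}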