Examples with AccessEnforcer io.cdap.cdap.security.spi.authorization.AccessEnforcer used on opensource projects

Example 1 with AccessEnforcer

use of io.cdap.cdap.security.spi.authorization.AccessEnforcer in project cdap by caskdata.

the class DatasetServiceTestBase method initializeAndStartService.

protected static void initializeAndStartService(CConfiguration cConf) throws Exception {
    // TODO: this whole method is a mess. Streamline it!
    injector = Guice.createInjector(new ConfigModule(cConf), RemoteAuthenticatorModules.getNoOpModule(), new InMemoryDiscoveryModule(), new NonCustomLocationUnitTestModule(), new NamespaceAdminTestModule(), new SystemDatasetRuntimeModule().getInMemoryModules(), new TransactionInMemoryModule(), new AuthorizationTestModule(), new StorageModule(), new AuthorizationEnforcementModule().getInMemoryModules(), new AuthenticationContextModules().getMasterModule(), new AbstractModule() {

        @Override
        protected void configure() {
            bind(MetricsCollectionService.class).to(NoOpMetricsCollectionService.class).in(Singleton.class);
            bind(DatasetDefinitionRegistryFactory.class).to(DefaultDatasetDefinitionRegistryFactory.class).in(Scopes.SINGLETON);
            // through the injector, we only need RemoteDatasetFramework in these tests
            bind(RemoteDatasetFramework.class);
            bind(OwnerStore.class).to(InMemoryOwnerStore.class);
            bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
        }
    });
    AccessEnforcer authEnforcer = injector.getInstance(AccessEnforcer.class);
    AuthenticationContext authenticationContext = injector.getInstance(AuthenticationContext.class);
    transactionRunner = injector.getInstance(TransactionRunner.class);
    DiscoveryService discoveryService = injector.getInstance(DiscoveryService.class);
    discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
    dsFramework = injector.getInstance(RemoteDatasetFramework.class);
    // Tx Manager to support working with datasets
    txManager = injector.getInstance(TransactionManager.class);
    txManager.startAndWait();
    StructuredTableAdmin structuredTableAdmin = injector.getInstance(StructuredTableAdmin.class);
    StoreDefinition.createAllTables(structuredTableAdmin);
    TransactionSystemClient txSystemClient = injector.getInstance(TransactionSystemClient.class);
    TransactionSystemClientService txSystemClientService = new DelegatingTransactionSystemClientService(txSystemClient);
    NamespacePathLocator namespacePathLocator = injector.getInstance(NamespacePathLocator.class);
    SystemDatasetInstantiatorFactory datasetInstantiatorFactory = new SystemDatasetInstantiatorFactory(locationFactory, dsFramework, cConf);
    // ok to pass null, since the impersonator won't actually be called, if kerberos security is not enabled
    Impersonator impersonator = new DefaultImpersonator(cConf, null);
    DatasetAdminService datasetAdminService = new DatasetAdminService(dsFramework, cConf, locationFactory, datasetInstantiatorFactory, impersonator);
    ImmutableSet<HttpHandler> handlers = ImmutableSet.<HttpHandler>of(new DatasetAdminOpHTTPHandler(datasetAdminService));
    MetricsCollectionService metricsCollectionService = injector.getInstance(MetricsCollectionService.class);
    opExecutorService = new DatasetOpExecutorService(cConf, SConfiguration.create(), discoveryService, metricsCollectionService, handlers);
    opExecutorService.startAndWait();
    Map<String, DatasetModule> defaultModules = injector.getInstance(Key.get(new TypeLiteral<Map<String, DatasetModule>>() {
    }, Constants.Dataset.Manager.DefaultDatasetModules.class));
    ImmutableMap<String, DatasetModule> modules = ImmutableMap.<String, DatasetModule>builder().putAll(defaultModules).build();
    registryFactory = injector.getInstance(DatasetDefinitionRegistryFactory.class);
    inMemoryDatasetFramework = new InMemoryDatasetFramework(registryFactory, modules);
    DiscoveryExploreClient exploreClient = new DiscoveryExploreClient(discoveryServiceClient, authenticationContext);
    ExploreFacade exploreFacade = new ExploreFacade(exploreClient, cConf);
    namespaceAdmin = injector.getInstance(NamespaceAdmin.class);
    namespaceAdmin.create(NamespaceMeta.DEFAULT);
    ownerAdmin = injector.getInstance(OwnerAdmin.class);
    NamespaceQueryAdmin namespaceQueryAdmin = injector.getInstance(NamespaceQueryAdmin.class);
    DatasetTypeManager typeManager = new DatasetTypeManager(cConf, locationFactory, impersonator, transactionRunner);
    DatasetOpExecutor opExecutor = new InMemoryDatasetOpExecutor(dsFramework);
    DatasetInstanceManager instanceManager = new DatasetInstanceManager(transactionRunner);
    DatasetTypeService noAuthTypeService = new DefaultDatasetTypeService(typeManager, namespaceAdmin, namespacePathLocator, cConf, impersonator, txSystemClientService, transactionRunner, defaultModules);
    DatasetTypeService typeService = new AuthorizationDatasetTypeService(noAuthTypeService, authEnforcer, authenticationContext);
    instanceService = new DatasetInstanceService(typeService, noAuthTypeService, instanceManager, opExecutor, exploreFacade, namespaceQueryAdmin, ownerAdmin, authEnforcer, authenticationContext, new NoOpMetadataServiceClient());
    service = new DatasetService(cConf, SConfiguration.create(), discoveryService, discoveryServiceClient, metricsCollectionService, new HashSet<>(), typeService, instanceService);
    // Start dataset service, wait for it to be discoverable
    service.startAndWait();
    waitForService(Constants.Service.DATASET_EXECUTOR);
    waitForService(Constants.Service.DATASET_MANAGER);
    // this usually happens while creating a namespace, however not doing that in data fabric tests
    Locations.mkdirsIfNotExists(namespacePathLocator.get(NamespaceId.DEFAULT));
}

Example 2 with AccessEnforcer

use of io.cdap.cdap.security.spi.authorization.AccessEnforcer in project cdap by caskdata.

the class PreviewRunnerModule method configure.

@Override
protected void configure() {
    Boolean artifactLocalizerEnabled = cConf.getBoolean(Constants.Preview.ARTIFACT_LOCALIZER_ENABLED, false);
    if (artifactLocalizerEnabled) {
        // Use remote implementation to fetch artifact metadata from AppFab.
        // Remote implementation internally uses artifact localizer to fetch and cache artifacts locally.
        bind(ArtifactRepositoryReader.class).to(RemoteArtifactRepositoryReaderWithLocalization.class);
        bind(ArtifactRepository.class).to(RemoteArtifactRepositoryWithLocalization.class);
        expose(ArtifactRepository.class);
        bind(ArtifactRepository.class).annotatedWith(Names.named(AppFabricServiceRuntimeModule.NOAUTH_ARTIFACT_REPO)).to(RemoteArtifactRepositoryWithLocalization.class).in(Scopes.SINGLETON);
        expose(ArtifactRepository.class).annotatedWith(Names.named(AppFabricServiceRuntimeModule.NOAUTH_ARTIFACT_REPO));
        // Use remote implementation to fetch plugin metadata from AppFab.
        // Remote implementation internally uses artifact localizer to fetch and cache artifacts locally.
        bind(PluginFinder.class).to(RemoteWorkerPluginFinder.class);
        expose(PluginFinder.class);
        // Use remote implementation to fetch preferences from AppFab.
        bind(PreferencesFetcher.class).to(RemotePreferencesFetcherInternal.class);
        expose(PreferencesFetcher.class);
    } else {
        bind(ArtifactRepositoryReader.class).toProvider(artifactRepositoryReaderProvider);
        bind(ArtifactRepository.class).to(DefaultArtifactRepository.class);
        expose(ArtifactRepository.class);
        bind(ArtifactRepository.class).annotatedWith(Names.named(AppFabricServiceRuntimeModule.NOAUTH_ARTIFACT_REPO)).to(DefaultArtifactRepository.class).in(Scopes.SINGLETON);
        expose(ArtifactRepository.class).annotatedWith(Names.named(AppFabricServiceRuntimeModule.NOAUTH_ARTIFACT_REPO));
        bind(PluginFinder.class).toProvider(pluginFinderProvider);
        expose(PluginFinder.class);
        bind(PreferencesFetcher.class).toProvider(preferencesFetcherProvider);
        expose(PreferencesFetcher.class);
    }
    bind(ArtifactStore.class).toInstance(artifactStore);
    expose(ArtifactStore.class);
    bind(MessagingService.class).annotatedWith(Names.named(PreviewConfigModule.GLOBAL_TMS)).toInstance(messagingService);
    expose(MessagingService.class).annotatedWith(Names.named(PreviewConfigModule.GLOBAL_TMS));
    bind(AccessEnforcer.class).toInstance(accessEnforcer);
    expose(AccessEnforcer.class);
    bind(ContextAccessEnforcer.class).toInstance(contextAccessEnforcer);
    expose(ContextAccessEnforcer.class);
    bind(AccessControllerInstantiator.class).toInstance(accessControllerInstantiator);
    expose(AccessControllerInstantiator.class);
    bind(PermissionManager.class).toInstance(permissionManager);
    expose(PermissionManager.class);
    bind(PreferencesService.class).toInstance(preferencesService);
    // bind explore client to mock.
    bind(ExploreClient.class).to(MockExploreClient.class);
    expose(ExploreClient.class);
    bind(ProgramRuntimeProviderLoader.class).toInstance(programRuntimeProviderLoader);
    expose(ProgramRuntimeProviderLoader.class);
    bind(StorageProviderNamespaceAdmin.class).to(LocalStorageProviderNamespaceAdmin.class);
    bind(PipelineFactory.class).to(SynchronousPipelineFactory.class);
    install(new FactoryModuleBuilder().implement(Configurator.class, InMemoryConfigurator.class).build(ConfiguratorFactory.class));
    // expose this binding so program runner modules can use
    expose(ConfiguratorFactory.class);
    install(new FactoryModuleBuilder().implement(new TypeLiteral<Manager<AppDeploymentInfo, ApplicationWithPrograms>>() {
    }, new TypeLiteral<PreviewApplicationManager<AppDeploymentInfo, ApplicationWithPrograms>>() {
    }).build(new TypeLiteral<ManagerFactory<AppDeploymentInfo, ApplicationWithPrograms>>() {
    }));
    bind(Store.class).to(DefaultStore.class);
    bind(SecretStore.class).to(DefaultSecretStore.class).in(Scopes.SINGLETON);
    bind(UGIProvider.class).to(DefaultUGIProvider.class);
    expose(UGIProvider.class);
    bind(WorkflowStateWriter.class).to(BasicWorkflowStateWriter.class);
    expose(WorkflowStateWriter.class);
    // we don't delete namespaces in preview as we just delete preview directory when its done
    bind(NamespaceResourceDeleter.class).to(NoopNamespaceResourceDeleter.class).in(Scopes.SINGLETON);
    bind(NamespaceAdmin.class).to(DefaultNamespaceAdmin.class).in(Scopes.SINGLETON);
    bind(NamespaceQueryAdmin.class).to(DefaultNamespaceAdmin.class).in(Scopes.SINGLETON);
    expose(NamespaceAdmin.class);
    expose(NamespaceQueryAdmin.class);
    bind(MetadataAdmin.class).to(DefaultMetadataAdmin.class);
    expose(MetadataAdmin.class);
    bindPreviewRunner(binder());
    expose(PreviewRunner.class);
    bind(Scheduler.class).to(NoOpScheduler.class);
    bind(DataTracerFactory.class).to(DefaultDataTracerFactory.class);
    expose(DataTracerFactory.class);
    bind(PreviewDataPublisher.class).to(MessagingPreviewDataPublisher.class);
    bind(OwnerStore.class).to(DefaultOwnerStore.class);
    expose(OwnerStore.class);
    bind(OwnerAdmin.class).to(DefaultOwnerAdmin.class);
    expose(OwnerAdmin.class);
    bind(CapabilityReader.class).to(CapabilityStatusStore.class);
}

Example 3 with AccessEnforcer

use of io.cdap.cdap.security.spi.authorization.AccessEnforcer in project cdap by caskdata.

the class LineageWriterDatasetFramework method getDataset.

@Nullable
@Override
public <T extends Dataset> T getDataset(final DatasetId datasetInstanceId, final Map<String, String> arguments, @Nullable final ClassLoader classLoader, final DatasetClassLoaderProvider classLoaderProvider, @Nullable final Iterable<? extends EntityId> owners, final AccessType accessType) throws DatasetManagementException, IOException {
    Principal principal = authenticationContext.getPrincipal();
    try {
        // For system, skip authorization and lineage (user program shouldn't allow to access system dataset CDAP-6649)
        // For non-system dataset, always perform authorization and lineage.
        AccessEnforcer enforcer;
        DefaultDatasetRuntimeContext.DatasetAccessRecorder accessRecorder;
        if (!DatasetsUtil.isUserDataset(datasetInstanceId)) {
            enforcer = SYSTEM_NAMESPACE_ENFORCER;
            accessRecorder = SYSTEM_NAMESPACE_ACCESS_RECORDER;
        } else {
            enforcer = accessEnforcer;
            accessRecorder = new BasicDatasetAccessRecorder(datasetInstanceId, accessType, owners);
        }
        return DefaultDatasetRuntimeContext.execute(enforcer, accessRecorder, principal, datasetInstanceId, getConstructorDefaultAnnotation(accessType), () -> LineageWriterDatasetFramework.super.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType));
    } catch (IOException | DatasetManagementException | ServiceUnavailableException e) {
        throw e;
    } catch (Exception e) {
        throw new DatasetManagementException("Failed to create dataset instance: " + datasetInstanceId, e);
    }
}

Example 4 with AccessEnforcer

use of io.cdap.cdap.security.spi.authorization.AccessEnforcer in project cdap by caskdata.

the class PreviewDatasetFramework method getDataset.

@Nullable
@Override
public <T extends Dataset> T getDataset(final DatasetId datasetInstanceId, final Map<String, String> arguments, @Nullable final ClassLoader classLoader, final DatasetClassLoaderProvider classLoaderProvider, @Nullable final Iterable<? extends EntityId> owners, final AccessType accessType) throws DatasetManagementException, IOException {
    Principal principal = authenticationContext.getPrincipal();
    try {
        AccessEnforcer enforcer;
        final boolean isUserDataset = DatasetsUtil.isUserDataset(datasetInstanceId);
        // only for the datasets from the real space enforce the authorization.
        if (isUserDataset && actualDatasetFramework.hasInstance(datasetInstanceId)) {
            enforcer = accessEnforcer;
        } else {
            enforcer = NOOP_ENFORCER;
        }
        return DefaultDatasetRuntimeContext.execute(enforcer, NOOP_DATASET_ACCESS_RECORDER, principal, datasetInstanceId, null, () -> {
            if (isUserDataset && actualDatasetFramework.hasInstance(datasetInstanceId)) {
                return actualDatasetFramework.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType);
            }
            return delegate.getDataset(datasetInstanceId, arguments, classLoader, classLoaderProvider, owners, accessType);
        });
    } catch (IOException | DatasetManagementException e) {
        throw e;
    } catch (Exception e) {
        throw new DatasetManagementException("Failed to create dataset instance: " + datasetInstanceId, e);
    }
}

Example 5 with AccessEnforcer

use of io.cdap.cdap.security.spi.authorization.AccessEnforcer in project cdap by caskdata.

the class RemoteDatasetFrameworkTest method before.

@Before
public void before() throws Exception {
    cConf.set(Constants.Service.MASTER_SERVICES_BIND_ADDRESS, "localhost");
    cConf.setBoolean(Constants.Dangerous.UNRECOVERABLE_RESET, true);
    Configuration txConf = HBaseConfiguration.create();
    CConfigurationUtil.copyTxProperties(cConf, txConf);
    // ok to pass null, since the impersonator won't actually be called, if kerberos security is not enabled
    Impersonator impersonator = new DefaultImpersonator(cConf, null);
    // TODO: Refactor to use injector for everything
    Injector injector = Guice.createInjector(new ConfigModule(cConf, txConf), RemoteAuthenticatorModules.getNoOpModule(), new InMemoryDiscoveryModule(), new AuthorizationTestModule(), new StorageModule(), new SystemDatasetRuntimeModule().getInMemoryModules(), new AuthorizationEnforcementModule().getInMemoryModules(), new AuthenticationContextModules().getMasterModule(), new TransactionInMemoryModule(), new AbstractModule() {

        @Override
        protected void configure() {
            bind(MetricsCollectionService.class).to(NoOpMetricsCollectionService.class).in(Singleton.class);
            bind(DatasetDefinitionRegistryFactory.class).to(DefaultDatasetDefinitionRegistryFactory.class).in(Scopes.SINGLETON);
            // through the injector, we only need RemoteDatasetFramework in these tests
            bind(RemoteDatasetFramework.class);
        }
    });
    // Tx Manager to support working with datasets
    txManager = injector.getInstance(TransactionManager.class);
    txManager.startAndWait();
    TransactionRunner transactionRunner = injector.getInstance(TransactionRunner.class);
    StructuredTableAdmin structuredTableAdmin = injector.getInstance(StructuredTableAdmin.class);
    StoreDefinition.createAllTables(structuredTableAdmin);
    InMemoryTxSystemClient txSystemClient = new InMemoryTxSystemClient(txManager);
    TransactionSystemClientService txSystemClientService = new DelegatingTransactionSystemClientService(txSystemClient);
    DiscoveryService discoveryService = injector.getInstance(DiscoveryService.class);
    DiscoveryServiceClient discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
    MetricsCollectionService metricsCollectionService = injector.getInstance(MetricsCollectionService.class);
    AuthenticationContext authenticationContext = injector.getInstance(AuthenticationContext.class);
    RemoteClientFactory remoteClientFactory = injector.getInstance(RemoteClientFactory.class);
    framework = createFramework(authenticationContext, remoteClientFactory);
    SystemDatasetInstantiatorFactory datasetInstantiatorFactory = new SystemDatasetInstantiatorFactory(locationFactory, framework, cConf);
    DatasetAdminService datasetAdminService = new DatasetAdminService(framework, cConf, locationFactory, datasetInstantiatorFactory, impersonator);
    ImmutableSet<HttpHandler> handlers = ImmutableSet.of(new DatasetAdminOpHTTPHandler(datasetAdminService));
    opExecutorService = new DatasetOpExecutorService(cConf, SConfiguration.create(), discoveryService, metricsCollectionService, handlers);
    opExecutorService.startAndWait();
    DiscoveryExploreClient exploreClient = new DiscoveryExploreClient(discoveryServiceClient, authenticationContext);
    ExploreFacade exploreFacade = new ExploreFacade(exploreClient, cConf);
    AccessEnforcer accessEnforcer = injector.getInstance(AccessEnforcer.class);
    DatasetTypeManager typeManager = new DatasetTypeManager(cConf, locationFactory, impersonator, transactionRunner);
    DatasetInstanceManager instanceManager = new DatasetInstanceManager(transactionRunner);
    DatasetTypeService noAuthTypeService = new DefaultDatasetTypeService(typeManager, namespaceQueryAdmin, namespacePathLocator, cConf, impersonator, txSystemClientService, transactionRunner, DEFAULT_MODULES);
    DatasetTypeService typeService = new AuthorizationDatasetTypeService(noAuthTypeService, accessEnforcer, authenticationContext);
    DatasetOpExecutor opExecutor = new RemoteDatasetOpExecutor(authenticationContext, remoteClientFactory);
    DatasetInstanceService instanceService = new DatasetInstanceService(typeService, noAuthTypeService, instanceManager, opExecutor, exploreFacade, namespaceQueryAdmin, ownerAdmin, accessEnforcer, authenticationContext, new NoOpMetadataServiceClient());
    instanceService.setAuditPublisher(inMemoryAuditPublisher);
    service = new DatasetService(cConf, SConfiguration.create(), discoveryService, discoveryServiceClient, metricsCollectionService, new HashSet<>(), typeService, instanceService);
    // Start dataset service, wait for it to be discoverable
    service.startAndWait();
    EndpointStrategy endpointStrategy = new RandomEndpointStrategy(() -> discoveryServiceClient.discover(Constants.Service.DATASET_MANAGER));
    Preconditions.checkNotNull(endpointStrategy.pick(5, TimeUnit.SECONDS), "%s service is not up after 5 seconds", service);
}