
Example 46 with UnauthorizedException

use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by cdapio.

the class DirectRuntimeRequestValidatorTest method testUnauthorized.

/**
 * Checks that a denial from the access enforcer surfaces as an {@link UnauthorizedException}.
 *
 * <p>The mocked enforcer is stubbed to reject {@code StandardPermission.GET} for the test
 * principal on a freshly generated program run. JUnit's {@code expected} attribute makes the test
 * pass only if that exception escapes this method, presumably from {@code getProgramRunStatus}.
 *
 * @throws BadRequestException declared because the validator call can raise it; not expected here
 */
@Test(expected = UnauthorizedException.class)
public void testUnauthorized() throws BadRequestException {
    ProgramRunId runId = NamespaceId.DEFAULT.app("app").spark("spark").run(RunIds.generate());
    RuntimeRequestValidator requestValidator = new DirectRuntimeRequestValidator(
        cConf, txRunner, new MockProgramRunRecordFetcher(), accessEnforcer, authenticationContext);

    // The authentication context reports this principal as the caller.
    Principal caller = new Principal("test", Principal.PrincipalType.USER);
    Mockito.when(authenticationContext.getPrincipal()).thenReturn(caller);

    // The enforcer denies GET on exactly this run for exactly this caller.
    Mockito.doThrow(new UnauthorizedException("Unauthorized"))
        .when(accessEnforcer)
        .enforce(runId, caller, StandardPermission.GET);

    DefaultHttpRequest statusRequest = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/");
    requestValidator.getProgramRunStatus(runId, statusRequest);
}
Also used : DefaultHttpRequest(io.netty.handler.codec.http.DefaultHttpRequest) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) ProgramRunId(io.cdap.cdap.proto.id.ProgramRunId) Principal(io.cdap.cdap.proto.security.Principal) Test(org.junit.Test)

Example 47 with UnauthorizedException

use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by cdapio.

the class SystemArtifactsAuthorizationTest method testAuthorizationForSystemArtifacts.

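/**
 * Exercises the authorization checks around system artifacts as the acting user changes.
 *
 * <p>The sequence is: alice is denied a system-artifact refresh until she is granted
 * {@code CREATE} on the ARTIFACT entity type under the system namespace; bob is denied deletion of
 * the system artifact; system artifacts are listed and fetched from a freshly created
 * {@code test} namespace; alice is denied both a direct enforce and a delete on the system
 * artifact until she is granted {@code DELETE} on it. All grants made here are revoked at the end.
 *
 * <p>NOTE(review): the revokes run only when every earlier step passes, and the user id set on
 * {@code SecurityRequestContext} is never reset in this method. Confirm that fixture
 * setup/teardown (not visible here) clears both, otherwise a mid-test failure can leave grants
 * behind for later tests.
 *
 * @throws Exception if any repository, namespace or access-controller call fails unexpectedly
 */
@Test
public void testAuthorizationForSystemArtifacts() throws Exception {
    // NOTE(review): runs under whatever user id the request context already holds; confirm the fixture sets it
    artifactRepository.addSystemArtifacts();
    // alice has no grant yet, so refreshing system artifacts must be denied
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        artifactRepository.addSystemArtifacts();
        Assert.fail("Adding system artifacts should have failed because alice does not have admin privileges on " + "the namespace system.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // grant alice CREATE on the ARTIFACT entity type under the CDAP system namespace
    Authorizable authorizable = Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT);
    accessController.grant(authorizable, ALICE, Collections.singleton(StandardPermission.CREATE));
    // the grant list must contain exactly that one permission, nothing broader
    Assert.assertEquals(Collections.singleton(new GrantedPermission(authorizable, StandardPermission.CREATE)), accessController.listGrants(ALICE));
    // refreshing system artifacts should succeed now
    artifactRepository.addSystemArtifacts();
    SecurityRequestContext.setUserId("bob");
    // deleting a system artifact should fail because bob has been granted nothing on the artifact
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        // The acting user here is bob; the message previously named alice, which misdirects triage.
        Assert.fail("Deleting a system artifact should have failed because bob does not have admin privileges on " + "the artifact.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // grant alice every StandardPermission on the test namespace and LIST on its ARTIFACT entity type
    SecurityRequestContext.setUserId(ALICE.getName());
    NamespaceId namespaceId = new NamespaceId("test");
    accessController.grant(Authorizable.fromEntityId(namespaceId), ALICE, EnumSet.allOf(StandardPermission.class));
    accessController.grant(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT), ALICE, EnumSet.of(StandardPermission.LIST));
    namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
    // test that system artifacts are available to everyone
    List<ArtifactSummary> artifacts = artifactRepository.getArtifactSummaries(namespaceId, true);
    Assert.assertEquals(1, artifacts.size());
    ArtifactSummary artifactSummary = artifacts.get(0);
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
    // test the getArtifact API
    ArtifactDetail artifactDetail = artifactRepository.getArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    io.cdap.cdap.api.artifact.ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
    namespaceAdmin.delete(namespaceId);
    // enforce on the system artifact should fail in unit test, since we do not have auto-grant now
    try {
        accessController.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(StandardPermission.class));
        Assert.fail("Enforcing every StandardPermission on the system artifact should have failed for alice.");
    } catch (UnauthorizedException e) {
        // expected
    }
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        Assert.fail("Deleting the system artifact should have failed because alice has not been granted DELETE on it.");
    } catch (UnauthorizedException e) {
        // expected
    }
    // deleting system artifact should succeed if alice has DELETE on the artifact
    accessController.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(StandardPermission.DELETE));
    artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    // clean up every grant made above so it cannot satisfy checks in other tests
    accessController.revoke(Authorizable.fromEntityId(SYSTEM_ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId));
}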
Also used : GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ArtifactSummary(io.cdap.cdap.api.artifact.ArtifactSummary) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) Authorizable(io.cdap.cdap.proto.security.Authorizable) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Test(org.junit.Test)

Example 48 with UnauthorizedException

use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by cdapio.

the class DatasetServiceAuthorizationTest method testDatasetInstances.

/**
 * Walks dataset instance operations through a series of grants for two users, alice and bob, and
 * checks after each step which calls succeed, which are denied, and what the instance listing
 * returns.
 *
 * <p>Every step depends on the grants and datasets left behind by the previous one, so the
 * statement order is part of the test.
 *
 * <p>NOTE(review): several failure messages still speak of ADMIN privileges while the grants use
 * {@code StandardPermission} values. The wording looks stale; confirm before relying on it when
 * triaging a failure.
 *
 * @throws Exception if a dataset framework call fails in a way the test does not expect
 */
@Test
public void testDatasetInstances() throws Exception {
    final DatasetId dsId = NamespaceId.DEFAULT.dataset("myds");
    final DatasetId dsId1 = NamespaceId.DEFAULT.dataset("myds1");
    DatasetId dsId2 = NamespaceId.DEFAULT.dataset("myds2");
    SecurityRequestContext.setUserId(ALICE.getName());
    // with no grant in place, creating the instance must be denied
    assertAuthorizationFailure(() -> dsFramework.addInstance(Table.class.getName(), dsId, DatasetProperties.EMPTY), "Alice should not be able to add a dataset instance since she does not have ADMIN" + " privileges on the dataset");
    // grant alice every StandardPermission on dsId, and LIST on the DATASET entity type in the default namespace
    grantAndAssertSuccess(dsId, ALICE, EnumSet.allOf(StandardPermission.class));
    grantAndAssertSuccess(NamespaceId.DEFAULT, EntityType.DATASET, ALICE, EnumSet.of(StandardPermission.LIST));
    // now adding an instance should succeed
    dsFramework.addInstance(Table.class.getName(), dsId, DatasetProperties.EMPTY);
    // alice should be able to perform all operations on the dataset
    Assert.assertTrue(dsFramework.hasInstance(dsId));
    Assert.assertNotNull(dsFramework.getDataset(dsId, ImmutableMap.of(), null));
    dsFramework.updateInstance(dsId, DatasetProperties.builder().add("key", "value").build());
    // operations should fail for bob, who has no grant on dsId yet
    SecurityRequestContext.setUserId(BOB.getName());
    assertAuthorizationFailure(() -> dsFramework.getDataset(dsId, ImmutableMap.of(), null), String.format("Expected %s to not be have access to %s.", BOB, dsId));
    assertAuthorizationFailure(() -> dsFramework.updateInstance(dsId, DatasetProperties.builder().add("key", "val").build()), String.format("Expected %s to not be have %s privilege on %s.", BOB, StandardPermission.UPDATE, dsId));
    assertAuthorizationFailure(() -> dsFramework.truncateInstance(dsId), String.format("Expected %s to not be have %s privilege on %s.", BOB, StandardPermission.UPDATE, dsId));
    // grant bob GET, UPDATE and DELETE on dsId, and LIST on the DATASET entity type in the default namespace
    grantAndAssertSuccess(dsId, BOB, ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE, StandardPermission.DELETE));
    grantAndAssertSuccess(NamespaceId.DEFAULT, EntityType.DATASET, BOB, EnumSet.of(StandardPermission.LIST));
    // now update should succeed
    dsFramework.updateInstance(dsId, DatasetProperties.builder().add("key", "val").build());
    // as should truncate
    dsFramework.truncateInstance(dsId);
    // bob's update must be the one that is stored
    DatasetSpecification datasetSpec = dsFramework.getDatasetSpec(dsId);
    Assert.assertNotNull(datasetSpec);
    Assert.assertEquals("val", datasetSpec.getProperty("key"));
    // grant Bob corresponding privilege to create the dataset
    grantAndAssertSuccess(dsId1, BOB, ImmutableSet.of(StandardPermission.CREATE));
    grantAndAssertSuccess(dsId2, BOB, ImmutableSet.of(StandardPermission.CREATE, StandardPermission.DELETE));
    dsFramework.addInstance(Table.class.getName(), dsId1, DatasetProperties.EMPTY);
    dsFramework.addInstance(Table.class.getName(), dsId2, DatasetProperties.EMPTY);
    // since Bob now has some privileges on all datasets, the list API should return all datasets for him
    Assert.assertEquals(ImmutableSet.of(dsId, dsId1, dsId2), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
    // Grant privileges on other datasets to user Alice
    // NOTE(review): EXECUTE is an ApplicationPermission; presumably any grant is enough for listing, so confirm
    grantAndAssertSuccess(dsId1, ALICE, ImmutableSet.of(ApplicationPermission.EXECUTE));
    grantAndAssertSuccess(dsId2, ALICE, ImmutableSet.of(ApplicationPermission.EXECUTE));
    SecurityRequestContext.setUserId(ALICE.getName());
    // Alice should not be able to delete any datasets since she does not have DELETE on all datasets in the namespace
    try {
        dsFramework.deleteAllInstances(NamespaceId.DEFAULT);
        Assert.fail();
    } catch (UnauthorizedException e) {
        // Expected
    }
    // alice should still be able to see all dataset instances, i.e. the denied bulk delete removed nothing
    Assert.assertEquals(ImmutableSet.of(dsId1, dsId2, dsId), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
    // should get an authorization error if alice tries to delete datasets that she does not have permissions on
    assertAuthorizationFailure(() -> dsFramework.deleteInstance(dsId1), String.format("Alice should not be able to delete instance %s since she does not " + "have privileges", dsId1));
    grantAndAssertSuccess(dsId1, ALICE, ImmutableSet.of(StandardPermission.DELETE, StandardPermission.CREATE));
    Assert.assertEquals(ImmutableSet.of(dsId1, dsId2, dsId), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
    // since Alice now has DELETE for dsId1, she should be able to delete it
    dsFramework.deleteInstance(dsId1);
    // Now Alice only sees dsId2 and dsId in the list.
    Assert.assertEquals(ImmutableSet.of(dsId2, dsId), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
    // Bob should be able to see dsId and dsId2
    SecurityRequestContext.setUserId(BOB.getName());
    Assert.assertEquals(ImmutableSet.of(dsId2, dsId), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
    // bob was granted DELETE on dsId2 above, alice holds every StandardPermission on dsId
    dsFramework.deleteInstance(dsId2);
    SecurityRequestContext.setUserId(ALICE.getName());
    dsFramework.deleteInstance(dsId);
    grantAndAssertSuccess(dsId2, ALICE, EnumSet.of(StandardPermission.CREATE, StandardPermission.DELETE));
    // add the instances again, this time all as alice
    dsFramework.addInstance(Table.class.getName(), dsId, DatasetProperties.EMPTY);
    dsFramework.addInstance(Table.class.getName(), dsId1, DatasetProperties.EMPTY);
    dsFramework.addInstance(Table.class.getName(), dsId2, DatasetProperties.EMPTY);
    Assert.assertEquals(ImmutableSet.of(dsId, dsId1, dsId2), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
    // should be successful since ALICE has DELETE on all datasets
    dsFramework.deleteAllInstances(NamespaceId.DEFAULT);
    Assert.assertTrue(dsFramework.getInstances(NamespaceId.DEFAULT).isEmpty());
}
Also used : Table(io.cdap.cdap.api.dataset.table.Table) DatasetSpecification(io.cdap.cdap.api.dataset.DatasetSpecification) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) DatasetId(io.cdap.cdap.proto.id.DatasetId) Test(org.junit.Test)

Example 49 with UnauthorizedException

use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by cdapio.

the class DatasetServiceAuthorizationTest method testNotFound.

/**
 * Checks how lookups of a dataset instance, module and type that do not exist behave before and
 * after the caller is granted permissions on them.
 *
 * <p>Before any grant, reading the spec or probing existence of the missing instance is denied
 * with {@link UnauthorizedException}. After alice is granted every {@code StandardPermission},
 * the same calls report absence instead ({@code null}, {@code false}, or the failure checked by
 * {@code assertNotFound}).
 *
 * <p>NOTE(review): the two denied calls at the top run before {@code setUserId(ALICE)}, so they
 * execute under whatever user id the request context already holds. Confirm that the fixture
 * sets an unprivileged user there.
 *
 * @throws Exception if a dataset framework call fails in a way the test does not expect
 */
@Test
public void testNotFound() throws Exception {
    final DatasetTypeId missingType = NamespaceId.DEFAULT.datasetType("notfound");
    final DatasetModuleId missingModule = NamespaceId.DEFAULT.datasetModule("notfound");
    final DatasetId missingInstance = NamespaceId.DEFAULT.dataset("notfound");

    // Without any privilege on the instance, reading its spec is denied.
    try {
        dsFramework.getDatasetSpec(missingInstance);
        Assert.fail();
    } catch (UnauthorizedException expected) {
        // expected
    }

    // The existence check is denied as well, for the same reason.
    try {
        dsFramework.hasInstance(missingInstance);
        Assert.fail();
    } catch (UnauthorizedException expected) {
        // expected
    }

    SecurityRequestContext.setUserId(ALICE.getName());
    // Access is required for every operation, even when the dataset does not exist.
    grantAndAssertSuccess(missingInstance, ALICE, EnumSet.allOf(StandardPermission.class));
    grantAndAssertSuccess(missingModule, ALICE, EnumSet.allOf(StandardPermission.class));

    // Once granted, lookups report absence instead of a denial.
    Assert.assertNull(dsFramework.getDatasetSpec(missingInstance));
    Assert.assertFalse(dsFramework.hasInstance(missingInstance));

    String instanceMissing = String.format("Expected %s to not exist", missingInstance);
    assertNotFound(() -> dsFramework.updateInstance(missingInstance, DatasetProperties.EMPTY), instanceMissing);
    assertNotFound(() -> dsFramework.deleteInstance(missingInstance), instanceMissing);
    assertNotFound(() -> dsFramework.truncateInstance(missingInstance), instanceMissing);

    // No grant on the dataset type exists yet, so creating an instance of it is denied.
    assertAuthorizationFailure(
        () -> dsFramework.addInstance(missingType.getType(), missingInstance, DatasetProperties.EMPTY),
        "Alice needs to have READ/ADMIN on the dataset type to create the dataset");

    String moduleMissing = String.format("Expected %s to not exist", missingModule);
    assertNotFound(() -> dsFramework.deleteModule(missingModule), moduleMissing);

    grantAndAssertSuccess(missingType, ALICE, EnumSet.allOf(StandardPermission.class));
    String typeMissing = String.format("Expected %s to not exist", missingType);
    Assert.assertNull(typeMissing, dsFramework.getTypeInfo(missingType));
}
Also used : DatasetModuleId(io.cdap.cdap.proto.id.DatasetModuleId) DatasetTypeId(io.cdap.cdap.proto.id.DatasetTypeId) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) DatasetId(io.cdap.cdap.proto.id.DatasetId) Test(org.junit.Test)

Example 50 with UnauthorizedException

use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class SystemArtifactsAuthorizationTest method testAuthorizationForSystemArtifacts.

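/**
 * Exercises the authorization checks around system artifacts as the acting user changes.
 *
 * <p>The sequence is: alice is denied a system-artifact refresh until she is granted
 * {@code CREATE} on the ARTIFACT entity type under the system namespace; bob is denied deletion of
 * the system artifact; system artifacts are listed and fetched from a freshly created
 * {@code test} namespace; alice is denied both a direct enforce and a delete on the system
 * artifact until she is granted {@code DELETE} on it. All grants made here are revoked at the end.
 *
 * <p>NOTE(review): the revokes run only when every earlier step passes, and the user id set on
 * {@code SecurityRequestContext} is never reset in this method. Confirm that fixture
 * setup/teardown (not visible here) clears both, otherwise a mid-test failure can leave grants
 * behind for later tests.
 *
 * @throws Exception if any repository, namespace or access-controller call fails unexpectedly
 */
@Test
public void testAuthorizationForSystemArtifacts() throws Exception {
    // NOTE(review): runs under whatever user id the request context already holds; confirm the fixture sets it
    artifactRepository.addSystemArtifacts();
    // alice has no grant yet, so refreshing system artifacts must be denied
    SecurityRequestContext.setUserId(ALICE.getName());
    try {
        artifactRepository.addSystemArtifacts();
        Assert.fail("Adding system artifacts should have failed because alice does not have admin privileges on " + "the namespace system.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // grant alice CREATE on the ARTIFACT entity type under the CDAP system namespace
    Authorizable authorizable = Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT);
    accessController.grant(authorizable, ALICE, Collections.singleton(StandardPermission.CREATE));
    // the grant list must contain exactly that one permission, nothing broader
    Assert.assertEquals(Collections.singleton(new GrantedPermission(authorizable, StandardPermission.CREATE)), accessController.listGrants(ALICE));
    // refreshing system artifacts should succeed now
    artifactRepository.addSystemArtifacts();
    SecurityRequestContext.setUserId("bob");
    // deleting a system artifact should fail because bob has been granted nothing on the artifact
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        // The acting user here is bob; the message previously named alice, which misdirects triage.
        Assert.fail("Deleting a system artifact should have failed because bob does not have admin privileges on " + "the artifact.");
    } catch (UnauthorizedException expected) {
        // expected
    }
    // grant alice every StandardPermission on the test namespace and LIST on its ARTIFACT entity type
    SecurityRequestContext.setUserId(ALICE.getName());
    NamespaceId namespaceId = new NamespaceId("test");
    accessController.grant(Authorizable.fromEntityId(namespaceId), ALICE, EnumSet.allOf(StandardPermission.class));
    accessController.grant(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT), ALICE, EnumSet.of(StandardPermission.LIST));
    namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
    // test that system artifacts are available to everyone
    List<ArtifactSummary> artifacts = artifactRepository.getArtifactSummaries(namespaceId, true);
    Assert.assertEquals(1, artifacts.size());
    ArtifactSummary artifactSummary = artifacts.get(0);
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
    // test the getArtifact API
    ArtifactDetail artifactDetail = artifactRepository.getArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    io.cdap.cdap.api.artifact.ArtifactId artifactId = artifactDetail.getDescriptor().getArtifactId();
    Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
    Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
    Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
    namespaceAdmin.delete(namespaceId);
    // enforce on the system artifact should fail in unit test, since we do not have auto-grant now
    try {
        accessController.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(StandardPermission.class));
        Assert.fail("Enforcing every StandardPermission on the system artifact should have failed for alice.");
    } catch (UnauthorizedException e) {
        // expected
    }
    try {
        artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
        Assert.fail("Deleting the system artifact should have failed because alice has not been granted DELETE on it.");
    } catch (UnauthorizedException e) {
        // expected
    }
    // deleting system artifact should succeed if alice has DELETE on the artifact
    accessController.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(StandardPermission.DELETE));
    artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
    // clean up every grant made above so it cannot satisfy checks in other tests
    accessController.revoke(Authorizable.fromEntityId(SYSTEM_ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId, EntityType.ARTIFACT));
    accessController.revoke(Authorizable.fromEntityId(namespaceId));
}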
Also used : GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) ArtifactSummary(io.cdap.cdap.api.artifact.ArtifactSummary) NamespaceMeta(io.cdap.cdap.proto.NamespaceMeta) UnauthorizedException(io.cdap.cdap.security.spi.authorization.UnauthorizedException) Authorizable(io.cdap.cdap.proto.security.Authorizable) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Test(org.junit.Test)
