use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetInstanceService method getTypeInfo.
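/**
 * Finds the {@link DatasetTypeMeta} for the specified dataset type name.
 * Search order - first in the specified namespace, then in the 'system' namespace from defaultModules.
 *
 * <p>Authorization: the lookup in the specified namespace goes through
 * {@code authorizationDatasetTypeService} unless {@code byPassCheck} is {@code true}. The fallback lookup in
 * the system namespace always goes through {@code noAuthDatasetTypeService}, and it runs both when the type
 * is missing from the specified namespace and when the caller was denied access to it there.
 *
 * @param namespaceId {@link NamespaceId} for the specified namespace
 * @param typeName the name of the dataset type to search
 * @param byPassCheck if {@code true}, the privilege check is skipped for the lookup in the specified namespace
 * @return {@link DatasetTypeMeta} for the type if found in either the specified namespace or in the system
 *         namespace. NOTE(review): the method is {@code @Nullable}, but the visible code rethrows instead of
 *         returning null when both lookups fail; null is possible only if the type service returns it - confirm.
 * @throws Exception the original {@link DatasetTypeNotFoundException} or {@link UnauthorizedException} from the
 *         specified namespace when the type is not found in the system namespace either
 * TODO: This may need to move to a util class eventually
 */
@Nullable
private DatasetTypeMeta getTypeInfo(NamespaceId namespaceId, String typeName, boolean byPassCheck) throws Exception {
  DatasetTypeId datasetTypeId = ConversionHelpers.toDatasetTypeId(namespaceId, typeName);
  try {
    // The message reports whether authorization is enforced, which is the inverse of byPassCheck.
    LOG.trace("Retrieving metadata from mds for dataset type {} with authorization: {}", typeName, !byPassCheck);
    DatasetTypeMeta meta = byPassCheck
      ? noAuthDatasetTypeService.getType(datasetTypeId)
      : authorizationDatasetTypeService.getType(datasetTypeId);
    LOG.trace("Retrieved metadata from mds for dataset type {}", typeName);
    return meta;
  } catch (DatasetTypeNotFoundException | UnauthorizedException e) {
    try {
      // Type not found in the instance's namespace, or the caller is not authorized for it there.
      // Now try finding it in the system namespace. This lookup is deliberately unauthenticated, so a
      // system type with the same name is returned even to a caller that was denied in its own namespace.
      LOG.trace("Retrieving metadata from mds for system dataset type {}", typeName);
      DatasetTypeId systemDatasetTypeId = ConversionHelpers.toDatasetTypeId(NamespaceId.SYSTEM, typeName);
      DatasetTypeMeta systemMeta = noAuthDatasetTypeService.getType(systemDatasetTypeId);
      // Log completion only after the lookup has actually returned.
      LOG.trace("Retrieved metadata from mds for system dataset type {}", typeName);
      return systemMeta;
    } catch (DatasetTypeNotFoundException exnWithSystemNS) {
      // if it's not found in system namespace, throw the original exception with the correct namespace.
      // The original may be an UnauthorizedException, so the denial is still surfaced to the caller.
      throw e;
    }
  }
}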
use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DatasetServiceClient method addInstance.
/**
 * Creates a dataset instance by issuing a PUT to {@code datasets/<datasetInstanceName>} with the
 * JSON-serialized {@link DatasetInstanceConfiguration}.
 *
 * @param datasetInstanceName name of the instance to create; used verbatim as the last path segment
 * @param datasetType name of the dataset type
 * @param props properties and description for the new instance
 * @param owner optional owner; when null, no owner principal is sent
 * @throws InstanceConflictException if the service answers 409 CONFLICT
 * @throws DatasetManagementException for any other non-200 answer; on 403 FORBIDDEN the cause is an
 *         {@link UnauthorizedException} carrying the response body
 * @throws UnauthorizedException declared, but not thrown directly by the visible code (a 403 is wrapped, see
 *         above); presumably it can come from {@code doPut} - confirm
 */
public void addInstance(String datasetInstanceName, String datasetType, DatasetProperties props, @Nullable KerberosPrincipalId owner) throws DatasetManagementException, UnauthorizedException {
  String ownerPrincipal = null;
  if (owner != null) {
    ownerPrincipal = owner.getPrincipal();
  }
  DatasetInstanceConfiguration instanceConfig =
    new DatasetInstanceConfiguration(datasetType, props.getProperties(), props.getDescription(), ownerPrincipal);

  // NOTE(review): the instance name is concatenated into the request path without encoding; this assumes
  // callers only pass already-validated dataset names - confirm.
  HttpResponse response = doPut("datasets/" + datasetInstanceName, GSON.toJson(instanceConfig));

  int statusCode = response.getResponseCode();
  if (statusCode == HttpResponseStatus.OK.code()) {
    return;
  }
  if (statusCode == HttpResponseStatus.CONFLICT.code()) {
    throw new InstanceConflictException(String.format("Failed to add instance %s due to conflict, details: %s", datasetInstanceName, response));
  }
  if (statusCode == HttpResponseStatus.FORBIDDEN.code()) {
    // The authorization failure is only visible as the cause; callers that need to distinguish a denial
    // from other failures have to inspect getCause().
    UnauthorizedException denial = new UnauthorizedException(response.getResponseBodyAsString());
    throw new DatasetManagementException(String.format("Failed to add instance %s, details: %s", datasetInstanceName, response), denial);
  }
  throw new DatasetManagementException(String.format("Failed to add instance %s, details: %s", datasetInstanceName, response));
}
use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DefaultSecureStoreServiceTest method testSecureStoreAccess.
/**
 * Walks through the secure store authorization checks for two users: ALICE is first denied a put, then
 * granted permissions and allowed to put and list; after her key permissions are revoked, BOB is granted
 * read permissions, is denied a delete, and finally deletes the key once DELETE is granted.
 */
@Test
public void testSecureStoreAccess() throws Exception {
final SecureKeyId secureKeyId1 = NamespaceId.DEFAULT.secureKey(KEY1);
// Act as ALICE, who has not been granted anything in this method yet.
// NOTE(review): the user id set here is not reset in this method; presumably handled by test teardown - confirm.
SecurityRequestContext.setUserId(ALICE.getName());
try {
secureStoreManager.put(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
Assert.fail("Alice should not be able to store a key since she does not have WRITE privileges on the namespace");
} catch (UnauthorizedException expected) {
// expected
}
// Grant ALICE GET on the namespace, LIST on secure keys in the namespace, and every StandardPermission on the key
grantAndAssertSuccess(NamespaceId.DEFAULT, ALICE, EnumSet.of(StandardPermission.GET));
grantAndAssertSuccess(Authorizable.fromEntityId(NamespaceId.DEFAULT, EntityType.SECUREKEY), ALICE, EnumSet.of(StandardPermission.LIST));
grantAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(StandardPermission.class));
// Write should succeed
secureStoreManager.put(NamespaceId.DEFAULT.getNamespace(), KEY1, VALUE1, DESCRIPTION1, Collections.<String, String>emptyMap());
// Listing should return the value just written
List<SecureStoreMetadata> metadatas = secureStore.list(NamespaceId.DEFAULT.getNamespace());
Assert.assertEquals(1, metadatas.size());
Assert.assertEquals(KEY1, metadatas.get(0).getName());
Assert.assertEquals(DESCRIPTION1, metadatas.get(0).getDescription());
// Only the permissions on the key itself are revoked; the namespace GET and SECUREKEY LIST grants above remain.
revokeAndAssertSuccess(secureKeyId1, ALICE, EnumSet.allOf(StandardPermission.class));
// Should not be able to list the keys since ALICE does not have privilege on the secure key
// NOTE(review): there is no Assert.fail after list() and its result is not inspected, so this block passes
// whether list() throws or returns; as written it does not verify the effect of the revocation. Decide the
// expected behavior (exception, or a result without KEY1) and assert it.
try {
secureStore.list(NamespaceId.DEFAULT.getNamespace());
} catch (UnauthorizedException e) {
// expected
}
// Give BOB read access and verify that he can read the stored data
SecurityRequestContext.setUserId(BOB.getName());
grantAndAssertSuccess(NamespaceId.DEFAULT, BOB, EnumSet.of(StandardPermission.GET));
grantAndAssertSuccess(secureKeyId1, BOB, EnumSet.of(StandardPermission.GET));
grantAndAssertSuccess(Authorizable.fromEntityId(NamespaceId.DEFAULT, EntityType.SECUREKEY), BOB, EnumSet.of(StandardPermission.LIST));
Assert.assertEquals(VALUE1, new String(secureStore.get(NamespaceId.DEFAULT.getNamespace(), KEY1).get(), Charsets.UTF_8));
metadatas = secureStore.list(NamespaceId.DEFAULT.getNamespace());
Assert.assertEquals(1, metadatas.size());
// BOB should not be able to delete the key: he has been granted GET and LIST so far, not DELETE
try {
secureStoreManager.delete(NamespaceId.DEFAULT.getNamespace(), KEY1);
Assert.fail("Bob should not be able to delete a key since he does not have ADMIN privileges on the key");
} catch (UnauthorizedException expected) {
// expected
}
// Grant BOB DELETE on the key and he should be able to delete it
grantAndAssertSuccess(secureKeyId1, BOB, ImmutableSet.of(StandardPermission.DELETE));
secureStoreManager.delete(NamespaceId.DEFAULT.getNamespace(), KEY1);
Assert.assertEquals(0, secureStore.list(NamespaceId.DEFAULT.getNamespace()).size());
// NOTE(review): secureKeyIdFilter is built but never used before the method ends, so no assertion is made
// about the permissions that remain granted on the deleted key.
Predicate<GrantedPermission> secureKeyIdFilter = new Predicate<GrantedPermission>() {
@Override
public boolean apply(GrantedPermission input) {
return input.getAuthorizable().equals(Authorizable.fromEntityId(secureKeyId1));
}
};
}
use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class MonitorHandlerAuthorizationTest method testGetSystemServiceLiveInfoAuthorization.
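/**
 * Checks authorization on {@code MonitorHandler.getServiceLiveInfo}: the call must be rejected with
 * {@link UnauthorizedException} for UNPRIVILEGED_PRINCIPAL and must complete for MASTER_PRINCIPAL.
 *
 * <p>NOTE(review): presumably {@code createMonitorHandler} grants the given permission (GET on the system
 * service) to MASTER_PRINCIPAL only - confirm against that helper.
 */
@Test
public void testGetSystemServiceLiveInfoAuthorization() throws Exception {
  SystemServiceId systemServiceId = new SystemServiceId(SERVICE_NAME);
  MonitorHandler handler = createMonitorHandler(Authorizable.fromEntityId(systemServiceId), Arrays.asList(StandardPermission.GET));
  HttpRequest request = mock(HttpRequest.class);
  HttpResponder responder = mock(HttpResponder.class);

  AuthenticationTestContext.actAsPrincipal(UNPRIVILEGED_PRINCIPAL);
  try {
    handler.getServiceLiveInfo(request, responder, SERVICE_NAME);
    // Fail explicitly when the call returns: without this the test would also pass if the handler
    // performed no authorization check at all. AssertionError is not caught by the clause below.
    throw new AssertionError("Expected UnauthorizedException for the unprivileged principal on getServiceLiveInfo");
  } catch (UnauthorizedException e) {
    // expected
  }

  // The privileged principal must get through without an exception.
  AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
  handler.getServiceLiveInfo(request, responder, SERVICE_NAME);
}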
use of io.cdap.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class MonitorHandlerAuthorizationTest method testGetServiceSpecAuthorization.
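/**
 * Checks authorization on {@code MonitorHandler.getServiceSpec}: the call must be rejected with
 * {@link UnauthorizedException} for UNPRIVILEGED_PRINCIPAL and must complete for MASTER_PRINCIPAL.
 *
 * <p>NOTE(review): presumably {@code createMonitorHandler} grants the given permission (LIST on system
 * services of the instance) to MASTER_PRINCIPAL only - confirm against that helper.
 */
@Test
public void testGetServiceSpecAuthorization() throws Exception {
  InstanceId instanceId = InstanceId.SELF;
  MonitorHandler handler = createMonitorHandler(Authorizable.fromEntityId(instanceId, EntityType.SYSTEM_SERVICE), Arrays.asList(StandardPermission.LIST));
  HttpRequest request = mock(HttpRequest.class);
  HttpResponder responder = mock(HttpResponder.class);

  AuthenticationTestContext.actAsPrincipal(UNPRIVILEGED_PRINCIPAL);
  try {
    handler.getServiceSpec(request, responder);
    // Fail explicitly when the call returns: without this the test would also pass if the handler
    // performed no authorization check at all. AssertionError is not caught by the clause below.
    throw new AssertionError("Expected UnauthorizedException for the unprivileged principal on getServiceSpec");
  } catch (UnauthorizedException e) {
    // expected
  }

  // The privileged principal must get through without an exception.
  AuthenticationTestContext.actAsPrincipal(MASTER_PRINCIPAL);
  handler.getServiceSpec(request, responder);
}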