.put(dummyModuleId, EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); addAppArtifact(artifactId, DummyApp.class); AppRequest<? extends Config> appRequest = new AppRequest<>(new ArtifactSummary(artifactId.getArtifact(), artifactId.getVersion()), null, appOwner); deployApplication(dummyAppId, appRequest); Assert.fail(); } catch (Exception e) { revokeAndAssertSuccess(datasetId); revokeAndAssertSuccess(datasetTypeId); revokeAndAssertSuccess(dummyDatasetId); revokeAndAssertSuccess(dummyTypeId); revokeAndAssertSuccess(dummyModuleId); grantAndAssertSuccess(datasetId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(datasetTypeId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(dummyDatasetId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(dummyTypeId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(dummyModuleId, principal, EnumSet.of(Action.ADMIN)); deployApplication(dummyAppId, appRequest); revokeAndAssertSuccess(principalId);
private void revokeAndAssertSuccess(final EntityId entityId) throws Exception { Authorizer authorizer = getAuthorizer(); authorizer.revoke(Authorizable.fromEntityId(entityId)); assertNoAccess(entityId); }
@Test public void testCrossNSMapReduce() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(DatasetCrossNSAccessWithMAPApp.class.getSimpleName()); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(DatasetCrossNSAccessWithMAPApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.program(ProgramType.MAPREDUCE, DatasetCrossNSAccessWithMAPApp.MAPREDUCE_PROGRAM); // bob will be executing the program grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); cleanUpEntities.add(programId); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DatasetCrossNSAccessWithMAPApp.class); MapReduceManager mrManager = appManager.getMapReduceManager(DatasetCrossNSAccessWithMAPApp.MAPREDUCE_PROGRAM); testCrossNSSystemDatasetAccessWithAuthMapReduce(mrManager); testCrossNSDatasetAccessWithAuthMapReduce(mrManager); }
@Test public void testCrossNSService() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(CrossNsDatasetAccessApp.APP_NAME); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(CrossNsDatasetAccessApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.service(CrossNsDatasetAccessApp.SERVICE_NAME); cleanUpEntities.add(programId); // grant bob execute on program and READ/WRITE on stream grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, CrossNsDatasetAccessApp.class); // switch to to ALICE SecurityRequestContext.setUserId(ALICE.getName()); ServiceManager serviceManager = appManager.getServiceManager(CrossNsDatasetAccessApp.SERVICE_NAME); testSystemDatasetAccessFromService(serviceManager); testCrossNSDatasetAccessFromService(serviceManager); }
.put(outputDatasetNSMetaId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); getNamespaceAdmin().create(inputDatasetNSMeta); getNamespaceAdmin().create(outputDatasetNSMeta); addDatasetInstance(inputTableId, "keyValueTable").create(); addDatasetInstance(outputTableId, "keyValueTable").create(); addDummyData(inputDatasetNSMeta.getNamespaceId(), "input"); assertProgramFailure(args, sparkManager); assertDatasetIsEmpty(outputDatasetNSMeta.getNamespaceId(), "output"); grantAndAssertSuccess(inputDatasetNSMeta.getNamespaceId().dataset("input"), BOB, EnumSet.of(Action.READ)); assertProgramFailure(args, sparkManager); assertDatasetIsEmpty(outputDatasetNSMeta.getNamespaceId(), "output"); grantAndAssertSuccess(outputDatasetNSMeta.getNamespaceId().dataset("output"), BOB, EnumSet.of(Action.WRITE)); waitForStoppedPrograms(sparkManager); verifyDummyData(outputDatasetNSMeta.getNamespaceId(), "output"); getNamespaceAdmin().delete(inputDatasetNSMeta.getNamespaceId()); getNamespaceAdmin().delete(outputDatasetNSMeta.getNamespaceId());
private void testCrossNSSystemDatasetAccessWithAuthMapReduce(MapReduceManager mrManager) throws Exception { addDatasetInstance(NamespaceId.SYSTEM.dataset("table1"), "keyValueTable").create(); addDatasetInstance(NamespaceId.SYSTEM.dataset("table2"), "keyValueTable").create(); NamespaceMeta otherNS = new NamespaceMeta.Builder().setName("otherNS").build(); NamespaceId otherNsId = otherNS.getNamespaceId(); .put(otherNsId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); getNamespaceAdmin().create(otherNS); addDatasetInstance(datasetId, "keyValueTable").create(); addDummyData(NamespaceId.SYSTEM, "table1"); grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE)); grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_ACTIONS); assertProgramFailure(argsForMR, mrManager); assertDatasetIsEmpty(otherNS.getNamespaceId(), "otherTable"); addDummyData(otherNS.getNamespaceId(), "otherTable"); assertProgramFailure(argsForMR, mrManager); assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2"); deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table1")); deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table2")); getNamespaceAdmin().delete(otherNS.getNamespaceId());
@Test public void testScheduleAuth() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(AppWithSchedule.class.getSimpleName()); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(AUTH_NAMESPACE.datasetType(ObjectStore.class.getName()), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, AppWithSchedule.class); String workflowName = AppWithSchedule.SampleWorkflow.class.getSimpleName(); ProgramId workflowID = new ProgramId(AUTH_NAMESPACE.getNamespace(), AppWithSchedule.class.getSimpleName(), grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.EXECUTE)); addSchedule(scheduleId, scheduleDetail); Assert.fail("Adding schedule should fail since BOB does not have AMDIN on the app"); } catch (UnauthorizedException e) { grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN)); addSchedule(scheduleId, scheduleDetail); Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(), workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_OK)); updateSchedule(scheduleId, scheduleDetail); Assert.assertEquals(ProgramScheduleStatus.SUSPENDED.name(),
public void testApps() throws Exception { try { deployApplication(NamespaceId.DEFAULT, DummyApp.class); Assert.fail("App deployment should fail because alice does not have ADMIN privilege on the application"); } catch (UnauthorizedException e) { createAuthNamespace(); Authorizer authorizer = getAuthorizer(); ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); deployApplication(AUTH_NAMESPACE, DummyApp.class); Assert.fail(); } catch (UnauthorizedException e) { grantAndAssertSuccess(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(AUTH_NAMESPACE.datasetType(DummyApp.CustomDummyDataset.class.getName())); grantAndAssertSuccess(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName())); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DummyApp.class); grantAndAssertSuccess(dummyAppId, BOB, ImmutableSet.of(Action.READ, Action.WRITE));
@Test public void testCrossNSSpark() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(TestSparkCrossNSDatasetApp.APP_NAME); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(TestSparkCrossNSDatasetApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.dataset(TestSparkCrossNSDatasetApp.DEFAULT_OUTPUT_DATASET), EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.spark(TestSparkCrossNSDatasetApp.SPARK_PROGRAM_NAME); // bob will be executing the program grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); cleanUpEntities.add(programId); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, TestSparkCrossNSDatasetApp.class); SparkManager sparkManager = appManager.getSparkManager(TestSparkCrossNSDatasetApp.SparkCrossNSDatasetProgram .class.getSimpleName()); testCrossNSSystemDatasetAccessWithAuthSpark(sparkManager); testCrossNSDatasetAccessWithAuthSpark(sparkManager); }
.put(outputDatasetNSId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges ); getNamespaceAdmin().create(outputDatasetNS); addDatasetInstance(datasetId, "keyValueTable"); SecurityRequestContext.setUserId(ALICE.getName()); assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "store"); grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.WRITE)); DataSetManager<KeyValueTable> dataSetManager = getDataset(outputDatasetNS.getNamespaceId().dataset("store")); KeyValueTable results = dataSetManager.get(); getNamespaceAdmin().delete(outputDatasetNS.getNamespaceId());
@Test public void testPrograms() throws Exception { createAuthNamespace(); grantAndAssertSuccess(AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()), ALICE, EnumSet.of(Action.ADMIN)); ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()); final ProgramId serviceId = dummyAppId.service(DummyApp.Greeting.SERVICE_NAME); .put(AUTH_NAMESPACE.datasetModule(DummyApp.CustomDummyDataset.class.getName()), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); final ApplicationManager dummyAppManager = deployApplication(AUTH_NAMESPACE, DummyApp.class);
@Test public void testNamespaces() throws Exception { NamespaceAdmin namespaceAdmin = getNamespaceAdmin(); Authorizer authorizer = getAuthorizer(); try { namespaceAdmin.create(AUTH_NAMESPACE_META); Assert.fail("Namespace create should have failed because alice is not authorized on " + AUTH_NAMESPACE); } catch (UnauthorizedException expected) { // expected } createAuthNamespace(); Assert.assertTrue(namespaceAdmin.list().contains(AUTH_NAMESPACE_META)); namespaceAdmin.get(AUTH_NAMESPACE); // revoke privileges revokeAndAssertSuccess(AUTH_NAMESPACE); try { Assert.assertTrue(namespaceAdmin.list().isEmpty()); namespaceAdmin.exists(AUTH_NAMESPACE); Assert.fail("Namespace existence check should fail since the privilege of alice has been revoked"); } catch (UnauthorizedException expected) { // expected } // grant privileges again grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN)); namespaceAdmin.exists(AUTH_NAMESPACE); Assert.assertEquals(ImmutableSet.of(new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE)); NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build(); namespaceAdmin.updateProperties(AUTH_NAMESPACE, updated); Assert.assertEquals(updated, namespaceAdmin.get(AUTH_NAMESPACE)); }
try { ArtifactId defaultNsArtifact = NamespaceId.DEFAULT.artifact(appArtifactName, appArtifactVersion); addAppArtifact(defaultNsArtifact, ConfigTestApp.class); Assert.fail("Should not be able to add an app artifact to the default namespace because alice does not have " + "admin privileges on the artifact."); try { ArtifactId defaultNsArtifact = NamespaceId.DEFAULT.artifact(pluginArtifactName, pluginArtifactVersion); addAppArtifact(defaultNsArtifact, ToStringPlugin.class); Assert.fail("Should not be able to add a plugin artifact to the default namespace because alice does not have " + "admin privileges on the artifact."); createAuthNamespace(); ArtifactId appArtifactId = AUTH_NAMESPACE.artifact(appArtifactName, appArtifactVersion); grantAndAssertSuccess(appArtifactId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(appArtifactId); ArtifactManager appArtifactManager = addAppArtifact(appArtifactId, ConfigTestApp.class); ArtifactId pluginArtifactId = AUTH_NAMESPACE.artifact(pluginArtifactName, pluginArtifactVersion); grantAndAssertSuccess(pluginArtifactId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(pluginArtifactId); ArtifactManager pluginArtifactManager = addPluginArtifact(pluginArtifactId, appArtifactId, ToStringPlugin.class);
private void testSystemDatasetAccessFromService(ServiceManager serviceManager) throws Exception { addDatasetInstance(NamespaceId.SYSTEM.dataset("store"), "keyValueTable"); // give bob write permission on the dataset grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("store"), BOB, EnumSet.of(Action.WRITE)); // switch to BOB SecurityRequestContext.setUserId(BOB.getName()); Map<String, String> args = ImmutableMap.of( CrossNsDatasetAccessApp.OUTPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), CrossNsDatasetAccessApp.OUTPUT_DATASET_NAME, "store" ); // Start the Service as BOB serviceManager.start(args); // Try to write data, it should fail as BOB don't have the permission to get system dataset URL url = new URL(serviceManager.getServiceURL(5, TimeUnit.SECONDS), "write/data"); HttpResponse response = HttpRequests.execute(HttpRequest.put(url).build()); Assert.assertEquals(500, response.getResponseCode()); Assert.assertTrue(response.getResponseBodyAsString().contains("Cannot access dataset store in system namespace")); serviceManager.stop(); serviceManager.waitForStopped(10, TimeUnit.SECONDS); // switch to back to ALICE SecurityRequestContext.setUserId(ALICE.getName()); // cleanup deleteDatasetInstance(NamespaceId.SYSTEM.dataset("store")); }
private void assertNoAccess(final EntityId entityId) throws Exception { assertNoAccess(ALICE, entityId); assertNoAccess(BOB, entityId); }
.put(outputDatasetNSId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); getNamespaceAdmin().create(inputDatasetNS); getNamespaceAdmin().create(outputDatasetNS); addDatasetInstance(table1Id, "keyValueTable").create(); addDatasetInstance(table2Id, "keyValueTable").create(); addDummyData(inputDatasetNSId, "table1"); assertProgramFailure(argsForMR, mrManager); assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "table2"); grantAndAssertSuccess(inputDatasetNS.getNamespaceId().dataset("table1"), BOB, EnumSet.of(Action.READ)); assertProgramFailure(argsForMR, mrManager); assertDatasetIsEmpty(outputDatasetNS.getNamespaceId(), "table2"); grantAndAssertSuccess(outputDatasetNS.getNamespaceId().dataset("table2"), BOB, EnumSet.of(Action.WRITE)); verifyDummyData(outputDatasetNS.getNamespaceId(), "table2"); getNamespaceAdmin().delete(inputDatasetNS.getNamespaceId()); getNamespaceAdmin().delete(outputDatasetNS.getNamespaceId());
private void testCrossNSSystemDatasetAccessWithAuthSpark(SparkManager sparkManager) throws Exception { addDatasetInstance(NamespaceId.SYSTEM.dataset("table1"), "keyValueTable").create(); addDatasetInstance(NamespaceId.SYSTEM.dataset("table2"), "keyValueTable").create(); NamespaceMeta otherNS = new NamespaceMeta.Builder().setName("otherNS").build(); NamespaceId otherNSId = otherNS.getNamespaceId(); .put(otherNSId.datasetType("keyValueTable"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); getNamespaceAdmin().create(otherNS); addDatasetInstance(otherTableId, "keyValueTable").create(); addDummyData(NamespaceId.SYSTEM, "table1"); grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE)); grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_ACTIONS); assertProgramFailure(args, sparkManager); assertDatasetIsEmpty(otherNS.getNamespaceId(), "otherTable"); addDummyData(otherNS.getNamespaceId(), "otherTable"); assertProgramFailure(args, sparkManager); assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2"); deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table1")); deleteDatasetInstance(NamespaceId.SYSTEM.dataset("table2")); getNamespaceAdmin().delete(otherNS.getNamespaceId());
@Test public void testAddDropPartitions() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(PartitionTestApp.class.getSimpleName()); DatasetId datasetId = AUTH_NAMESPACE.dataset(PartitionTestApp.PFS_NAME); .put(AUTH_NAMESPACE.datasetType(PartitionedFileSet.class.getName()), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); cleanUpEntities.add(programId); grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.READ)); cleanUpEntities.add(datasetId); ApplicationManager appMgr = deployApplication(AUTH_NAMESPACE, PartitionTestApp.class); SecurityRequestContext.setUserId(BOB.getName()); String partition = "p1"; grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.WRITE, Action.READ)); pfsService.start(); pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);