/**
 * Asserts that an {@link AuthorizerInstantiator} built from {@code cConf} hands back a
 * {@link NoOpAuthorizer}.
 *
 * <p>The check is made on the concrete type of the returned object, so it fails if any other
 * {@link Authorizer} implementation is returned while the feature is disabled.
 *
 * @param cConf configuration passed to the instantiator under test
 * @param feature the disabled feature; only its lower-cased name is used, in the failure message
 * @throws IOException declared by the signature; presumably raised when the instantiator is closed
 */
private void assertDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature) throws IOException {
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    Authorizer actual = underTest.get();
    // Build the diagnostic first so the assertion line reads as "message, condition".
    String failureMessage = String.format(
      "When %s is disabled, a %s must be returned, but got %s.",
      feature.name().toLowerCase(),
      NoOpAuthorizer.class.getSimpleName(),
      actual.getClass().getName());
    Assert.assertTrue(failureMessage, actual instanceof NoOpAuthorizer);
  }
}
ensureValidAuthExtensionJar(authorizerExtensionJar); File absoluteTmpFile = new File(cConf.get(Constants.CFG_LOCAL_DATA_DIR), cConf.get(Constants.AppFabric.TEMP_DIR)).getAbsoluteFile(); tmpDir = DirUtils.createTempDir(absoluteTmpFile); authorizerClassLoader = createAuthorizerClassLoader(authorizerExtensionJar, authorizerExtraClasspath); authorizer = createAndInitializeAuthorizerInstance(authorizerExtensionJar); } catch (Exception e) { Throwables.propagate(e);
Class<? extends Authorizer> authorizerClass = loadAuthorizerClass(authorizerExtensionJar); "is a public class with a default constructor.", authorizerClass.getName()), e); AuthorizationContext context = authorizationContextFactory.create(createExtensionProperties()); try { authorizer.initialize(context);
/**
 * Creates the manager and resolves its delegate once, at construction time.
 *
 * @param authorizerInstantiator source of the delegate; its {@code get()} is called exactly once here
 */
@Inject
DelegatingPrivilegeManager(AuthorizerInstantiator authorizerInstantiator) {
  // The object returned by get() at this moment is what this constructor stores in the field.
  // NOTE(review): if the instantiator is closed or re-created later, confirm this cached
  // reference is still the authorizer that should receive privilege changes.
  this.delegateAuthorizer = authorizerInstantiator.get();
}
// Bootstrap grants: give one principal ADMIN on the instance and on the default namespace.
InstanceId instance = new InstanceId(cConf.get(Constants.INSTANCE_NAME));
// The principal name comes from the JVM's "user.name" system property. That is an ordinary
// system property which can be set on the command line, so it names the launching account
// only by convention, not as an authenticated identity.
Principal principal = new Principal(System.getProperty("user.name"), Principal.PrincipalType.USER);
// ADMIN on the whole instance.
authorizerInstantiator.get().grant(Authorizable.fromEntityId(instance), principal,
  ImmutableSet.of(Action.ADMIN));
// ADMIN on the default namespace.
authorizerInstantiator.get().grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), principal,
  ImmutableSet.of(Action.ADMIN));
// NOTE(review): the instantiator is closed right after the grants; confirm nothing later in the
// enclosing method still needs it.
authorizerInstantiator.close();
authorizerInstantiator.close(); levelDBTableService.close(); } catch (Throwable e) {
/**
 * Gives callers the {@link Authorizer} to use for authorization operations.
 *
 * <p>The instance is obtained from the static {@code authorizerInstantiator} on every call.
 *
 * @return whatever {@code authorizerInstantiator.get()} returns
 * @throws IOException declared by the signature; NOTE(review): confirm {@code get()} can still raise it
 * @throws InvalidAuthorizerException declared by the signature; NOTE(review): confirm as above
 */
@Beta
protected static Authorizer getAuthorizer() throws IOException, InvalidAuthorizerException {
  Authorizer current = authorizerInstantiator.get();
  return current;
}
// Bootstrap grants: give one principal ADMIN on the instance and on the default namespace.
InstanceId instance = new InstanceId(cConf.get(Constants.INSTANCE_NAME));
// The principal name is read from the JVM's "user.name" system property. Because that property
// can be overridden when the JVM is started, treat it as a convenience for local set-up rather
// than as proof of who is running the process.
Principal principal = new Principal(System.getProperty("user.name"), Principal.PrincipalType.USER);
// First grant: ADMIN on the instance itself.
authorizerInstantiator.get().grant(Authorizable.fromEntityId(instance), principal,
  ImmutableSet.of(Action.ADMIN));
// Second grant: ADMIN on the default namespace.
authorizerInstantiator.get().grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), principal,
  ImmutableSet.of(Action.ADMIN));
// NOTE(review): close() follows the grants immediately; verify no later code in the enclosing
// method calls get() on this instantiator again.
authorizerInstantiator.close();
authorizerInstantiator.close(); levelDBTableService.close(); } catch (Throwable e) {
/**
 * Verifies that an extension jar path pointing at a file that does not exist is rejected.
 *
 * <p>The root cause of whatever is thrown is rethrown, so the {@code expected} clause still
 * matches when the {@link InvalidAuthorizerException} arrives wrapped in another exception.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testNonExistingAuthorizerJarPath() throws Throwable {
  String missingJar = "/path/to/external-test-authorizer.jar";
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, missingJar);
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    underTest.get();
    // Reaching this line means the bad path was accepted. The AssertionError raised by fail() has
    // no cause, so the catch below rethrows it as-is and the test fails.
    Assert.fail("Instantiation of Authorizer should have failed because extension jar does not exist.");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Supplies the {@link Authorizer} that authorization operations should go through.
 *
 * <p>Each call asks the static {@code authorizerInstantiator} for its authorizer; nothing is
 * cached in this method.
 *
 * @return the result of {@code authorizerInstantiator.get()}
 * @throws IOException part of the declared signature; NOTE(review): check whether {@code get()} still throws it
 * @throws InvalidAuthorizerException part of the declared signature; NOTE(review): check as above
 */
@Beta
protected static Authorizer getAuthorizer() throws IOException, InvalidAuthorizerException {
  Authorizer resolved = authorizerInstantiator.get();
  return resolved;
}
/**
 * Verifies that an extension jar without a manifest is rejected.
 *
 * <p>The jar is built by {@code createInvalidExternalAuthJar(null)}; the {@code null} argument is
 * presumably the absent manifest. The root cause of the failure is rethrown so that a wrapped
 * {@link InvalidAuthorizerException} still satisfies the {@code expected} clause.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testMissingManifest() throws Throwable {
  Location jarWithoutManifest = createInvalidExternalAuthJar(null);
  String jarPath = jarWithoutManifest.toString();
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, jarPath);
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    underTest.get();
    // Only reached if the jar was accepted; the resulting AssertionError is rethrown unchanged below.
    Assert.fail("Instantiation of Authorizer should have failed because extension jar does not have a manifest");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Wires the handler's collaborators and reads both security switches from configuration.
 *
 * <p>The authorizer is resolved here, once, through {@code authorizerInstantiator.get()}, and the
 * two boolean flags are read from {@code cConf} at the same time. As far as this constructor
 * shows, a later change to either configuration key is not picked up by this instance.
 *
 * @param privilegesManager stored as given
 * @param authorizerInstantiator asked once for the authorizer to store
 * @param cConf source of {@code Constants.Security.ENABLED} and
 *   {@code Constants.Security.Authorization.ENABLED}
 * @param authenticationContext stored as given
 */
@Inject
AuthorizationHandler(PrivilegesManager privilegesManager, AuthorizerInstantiator authorizerInstantiator,
                     CConfiguration cConf, AuthenticationContext authenticationContext) {
  // Plain collaborators first.
  this.privilegesManager = privilegesManager;
  this.authenticationContext = authenticationContext;
  // Calls that can do work stay in their original relative order: get(), then the two flag reads.
  this.authorizer = authorizerInstantiator.get();
  boolean authenticationOn = cConf.getBoolean(Constants.Security.ENABLED);
  boolean authorizationOn = cConf.getBoolean(Constants.Security.Authorization.ENABLED);
  this.authenticationEnabled = authenticationOn;
  this.authorizationEnabled = authorizationOn;
}
/**
 * Verifies that an extension jar whose manifest names no authorizer class is rejected.
 *
 * <p>The manifest built here carries only {@code Manifest-Version}. The root cause of the failure
 * is rethrown so that a wrapped {@link InvalidAuthorizerException} still satisfies the
 * {@code expected} clause.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testMissingAuthorizerClassName() throws Throwable {
  Manifest versionOnlyManifest = new Manifest();
  Attributes mainSection = versionOnlyManifest.getMainAttributes();
  mainSection.put(Attributes.Name.MANIFEST_VERSION, "1.0");
  Location jarWithoutClassName = createInvalidExternalAuthJar(versionOnlyManifest);
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, jarWithoutClassName.toString());
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    underTest.get();
    // Only reached if the jar was accepted; the resulting AssertionError is rethrown unchanged below.
    Assert.fail("Instantiation of Authorizer should have failed because extension jar's manifest does not define" +
                  " Authorizer class.");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Stores the injected collaborators and snapshots the two security flags from configuration.
 *
 * <p>{@code authorizerInstantiator.get()} is called once and its result kept. Both flags are read
 * from {@code cConf} during construction only, so this constructor gives no way for a later
 * configuration change to reach the instance.
 *
 * @param privilegesManager stored as given
 * @param authorizerInstantiator asked once for the authorizer to store
 * @param cConf read for {@code Constants.Security.ENABLED} and
 *   {@code Constants.Security.Authorization.ENABLED}
 * @param authenticationContext stored as given
 */
@Inject
AuthorizationHandler(PrivilegesManager privilegesManager, AuthorizerInstantiator authorizerInstantiator,
                     CConfiguration cConf, AuthenticationContext authenticationContext) {
  this.privilegesManager = privilegesManager;
  this.authenticationContext = authenticationContext;
  // get() runs before either flag is read, as in the original statement order.
  this.authorizer = authorizerInstantiator.get();
  boolean securityEnabled = cConf.getBoolean(Constants.Security.ENABLED);
  boolean authorizationEnabledFlag = cConf.getBoolean(Constants.Security.Authorization.ENABLED);
  this.authenticationEnabled = securityEnabled;
  this.authorizationEnabled = authorizationEnabledFlag;
}
/**
 * Verifies that a jar whose manifest points at a class that is not an {@link Authorizer} is rejected.
 *
 * <p>The manifest's {@code Main-Class} is set to {@code DoesNotImplementAuthorizer}. The root
 * cause of the failure is rethrown so that a wrapped {@link InvalidAuthorizerException} still
 * satisfies the {@code expected} clause.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testDoesNotImplementAuthorizer() throws Throwable {
  Manifest wrongClassManifest = new Manifest();
  wrongClassManifest.getMainAttributes()
    .put(Attributes.Name.MAIN_CLASS, DoesNotImplementAuthorizer.class.getName());
  Location jarWithWrongClass =
    AppJarHelper.createDeploymentJar(locationFactory, DoesNotImplementAuthorizer.class, wrongClassManifest);
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, jarWithWrongClass.toString());
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    underTest.get();
    // Only reached if the class was accepted as an authorizer; the AssertionError is rethrown below.
    Assert.fail("Instantiation of Authorizer should have failed because the Authorizer class defined in the" +
                  " extension jar's manifest does not implement " + Authorizer.class.getName());
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
Set<? extends EntityId> moreVisibleEntities; try { moreVisibleEntities = authorizerInstantiator.get().isVisible(difference, principal); } finally { watch.stop();
/**
 * Verifies that an extension jar path pointing at a plain, non-jar file is rejected.
 *
 * <p>The file is a fresh {@code abc.txt} created in the temporary folder. The root cause of the
 * failure is rethrown so that a wrapped {@link InvalidAuthorizerException} still satisfies the
 * {@code expected} clause.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testAuthorizerJarPathIsNotJar() throws Throwable {
  String textFilePath = TEMPORARY_FOLDER.newFile("abc.txt").getPath();
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, textFilePath);
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    underTest.get();
    // Only reached if the text file was accepted; the resulting AssertionError is rethrown below.
    Assert.fail("Instantiation of Authorizer should have failed because extension jar is not a jar file");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Asks the configured authorizer to enforce {@code actions} on {@code entity} for
 * {@code principal}, and logs how long the call took.
 *
 * <p>Two conditions return before the authorizer is consulted at all, and neither is logged by
 * this method. The timing line is written from a {@code finally} block, so it appears whether the
 * authorizer returned normally or threw; it records duration, not the outcome.
 *
 * @param entity the entity being accessed
 * @param principal the principal on whose behalf enforcement is requested
 * @param actions the actions to enforce
 * @throws Exception whatever the authorizer's {@code enforce} call throws
 */
private void doEnforce(EntityId entity, Principal principal, Set<Action> actions) throws Exception {
  // Bypass 1: the principal is the master user and the entity is in the system namespace.
  if (isAccessingSystemNSAsMasterUser(entity, principal)) {
    return;
  }
  // Bypass 2: decided by isEnforcingOnSamePrincipalId; presumably the entity is the principal's
  // own id. NOTE(review): confirm against that helper.
  if (isEnforcingOnSamePrincipalId(entity, principal)) {
    return;
  }

  LOG.trace("Enforcing actions {} on {} for principal {}.", actions, entity, principal);

  // DefaultAuthorizationEnforcer is bound as a singleton, so a stopwatch is created per call
  // rather than shared across calls.
  StopWatch timer = new StopWatch();
  timer.start();
  try {
    authorizerInstantiator.get().enforce(entity, principal, actions);
  } finally {
    timer.stop();
    long elapsedMs = timer.getTime();
    String template = "Enforced actions {} on {} for principal {}. Time spent in enforcement was {} ms.";
    boolean slow = elapsedMs > logTimeTakenAsWarn;
    // Slow calls are raised to WARN so they show up without trace logging enabled.
    if (!slow) {
      LOG.trace(template, actions, entity, principal, timer.getTime());
    } else {
      LOG.warn(template, actions, entity, principal, timer.getTime());
    }
  }
}
/**
 * Verifies that an extension jar path pointing at a directory is rejected.
 *
 * <p>The directory is a fresh folder created under the temporary folder. The root cause of the
 * failure is rethrown so that a wrapped {@link InvalidAuthorizerException} still satisfies the
 * {@code expected} clause.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testAuthorizerJarPathIsDirectory() throws Throwable {
  String directoryPath = TEMPORARY_FOLDER.newFolder().getPath();
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, directoryPath);
  try (AuthorizerInstantiator underTest = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    underTest.get();
    // Only reached if the directory was accepted; the resulting AssertionError is rethrown below.
    Assert.fail("Instantiation of Authorizer should have failed because extension jar is a directory");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}