/**
 * Checks that {@code principal} may perform a single {@link Action} on {@code entity}.
 *
 * <p>When {@code isSecurityAuthorizationEnabled()} reports false this method returns without
 * calling {@code doEnforce}. A normal return therefore only means that no denial was raised;
 * it does not prove that a policy decision was made.
 *
 * @param entity the entity the action is requested on
 * @param principal the principal requesting the action
 * @param action the action to check
 * @throws Exception whatever {@code doEnforce} throws
 */
@Override
public void enforce(EntityId entity, Principal principal, Action action) throws Exception {
  if (isSecurityAuthorizationEnabled()) {
    // doEnforce takes a set of actions, so the single action is wrapped in a singleton set.
    doEnforce(entity, principal, Collections.singleton(action));
  }
}
@Override public Set<? extends EntityId> isVisible(Set<? extends EntityId> entityIds, Principal principal) throws Exception { if (!isSecurityAuthorizationEnabled()) { return entityIds; if (isAccessingSystemNSAsMasterUser(entityId, principal) || isEnforcingOnSamePrincipalId(entityId, principal)) { visibleEntities.add(entityId);
/**
 * Asserts that enforcement and visibility checks all pass for the supplied configuration.
 *
 * <p>{@code cConf} is expected to have authorization turned off; the caller prepares it outside
 * this method. The only grant issued here is ADMIN on the dataset for BOB, so the checks for
 * ALICE on the namespace and for BOB on the namespace's visibility can only pass because the
 * enforcer is not consulting the authorizer.
 *
 * @param cConf the configuration used to build the authorizer and the enforcer
 * @throws Exception if any enforcement call is rejected or the authorizer cannot be created
 */
private void verifyDisabled(CConfiguration cConf) throws Exception {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(cConf, instantiator);
    DatasetId dataset = NS.dataset("ds");
    // All enforcement operations should succeed, since authorization is disabled
    instantiator.get().grant(Authorizable.fromEntityId(dataset), BOB, ImmutableSet.of(Action.ADMIN));
    // ALICE holds no grant at all, yet this must not throw.
    enforcer.enforce(NS, ALICE, Action.ADMIN);
    enforcer.enforce(dataset, BOB, Action.ADMIN);
    // Both entities come back as visible to BOB, including the namespace he has no grant on.
    int visibleCount = enforcer.isVisible(ImmutableSet.<EntityId>of(NS, dataset), BOB).size();
    Assert.assertEquals(2, visibleCount);
  }
}
/**
 * Verifies that a privilege granted on one entity is not honoured on a different entity.
 *
 * <p>ALICE is granted ADMIN on NS only. The check on NS must pass and the check on APP must be
 * rejected with {@link UnauthorizedException}. NS and APP are fixtures defined outside this
 * method; presumably APP is an application inside NS, which is what makes this a test of
 * privilege propagation (confirm against the fixture definitions).
 */
@Test
public void testPropagationDisabled() throws Exception {
  CConfiguration conf = CConfiguration.copy(CCONF);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(conf, instantiator);
    instantiator.get().grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.ADMIN));
    // Positive control: the entity the grant was issued on.
    enforcer.enforce(NS, ALICE, Action.ADMIN);

    // Negative case: only UnauthorizedException counts as a denial; any other exception
    // still fails the test by propagating out of the method.
    boolean denied;
    try {
      enforcer.enforce(APP, ALICE, Action.ADMIN);
      denied = false;
    } catch (UnauthorizedException expected) {
      denied = true;
    }
    if (!denied) {
      Assert.fail("Alice should not have ADMIN privilege on the APP.");
    }
  }
}
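/**
 * Asks the configured authorizer whether {@code principal} may perform {@code actions} on
 * {@code entity}, and logs how long the decision took.
 *
 * <p>Two conditions return before the authorizer is called and before anything is logged, so
 * bypassed requests leave no record in this method.
 *
 * @param entity the entity the actions are requested on
 * @param principal the principal requesting the actions
 * @param actions the actions to check
 * @throws Exception whatever the authorizer's {@code enforce} throws; the timing log line is
 *     still written in that case
 */
private void doEnforce(EntityId entity, Principal principal, Set<Action> actions) throws Exception {
  // Bypass the check when the principal is the master user and the entity is in the system
  // namespace. The second helper is a separate bypass; judging by its name it covers a principal
  // being checked against its own id (confirm against the helper).
  if (isAccessingSystemNSAsMasterUser(entity, principal) || isEnforcingOnSamePrincipalId(entity, principal)) {
    return;
  }
  LOG.trace("Enforcing actions {} on {} for principal {}.", actions, entity, principal);
  // Create a new stopwatch on every call: DefaultAuthorizationEnforcer is bound as a singleton,
  // and the stopwatch must not be reused across calls.
  StopWatch watch = new StopWatch();
  watch.start();
  try {
    authorizerInstantiator.get().enforce(entity, principal, actions);
  } finally {
    watch.stop();
    long timeTaken = watch.getTime();
    // This runs for denials too, so "Enforced" here records that a check ran and how long it
    // took, not that access was granted.
    String logLine = "Enforced actions {} on {} for principal {}. Time spent in enforcement was {} ms.";
    // Log the same value that was compared with the threshold instead of re-reading the stopwatch.
    if (timeTaken > logTimeTakenAsWarn) {
      LOG.warn(logLine, actions, entity, principal, timeTaken);
    } else {
      LOG.trace(logLine, actions, entity, principal, timeTaken);
    }
  }
}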
authorizer.grant(Authorizable.fromEntityId(ds22), BOB, Collections.singleton(Action.ADMIN)); DefaultAuthorizationEnforcer authEnforcementService = new DefaultAuthorizationEnforcer(CCONF, authorizerInstantiator); Assert.assertEquals(namespaces.size(), authEnforcementService.isVisible(namespaces, ALICE).size()); Assert.assertEquals(namespaces.size(), authEnforcementService.isVisible(namespaces, BOB).size()); Set<DatasetId> expectedDatasetIds = ImmutableSet.of(ds11, ds21, ds23); Assert.assertEquals(expectedDatasetIds.size(), authEnforcementService.isVisible(expectedDatasetIds, ALICE).size()); expectedDatasetIds = ImmutableSet.of(ds12, ds22); Assert.assertEquals(Collections.EMPTY_SET, authEnforcementService.isVisible(expectedDatasetIds, ALICE)); expectedDatasetIds = ImmutableSet.of(ds11, ds12, ds22); Assert.assertEquals(expectedDatasetIds.size(), authEnforcementService.isVisible(expectedDatasetIds, BOB).size()); expectedDatasetIds = ImmutableSet.of(ds21, ds23); Assert.assertTrue(authEnforcementService.isVisible(expectedDatasetIds, BOB).isEmpty());
/**
 * Verifies how the enforcer treats the user the test process runs as.
 *
 * <p>No grant is issued in this method. The principal is built from the current
 * {@link UserGroupInformation} short user name, every {@link Action} is enforced on
 * {@code NamespaceId.SYSTEM} without an exception, and of the two namespaces passed to
 * {@code isVisible} only the system namespace is returned. The access therefore does not
 * carry over to the ordinary namespace {@code ns1}.
 */
@Test
public void testSystemUser() throws Exception {
  CConfiguration conf = CConfiguration.copy(CCONF);
  String currentUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  Principal systemUser = new Principal(currentUserName, Principal.PrincipalType.USER);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    // The result is not used below; the call is kept because get() may do work beyond
    // returning a value, which cannot be seen from here.
    Authorizer authorizer = instantiator.get();
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(conf, instantiator);
    NamespaceId ns1 = new NamespaceId("ns1");
    // Must not throw even though nothing was granted to systemUser.
    enforcer.enforce(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));
    // ns1 must be filtered out; only the system namespace stays visible.
    Assert.assertEquals(
        ImmutableSet.of(NamespaceId.SYSTEM),
        enforcer.isVisible(ImmutableSet.of(ns1, NamespaceId.SYSTEM), systemUser));
  }
}
Authorizer authorizer = authorizerInstantiator.get(); DefaultAuthorizationEnforcer authEnforcementService = new DefaultAuthorizationEnforcer(CCONF, authorizerInstantiator); authEnforcementService.enforce(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE)); assertAuthorizationFailure(authEnforcementService, NS, ALICE, EnumSet.allOf(Action.class)); authEnforcementService.enforce(ds, BOB, Action.ADMIN); authEnforcementService.enforce(NS, ALICE, Action.READ); Assert.fail(String.format("Expected %s to not have '%s' privilege on %s but it does.", ALICE, Action.READ, NS)); authEnforcementService.enforce(ds, BOB, Action.ADMIN);