co.cask.cdap.security.spi.authorization.Authorizer java code examples

Add the Codota plugin to your IDE and get smart completions

private void myMethod () {
 SimpleDateFormat s =String pattern;new SimpleDateFormat(pattern)
String template;Locale locale;new SimpleDateFormat(template, locale)
new SimpleDateFormat()
Smart code suggestions by Tabnine
}

@Test
public void testWildcard() throws Exception {
 Authorizer authorizer = get();
 verifyAuthFailure(namespace, user, Action.READ);
 authorizer.grant(Authorizable.fromEntityId(namespace), user, EnumSet.allOf(Action.class));
 authorizer.enforce(namespace, user, Action.READ);
 authorizer.enforce(namespace, user, Action.WRITE);
 authorizer.enforce(namespace, user, Action.ADMIN);
 authorizer.enforce(namespace, user, Action.EXECUTE);
 authorizer.revoke(Authorizable.fromEntityId(namespace), user, EnumSet.allOf(Action.class));
 verifyAuthFailure(namespace, user, Action.READ);
}

private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
 Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
 authorizer.grant(Authorizable.fromEntityId(entityId), principal, actions);
 ImmutableSet.Builder<Privilege> expectedPrivilegesAfterGrant = ImmutableSet.builder();
 for (Action action : actions) {
  expectedPrivilegesAfterGrant.add(new Privilege(entityId, action));
 }
 Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()),
           authorizer.listPrivileges(principal));
}

@Path("/{principal-type}/{principal-name}/roles/{role-name}")
@PUT
public void addRoleToPrincipal(HttpRequest httpRequest, HttpResponder httpResponder,
                @PathParam("principal-type") String principalType,
                @PathParam("principal-name") String principalName,
                @PathParam("role-name") String roleName) throws Exception {
 ensureSecurityEnabled();
 Principal principal = new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase()));
 authorizer.addRoleToPrincipal(new Role(roleName), principal);
 httpResponder.sendStatus(HttpResponseStatus.OK);
 createLogEntry(httpRequest, HttpResponseStatus.OK);
}

 private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
  Set<Privilege> existingPrivileges = authorizer.listPrivileges(principal);
  authorizer.revoke(Authorizable.fromEntityId(entityId), principal, actions);
  Set<Privilege> revokedPrivileges = new HashSet<>();
  for (Action action : actions) {
   revokedPrivileges.add(new Privilege(entityId, action));
  }
  Assert.assertEquals(Sets.difference(existingPrivileges, revokedPrivileges), authorizer.listPrivileges(principal));
 }
}

authorizer.createRole(admins);
authorizer.createRole(engineers);
Set<Role> roles = authorizer.listAllRoles();
Set<Role> expectedRoles = new HashSet<>();
expectedRoles.add(admins);
 authorizer.createRole(admins);
 Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
} catch (AlreadyExistsException expected) {
authorizer.dropRole(admins);
roles = authorizer.listAllRoles();
Assert.assertEquals(Collections.singleton(engineers), roles);
 authorizer.dropRole(admins);
 Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
} catch (NotFoundException expected) {
authorizer.addRoleToPrincipal(engineers, spiderman);
 authorizer.addRoleToPrincipal(admins, spiderman);
 Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
} catch (NotFoundException expected) {
Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));

@Test
public void testSimple() throws Exception {
 Authorizer authorizer = get();
 verifyAuthFailure(namespace, user, Action.READ);
 authorizer.grant(Authorizable.fromEntityId(namespace), user, Collections.singleton(Action.READ));
 authorizer.enforce(namespace, user, Action.READ);
 Set<Privilege> expectedPrivileges = new HashSet<>();
 expectedPrivileges.add(new Privilege(namespace, Action.READ));
 Assert.assertEquals(expectedPrivileges, authorizer.listPrivileges(user));
 authorizer.revoke(Authorizable.fromEntityId(namespace), user, Collections.singleton(Action.READ));
 verifyAuthFailure(namespace, user, Action.READ);
}

@BeforeClass
public static void setup() throws Exception {
 cConf = createCConf();
 final Injector injector = AppFabricTestHelper.getInjector(cConf);
 metadataAdmin = injector.getInstance(MetadataAdmin.class);
 authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
 appFabricServer = injector.getInstance(AppFabricServer.class);
 appFabricServer.startAndWait();
 // Wait for the default namespace creation
 String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
 authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER),
          Collections.singleton(Action.ADMIN));
 // Starting the Appfabric server will create the default namespace
 Tasks.waitFor(true, () -> injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT),
        5, TimeUnit.SECONDS);
 authorizer.revoke(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER),
          Collections.singleton(Action.ADMIN));
}

@Override
public void grant(Authorizable authorizable, Principal principal, Set<Action> actions) throws Exception {
 delegateAuthorizer.grant(authorizable, principal, actions);
}

 @Override
 public Set<Privilege> listPrivileges(Principal principal) throws Exception {
  return delegateAuthorizer.listPrivileges(principal);
 }
}

@Override
public void revoke(Authorizable authorizable, Principal principal, Set<Action> actions) throws Exception {
 delegateAuthorizer.revoke(authorizable, principal, actions);
}

Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty());
Assert.assertTrue(!getAuthorizer().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty());
Assert.assertEquals(3, authorizer.listPrivileges(BOB).size());

private void assertAllAccess(Principal principal, EntityId... entityIds) throws Exception {
 for (EntityId entityId : entityIds) {
  getAuthorizer().enforce(entityId, principal, EnumSet.allOf(Action.class));
 }
}

/********************************************************************************************************************
 * Role Management : For Role Based Access Control
 ********************************************************************************************************************/
@Path("/roles/{role-name}")
@PUT
public void createRole(HttpRequest httpRequest, HttpResponder httpResponder,
            @PathParam("role-name") String roleName) throws Exception {
 ensureSecurityEnabled();
 authorizer.createRole(new Role(roleName));
 httpResponder.sendStatus(HttpResponseStatus.OK);
 createLogEntry(httpRequest, HttpResponseStatus.OK);
}

@Path("/roles/{role-name}")
@DELETE
public void dropRole(HttpRequest httpRequest, HttpResponder httpResponder,
           @PathParam("role-name") String roleName) throws Exception {
 ensureSecurityEnabled();
 authorizer.dropRole(new Role(roleName));
 httpResponder.sendStatus(HttpResponseStatus.OK);
 createLogEntry(httpRequest, HttpResponseStatus.OK);
}

Set<? extends EntityId> moreVisibleEntities;
try {
 moreVisibleEntities = authorizerInstantiator.get().isVisible(difference, principal);
} finally {
 watch.stop();

authorizer.grant(Authorizable.fromEntityId(NamespaceId.SYSTEM), ALICE, Collections.singleton(Action.ADMIN));
Assert.assertEquals(
 Collections.singleton(new Privilege(NamespaceId.SYSTEM, Action.ADMIN)), authorizer.listPrivileges(ALICE));
authorizer.grant(Authorizable.fromEntityId(namespaceId), ALICE, Collections.singleton(Action.ADMIN));
namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
 authorizer.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(Action.class));
 Assert.fail();
} catch (UnauthorizedException e) {
authorizer.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(Action.ADMIN));
artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));
authorizer.revoke(Authorizable.fromEntityId(SYSTEM_ARTIFACT));
authorizer.revoke(Authorizable.fromEntityId(namespaceId));

@BeforeClass
public static void setup() throws Exception {
 cConf = createCConf();
 final Injector injector = AppFabricTestHelper.getInjector(cConf);
 authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
 appFabricServer = injector.getInstance(AppFabricServer.class);
 appFabricServer.startAndWait();
 programLifecycleService = injector.getInstance(ProgramLifecycleService.class);
 // Wait for the default namespace creation
 String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
 authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER),
          Collections.singleton(Action.ADMIN));
 // Starting the Appfabric server will create the default namespace
 Tasks.waitFor(true, new Callable<Boolean>() {
  @Override
  public Boolean call() throws Exception {
   return injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT);
  }
 }, 5, TimeUnit.SECONDS);
 authorizer.revoke(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER),
          Collections.singleton(Action.ADMIN));
}

 private void setUpPrivilegesAndExpectFailedDeploy(Map<EntityId, Set<Action>> neededPrivileges) throws Exception {
  int count = 0;
  for (Map.Entry<EntityId, Set<Action>> privilege : neededPrivileges.entrySet()) {
   authorizer.grant(Authorizable.fromEntityId(privilege.getKey()), ALICE, privilege.getValue());
   count++;
   if (count < neededPrivileges.size()) {
    try {
     AppFabricTestHelper.deployApplication(Id.Namespace.DEFAULT, AllProgramsApp.class, null, cConf);
     Assert.fail();
    } catch (Exception e) {
     // expected
    }
   }
  }
 }
}

@AfterClass
public static void cleanup() throws Exception {
 authorizer.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM));
 Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE));
 SecurityRequestContext.setUserId(OLD_USER_ID);
}

@Path("{principal-type}/{principal-name}/privileges")
@GET
public void listPrivileges(HttpRequest httpRequest, HttpResponder httpResponder,
              @PathParam("principal-type") String principalType,
              @PathParam("principal-name") String principalName) throws Exception {
 ensureSecurityEnabled();
 Principal principal = new Principal(principalName, Principal.PrincipalType.valueOf(principalType.toUpperCase()));
 httpResponder.sendJson(HttpResponseStatus.OK,
             GSON.toJson(authorizer.listPrivileges(principal), PRIVILEGE_SET_TYPE));
 createLogEntry(httpRequest, HttpResponseStatus.OK);
}

Javadoc

Interface for managing Principal authorization for Action on EntityId. Authorization extensions must implement this interface to delegate authorization to appropriate authorization back-ends. The contract with Authorization extensions is as below:

Authorization is enabled setting the parameter security.authorization.enabled to true in cdap-site.xml.
The path to the extension jar bundled with all its dependencies must be specified by security.authorization.extension.jar.path in cdap-site.xml
The extension jar must contain a class that implements Authorizer. This class must be specified as the Attributes.Name#MAIN_CLASS in the extension jar's manifest file.
The contract with the class that implements Authorizer is that it must have a default constructor.
Authorizer also provides lifecycle methods for extensions. #initialize(AuthorizationContext)can be used to perform initialization tasks. This method provides an AuthorizationContext which gives extensions access to CDAP entities for operations like creating and accessing datasets, accessing datasets in transactions, etc. It also provides access to Properties via the AuthorizationContext#getExtensionProperties() method. The Properties object returned form this method is populated with all configuration settings from cdap-site.xml that have keys with the prefix security.authorization.extension.config.
The #destroy() method can be used to perform cleanup tasks.

Most used methods

grant
listPrivileges
revoke
enforce
addRoleToPrincipal
Add a role to the specified Principal.
createRole
Create a role.
dropRole
Drop a role.
isVisible
listAllRoles
Returns all available Role. Only a super user can perform this operation.
listRoles
Returns a set of all Role for the specified Principal.
removeRoleFromPrincipal
Delete a role from the specified Principal.
destroy
Destroys an Authorizer. Authorization extensions can use this method to write any cleanup code.

Popular in Java

Running tasks concurrently on multiple threads
startActivity (Activity)
orElseThrow (Optional)
Return the contained value, if present, otherwise throw an exception to be created by the provided s
scheduleAtFixedRate (Timer)
Window (java.awt)
A Window object is a top-level window with no borders and no menubar. The default layout for a windo
Format (java.text)
The base class for all formats. This is an abstract base class which specifies the protocol for clas
Hashtable (java.util)
A plug-in replacement for JDK1.5 java.util.Hashtable. This version is based on org.cliffc.high_scale
SSLHandshakeException (javax.net.ssl)
The exception that is thrown when a handshake could not be completed successfully.
Logger (org.apache.log4j)
This is the central class in the log4j package. Most logging operations, except configuration, are d
Reflections (org.reflections)
Reflections one-stop-shop objectReflections scans your classpath, indexes the metadata, allows you t

How to useAuthorizer in co.cask.cdap.security.spi.authorization

Best Java code snippets using co.cask.cdap.security.spi.authorization.Authorizer (Showing top 20 results out of 315)

How to use
Authorizer
in
co.cask.cdap.security.spi.authorization