/**
 * Granting every {@link Action} in one call must make each action individually enforceable, and
 * revoking the same set must take all of that access away again.
 */
@Test
public void testWildcard() throws Exception {
  Authorizer auth = get();
  Authorizable target = Authorizable.fromEntityId(namespace);
  EnumSet<Action> everyAction = EnumSet.allOf(Action.class);

  // Nothing has been granted yet, so even READ must be rejected.
  verifyAuthFailure(namespace, user, Action.READ);

  auth.grant(target, user, everyAction);
  // Enforce each action on its own rather than the set as a whole.
  for (Action action : new Action[] {Action.READ, Action.WRITE, Action.ADMIN, Action.EXECUTE}) {
    auth.enforce(namespace, user, action);
  }

  auth.revoke(target, user, everyAction);
  verifyAuthFailure(namespace, user, Action.READ);
}
/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and asserts that the principal's
 * privilege listing afterwards is exactly the previous listing plus one {@link Privilege} per
 * granted action — nothing more and nothing less.
 *
 * @param entityId entity the privileges are granted on
 * @param principal principal receiving the privileges
 * @param actions actions to grant
 * @throws Exception if the authorizer call fails
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions)
  throws Exception {
  Set<Privilege> before = authorizer.listPrivileges(principal);
  authorizer.grant(Authorizable.fromEntityId(entityId), principal, actions);

  ImmutableSet.Builder<Privilege> granted = ImmutableSet.builder();
  actions.forEach(action -> granted.add(new Privilege(entityId, action)));

  // The listing is expected to grow by exactly the granted privileges.
  Set<Privilege> expected = Sets.union(before, granted.build());
  Assert.assertEquals(expected, authorizer.listPrivileges(principal));
}
/**
 * Assigns the role {@code role-name} to the principal identified by {@code principal-type} and
 * {@code principal-name}. Responds with 200 OK and writes a log entry for the request.
 *
 * <p>{@code principal-type} is upper-cased with the JVM default locale and resolved through
 * {@code Principal.PrincipalType.valueOf}, so a value that is not a known type throws
 * {@link IllegalArgumentException}; how that maps to an HTTP status is not visible here.
 *
 * @throws Exception if security is not enabled or the authorizer call fails
 */
@Path("/{principal-type}/{principal-name}/roles/{role-name}")
@PUT
public void addRoleToPrincipal(HttpRequest httpRequest, HttpResponder httpResponder,
                               @PathParam("principal-type") String principalType,
                               @PathParam("principal-name") String principalName,
                               @PathParam("role-name") String roleName) throws Exception {
  ensureSecurityEnabled();
  Principal.PrincipalType type = Principal.PrincipalType.valueOf(principalType.toUpperCase());
  Principal target = new Principal(principalName, type);
  Role role = new Role(roleName);
  authorizer.addRoleToPrincipal(role, target);
  HttpResponseStatus status = HttpResponseStatus.OK;
  httpResponder.sendStatus(status);
  createLogEntry(httpRequest, status);
}
/**
 * Revokes {@code actions} on {@code entityId} from {@code principal} and asserts that the
 * principal's privilege listing afterwards is exactly the previous listing minus one
 * {@link Privilege} per revoked action.
 *
 * @param entityId entity the privileges are revoked on
 * @param principal principal losing the privileges
 * @param actions actions to revoke
 * @throws Exception if the authorizer call fails
 */
private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions)
  throws Exception {
  Set<Privilege> before = authorizer.listPrivileges(principal);
  authorizer.revoke(Authorizable.fromEntityId(entityId), principal, actions);

  Set<Privilege> removed = new HashSet<>();
  actions.forEach(action -> removed.add(new Privilege(entityId, action)));

  // Only the revoked privileges may disappear from the listing.
  Assert.assertEquals(Sets.difference(before, removed), authorizer.listPrivileges(principal));
}
}
authorizer.createRole(admins); authorizer.createRole(engineers); Set<Role> roles = authorizer.listAllRoles(); Set<Role> expectedRoles = new HashSet<>(); expectedRoles.add(admins); authorizer.createRole(admins); Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName())); } catch (AlreadyExistsException expected) { authorizer.dropRole(admins); roles = authorizer.listAllRoles(); Assert.assertEquals(Collections.singleton(engineers), roles); authorizer.dropRole(admins); Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName())); } catch (NotFoundException expected) { authorizer.addRoleToPrincipal(engineers, spiderman); authorizer.addRoleToPrincipal(admins, spiderman); Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman)); } catch (NotFoundException expected) { Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
/**
 * Grant of a single action must be enforceable and listed, and its revocation must restore the
 * original "access denied" state.
 */
@Test
public void testSimple() throws Exception {
  Authorizer auth = get();
  Authorizable target = Authorizable.fromEntityId(namespace);
  Set<Action> readOnly = Collections.singleton(Action.READ);

  verifyAuthFailure(namespace, user, Action.READ);

  auth.grant(target, user, readOnly);
  auth.enforce(namespace, user, Action.READ);
  // The listing must contain exactly the one privilege just granted.
  Assert.assertEquals(Collections.singleton(new Privilege(namespace, Action.READ)),
                      auth.listPrivileges(user));

  auth.revoke(target, user, readOnly);
  verifyAuthFailure(namespace, user, Action.READ);
}
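/**
 * Starts the app-fabric server once for the test class and waits for the default namespace.
 *
 * <p>The effective master user is granted ADMIN on {@link NamespaceId#DEFAULT} only while waiting
 * for the namespace (presumably because its creation is enforced against that user), and the grant
 * is revoked in a {@code finally} block. A timeout or any other failure in the wait therefore no
 * longer leaves the master user holding ADMIN on the default namespace for the rest of the run.
 *
 * @throws Exception if the injector, the server start or the namespace wait fails
 */
@BeforeClass
public static void setup() throws Exception {
  cConf = createCConf();
  final Injector injector = AppFabricTestHelper.getInjector(cConf);
  metadataAdmin = injector.getInstance(MetadataAdmin.class);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  appFabricServer = injector.getInstance(AppFabricServer.class);
  appFabricServer.startAndWait();

  // Starting the Appfabric server will create the default namespace; grant ADMIN to the master
  // user only for as long as we wait for that creation.
  Principal masterUser = new Principal(AuthorizationUtil.getEffectiveMasterUser(cConf),
                                       Principal.PrincipalType.USER);
  Authorizable defaultNamespace = Authorizable.fromEntityId(NamespaceId.DEFAULT);
  authorizer.grant(defaultNamespace, masterUser, Collections.singleton(Action.ADMIN));
  try {
    Tasks.waitFor(true, () -> injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT),
                  5, TimeUnit.SECONDS);
  } finally {
    // Always take the temporary privilege away again, even when the wait failed.
    authorizer.revoke(defaultNamespace, masterUser, Collections.singleton(Action.ADMIN));
  }
}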
/**
 * Grants {@code actions} on {@code authorizable} to {@code principal} by forwarding the call
 * unchanged to the wrapped authorizer.
 *
 * @throws Exception whatever the delegate throws
 */
@Override
public void grant(Authorizable authorizable, Principal principal, Set<Action> actions)
  throws Exception {
  delegateAuthorizer.grant(authorizable, principal, actions);
}
/**
 * Lists the privileges of {@code principal} by forwarding the call unchanged to the wrapped
 * authorizer.
 *
 * @return the delegate's result, returned as-is (no copy is made here)
 * @throws Exception whatever the delegate throws
 */
@Override
public Set<Privilege> listPrivileges(Principal principal) throws Exception {
  Set<Privilege> privileges = delegateAuthorizer.listPrivileges(principal);
  return privileges;
}
}
/**
 * Revokes {@code actions} on {@code authorizable} from {@code principal} by forwarding the call
 * unchanged to the wrapped authorizer.
 *
 * @throws Exception whatever the delegate throws
 */
@Override
public void revoke(Authorizable authorizable, Principal principal, Set<Action> actions)
  throws Exception {
  delegateAuthorizer.revoke(authorizable, principal, actions);
}
Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty()); Assert.assertTrue(!getAuthorizer().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty()); Assert.assertEquals(3, authorizer.listPrivileges(BOB).size());
/**
 * Asserts that {@code principal} passes enforcement for every {@link Action} on each of the given
 * entities; a denial surfaces as whatever exception {@code enforce} throws.
 *
 * @param principal principal whose access is checked
 * @param entityIds entities that must all be fully accessible
 * @throws Exception if enforcement fails for any entity
 */
private void assertAllAccess(Principal principal, EntityId... entityIds) throws Exception {
  EnumSet<Action> everyAction = EnumSet.allOf(Action.class);
  for (EntityId entity : entityIds) {
    getAuthorizer().enforce(entity, principal, everyAction);
  }
}
/********************************************************************************************************************
 * Role Management : For Role Based Access Control
 ********************************************************************************************************************/

/**
 * Creates the role named {@code role-name}. Responds with 200 OK and writes a log entry for the
 * request; failures (for example security being disabled) propagate as exceptions.
 *
 * @throws Exception if security is not enabled or the authorizer call fails
 */
@Path("/roles/{role-name}")
@PUT
public void createRole(HttpRequest httpRequest, HttpResponder httpResponder,
                       @PathParam("role-name") String roleName) throws Exception {
  ensureSecurityEnabled();
  Role role = new Role(roleName);
  authorizer.createRole(role);
  HttpResponseStatus status = HttpResponseStatus.OK;
  httpResponder.sendStatus(status);
  createLogEntry(httpRequest, status);
}
/**
 * Deletes the role named {@code role-name}. Responds with 200 OK and writes a log entry for the
 * request; failures (for example security being disabled) propagate as exceptions.
 *
 * @throws Exception if security is not enabled or the authorizer call fails
 */
@Path("/roles/{role-name}")
@DELETE
public void dropRole(HttpRequest httpRequest, HttpResponder httpResponder,
                     @PathParam("role-name") String roleName) throws Exception {
  ensureSecurityEnabled();
  Role role = new Role(roleName);
  authorizer.dropRole(role);
  HttpResponseStatus status = HttpResponseStatus.OK;
  httpResponder.sendStatus(status);
  createLogEntry(httpRequest, status);
}
Set<? extends EntityId> moreVisibleEntities; try { moreVisibleEntities = authorizerInstantiator.get().isVisible(difference, principal); } finally { watch.stop();
authorizer.grant(Authorizable.fromEntityId(NamespaceId.SYSTEM), ALICE, Collections.singleton(Action.ADMIN)); Assert.assertEquals( Collections.singleton(new Privilege(NamespaceId.SYSTEM, Action.ADMIN)), authorizer.listPrivileges(ALICE)); authorizer.grant(Authorizable.fromEntityId(namespaceId), ALICE, Collections.singleton(Action.ADMIN)); namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build()); authorizer.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(Action.class)); Assert.fail(); } catch (UnauthorizedException e) { authorizer.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(Action.ADMIN)); artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT)); authorizer.revoke(Authorizable.fromEntityId(SYSTEM_ARTIFACT)); authorizer.revoke(Authorizable.fromEntityId(namespaceId));
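/**
 * Starts the app-fabric server once for the test class and waits for the default namespace.
 *
 * <p>The effective master user is granted ADMIN on {@link NamespaceId#DEFAULT} only while waiting
 * for the namespace (presumably because its creation is enforced against that user), and the grant
 * is revoked in a {@code finally} block. A timeout or any other failure in the wait therefore no
 * longer leaves the master user holding ADMIN on the default namespace for the rest of the run.
 *
 * @throws Exception if the injector, the server start or the namespace wait fails
 */
@BeforeClass
public static void setup() throws Exception {
  cConf = createCConf();
  final Injector injector = AppFabricTestHelper.getInjector(cConf);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  appFabricServer = injector.getInstance(AppFabricServer.class);
  appFabricServer.startAndWait();
  programLifecycleService = injector.getInstance(ProgramLifecycleService.class);

  // Starting the Appfabric server will create the default namespace; grant ADMIN to the master
  // user only for as long as we wait for that creation.
  Principal masterUser = new Principal(AuthorizationUtil.getEffectiveMasterUser(cConf),
                                       Principal.PrincipalType.USER);
  Authorizable defaultNamespace = Authorizable.fromEntityId(NamespaceId.DEFAULT);
  authorizer.grant(defaultNamespace, masterUser, Collections.singleton(Action.ADMIN));
  try {
    Tasks.waitFor(true, new Callable<Boolean>() {
      @Override
      public Boolean call() throws Exception {
        return injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT);
      }
    }, 5, TimeUnit.SECONDS);
  } finally {
    // Always take the temporary privilege away again, even when the wait failed.
    authorizer.revoke(defaultNamespace, masterUser, Collections.singleton(Action.ADMIN));
  }
}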
/**
 * Grants the given privileges to ALICE one map entry at a time and, after every grant except the
 * last, asserts that deploying {@link AllProgramsApp} still fails — i.e. no incomplete subset of the
 * required privileges is sufficient.
 *
 * <p>Which entry is "last" follows the map's iteration order. The deploy attempt is expected to
 * throw; any {@code Exception} is accepted, so a failure for an unrelated reason would also pass
 * this check (narrow the catch if the expected type is known). {@code Assert.fail()} throws an
 * {@link AssertionError}, which is not an {@code Exception} and therefore propagates. After the
 * final grant no deploy is attempted here; presumably the caller verifies the successful deploy.
 *
 * @param neededPrivileges every privilege required for a successful deploy, keyed by entity
 * @throws Exception if a grant fails
 */
private void setUpPrivilegesAndExpectFailedDeploy(Map<EntityId, Set<Action>> neededPrivileges)
  throws Exception {
  int remaining = neededPrivileges.size();
  for (Map.Entry<EntityId, Set<Action>> entry : neededPrivileges.entrySet()) {
    authorizer.grant(Authorizable.fromEntityId(entry.getKey()), ALICE, entry.getValue());
    if (--remaining == 0) {
      break;  // the set of privileges is now complete; no failing deploy to check
    }
    try {
      AppFabricTestHelper.deployApplication(Id.Namespace.DEFAULT, AllProgramsApp.class, null, cConf);
      Assert.fail();
    } catch (Exception e) {
      // expected: the granted privileges are still incomplete
    }
  }
}
}
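/**
 * Revokes everything granted on the system namespace, checks that ALICE holds no privileges any
 * more, and restores the request context's user id.
 *
 * <p>The user id is restored in a {@code finally} block so that a failing revoke or a failing
 * assertion does not leak this class's user id into test classes that run afterwards.
 *
 * @throws Exception if the revoke or the privilege listing fails
 */
@AfterClass
public static void cleanup() throws Exception {
  try {
    authorizer.revoke(Authorizable.fromEntityId(NamespaceId.SYSTEM));
    // Every other privilege is expected to have been revoked by the tests themselves.
    Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE));
  } finally {
    SecurityRequestContext.setUserId(OLD_USER_ID);
  }
}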
/**
 * Returns, as JSON, the privileges held by the principal identified by {@code principal-type}
 * and {@code principal-name}, and writes a log entry for the request.
 *
 * <p>{@code principal-type} is upper-cased with the JVM default locale and resolved through
 * {@code Principal.PrincipalType.valueOf}, so a value that is not a known type throws
 * {@link IllegalArgumentException}; how that maps to an HTTP status is not visible here.
 *
 * @throws Exception if security is not enabled or the authorizer call fails
 */
@Path("{principal-type}/{principal-name}/privileges")
@GET
public void listPrivileges(HttpRequest httpRequest, HttpResponder httpResponder,
                           @PathParam("principal-type") String principalType,
                           @PathParam("principal-name") String principalName) throws Exception {
  ensureSecurityEnabled();
  Principal.PrincipalType type = Principal.PrincipalType.valueOf(principalType.toUpperCase());
  Principal target = new Principal(principalName, type);
  String body = GSON.toJson(authorizer.listPrivileges(target), PRIVILEGE_SET_TYPE);
  HttpResponseStatus status = HttpResponseStatus.OK;
  httpResponder.sendJson(status, body);
  createLogEntry(httpRequest, status);
}