/**
 * Creates {@code AUTH_NAMESPACE} after granting ALICE ADMIN on it.
 *
 * <p>Once the namespace exists, the authorizer is expected to report exactly one privilege for
 * ALICE: ADMIN on {@code AUTH_NAMESPACE}. Any extra or missing privilege fails the assertion.
 *
 * @throws Exception if the grant, the namespace creation or the privilege lookup fails
 */
private void createAuthNamespace() throws Exception {
  Authorizer auth = getAuthorizer();

  // The grant has to precede the create call; testNamespaces shows create being rejected without it.
  grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
  getNamespaceAdmin().create(AUTH_NAMESPACE_META);

  // Exact-set comparison: no additional privilege may have appeared during creation.
  Privilege adminOnAuthNamespace = new Privilege(AUTH_NAMESPACE, Action.ADMIN);
  Assert.assertEquals(ImmutableSet.of(adminOnAuthNamespace), auth.listPrivileges(ALICE));
}
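/**
 * Tears down the authorization state a test left behind.
 *
 * <p>The request context is switched to ALICE and she is granted ADMIN on {@code AUTH_NAMESPACE}
 * again, because a test may have revoked it and the existence check is rejected without it (see
 * testNamespaces). The namespace is then deleted if present, every grant on it and on each entity
 * in {@code cleanUpEntities} is revoked, and ALICE must end up with no privileges at all.
 *
 * <p>The revocations run in a {@code finally} block: if the namespace deletion throws, the grants
 * are still removed, so a leftover privilege cannot make a later test's authorization check pass
 * for the wrong reason. A failure inside the revocations takes precedence over an earlier one.
 *
 * @throws Exception if the grant, the deletion, a revocation or the final privilege check fails
 */
@After
@Override
public void afterTest() throws Exception {
  Authorizer authorizer = getAuthorizer();
  SecurityRequestContext.setUserId(ALICE.getName());
  grantAndAssertSuccess(AUTH_NAMESPACE, SecurityRequestContext.toPrincipal(), EnumSet.of(Action.ADMIN));
  try {
    // clean up. remove the namespace if it exists
    if (getNamespaceAdmin().exists(AUTH_NAMESPACE)) {
      getNamespaceAdmin().delete(AUTH_NAMESPACE);
      Assert.assertFalse(getNamespaceAdmin().exists(AUTH_NAMESPACE));
    }
  } finally {
    // Always drop the grants, even when the deletion above failed.
    revokeAndAssertSuccess(AUTH_NAMESPACE);
    for (EntityId entityId : cleanUpEntities) {
      revokeAndAssertSuccess(entityId);
    }
  }
  // Nothing may remain granted to ALICE once teardown has finished.
  Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE));
}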
/**
 * Deploys the dummy app with BOB passed as the app-level impersonation owner.
 *
 * <p>ALICE receives ADMIN on the {@code appImpersonation} namespace before it is created, and the
 * namespace id is queued in {@code cleanUpEntities} so that teardown revokes the grant.
 *
 * @throws Exception if the grant, the namespace creation or the deployment fails
 */
private void testDeployAppWithOwner() throws Exception {
  NamespaceId appNamespace = new NamespaceId("appImpersonation");
  NamespaceMeta appNamespaceMeta =
    new NamespaceMeta.Builder()
      .setName(appNamespace.getNamespace())
      .build();

  // ALICE needs ADMIN on the namespace before she can create it.
  EnumSet<Action> adminOnly = EnumSet.of(Action.ADMIN);
  grantAndAssertSuccess(appNamespace, ALICE, adminOnly);
  cleanUpEntities.add(appNamespace);
  getNamespaceAdmin().create(appNamespaceMeta);

  // The owner is supplied with the app itself, not through the namespace metadata.
  deployDummyAppWithImpersonation(appNamespaceMeta, BOB.getName());
}
/**
 * Deploys the dummy app into a namespace owned by BOB, without an app-level owner.
 *
 * <p>Creating a namespace with BOB as its principal must be rejected while ALICE holds ADMIN on
 * the namespace only; it succeeds once she is also granted ADMIN on the principal BOB. Both the
 * namespace id and the principal id are queued in {@code cleanUpEntities} for teardown.
 *
 * @throws Exception if a grant, the namespace creation or the deployment fails unexpectedly
 */
private void testDeployAppWithoutOwner() throws Exception {
  NamespaceId impersonatedNamespace = new NamespaceId("namespaceImpersonation");
  // The namespace is owned by bob. The keytab URI only exists to satisfy the check in
  // DefaultNamespaceAdmin; it is never used, because no impersonation happens in unit tests.
  NamespaceMeta bobOwnedMeta =
    new NamespaceMeta.Builder()
      .setName(impersonatedNamespace.getNamespace())
      .setPrincipal(BOB.getName())
      .setKeytabURI("/tmp/")
      .build();
  KerberosPrincipalId bobPrincipal = new KerberosPrincipalId(BOB.getName());

  // ADMIN on the namespace alone is not enough: alice also needs a privilege on principal bob.
  grantAndAssertSuccess(impersonatedNamespace, ALICE, EnumSet.of(Action.ADMIN));
  cleanUpEntities.add(impersonatedNamespace);
  boolean createRejected = false;
  try {
    getNamespaceAdmin().create(bobOwnedMeta);
  } catch (UnauthorizedException expected) {
    createRejected = true;
  }
  if (!createRejected) {
    Assert.fail("Namespace creation should fail since alice does not have privilege on principal bob");
  }

  // With ADMIN on principal bob in place, the same create call has to go through.
  grantAndAssertSuccess(bobPrincipal, ALICE, EnumSet.of(Action.ADMIN));
  cleanUpEntities.add(bobPrincipal);
  getNamespaceAdmin().create(bobOwnedMeta);

  // No app owner is passed (null), so only the namespace-level owner applies.
  deployDummyAppWithImpersonation(bobOwnedMeta, null);
}
// Fragment of a test body: privilege setup for ALICE, then creation of two namespaces and two
// dataset instances of type "keyValueTable", then deletion of both namespaces.
// NOTE(review): setUpPrivilegeAndRegisterForDeletion is not shown; presumably it grants
// neededPrivileges to ALICE and queues them for revocation in teardown — confirm.
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(inputDatasetNS);
getNamespaceAdmin().create(outputDatasetNS);
addDatasetInstance(table1Id, "keyValueTable").create();
addDatasetInstance(table2Id, "keyValueTable").create();
// Both namespaces are removed again within the same fragment.
getNamespaceAdmin().delete(inputDatasetNS.getNamespaceId());
getNamespaceAdmin().delete(outputDatasetNS.getNamespaceId());
// Fragment of a test body: privilege setup for ALICE, then creation of the input and output
// namespaces and one "keyValueTable" dataset instance per table id, then deletion of both
// namespaces.
// NOTE(review): setUpPrivilegeAndRegisterForDeletion is not shown; presumably it grants
// neededPrivileges to ALICE and queues them for revocation in teardown — confirm.
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(inputDatasetNSMeta);
getNamespaceAdmin().create(outputDatasetNSMeta);
addDatasetInstance(inputTableId, "keyValueTable").create();
addDatasetInstance(outputTableId, "keyValueTable").create();
// Both namespaces are removed again within the same fragment.
getNamespaceAdmin().delete(inputDatasetNSMeta.getNamespaceId());
getNamespaceAdmin().delete(outputDatasetNSMeta.getNamespaceId());
// Fragment of a test body: privilege setup for ALICE, creation of the output namespace, a call
// to addDatasetInstance, then deletion of the namespace.
// NOTE(review): setUpPrivilegeAndRegisterForDeletion is not shown; presumably it grants
// neededPrivileges to ALICE and queues them for revocation in teardown — confirm.
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges );
getNamespaceAdmin().create(outputDatasetNS);
// NOTE(review): the value returned by addDatasetInstance is discarded here, while the sibling
// fragments call .create() on it — confirm this is intentional.
addDatasetInstance(datasetId, "keyValueTable");
getNamespaceAdmin().delete(outputDatasetNS.getNamespaceId());
// Fragment of a test body: privilege setup for ALICE, creation of a second namespace with one
// "keyValueTable" dataset instance, a call to addDummyData, then deletion of the namespace.
// NOTE(review): setUpPrivilegeAndRegisterForDeletion is not shown; presumably it grants
// neededPrivileges to ALICE and queues them for revocation in teardown — confirm.
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(otherNS);
addDatasetInstance(datasetId, "keyValueTable").create();
// The dummy data goes to "table1" under NamespaceId.SYSTEM, not under otherNS.
// NOTE(review): whether neededPrivileges covers the SYSTEM namespace is not visible here.
addDummyData(NamespaceId.SYSTEM, "table1");
getNamespaceAdmin().delete(otherNS.getNamespaceId());
// Fragment of a test body: privilege setup for ALICE, creation of a second namespace with one
// "keyValueTable" dataset instance, a call to addDummyData, then deletion of the namespace.
// NOTE(review): setUpPrivilegeAndRegisterForDeletion is not shown; presumably it grants
// neededPrivileges to ALICE and queues them for revocation in teardown — confirm.
setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges);
getNamespaceAdmin().create(otherNS);
addDatasetInstance(otherTableId, "keyValueTable").create();
// The dummy data goes to "table1" under NamespaceId.SYSTEM, not under otherNS.
// NOTE(review): whether neededPrivileges covers the SYSTEM namespace is not visible here.
addDummyData(NamespaceId.SYSTEM, "table1");
getNamespaceAdmin().delete(otherNS.getNamespaceId());
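/**
 * Verifies that namespace operations are enforced against ALICE's privileges.
 *
 * <p>The test walks through four states: no privilege (create is rejected), ADMIN granted
 * (create, list and get work), ADMIN revoked (list is empty and the existence check is rejected),
 * and ADMIN granted again (exists, get and updateProperties work).
 *
 * <p>After the re-grant the result of {@code exists} is asserted rather than discarded, so the
 * test fails if the namespace is silently reported as missing instead of merely not throwing.
 *
 * @throws Exception if a namespace or authorizer call fails unexpectedly
 */
@Test
public void testNamespaces() throws Exception {
  NamespaceAdmin namespaceAdmin = getNamespaceAdmin();
  Authorizer authorizer = getAuthorizer();
  try {
    namespaceAdmin.create(AUTH_NAMESPACE_META);
    Assert.fail("Namespace create should have failed because alice is not authorized on " + AUTH_NAMESPACE);
  } catch (UnauthorizedException expected) {
    // expected
  }
  createAuthNamespace();
  Assert.assertTrue(namespaceAdmin.list().contains(AUTH_NAMESPACE_META));
  // Only checks that the lookup is not rejected; the returned metadata is not inspected here.
  namespaceAdmin.get(AUTH_NAMESPACE);
  // revoke privileges
  revokeAndAssertSuccess(AUTH_NAMESPACE);
  try {
    // NOTE(review): an UnauthorizedException thrown by list() would also land in the catch below,
    // leaving the exists() call unchecked — confirm list() filters rather than throws.
    Assert.assertTrue(namespaceAdmin.list().isEmpty());
    namespaceAdmin.exists(AUTH_NAMESPACE);
    Assert.fail("Namespace existence check should fail since the privilege of alice has been revoked");
  } catch (UnauthorizedException expected) {
    // expected
  }
  // grant privileges again
  grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
  // The namespace was never deleted, so with the grant restored it must be visible again.
  Assert.assertTrue(namespaceAdmin.exists(AUTH_NAMESPACE));
  Assert.assertEquals(ImmutableSet.of(new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE));
  NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
  namespaceAdmin.updateProperties(AUTH_NAMESPACE, updated);
  Assert.assertEquals(updated, namespaceAdmin.get(AUTH_NAMESPACE));
}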