private void setUpPrivilegeAndRegisterForDeletion(Principal principal, Map<EntityId, Set<Action>> neededPrivileges) throws Exception { for (Map.Entry<EntityId, Set<Action>> privilege : neededPrivileges.entrySet()) { grantAndAssertSuccess(privilege.getKey(), principal, privilege.getValue()); cleanUpEntities.add(privilege.getKey()); } }
@Test public void testCrossNSMapReduce() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(DatasetCrossNSAccessWithMAPApp.class.getSimpleName()); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(DatasetCrossNSAccessWithMAPApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.program(ProgramType.MAPREDUCE, DatasetCrossNSAccessWithMAPApp.MAPREDUCE_PROGRAM); // bob will be executing the program grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); cleanUpEntities.add(programId); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, DatasetCrossNSAccessWithMAPApp.class); MapReduceManager mrManager = appManager.getMapReduceManager(DatasetCrossNSAccessWithMAPApp.MAPREDUCE_PROGRAM); testCrossNSSystemDatasetAccessWithAuthMapReduce(mrManager); testCrossNSDatasetAccessWithAuthMapReduce(mrManager); }
@Test public void testCrossNSSpark() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(TestSparkCrossNSDatasetApp.APP_NAME); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(TestSparkCrossNSDatasetApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.dataset(TestSparkCrossNSDatasetApp.DEFAULT_OUTPUT_DATASET), EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.datasetType(KeyValueTable.class.getName()), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.spark(TestSparkCrossNSDatasetApp.SPARK_PROGRAM_NAME); // bob will be executing the program grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); cleanUpEntities.add(programId); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, TestSparkCrossNSDatasetApp.class); SparkManager sparkManager = appManager.getSparkManager(TestSparkCrossNSDatasetApp.SparkCrossNSDatasetProgram .class.getSimpleName()); testCrossNSSystemDatasetAccessWithAuthSpark(sparkManager); testCrossNSDatasetAccessWithAuthSpark(sparkManager); }
private void createAuthNamespace() throws Exception { Authorizer authorizer = getAuthorizer(); grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN)); getNamespaceAdmin().create(AUTH_NAMESPACE_META); Assert.assertEquals(ImmutableSet.of(new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE)); }
@Test public void testCrossNSService() throws Exception { createAuthNamespace(); ApplicationId appId = AUTH_NAMESPACE.app(CrossNsDatasetAccessApp.APP_NAME); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() .put(appId, EnumSet.of(Action.ADMIN)) .put(AUTH_NAMESPACE.artifact(CrossNsDatasetAccessApp.class.getSimpleName(), "1.0-SNAPSHOT"), EnumSet.of(Action.ADMIN)) .build(); setUpPrivilegeAndRegisterForDeletion(ALICE, neededPrivileges); ProgramId programId = appId.service(CrossNsDatasetAccessApp.SERVICE_NAME); cleanUpEntities.add(programId); // grant bob execute on program and READ/WRITE on stream grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); ApplicationManager appManager = deployApplication(AUTH_NAMESPACE, CrossNsDatasetAccessApp.class); // switch to to ALICE SecurityRequestContext.setUserId(ALICE.getName()); ServiceManager serviceManager = appManager.getServiceManager(CrossNsDatasetAccessApp.SERVICE_NAME); testSystemDatasetAccessFromService(serviceManager); testCrossNSDatasetAccessFromService(serviceManager); }
grantAndAssertSuccess(datasetId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(datasetTypeId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(dummyDatasetId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(dummyTypeId, principal, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(dummyModuleId, principal, EnumSet.of(Action.ADMIN));
private void testDeployAppWithOwner() throws Exception { NamespaceId namespaceId = new NamespaceId("appImpersonation"); NamespaceMeta nsMeta = new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build(); // grant ALICE admin on namespace and create namespace grantAndAssertSuccess(namespaceId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(namespaceId); getNamespaceAdmin().create(nsMeta); // deploy dummy app with app impersonation deployDummyAppWithImpersonation(nsMeta, BOB.getName()); }
private void testDeployAppWithoutOwner() throws Exception { NamespaceId namespaceId = new NamespaceId("namespaceImpersonation"); // We will create a namespace as owner bob, the keytab url is provided to pass the check for DefaultNamespaceAdmin // in unit test, it is useless, since impersonation will never happen NamespaceMeta ownerNSMeta = new NamespaceMeta.Builder().setName(namespaceId.getNamespace()) .setPrincipal(BOB.getName()).setKeytabURI("/tmp/").build(); KerberosPrincipalId bobPrincipalId = new KerberosPrincipalId(BOB.getName()); // grant alice admin to the namespace, but creation should still fail since alice needs to have privilege on // principal bob grantAndAssertSuccess(namespaceId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(namespaceId); try { getNamespaceAdmin().create(ownerNSMeta); Assert.fail("Namespace creation should fail since alice does not have privilege on principal bob"); } catch (UnauthorizedException e) { // expected } // grant alice admin on principal bob, now creation of namespace should work grantAndAssertSuccess(bobPrincipalId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(bobPrincipalId); getNamespaceAdmin().create(ownerNSMeta); // deploy dummy app with ns impersonation deployDummyAppWithImpersonation(ownerNSMeta, null); }
@Test public void testPrograms() throws Exception { createAuthNamespace(); grantAndAssertSuccess(AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()), ALICE, EnumSet.of(Action.ADMIN)); ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()); final ProgramId serviceId = dummyAppId.service(DummyApp.Greeting.SERVICE_NAME);
grantAndAssertSuccess(programId, BOB, EnumSet.of(Action.EXECUTE)); cleanUpEntities.add(programId); grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.READ)); cleanUpEntities.add(datasetId); grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.WRITE, Action.READ)); pfsService.start(); pfsService.waitForRun(ProgramRunStatus.RUNNING, 1, TimeUnit.MINUTES);
grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE)); grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_ACTIONS);
@After @Override public void afterTest() throws Exception { Authorizer authorizer = getAuthorizer(); SecurityRequestContext.setUserId(ALICE.getName()); grantAndAssertSuccess(AUTH_NAMESPACE, SecurityRequestContext.toPrincipal(), EnumSet.of(Action.ADMIN)); // clean up. remove the namespace if it exists if (getNamespaceAdmin().exists(AUTH_NAMESPACE)) { getNamespaceAdmin().delete(AUTH_NAMESPACE); Assert.assertFalse(getNamespaceAdmin().exists(AUTH_NAMESPACE)); } revokeAndAssertSuccess(AUTH_NAMESPACE); for (EntityId entityId : cleanUpEntities) { revokeAndAssertSuccess(entityId); } Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE)); }
grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE)); grantAndAssertSuccess(otherNS.getNamespaceId().dataset("otherTable"), BOB, ALL_ACTIONS);
private void testSystemDatasetAccessFromService(ServiceManager serviceManager) throws Exception { addDatasetInstance(NamespaceId.SYSTEM.dataset("store"), "keyValueTable"); // give bob write permission on the dataset grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("store"), BOB, EnumSet.of(Action.WRITE)); // switch to BOB SecurityRequestContext.setUserId(BOB.getName()); Map<String, String> args = ImmutableMap.of( CrossNsDatasetAccessApp.OUTPUT_DATASET_NS, NamespaceId.SYSTEM.getNamespace(), CrossNsDatasetAccessApp.OUTPUT_DATASET_NAME, "store" ); // Start the Service as BOB serviceManager.start(args); // Try to write data, it should fail as BOB don't have the permission to get system dataset URL url = new URL(serviceManager.getServiceURL(5, TimeUnit.SECONDS), "write/data"); HttpResponse response = HttpRequests.execute(HttpRequest.put(url).build()); Assert.assertEquals(500, response.getResponseCode()); Assert.assertTrue(response.getResponseBodyAsString().contains("Cannot access dataset store in system namespace")); serviceManager.stop(); serviceManager.waitForStopped(10, TimeUnit.SECONDS); // switch to back to ALICE SecurityRequestContext.setUserId(ALICE.getName()); // cleanup deleteDatasetInstance(NamespaceId.SYSTEM.dataset("store")); }
grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(workflowID, BOB, EnumSet.of(Action.EXECUTE)); grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN)); grantAndAssertSuccess(appId, BOB, EnumSet.of(Action.ADMIN)); deleteSchedule(scheduleId); workflowManager.getSchedule(scheduleId.getSchedule()).status(HttpURLConnection.HTTP_NOT_FOUND);
grantAndAssertSuccess(inputDatasetNS.getNamespaceId().dataset("table1"), BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(outputDatasetNS.getNamespaceId().dataset("table2"), BOB, EnumSet.of(Action.WRITE));
grantAndAssertSuccess(inputDatasetNSMeta.getNamespaceId().dataset("input"), BOB, EnumSet.of(Action.READ)); grantAndAssertSuccess(outputDatasetNSMeta.getNamespaceId().dataset("output"), BOB, EnumSet.of(Action.WRITE));
grantAndAssertSuccess(appArtifactId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(appArtifactId); ArtifactManager appArtifactManager = addAppArtifact(appArtifactId, ConfigTestApp.class); ArtifactId pluginArtifactId = AUTH_NAMESPACE.artifact(pluginArtifactName, pluginArtifactVersion); grantAndAssertSuccess(pluginArtifactId, ALICE, EnumSet.of(Action.ADMIN)); cleanUpEntities.add(pluginArtifactId); ArtifactManager pluginArtifactManager = addPluginArtifact(pluginArtifactId, appArtifactId, ToStringPlugin.class);
grantAndAssertSuccess(datasetId, BOB, EnumSet.of(Action.WRITE));
@Test public void testNamespaces() throws Exception { NamespaceAdmin namespaceAdmin = getNamespaceAdmin(); Authorizer authorizer = getAuthorizer(); try { namespaceAdmin.create(AUTH_NAMESPACE_META); Assert.fail("Namespace create should have failed because alice is not authorized on " + AUTH_NAMESPACE); } catch (UnauthorizedException expected) { // expected } createAuthNamespace(); Assert.assertTrue(namespaceAdmin.list().contains(AUTH_NAMESPACE_META)); namespaceAdmin.get(AUTH_NAMESPACE); // revoke privileges revokeAndAssertSuccess(AUTH_NAMESPACE); try { Assert.assertTrue(namespaceAdmin.list().isEmpty()); namespaceAdmin.exists(AUTH_NAMESPACE); Assert.fail("Namespace existence check should fail since the privilege of alice has been revoked"); } catch (UnauthorizedException expected) { // expected } // grant privileges again grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN)); namespaceAdmin.exists(AUTH_NAMESPACE); Assert.assertEquals(ImmutableSet.of(new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE)); NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build(); namespaceAdmin.updateProperties(AUTH_NAMESPACE, updated); Assert.assertEquals(updated, namespaceAdmin.get(AUTH_NAMESPACE)); }