/**
 * Asserts that an {@link AuthorizerInstantiator} built from the given configuration
 * hands out a {@link NoOpAuthorizer}.
 *
 * <p>This pins the disabled-feature fallback: with {@code feature} switched off, the
 * instantiator is expected to return the no-op implementation and not a real authorizer.
 *
 * @param cConf configuration in which the feature under test has been disabled
 * @param feature the disabled feature; only used to build the failure message
 * @throws IOException if closing the instantiator fails
 */
private void assertDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature) throws IOException {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    Authorizer authorizer = instantiator.get();
    // Build the diagnostic first so the assertion itself reads as a single type check.
    String message = String.format(
      "When %s is disabled, a %s must be returned, but got %s.",
      feature.name().toLowerCase(),
      NoOpAuthorizer.class.getSimpleName(),
      authorizer.getClass().getName());
    Assert.assertTrue(message, authorizer instanceof NoOpAuthorizer);
  }
}
/**
 * Verifies that an extension jar whose manifest Main-Class does not implement
 * {@link Authorizer} is rejected with an {@link InvalidAuthorizerException}.
 *
 * <p>The root cause of whatever the instantiator throws is rethrown so that the
 * {@code expected} clause matches the innermost exception rather than a wrapper.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testDoesNotImplementAuthorizer() throws Throwable {
  // Manifest that names a class which is not an Authorizer as the extension's main class.
  Manifest manifest = new Manifest();
  manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, DoesNotImplementAuthorizer.class.getName());
  Location jarLocation =
    AppJarHelper.createDeploymentJar(locationFactory, DoesNotImplementAuthorizer.class, manifest);
  // NOTE(review): this writes into the shared CCONF rather than a copy; confirm the fixture
  // resets it, otherwise later tests may run against this invalid extension jar.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, jarLocation.toString());
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    // Reaching this line means the invalid class was accepted.
    Assert.fail("Instantiation of Authorizer should have failed because the Authorizer class defined in the" +
                  " extension jar's manifest does not implement " + Authorizer.class.getName());
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
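/**
 * Verifies that an extension whose authorizer class ({@link ExceptionInInitialize}) cannot be
 * brought up is rejected, and that the failure surfaces with an
 * {@link InvalidAuthorizerException} as the direct cause of the thrown exception.
 *
 * <p>Only the direct cause is unwrapped here (not the root cause), so the test pins the
 * exception that immediately wraps the underlying failure.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testInitializationThrowsException() throws Throwable {
  Manifest manifest = new Manifest();
  Attributes mainAttributes = manifest.getMainAttributes();
  mainAttributes.put(Attributes.Name.MAIN_CLASS, ExceptionInInitialize.class.getName());
  Location externalAuthJar = AppJarHelper.createDeploymentJar(locationFactory, ExceptionInInitialize.class, manifest);
  // NOTE(review): this writes into the shared CCONF rather than a copy; confirm the fixture
  // resets it, otherwise later tests may run against this failing extension jar.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, externalAuthJar.toString());
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    // The message previously described a different scenario (class not implementing Authorizer).
    Assert.fail("Instantiation of Authorizer should have failed because the Authorizer class defined in "
                  + "the extension jar's manifest fails during initialization.");
  } catch (Throwable e) {
    // The AssertionError from Assert.fail has no cause; rethrowing a null cause would raise a
    // NullPointerException and hide the real reason the test failed, so fall back to e itself.
    Throwable cause = e.getCause();
    throw cause == null ? e : cause;
  }
}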
/**
 * Verifies that an extension jar whose manifest carries only a manifest version, and no
 * Main-Class entry, is rejected with an {@link InvalidAuthorizerException}.
 *
 * <p>The root cause of the thrown exception is rethrown so the {@code expected} clause
 * matches the innermost exception.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testMissingAuthorizerClassName() throws Throwable {
  Manifest manifest = new Manifest();
  Attributes mainAttributes = manifest.getMainAttributes();
  // Deliberately no MAIN_CLASS: the manifest is present but names no authorizer class.
  mainAttributes.put(Attributes.Name.MANIFEST_VERSION, "1.0");
  Location jarLocation = createInvalidExternalAuthJar(manifest);
  // NOTE(review): mutates the shared CCONF; confirm the fixture resets it between tests.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, jarLocation.toString());
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar's manifest does not define" +
                  " Authorizer class.");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Verifies that an extension jar built without a manifest is rejected with an
 * {@link InvalidAuthorizerException}.
 *
 * <p>The root cause of the thrown exception is rethrown so the {@code expected} clause
 * matches the innermost exception.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testMissingManifest() throws Throwable {
  // Passing null asks the helper for a jar with no manifest.
  Location jarLocation = createInvalidExternalAuthJar(null);
  String jarPath = jarLocation.toString();
  // NOTE(review): mutates the shared CCONF; confirm the fixture resets it between tests.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, jarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar does not have a manifest");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Verifies that pointing the extension jar path at a file that does not exist is rejected
 * with an {@link InvalidAuthorizerException}.
 *
 * <p>The root cause of the thrown exception is rethrown so the {@code expected} clause
 * matches the innermost exception.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testNonExistingAuthorizerJarPath() throws Throwable {
  // Hard-coded path that is assumed not to exist on the machine running the test.
  String missingJarPath = "/path/to/external-test-authorizer.jar";
  // NOTE(review): mutates the shared CCONF; confirm the fixture resets it between tests.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, missingJarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar does not exist.");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Verifies that pointing the extension jar path at a directory is rejected with an
 * {@link InvalidAuthorizerException}.
 *
 * <p>The root cause of the thrown exception is rethrown so the {@code expected} clause
 * matches the innermost exception.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testAuthorizerJarPathIsDirectory() throws Throwable {
  // A freshly created folder stands in for the "jar".
  String directoryPath = TEMPORARY_FOLDER.newFolder().getPath();
  // NOTE(review): mutates the shared CCONF; confirm the fixture resets it between tests.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, directoryPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar is a directory");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Verifies that pointing the extension jar path at a regular file that is not a jar
 * ({@code abc.txt}) is rejected with an {@link InvalidAuthorizerException}.
 *
 * <p>The root cause of the thrown exception is rethrown so the {@code expected} clause
 * matches the innermost exception.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testAuthorizerJarPathIsNotJar() throws Throwable {
  // An empty text file stands in for the "jar".
  String textFilePath = TEMPORARY_FOLDER.newFile("abc.txt").getPath();
  // NOTE(review): mutates the shared CCONF; confirm the fixture resets it between tests.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, textFilePath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar is not a jar file");
  } catch (Throwable failure) {
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Verifies that a valid authorizer extension jar can be instantiated and that the class
 * loader of the resulting authorizer can see both the extension class and a resource
 * placed on the configured extra classpath.
 *
 * <p>Works on a copy of the shared configuration, so the jar path and extra classpath set
 * here do not leak into other tests.
 */
@Test
public void testAuthorizerExtension() throws IOException, ClassNotFoundException {
  Location extensionJar = createValidAuthExtensionJar();
  CConfiguration conf = CConfiguration.copy(CCONF);
  conf.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, extensionJar.toString());
  // The file only has to exist; its parent directory is what goes onto the extra classpath,
  // so everything in that directory becomes visible to the authorizer's class loader.
  final File resourceFile = TEMP_FOLDER.newFile("conf-file.xml");
  conf.set(Constants.Security.Authorization.EXTENSION_EXTRA_CLASSPATH, resourceFile.getParent());
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    // Instantiating the authorizer must succeed for a well-formed extension jar.
    Authorizer loadedAuthorizer = instantiator.get();
    ClassLoader extensionClassLoader = loadedAuthorizer.getClass().getClassLoader();
    // The authorizer's own class loader must resolve the extension class by name.
    // NOTE(review): this does not assert which loader defined the class — confirm that
    // parent delegation cannot satisfy it from the test classpath.
    extensionClassLoader.loadClass(ValidExternalAuthorizer.class.getName());
    // The extra classpath directory must be reachable through the same class loader.
    Assert.assertNotNull(extensionClassLoader.getResource("conf-file.xml"));
  }
}
/**
 * Verifies how the enforcer treats the principal of the current process user: every
 * {@link Action} on {@link NamespaceId#SYSTEM} passes enforcement, while visibility over a
 * set holding the system namespace and an ordinary namespace yields the system namespace only.
 *
 * <p>No privileges are granted in this test, so both results come from the enforcer's
 * handling of this principal rather than from stored grants.
 */
@Test
public void testSystemUser() throws Exception {
  CConfiguration conf = CConfiguration.copy(CCONF);
  String currentUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  Principal systemUser = new Principal(currentUserName, Principal.PrincipalType.USER);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    // Obtain the authorizer up front; the returned instance itself is not needed below.
    instantiator.get();
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(conf, instantiator);
    NamespaceId otherNamespace = new NamespaceId("ns1");
    // Must not throw: the system user is allowed every action on the system namespace.
    enforcer.enforce(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));
    // The ordinary namespace must be filtered out, leaving only SYSTEM visible.
    Assert.assertEquals(
      ImmutableSet.of(NamespaceId.SYSTEM),
      enforcer.isVisible(ImmutableSet.of(otherNamespace, NamespaceId.SYSTEM), systemUser));
  }
}
/**
 * Checks that, under the given configuration, grant, enforce and visibility calls all
 * succeed regardless of what has actually been granted.
 *
 * <p>Only BOB receives a grant here, yet enforcement for ALICE on the namespace is also
 * expected to pass and both entities are expected to be visible. That is the permissive
 * behaviour this helper pins for a configuration with authorization switched off.
 *
 * @param cConf configuration in which authorization is expected to be disabled
 * @throws Exception if any enforcement call is rejected or the instantiator fails
 */
private void verifyDisabled(CConfiguration cConf) throws Exception {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(cConf, instantiator);
    DatasetId dataset = NS.dataset("ds");
    // None of the following calls may throw when authorization is disabled.
    instantiator.get().grant(Authorizable.fromEntityId(dataset), BOB, ImmutableSet.of(Action.ADMIN));
    enforcer.enforce(NS, ALICE, Action.ADMIN);
    enforcer.enforce(dataset, BOB, Action.ADMIN);
    // Both the namespace and the dataset must be reported as visible to BOB.
    int visibleCount = enforcer.isVisible(ImmutableSet.<EntityId>of(NS, dataset), BOB).size();
    Assert.assertEquals(2, visibleCount);
  }
}
cConfCopy.set("foo." + Constants.Security.Authorization.EXTENSION_CONFIG_PREFIX + "dont.include", "not.prefix.should.not.be.included"); try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConfCopy, AUTH_CONTEXT_FACTORY)) {
@Test public void testIsVisible() throws Exception { try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) { Authorizer authorizer = authorizerInstantiator.get(); NamespaceId ns1 = new NamespaceId("ns1");
/**
 * Verifies that a privilege granted on a namespace does not carry over to an application:
 * ALICE is granted ADMIN on NS, enforcement on NS passes, and enforcement on APP must be
 * rejected with an {@link UnauthorizedException}.
 *
 * <p>Runs against a copy of the shared configuration.
 */
@Test
public void testPropagationDisabled() throws Exception {
  CConfiguration conf = CConfiguration.copy(CCONF);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(conf, instantiator);
    instantiator.get().grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.ADMIN));
    // The explicit grant on the namespace must be honoured.
    enforcer.enforce(NS, ALICE, Action.ADMIN);
    // No grant exists on APP itself, so this enforcement has to be denied.
    boolean denied = false;
    try {
      enforcer.enforce(APP, ALICE, Action.ADMIN);
    } catch (UnauthorizedException expected) {
      denied = true;
    }
    if (!denied) {
      Assert.fail("Alice should not have ADMIN privilege on the APP.");
    }
  }
}
@Test public void testAuthEnforce() throws Exception { try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) { Authorizer authorizer = authorizerInstantiator.get(); DefaultAuthorizationEnforcer authEnforcementService =