/**
 * Creates the manager and stores the object returned by {@code authorizerInstantiator.get()} as its delegate.
 *
 * @param authorizerInstantiator source of the delegate; {@code get()} is invoked exactly once, in this constructor
 */
@Inject
DelegatingPrivilegeManager(AuthorizerInstantiator authorizerInstantiator) {
  // NOTE(review): the delegate is whatever the instantiator resolves at construction time. Whether that can be
  // a permit-all implementation when authorization is disabled is not visible here - confirm against the
  // instantiator before relying on this class for privilege checks.
  this.delegateAuthorizer = authorizerInstantiator.get();
}
/**
 * Provides the {@link Authorizer} through which authorization operations are carried out.
 *
 * @return the instance handed out by the class-level {@code authorizerInstantiator}
 * @throws IOException declared by the signature; the failing path is not visible in this method
 * @throws InvalidAuthorizerException declared by the signature; the failing path is not visible in this method
 */
@Beta
protected static Authorizer getAuthorizer() throws IOException, InvalidAuthorizerException {
  // Pure delegation: no caching or validation happens at this level.
  Authorizer current = authorizerInstantiator.get();
  return current;
}
/**
 * Hands back the {@link Authorizer} to use for authorization operations.
 *
 * @return whatever the class-level {@code authorizerInstantiator} currently supplies
 * @throws IOException declared by the signature; not raised by any statement visible here
 * @throws InvalidAuthorizerException declared by the signature; not raised by any statement visible here
 */
@Beta
protected static Authorizer getAuthorizer() throws IOException, InvalidAuthorizerException {
  // Delegates straight to the instantiator; this method adds no checks of its own.
  Authorizer supplied = authorizerInstantiator.get();
  return supplied;
}
/**
 * Wires the handler with its collaborators and snapshots the two security switches from configuration.
 *
 * @param privilegesManager stored as-is
 * @param authorizerInstantiator queried once, here, for the authorizer this handler keeps
 * @param cConf read for {@code Constants.Security.ENABLED} and {@code Constants.Security.Authorization.ENABLED}
 * @param authenticationContext stored as-is
 */
@Inject
AuthorizationHandler(PrivilegesManager privilegesManager, AuthorizerInstantiator authorizerInstantiator,
                     CConfiguration cConf, AuthenticationContext authenticationContext) {
  this.privilegesManager = privilegesManager;
  this.authorizer = authorizerInstantiator.get();
  this.authenticationContext = authenticationContext;

  // Both switches are read once at construction; a later configuration change is not picked up by this object.
  // NOTE(review): how the handler's endpoints react when either flag is false is not visible here - confirm
  // that they refuse the request rather than skip the privilege check.
  boolean securityOn = cConf.getBoolean(Constants.Security.ENABLED);
  boolean authorizationOn = cConf.getBoolean(Constants.Security.Authorization.ENABLED);
  this.authenticationEnabled = securityOn;
  this.authorizationEnabled = authorizationOn;
}
/**
 * Builds the handler: keeps the supplied collaborators, resolves the authorizer, and records whether
 * authentication and authorization are switched on in {@code cConf}.
 *
 * @param privilegesManager kept by reference
 * @param authorizerInstantiator asked for the authorizer once, during construction
 * @param cConf configuration holding the two boolean security switches read below
 * @param authenticationContext kept by reference
 */
@Inject
AuthorizationHandler(PrivilegesManager privilegesManager, AuthorizerInstantiator authorizerInstantiator,
                     CConfiguration cConf, AuthenticationContext authenticationContext) {
  this.privilegesManager = privilegesManager;
  this.authorizer = authorizerInstantiator.get();
  this.authenticationContext = authenticationContext;

  // The flags are captured here and never re-read by this constructor's code path.
  // NOTE(review): verify elsewhere in the class that a disabled flag leads to an explicit rejection and not
  // to an unchecked grant/revoke.
  boolean authenticationFlag = cConf.getBoolean(Constants.Security.ENABLED);
  this.authenticationEnabled = authenticationFlag;
  boolean authorizationFlag = cConf.getBoolean(Constants.Security.Authorization.ENABLED);
  this.authorizationEnabled = authorizationFlag;
}
/**
 * Asserts that an {@link AuthorizerInstantiator} built from {@code cConf} hands out a {@link NoOpAuthorizer}.
 *
 * @param cConf configuration under test
 * @param feature the disabled feature; used only to build the failure message
 * @throws IOException declared because the instantiator is closed by try-with-resources
 */
private void assertDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature) throws IOException {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    Authorizer resolved = instantiator.get();
    // This pins the behaviour that a disabled feature yields the no-op implementation, never a real one.
    String failureMessage = String.format("When %s is disabled, a %s must be returned, but got %s.",
                                          feature.name().toLowerCase(),
                                          NoOpAuthorizer.class.getSimpleName(),
                                          resolved.getClass().getName());
    Assert.assertTrue(failureMessage, resolved instanceof NoOpAuthorizer);
  }
}
/**
 * An extension jar whose manifest Main-Class names {@code DoesNotImplementAuthorizer} must be rejected with
 * {@link InvalidAuthorizerException}.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testDoesNotImplementAuthorizer() throws Throwable {
  Manifest jarManifest = new Manifest();
  jarManifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, DoesNotImplementAuthorizer.class.getName());
  Location extensionJar = AppJarHelper.createDeploymentJar(locationFactory, DoesNotImplementAuthorizer.class,
                                                           jarManifest);
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here, so a later test sees this
  // jar path unless it sets its own.
  String extensionJarPath = extensionJar.toString();
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, extensionJarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because the Authorizer class defined in the" +
                  " extension jar's manifest does not implement " + Authorizer.class.getName());
  } catch (Throwable failure) {
    // Unwrap to the innermost throwable so that @Test(expected) sees the original failure.
    throw Throwables.getRootCause(failure);
  }
}
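/**
 * An extension jar whose manifest Main-Class names {@code ExceptionInInitialize} must surface an
 * {@link InvalidAuthorizerException} as the direct cause of the failure raised by the instantiator.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testInitializationThrowsException() throws Throwable {
  Manifest manifest = new Manifest();
  Attributes mainAttributes = manifest.getMainAttributes();
  mainAttributes.put(Attributes.Name.MAIN_CLASS, ExceptionInInitialize.class.getName());
  Location externalAuthJar = AppJarHelper.createDeploymentJar(locationFactory, ExceptionInInitialize.class,
                                                              manifest);
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, externalAuthJar.toString());
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    // The previous message was copied from the "does not implement Authorizer" test and described the
    // wrong failure mode.
    Assert.fail("Instantiation of Authorizer should have failed because initialization of "
                  + ExceptionInInitialize.class.getName() + " is expected to throw an exception");
  } catch (Throwable e) {
    // Only the direct cause is unwrapped here (not the root cause). The AssertionError raised by
    // Assert.fail has no cause, and "throw null" would replace it with an unrelated NullPointerException,
    // so fall back to the throwable itself in that case.
    Throwable cause = e.getCause();
    throw cause == null ? e : cause;
  }
}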
/**
 * An extension jar whose manifest carries only a Manifest-Version (no Main-Class) must be rejected with
 * {@link InvalidAuthorizerException}.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testMissingAuthorizerClassName() throws Throwable {
  Manifest versionOnlyManifest = new Manifest();
  versionOnlyManifest.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
  Location extensionJar = createInvalidExternalAuthJar(versionOnlyManifest);
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here.
  String extensionJarPath = extensionJar.toString();
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, extensionJarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar's manifest does not define" +
                  " Authorizer class.");
  } catch (Throwable failure) {
    // Unwrap to the innermost throwable so that @Test(expected) sees the original failure.
    throw Throwables.getRootCause(failure);
  }
}
/**
 * An extension jar built without a manifest must be rejected with {@link InvalidAuthorizerException}.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testMissingManifest() throws Throwable {
  // Passing null asks the helper for a jar that has no manifest entry at all.
  Location manifestLessJar = createInvalidExternalAuthJar(null);
  String manifestLessJarPath = manifestLessJar.toString();
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, manifestLessJarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar does not have a manifest");
  } catch (Throwable failure) {
    // Unwrap to the innermost throwable so that @Test(expected) sees the original failure.
    throw Throwables.getRootCause(failure);
  }
}
/**
 * A configured extension jar path that does not exist must be rejected with
 * {@link InvalidAuthorizerException}.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testNonExistingAuthorizerJarPath() throws Throwable {
  String missingJarPath = "/path/to/external-test-authorizer.jar";
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, missingJarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar does not exist.");
  } catch (Throwable failure) {
    // Unwrap to the innermost throwable so that @Test(expected) sees the original failure.
    throw Throwables.getRootCause(failure);
  }
}
/**
 * A configured extension path that points at a plain text file must be rejected with
 * {@link InvalidAuthorizerException}.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testAuthorizerJarPathIsNotJar() throws Throwable {
  // A freshly created, empty "abc.txt" stands in for a file that is not a jar.
  String notAJarPath = TEMPORARY_FOLDER.newFile("abc.txt").getPath();
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, notAJarPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar is not a jar file");
  } catch (Throwable failure) {
    // Unwrap to the innermost throwable so that @Test(expected) sees the original failure.
    throw Throwables.getRootCause(failure);
  }
}
/**
 * A configured extension path that points at a directory must be rejected with
 * {@link InvalidAuthorizerException}.
 */
@Test(expected = InvalidAuthorizerException.class)
public void testAuthorizerJarPathIsDirectory() throws Throwable {
  String directoryPath = TEMPORARY_FOLDER.newFolder().getPath();
  // NOTE(review): CCONF looks like a shared fixture; this write is not undone here.
  CCONF.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, directoryPath);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    instantiator.get();
    Assert.fail("Instantiation of Authorizer should have failed because extension jar is a directory");
  } catch (Throwable failure) {
    // Unwrap to the innermost throwable so that @Test(expected) sees the original failure.
    throw Throwables.getRootCause(failure);
  }
}
/**
 * Loads a valid authorizer extension jar and checks that the class loader of the resulting authorizer can
 * resolve both the extension class and a resource placed on the configured extra classpath.
 */
@Test
public void testAuthorizerExtension() throws IOException, ClassNotFoundException {
  Location extensionJar = createValidAuthExtensionJar();
  // Work on a copy so the shared CCONF is left untouched.
  CConfiguration isolatedConf = CConfiguration.copy(CCONF);
  isolatedConf.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, extensionJar.toString());

  // The directory holding this file is registered as the extension's extra classpath.
  final File classpathResource = TEMP_FOLDER.newFile("conf-file.xml");
  String extraClasspath = classpathResource.getParent();
  isolatedConf.set(Constants.Security.Authorization.EXTENSION_EXTRA_CLASSPATH, extraClasspath);

  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(isolatedConf, AUTH_CONTEXT_FACTORY)) {
    // The instantiator must be able to produce the external authorizer...
    Authorizer loadedAuthorizer = instantiator.get();
    ClassLoader extensionLoader = loadedAuthorizer.getClass().getClassLoader();
    // ...and the class loader that defined it must resolve the extension class by name.
    extensionLoader.loadClass(ValidExternalAuthorizer.class.getName());
    // NOTE(review): everything in the extra-classpath directory becomes visible to the extension's class
    // loader, so in a deployment that directory should be writable only by the platform owner.
    Assert.assertNotNull(extensionLoader.getResource("conf-file.xml"));
  }
}
/**
 * One-time fixture: creates the location factory, starts the service under test and resolves the
 * authorizer from the injector.
 */
@BeforeClass
public static void setup() throws Exception {
  locationFactory = new LocalLocationFactory(TMP_FOLDER.newFolder());
  initializeAndStartService(createCConf());
  // The authorizer is taken from the injector so the test talks to the instance the injector provides.
  AuthorizerInstantiator instantiator = injector.getInstance(AuthorizerInstantiator.class);
  authorizer = instantiator.get();
}
/**
 * Checks that the current OS user passes enforcement for every {@code Action} on the system namespace and
 * that, of {@code ns1} and the system namespace, only the system namespace is visible to that user.
 */
@Test
public void testSystemUser() throws Exception {
  CConfiguration isolatedConf = CConfiguration.copy(CCONF);
  String currentUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  Principal systemUser = new Principal(currentUserName, Principal.PrincipalType.USER);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(isolatedConf, AUTH_CONTEXT_FACTORY)) {
    // The returned authorizer is not used below; the call itself is kept.
    Authorizer unusedAuthorizer = instantiator.get();
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(isolatedConf, instantiator);
    NamespaceId ns1 = new NamespaceId("ns1");
    // No grant is issued anywhere in this test, so both checks below pass without an explicit grant.
    enforcer.enforce(NamespaceId.SYSTEM, systemUser, EnumSet.allOf(Action.class));
    // The visibility check confirms that the same user does not also see ns1.
    Assert.assertEquals(ImmutableSet.of(NamespaceId.SYSTEM),
                        enforcer.isVisible(ImmutableSet.of(ns1, NamespaceId.SYSTEM), systemUser));
  }
}
/**
 * Verifies that, with the supplied (authorization-disabled) configuration, grant, enforce and visibility
 * checks all go through without an {@code UnauthorizedException}.
 *
 * @param cConf configuration in which authorization is expected to be switched off
 */
private void verifyDisabled(CConfiguration cConf) throws Exception {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(cConf, instantiator);
    DatasetId dataset = NS.dataset("ds");
    // Only BOB is granted anything, and only on the dataset; ALICE still passes on NS below. That is the
    // permit-all behaviour of the disabled configuration which this helper pins down.
    instantiator.get().grant(Authorizable.fromEntityId(dataset), BOB, ImmutableSet.of(Action.ADMIN));
    enforcer.enforce(NS, ALICE, Action.ADMIN);
    enforcer.enforce(dataset, BOB, Action.ADMIN);
    // Both entities are reported visible to BOB although he holds no grant on NS.
    int visibleCount = enforcer.isVisible(ImmutableSet.<EntityId>of(NS, dataset), BOB).size();
    Assert.assertEquals(2, visibleCount);
  }
}
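/**
 * One-time fixture: builds the injector, resolves the collaborators, starts the app-fabric server and waits
 * for the default namespace to exist.
 *
 * <p>The master user is given ADMIN on the default namespace only for the duration of the wait. The revoke
 * runs in a {@code finally} block so that a timeout or failure while waiting cannot leave the elevated
 * grant in place for the tests that follow.
 */
@BeforeClass
public static void setup() throws Exception {
  cConf = createCConf();
  final Injector injector = AppFabricTestHelper.getInjector(cConf);
  metadataAdmin = injector.getInstance(MetadataAdmin.class);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  appFabricServer = injector.getInstance(AppFabricServer.class);
  // Starting the app-fabric server will create the default namespace.
  appFabricServer.startAndWait();

  // Temporary grant for the effective master user while the default namespace is being created.
  String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
  authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT),
                   new Principal(user, Principal.PrincipalType.USER),
                   Collections.singleton(Action.ADMIN));
  try {
    // Wait for the default namespace creation.
    Tasks.waitFor(true, () -> injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT),
                  5, TimeUnit.SECONDS);
  } finally {
    // Always drop the temporary privilege, even when the wait above fails.
    authorizer.revoke(Authorizable.fromEntityId(NamespaceId.DEFAULT),
                      new Principal(user, Principal.PrincipalType.USER),
                      Collections.singleton(Action.ADMIN));
  }
}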
/**
 * One-time fixture: builds a configuration with security and authorization enabled (Kerberos off, the
 * authorization cache sized to zero entries), packages {@code InMemoryAuthorizer} as the extension jar,
 * registers a system artifact directory and resolves the collaborators from the injector.
 */
@BeforeClass
public static void setup() throws Exception {
  CConfiguration conf = CConfiguration.create();
  conf.set(Constants.CFG_LOCAL_DATA_DIR, TMP_FOLDER.newFolder().getAbsolutePath());

  // Security switches used by the tests in this class.
  conf.setBoolean(Constants.Security.ENABLED, true);
  conf.setBoolean(Constants.Security.KERBEROS_ENABLED, false);
  conf.setBoolean(Constants.Security.Authorization.ENABLED, true);
  // Zero cache entries: presumably so that privilege changes are observed immediately - TODO confirm.
  conf.setInt(Constants.Security.Authorization.CACHE_MAX_ENTRIES, 0);

  // Package the in-memory authorizer as the extension jar the platform will load.
  LocalLocationFactory jarLocationFactory = new LocalLocationFactory(TMP_FOLDER.newFolder());
  Location authorizerJar = AppJarHelper.createDeploymentJar(jarLocationFactory, InMemoryAuthorizer.class);
  String authorizerJarPath = authorizerJar.toURI().getPath();
  conf.set(Constants.Security.Authorization.EXTENSION_JAR_PATH, authorizerJarPath);

  // Add a system artifact
  File artifactsDir = TMP_FOLDER.newFolder();
  conf.set(Constants.AppFabric.SYSTEM_ARTIFACTS_DIR, artifactsDir.getAbsolutePath());
  createSystemArtifact(artifactsDir);

  Injector guice = AppFabricTestHelper.getInjector(conf);
  artifactRepository = guice.getInstance(ArtifactRepository.class);
  authorizer = guice.getInstance(AuthorizerInstantiator.class).get();
  namespaceAdmin = guice.getInstance(NamespaceAdmin.class);
}
/**
 * Checks that an ADMIN grant on the namespace {@code NS} does not carry over to {@code APP}: enforcement on
 * {@code NS} succeeds for ALICE, while enforcement on {@code APP} must raise {@link UnauthorizedException}.
 */
@Test
public void testPropagationDisabled() throws Exception {
  CConfiguration isolatedConf = CConfiguration.copy(CCONF);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(isolatedConf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(isolatedConf, instantiator);
    instantiator.get().grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.ADMIN));
    enforcer.enforce(NS, ALICE, Action.ADMIN);

    // A grant on the parent must not be inherited by the child entity.
    boolean denied = false;
    try {
      enforcer.enforce(APP, ALICE, Action.ADMIN);
    } catch (UnauthorizedException expected) {
      denied = true;
    }
    if (!denied) {
      Assert.fail("Alice should not have ADMIN privilege on the APP.");
    }
  }
}