/**
 * Asserts that {@code principal} may perform every {@link Action} on each of the given entities.
 *
 * <p>Each entity is enforced separately with the full action set. A call with no entity ids
 * enforces nothing and therefore passes vacuously.
 *
 * @param principal the principal whose access is being checked
 * @param entityIds the entities that must all be fully accessible
 * @throws Exception whatever {@code enforce} throws, including the authorization failure itself
 */
private void assertAllAccess(Principal principal, EntityId... entityIds) throws Exception {
  for (EntityId target : entityIds) {
    // A fresh set per entity, matching how the full action set was originally passed.
    EnumSet<Action> everyAction = EnumSet.allOf(Action.class);
    getAuthorizer().enforce(target, principal, everyAction);
  }
}
/**
 * Asserts that {@code principal} is denied {@code action} on {@code entity}.
 *
 * <p>Only an {@link UnauthorizedException} counts as the expected denial. Any other exception
 * thrown by {@code enforce} propagates to the caller, so it surfaces as a test error rather than
 * being mistaken for a successful denial.
 *
 * @param entity the entity the principal must not be allowed to access
 * @param principal the principal being checked
 * @param action the single action that must be denied
 * @throws Exception if the underlying enforcement fails for a reason other than authorization
 */
private void verifyAuthFailure(EntityId entity, Principal principal, Action action) throws Exception {
  boolean denied = false;
  try {
    get().enforce(entity, principal, action);
  } catch (UnauthorizedException expected) {
    // The authorizer rejected the request, which is exactly what this helper asserts.
    denied = true;
  }
  if (!denied) {
    Assert.fail(String.format(
        "Expected authorization failure, but it succeeded for entity %s, principal %s, action %s",
        entity, principal, action));
  }
}
} // closing brace of the enclosing class, carried over from the original listing
/**
 * Grants the full action set on {@code namespace}, checks that each action is individually
 * allowed, then revokes the full set and confirms access is denied again.
 *
 * @throws Exception if a grant, revoke or enforcement call fails unexpectedly
 */
@Test
public void testWildcard() throws Exception {
  Authorizer authorizer = get();
  Authorizable nsTarget = Authorizable.fromEntityId(namespace);

  // No privileges granted yet: READ must be denied.
  verifyAuthFailure(namespace, user, Action.READ);

  authorizer.grant(nsTarget, user, EnumSet.allOf(Action.class));
  // Each action is enforced on its own rather than as a set.
  authorizer.enforce(namespace, user, Action.READ);
  authorizer.enforce(namespace, user, Action.WRITE);
  authorizer.enforce(namespace, user, Action.ADMIN);
  authorizer.enforce(namespace, user, Action.EXECUTE);

  // Revoking everything must leave the user with no access.
  authorizer.revoke(nsTarget, user, EnumSet.allOf(Action.class));
  verifyAuthFailure(namespace, user, Action.READ);
}
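/**
 * Enforces {@code actions} on {@code entity} for {@code principal}, timing the delegated check.
 *
 * <p>The check is skipped entirely, and no log line is written, when the principal is the
 * master user acting on an entity in the system namespace or when the principal is enforcing on
 * its own principal id; both conditions are decided by helpers outside this method.
 *
 * @param entity the entity being accessed
 * @param principal the principal requesting access
 * @param actions the actions requested
 * @throws Exception whatever the underlying {@code Authorizer#enforce} throws, including the
 *     authorization failure itself
 */
private void doEnforce(EntityId entity, Principal principal, Set<Action> actions) throws Exception {
  // Bypass the check when the principal is the master user and the entity is in the system
  // namespace, or when a principal is enforcing on its own principal id.
  if (isAccessingSystemNSAsMasterUser(entity, principal) || isEnforcingOnSamePrincipalId(entity, principal)) {
    return;
  }
  LOG.trace("Enforcing actions {} on {} for principal {}.", actions, entity, principal);
  // Create a new StopWatch every time enforce is called: DefaultAuthorizationEnforcer is bound as
  // a singleton, so a shared instance would be reused across multiple (possibly concurrent) calls.
  StopWatch watch = new StopWatch();
  watch.start();
  try {
    authorizerInstantiator.get().enforce(entity, principal, actions);
  } finally {
    watch.stop();
    // Read the elapsed time once and use that same value for both the threshold and the log line.
    long timeTaken = watch.getTime();
    // NOTE(review): this line is written whether or not enforce() threw, so "Enforced" here means
    // "enforcement ran", not "access was granted"; the outcome itself is not logged.
    String logLine = "Enforced actions {} on {} for principal {}. Time spent in enforcement was {} ms.";
    if (timeTaken > logTimeTakenAsWarn) {
      LOG.warn(logLine, actions, entity, principal, timeTaken);
    } else {
      LOG.trace(logLine, actions, entity, principal, timeTaken);
    }
  }
}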
/**
 * Grants a single READ privilege on {@code namespace}, verifies it is enforced and listed, then
 * revokes it and confirms READ is denied again.
 *
 * @throws Exception if a grant, revoke, listing or enforcement call fails unexpectedly
 */
@Test
public void testSimple() throws Exception {
  Authorizer authorizer = get();
  Authorizable nsTarget = Authorizable.fromEntityId(namespace);
  Set<Action> readOnly = Collections.singleton(Action.READ);

  // Nothing granted yet: READ must be denied.
  verifyAuthFailure(namespace, user, Action.READ);

  authorizer.grant(nsTarget, user, readOnly);
  authorizer.enforce(namespace, user, Action.READ);

  // The only privilege listed for the user should be READ on the namespace.
  Set<Privilege> expectedPrivileges = Collections.singleton(new Privilege(namespace, Action.READ));
  Assert.assertEquals(expectedPrivileges, authorizer.listPrivileges(user));

  authorizer.revoke(nsTarget, user, readOnly);
  verifyAuthFailure(namespace, user, Action.READ);
}
/**
 * Exercises the full grant/revoke cycle on {@code namespace} for a user, then checks that the
 * single-argument {@code revoke(Authorizable)} removes privileges for every principal on the
 * entity, both the user and a role.
 *
 * @throws Exception if a grant, revoke or enforcement call fails unexpectedly
 */
@Test
public void testAll() throws Exception {
  Authorizer authorizer = get();
  Authorizable nsTarget = Authorizable.fromEntityId(namespace);

  // Phase 1: grant everything to the user, enforce each action, revoke everything.
  verifyAuthFailure(namespace, user, Action.READ);
  authorizer.grant(nsTarget, user, EnumSet.allOf(Action.class));
  authorizer.enforce(namespace, user, Action.READ);
  authorizer.enforce(namespace, user, Action.WRITE);
  authorizer.enforce(namespace, user, Action.ADMIN);
  authorizer.enforce(namespace, user, Action.EXECUTE);
  authorizer.revoke(nsTarget, user, EnumSet.allOf(Action.class));
  verifyAuthFailure(namespace, user, Action.READ);

  // Phase 2: privileges held by two different principals are all dropped by the
  // entity-wide revoke, not just those of the user.
  Principal role = new Principal("admins", Principal.PrincipalType.ROLE);
  authorizer.grant(nsTarget, user, Collections.singleton(Action.READ));
  authorizer.grant(nsTarget, role, EnumSet.allOf(Action.class));
  authorizer.revoke(nsTarget);

  verifyAuthFailure(namespace, user, Action.READ);
  verifyAuthFailure(namespace, role, Action.ADMIN);
  verifyAuthFailure(namespace, role, Action.READ);
  verifyAuthFailure(namespace, role, Action.WRITE);
  verifyAuthFailure(namespace, role, Action.EXECUTE);
}
authorizer.enforce(ns1, spiderman, Action.READ);
authorizer.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(Action.class)); Assert.fail(); } catch (UnauthorizedException e) {