/**
 * Grants {@code actions} on {@code authorizable} to {@code principal} by forwarding the call to
 * the wrapped authorizer. This wrapper performs no checks of its own, so whatever the delegate
 * enforces (or fails to enforce) is what applies here.
 *
 * @param authorizable the entity (or entity pattern) the privileges apply to
 * @param principal    the user/group/role receiving the privileges
 * @param actions      the actions to allow
 * @throws Exception whatever the delegate authorizer throws
 */
@Override
public void grant(Authorizable authorizable, Principal principal, Set<Action> actions)
    throws Exception {
  delegateAuthorizer.grant(authorizable, principal, actions);
}
/**
 * Grants the privileges in {@code neededPrivileges} to ALICE one entry at a time and, after every
 * grant except the last, asserts that deploying {@link AllProgramsApp} still fails. When this
 * method returns, every entry has been granted, so the caller presumably goes on to attempt the
 * deploy that is expected to succeed.
 *
 * @param neededPrivileges entity to actions the deploy requires; granted in iteration order, so an
 *                         ordered map makes the failing attempts deterministic
 * @throws Exception from the authorizer, or an AssertionError if a premature deploy succeeds
 */
private void setUpPrivilegesAndExpectFailedDeploy(Map<EntityId, Set<Action>> neededPrivileges)
    throws Exception {
  int granted = 0;
  int total = neededPrivileges.size();
  for (Map.Entry<EntityId, Set<Action>> entry : neededPrivileges.entrySet()) {
    authorizer.grant(Authorizable.fromEntityId(entry.getKey()), ALICE, entry.getValue());
    granted++;
    if (granted >= total) {
      // All required privileges are now in place; no failing deploy is attempted after the last grant.
      break;
    }
    try {
      AppFabricTestHelper.deployApplication(Id.Namespace.DEFAULT, AllProgramsApp.class, null, cConf);
      Assert.fail();
    } catch (Exception e) {
      // expected: at least one required privilege is still missing.
      // NOTE(review): any Exception satisfies this branch, so a deploy failing for an unrelated
      // reason would also pass; narrowing to UnauthorizedException would be tighter — confirm first
      // that deployApplication does not wrap it.
    }
  }
}
/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and asserts that the principal's
 * privilege set afterwards is exactly the previous set plus the newly granted privileges: nothing
 * extra appeared and nothing pre-existing was dropped.
 *
 * @param entityId  entity the privileges are granted on
 * @param principal recipient of the grant
 * @param actions   actions to grant
 * @throws Exception from the authorizer
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions)
    throws Exception {
  Set<Privilege> before = authorizer.listPrivileges(principal);
  authorizer.grant(Authorizable.fromEntityId(entityId), principal, actions);
  ImmutableSet.Builder<Privilege> granted = ImmutableSet.builder();
  for (Action action : actions) {
    granted.add(new Privilege(entityId, action));
  }
  Set<Privilege> expected = Sets.union(before, granted.build());
  Set<Privilege> after = authorizer.listPrivileges(principal);
  Assert.assertEquals(expected, after);
}
/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and asserts that the principal's
 * privilege set afterwards is exactly the previous set plus the newly granted privileges: nothing
 * extra appeared and nothing pre-existing was dropped.
 *
 * @param entityId  entity the privileges are granted on
 * @param principal recipient of the grant
 * @param actions   actions to grant
 * @throws Exception from the authorizer
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions)
    throws Exception {
  Set<Privilege> before = authorizer.listPrivileges(principal);
  authorizer.grant(Authorizable.fromEntityId(entityId), principal, actions);
  ImmutableSet.Builder<Privilege> granted = ImmutableSet.builder();
  for (Action action : actions) {
    granted.add(new Privilege(entityId, action));
  }
  Set<Privilege> expected = Sets.union(before, granted.build());
  Set<Privilege> after = authorizer.listPrivileges(principal);
  Assert.assertEquals(expected, after);
}
/**
 * Grants {@code actions} on {@code entityId} to {@code principal} through the authorizer returned
 * by {@code getAuthorizer()} and asserts that the principal's privilege set afterwards is exactly
 * the previous set plus the newly granted privileges: nothing extra, nothing dropped.
 *
 * @param entityId  entity the privileges are granted on
 * @param principal recipient of the grant
 * @param actions   actions to grant
 * @throws Exception from the authorizer
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions)
    throws Exception {
  Authorizer target = getAuthorizer();
  Set<Privilege> before = target.listPrivileges(principal);
  target.grant(Authorizable.fromEntityId(entityId), principal, actions);
  ImmutableSet.Builder<Privilege> granted = ImmutableSet.builder();
  for (Action action : actions) {
    granted.add(new Privilege(entityId, action));
  }
  Set<Privilege> expected = Sets.union(before, granted.build());
  Set<Privilege> after = target.listPrivileges(principal);
  Assert.assertEquals(expected, after);
}
// Fixture: a mix of namespace-level and dataset-level privileges for ALICE and BOB, used to check
// enforcement and visibility below. `namespaces` is presumably consumed later in the test — it is
// not referenced in this excerpt.
Set<NamespaceId> namespaces = ImmutableSet.of(ns1, ns2);
authorizer.grant(Authorizable.fromEntityId(ns1), ALICE, Collections.singleton(Action.WRITE));
authorizer.grant(Authorizable.fromEntityId(ns2), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(ds11), ALICE, Collections.singleton(Action.READ));
authorizer.grant(Authorizable.fromEntityId(ds11), BOB, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(ds21), ALICE, Collections.singleton(Action.WRITE));
authorizer.grant(Authorizable.fromEntityId(ds12), BOB, Collections.singleton(Action.WRITE));
// BOB/ds12: the full action set granted here subsumes the WRITE granted just above.
authorizer.grant(Authorizable.fromEntityId(ds12), BOB, EnumSet.allOf(Action.class));
// NOTE(review): ALICE/ds21/WRITE is granted a second time here — harmless if grant is additive,
// but confirm and drop the duplicate.
authorizer.grant(Authorizable.fromEntityId(ds21), ALICE, Collections.singleton(Action.WRITE));
authorizer.grant(Authorizable.fromEntityId(ds23), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(ds22), BOB, Collections.singleton(Action.ADMIN));
// Enforcer under test; it reads privileges through the same instantiator the grants went to.
DefaultAuthorizationEnforcer authEnforcementService = new DefaultAuthorizationEnforcer(CCONF, authorizerInstantiator);
// Give ALICE ADMIN on the application and on every artifact, dataset and dataset type the
// deployment touches, and EXECUTE on each program. This is the least set of privileges visible
// here; whether the deploy actually needs all of them is not shown in this excerpt.
authorizer.grant(Authorizable.fromEntityId(applicationId), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.artifact(AllProgramsApp.class.getSimpleName(), "1.0-SNAPSHOT")), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME)), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME2)), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.dataset(AllProgramsApp.DATASET_NAME3)), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.dataset(AllProgramsApp.DS_WITH_SCHEMA_NAME)), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.datasetType(KeyValueTable.class.getName())), ALICE, Collections.singleton(Action.ADMIN));
// NOTE(review): the KeyValueTable dataset-type grant above is repeated verbatim here — harmless if
// grant is additive, but confirm and drop the duplicate.
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.datasetType(KeyValueTable.class.getName())), ALICE, Collections.singleton(Action.ADMIN));
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT.datasetType(ObjectMappedTable.class.getName())), ALICE, Collections.singleton(Action.ADMIN));
// Programs get EXECUTE only, not ADMIN.
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SPARK, AllProgramsApp.NoOpSpark.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
/**
 * Checks that with authorization disabled in {@code cConf} every enforcement call is a no-op:
 * grants are accepted, {@code enforce()} never throws, and visibility filtering hides nothing.
 *
 * @param cConf configuration with authorization turned off
 * @throws Exception from the instantiator, the authorizer or the enforcer
 */
private void verifyDisabled(CConfiguration cConf) throws Exception {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(cConf, instantiator);
    DatasetId ds = NS.dataset("ds");
    instantiator.get().grant(Authorizable.fromEntityId(ds), BOB, ImmutableSet.of(Action.ADMIN));
    // ALICE is granted nothing in this method; this check only passes because enforcement is off.
    enforcer.enforce(NS, ALICE, Action.ADMIN);
    enforcer.enforce(ds, BOB, Action.ADMIN);
    // Both entities stay visible to BOB, including NS where BOB holds no privilege.
    Assert.assertEquals(2, enforcer.isVisible(ImmutableSet.<EntityId>of(NS, ds), BOB).size());
  }
}
/**
 * Round-trips a single privilege: READ on the namespace is denied, then granted and enforceable,
 * reported by {@code listPrivileges()} as the only privilege, then revoked and denied again.
 */
@Test
public void testSimple() throws Exception {
  Authorizer authorizer = get();
  Authorizable target = Authorizable.fromEntityId(namespace);
  verifyAuthFailure(namespace, user, Action.READ);
  authorizer.grant(target, user, Collections.singleton(Action.READ));
  authorizer.enforce(namespace, user, Action.READ);
  // Exactly the one privilege just granted must be listed — no leftovers from other tests.
  Assert.assertEquals(Collections.singleton(new Privilege(namespace, Action.READ)),
                      authorizer.listPrivileges(user));
  authorizer.revoke(target, user, Collections.singleton(Action.READ));
  verifyAuthFailure(namespace, user, Action.READ);
}
// Bootstrap privileges: the principal is the OS user the JVM runs as (system property
// "user.name"), presumably so that the test's own admin operations pass enforcement — confirm.
InstanceId instance = new InstanceId(cConf.get(Constants.INSTANCE_NAME));
Principal principal = new Principal(System.getProperty("user.name"), Principal.PrincipalType.USER);
// ADMIN on the instance and on the default namespace.
authorizerInstantiator.get().grant(Authorizable.fromEntityId(instance), principal, ImmutableSet.of(Action.ADMIN));
authorizerInstantiator.get().grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), principal, ImmutableSet.of(Action.ADMIN));
// Bootstrap privileges: the principal is the OS user the JVM runs as (system property
// "user.name"), presumably so that the test's own admin operations pass enforcement — confirm.
InstanceId instance = new InstanceId(cConf.get(Constants.INSTANCE_NAME));
Principal principal = new Principal(System.getProperty("user.name"), Principal.PrincipalType.USER);
// ADMIN on the instance and on the default namespace.
authorizerInstantiator.get().grant(Authorizable.fromEntityId(instance), principal, ImmutableSet.of(Action.ADMIN));
authorizerInstantiator.get().grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), principal, ImmutableSet.of(Action.ADMIN));
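/**
 * Starts the app-fabric server once for the class. The effective master user is granted ADMIN on
 * the default namespace only for as long as it takes the server to create that namespace; the
 * grant is revoked again afterwards, so later tests start from a clean privilege set.
 *
 * @throws Exception from injector setup, the authorizer, or a timeout waiting for the namespace
 */
@BeforeClass
public static void setup() throws Exception {
  cConf = createCConf();
  final Injector injector = AppFabricTestHelper.getInjector(cConf);
  metadataAdmin = injector.getInstance(MetadataAdmin.class);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  appFabricServer = injector.getInstance(AppFabricServer.class);
  appFabricServer.startAndWait();
  // Starting the app-fabric server creates the default namespace; presumably that creation is
  // enforced against the effective master user, hence the temporary ADMIN grant.
  String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
  Principal masterUser = new Principal(user, Principal.PrincipalType.USER);
  Authorizable defaultNs = Authorizable.fromEntityId(NamespaceId.DEFAULT);
  authorizer.grant(defaultNs, masterUser, Collections.singleton(Action.ADMIN));
  try {
    Tasks.waitFor(true, () -> injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT),
                  5, TimeUnit.SECONDS);
  } finally {
    // Revoke even if the wait times out, so a failed setup does not leave the master user with a
    // lingering ADMIN grant on the shared authorizer.
    authorizer.revoke(defaultNs, masterUser, Collections.singleton(Action.ADMIN));
  }
}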
// EXECUTE for ALICE on every program type in AllProgramsApp: service, worker, Spark, both
// MapReduce programs and the workflow. No ADMIN is granted on the programs here.
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SERVICE, AllProgramsApp.NoOpService.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKER, AllProgramsApp.NoOpWorker.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.SPARK, AllProgramsApp.NoOpSpark.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.MAPREDUCE, AllProgramsApp.NoOpMR2.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
authorizer.grant(Authorizable.fromEntityId(applicationId.program(ProgramType.WORKFLOW, AllProgramsApp.NoOpWorkflow.NAME)), ALICE, Collections.singleton(Action.EXECUTE));
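/**
 * Starts the app-fabric server once for the class and looks up the program lifecycle service.
 * The effective master user is granted ADMIN on the default namespace only for as long as it
 * takes the server to create that namespace; the grant is revoked again afterwards, so later
 * tests start from a clean privilege set.
 *
 * @throws Exception from injector setup, the authorizer, or a timeout waiting for the namespace
 */
@BeforeClass
public static void setup() throws Exception {
  cConf = createCConf();
  final Injector injector = AppFabricTestHelper.getInjector(cConf);
  authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
  appFabricServer = injector.getInstance(AppFabricServer.class);
  appFabricServer.startAndWait();
  programLifecycleService = injector.getInstance(ProgramLifecycleService.class);
  // Starting the app-fabric server creates the default namespace; presumably that creation is
  // enforced against the effective master user, hence the temporary ADMIN grant.
  String user = AuthorizationUtil.getEffectiveMasterUser(cConf);
  Principal masterUser = new Principal(user, Principal.PrincipalType.USER);
  Authorizable defaultNs = Authorizable.fromEntityId(NamespaceId.DEFAULT);
  authorizer.grant(defaultNs, masterUser, Collections.singleton(Action.ADMIN));
  try {
    Tasks.waitFor(true, new Callable<Boolean>() {
      @Override
      public Boolean call() throws Exception {
        return injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT);
      }
    }, 5, TimeUnit.SECONDS);
  } finally {
    // Revoke even if the wait times out, so a failed setup does not leave the master user with a
    // lingering ADMIN grant on the shared authorizer.
    authorizer.revoke(defaultNs, masterUser, Collections.singleton(Action.ADMIN));
  }
}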
/**
 * Granting the full action set behaves as a wildcard: READ, WRITE, ADMIN and EXECUTE are all
 * allowed afterwards, and revoking the full set removes them again.
 */
@Test
public void testWildcard() throws Exception {
  Authorizer authorizer = get();
  Authorizable target = Authorizable.fromEntityId(namespace);
  verifyAuthFailure(namespace, user, Action.READ);
  authorizer.grant(target, user, EnumSet.allOf(Action.class));
  for (Action action : EnumSet.of(Action.READ, Action.WRITE, Action.ADMIN, Action.EXECUTE)) {
    authorizer.enforce(namespace, user, action);
  }
  authorizer.revoke(target, user, EnumSet.allOf(Action.class));
  verifyAuthFailure(namespace, user, Action.READ);
}
/**
 * Covers the full-action-set grant/revoke round trip for a user, then checks that revoking an
 * entity as a whole clears privileges for every principal on it — the user and a role alike.
 */
@Test
public void testAll() throws Exception {
  Authorizer authorizer = get();
  Authorizable target = Authorizable.fromEntityId(namespace);
  verifyAuthFailure(namespace, user, Action.READ);
  authorizer.grant(target, user, EnumSet.allOf(Action.class));
  for (Action action : EnumSet.of(Action.READ, Action.WRITE, Action.ADMIN, Action.EXECUTE)) {
    authorizer.enforce(namespace, user, action);
  }
  authorizer.revoke(target, user, EnumSet.allOf(Action.class));
  verifyAuthFailure(namespace, user, Action.READ);

  Principal role = new Principal("admins", Principal.PrincipalType.ROLE);
  authorizer.grant(target, user, Collections.singleton(Action.READ));
  authorizer.grant(target, role, EnumSet.allOf(Action.class));
  // Entity-wide revoke: no principal may retain anything on the namespace afterwards.
  authorizer.revoke(target);
  verifyAuthFailure(namespace, user, Action.READ);
  for (Action action : EnumSet.of(Action.ADMIN, Action.READ, Action.WRITE, Action.EXECUTE)) {
    verifyAuthFailure(namespace, role, action);
  }
}
// ADMIN on the default namespace for `user`; whether this grant is revoked again later is not
// visible in this excerpt — a matching revoke is worth confirming so the privilege does not leak
// into other tests.
authorizer.grant(Authorizable.fromEntityId(NamespaceId.DEFAULT), new Principal(user, Principal.PrincipalType.USER), Collections.singleton(Action.ADMIN));
/**
 * With privilege propagation disabled (presumably the CCONF default — nothing is overridden in
 * the copy), ADMIN on the namespace must not imply ADMIN on an application inside it.
 */
@Test
public void testPropagationDisabled() throws Exception {
  CConfiguration cConfCopy = CConfiguration.copy(CCONF);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConfCopy, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(cConfCopy, instantiator);
    instantiator.get().grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.ADMIN));
    // The direct grant is honoured.
    enforcer.enforce(NS, ALICE, Action.ADMIN);
    // The child entity must be denied: nothing propagates down from NS.
    boolean denied = false;
    try {
      enforcer.enforce(APP, ALICE, Action.ADMIN);
    } catch (UnauthorizedException ignored) {
      denied = true;
    }
    Assert.assertTrue("Alice should not have ADMIN privilege on the APP.", denied);
  }
}
// ALICE gets ADMIN on the system namespace and nothing else; listPrivileges() must report exactly
// that one privilege.
authorizer.grant(Authorizable.fromEntityId(NamespaceId.SYSTEM), ALICE, Collections.singleton(Action.ADMIN));
Assert.assertEquals(
  Collections.singleton(new Privilege(NamespaceId.SYSTEM, Action.ADMIN)),
  authorizer.listPrivileges(ALICE));
// ADMIN on the test namespace before creating it — presumably namespace creation is enforced
// against the caller, which this excerpt does not show.
authorizer.grant(Authorizable.fromEntityId(namespaceId), ALICE, Collections.singleton(Action.ADMIN));
namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
// ADMIN on the system artifact before deleting it.
authorizer.grant(Authorizable.fromEntityId(SYSTEM_ARTIFACT), ALICE, EnumSet.of(Action.ADMIN));
artifactRepository.deleteArtifact(Id.Artifact.fromEntityId(SYSTEM_ARTIFACT));