/**
 * Grants a set of actions on an entity to a principal.
 *
 * The request carries three positional arguments, consumed in this order via {@code parseArguments}:
 * an {@link EntityId}, a {@link Principal} and a {@code Set<Action>}.
 *
 * @param request   the HTTP request holding the serialized arguments
 * @param responder used to send {@code 200 OK} once the grant has been applied
 * @throws Exception if argument deserialization fails or {@code privilegesManager} rejects the grant
 */
@POST
@Path("/grant")
public void grant(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Iterator<MethodArgument> args = parseArguments(request);
  // Positional protocol: the iterator must be consumed in exactly this order.
  final EntityId target = deserializeNext(args);
  final Principal grantee = deserializeNext(args);
  final Set<Action> granted = deserializeNext(args, SET_OF_ACTIONS);
  LOG.trace("Granting {} on {} to {}", granted, target, grantee);
  privilegesManager.grant(Authorizable.fromEntityId(target), grantee, granted);
  LOG.info("Granted {} on {} to {} successfully", granted, target, grantee);
  responder.sendStatus(HttpResponseStatus.OK);
}
/**
 * Lists the privileges held by a principal and returns them as a JSON array.
 *
 * The request carries a single positional argument: the {@link Principal} to look up.
 *
 * @param request   the HTTP request holding the serialized principal
 * @param responder used to send the privileges as JSON with {@code 200 OK}
 * @throws Exception if argument deserialization fails or the privilege lookup fails
 */
@POST
@Path("/listPrivileges")
public void listPrivileges(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Principal subject = deserializeNext(parseArguments(request));
  LOG.trace("Listing privileges for principal {}", subject);
  final Set<Privilege> held = privilegesManager.listPrivileges(subject);
  // Full privilege set is logged only at debug level; it can be large.
  LOG.debug("Returning privileges for principal {} as {}", subject, held);
  responder.sendJson(HttpResponseStatus.OK, GSON.toJson(held));
}
/**
 * Revokes all actions on an entity using the single-argument {@code privilegesManager.revoke}
 * (no principal is specified in this request).
 *
 * The request carries a single positional argument: the {@link EntityId} whose privileges are revoked.
 *
 * @param request   the HTTP request holding the serialized entity id
 * @param responder used to send {@code 200 OK} once the revoke has been applied
 * @throws Exception if argument deserialization fails or the revoke fails
 */
@POST
@Path("/revokeAll")
public void revokeAll(FullHttpRequest request, HttpResponder responder) throws Exception {
  final EntityId target = deserializeNext(parseArguments(request));
  LOG.trace("Revoking all actions on {}", target);
  privilegesManager.revoke(Authorizable.fromEntityId(target));
  LOG.info("Revoked all actions on {} successfully", target);
  responder.sendStatus(HttpResponseStatus.OK);
}
}
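/**
 * Exercises grants and revokes through {@code privilegesManager} and checks enforcement through
 * {@code authorizationEnforcer}, then verifies that every privilege granted to ALICE has been revoked.
 *
 * Grants and revokes happen via PrivilegesManager, while privilege listing and enforcement happen via the
 * Authorizer. Since grants and revokes go directly to master and don't need a proxy, the
 * RemoteSystemOperationsService does not need to be started in this release.
 *
 * The revokes run in a {@code finally} block so that a failing enforcement does not leave ALICE's grants behind
 * for other tests that may share the same manager.
 */
@Test
public void testPrivilegesManager() throws Exception {
  privilegesManager.grant(Authorizable.fromEntityId(NS), ALICE, EnumSet.allOf(Action.class));
  privilegesManager.grant(Authorizable.fromEntityId(APP), ALICE, Collections.singleton(Action.ADMIN));
  privilegesManager.grant(Authorizable.fromEntityId(PROGRAM), ALICE, Collections.singleton(Action.EXECUTE));
  try {
    authorizationEnforcer.enforce(NS, ALICE, EnumSet.allOf(Action.class));
    authorizationEnforcer.enforce(APP, ALICE, Action.ADMIN);
    authorizationEnforcer.enforce(PROGRAM, ALICE, Action.EXECUTE);
    authorizationEnforcer.enforce(APP, ALICE, Collections.singleton(Action.ADMIN));
  } finally {
    // Both revoke forms are exercised: entity-wide for PROGRAM, (principal, actions) for APP and NS.
    privilegesManager.revoke(Authorizable.fromEntityId(PROGRAM));
    privilegesManager.revoke(Authorizable.fromEntityId(APP), ALICE, EnumSet.allOf(Action.class));
    privilegesManager.revoke(Authorizable.fromEntityId(NS), ALICE, EnumSet.allOf(Action.class));
  }
  Set<Privilege> privileges = privilegesManager.listPrivileges(ALICE);
  Assert.assertTrue(String.format("Expected all of alice's privileges to be revoked, but found %s", privileges),
                    privileges.isEmpty());
}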
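/**
 * Grants ALICE privileges on NS, APP and PROGRAM, checks that enforcement accepts them, and checks that BOB,
 * who holds no grant, is rejected with {@link UnauthorizedException}.
 *
 * The revokes run in a {@code finally} block so that a failing enforcement (or the BOB check) does not leave
 * the grants behind for other tests that may share the same manager.
 */
@Test
public void testAuthorizationEnforcer() throws Exception {
  privilegesManager.grant(Authorizable.fromEntityId(NS), ALICE, EnumSet.allOf(Action.class));
  privilegesManager.grant(Authorizable.fromEntityId(APP), ALICE, Collections.singleton(Action.ADMIN));
  privilegesManager.grant(Authorizable.fromEntityId(PROGRAM), ALICE, Collections.singleton(Action.EXECUTE));
  try {
    authorizationEnforcer.enforce(NS, ALICE, EnumSet.allOf(Action.class));
    authorizationEnforcer.enforce(APP, ALICE, Action.ADMIN);
    authorizationEnforcer.enforce(PROGRAM, ALICE, Action.EXECUTE);
    try {
      authorizationEnforcer.enforce(NS, BOB, Action.ADMIN);
      // A message makes a silent pass-through distinguishable from other failures in the report.
      Assert.fail("Expected " + BOB + " to be denied ADMIN on " + NS);
    } catch (UnauthorizedException e) {
      // expected: BOB has no grant on NS
    }
  } finally {
    privilegesManager.revoke(Authorizable.fromEntityId(PROGRAM));
    privilegesManager.revoke(Authorizable.fromEntityId(APP));
    privilegesManager.revoke(Authorizable.fromEntityId(NS));
  }
}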
privilegesManager.grant(Authorizable.fromEntityId(PROGRAM), ALICE, Collections.singleton(Action.EXECUTE)); privilegesManager.grant(Authorizable.fromEntityId(ds), ALICE, EnumSet.of(Action.READ, Action.WRITE)); privilegesManager.grant(Authorizable.fromEntityId(program2), BOB, Collections.singleton(Action.ADMIN)); privilegesManager.grant(Authorizable.fromEntityId(ds2), BOB, EnumSet.of(Action.READ, Action.WRITE)); privilegesManager.revoke(Authorizable.fromEntityId(entityId));
/**
 * Revokes all actions on an entity through the single-argument {@code privilegesManager.revoke};
 * the request names no principal.
 *
 * @param request   the HTTP request whose single positional argument is the {@link EntityId}
 * @param responder used to send {@code 200 OK} after the revoke
 * @throws Exception if argument deserialization fails or the revoke fails
 */
@POST
@Path("/revokeAll")
public void revokeAll(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Iterator<MethodArgument> args = parseArguments(request);
  final EntityId entity = deserializeNext(args);
  LOG.trace("Revoking all actions on {}", entity);
  privilegesManager.revoke(Authorizable.fromEntityId(entity));
  LOG.info("Revoked all actions on {} successfully", entity);
  responder.sendStatus(HttpResponseStatus.OK);
}
}
/**
 * Grants actions on an entity to a principal.
 *
 * Three positional arguments are read from the request, in order: the {@link EntityId}, the
 * {@link Principal} and the {@code Set<Action>} to grant.
 *
 * @param request   the HTTP request holding the serialized arguments
 * @param responder used to send {@code 200 OK} after the grant
 * @throws Exception if argument deserialization fails or the grant fails
 */
@POST
@Path("/grant")
public void grant(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Iterator<MethodArgument> positional = parseArguments(request);
  final EntityId entity = deserializeNext(positional);
  final Principal who = deserializeNext(positional);
  final Set<Action> what = deserializeNext(positional, SET_OF_ACTIONS);
  LOG.trace("Granting {} on {} to {}", what, entity, who);
  final Authorizable authorizable = Authorizable.fromEntityId(entity);
  privilegesManager.grant(authorizable, who, what);
  LOG.info("Granted {} on {} to {} successfully", what, entity, who);
  responder.sendStatus(HttpResponseStatus.OK);
}
/**
 * Returns, as JSON, the privileges held by the principal given in the request.
 *
 * @param request   the HTTP request whose single positional argument is the {@link Principal}
 * @param responder used to send the JSON payload with {@code 200 OK}
 * @throws Exception if argument deserialization fails or the lookup fails
 */
@POST
@Path("/listPrivileges")
public void listPrivileges(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Iterator<MethodArgument> positional = parseArguments(request);
  final Principal who = deserializeNext(positional);
  LOG.trace("Listing privileges for principal {}", who);
  final Set<Privilege> result = privilegesManager.listPrivileges(who);
  LOG.debug("Returning privileges for principal {} as {}", who, result);
  final String payload = GSON.toJson(result);
  responder.sendJson(HttpResponseStatus.OK, payload);
}
/**
 * Revokes a set of actions on an entity from a principal.
 *
 * Three positional arguments are read from the request, in order: the {@link EntityId}, the
 * {@link Principal} and the {@code Set<Action>} to revoke.
 *
 * @param request   the HTTP request holding the serialized arguments
 * @param responder used to send {@code 200 OK} after the revoke
 * @throws Exception if argument deserialization fails or the revoke fails
 */
@POST
@Path("/revoke")
public void revoke(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Iterator<MethodArgument> args = parseArguments(request);
  final EntityId target = deserializeNext(args);
  final Principal from = deserializeNext(args);
  final Set<Action> revoked = deserializeNext(args, SET_OF_ACTIONS);
  LOG.trace("Revoking {} on {} from {}", revoked, target, from);
  privilegesManager.revoke(Authorizable.fromEntityId(target), from, revoked);
  LOG.info("Revoked {} on {} from {} successfully", revoked, target, from);
  responder.sendStatus(HttpResponseStatus.OK);
}
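/**
 * Grants actions on an authorizable to a principal, as described by the {@code GrantRequest} in the body.
 *
 * A missing body, a missing authorizable or a missing principal is rejected with {@link BadRequestException},
 * so that a malformed request is reported as a client error instead of surfacing from
 * {@code privilegesManager} as a server error. When the request carries no actions, every {@link Action}
 * is granted, so callers must send an explicit set to grant less than everything.
 *
 * @param httpRequest   the request whose body holds a serialized {@code GrantRequest}
 * @param httpResponder used to send {@code 200 OK} on success
 * @throws BadRequestException if the body is missing or lacks an authorizable or principal
 * @throws Exception propagated from {@code ensureSecurityEnabled()}, body parsing or the grant itself
 */
@Path("/privileges/grant")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void grant(FullHttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
  ensureSecurityEnabled();
  GrantRequest request = parseBody(httpRequest, GrantRequest.class);
  if (request == null) {
    throw new BadRequestException("Missing request body");
  }
  if (request.getAuthorizable() == null) {
    throw new BadRequestException("Missing authorizable in request body");
  }
  if (request.getPrincipal() == null) {
    throw new BadRequestException("Missing principal in request body");
  }
  // An omitted actions list means "all actions", not "no actions".
  Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
  privilegesManager.grant(request.getAuthorizable(), request.getPrincipal(), actions);
  httpResponder.sendStatus(HttpResponseStatus.OK);
  createLogEntry(httpRequest, HttpResponseStatus.OK);
}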
/**
 * Revokes actions on an entity from a principal.
 *
 * Reads three positional arguments from the request: the {@link EntityId}, the {@link Principal}
 * and the {@code Set<Action>} to revoke, in that order.
 *
 * @param request   the HTTP request holding the serialized arguments
 * @param responder used to send {@code 200 OK} after the revoke
 * @throws Exception if argument deserialization fails or the revoke fails
 */
@POST
@Path("/revoke")
public void revoke(FullHttpRequest request, HttpResponder responder) throws Exception {
  final Iterator<MethodArgument> positional = parseArguments(request);
  final EntityId entity = deserializeNext(positional);
  final Principal who = deserializeNext(positional);
  final Set<Action> what = deserializeNext(positional, SET_OF_ACTIONS);
  LOG.trace("Revoking {} on {} from {}", what, entity, who);
  final Authorizable authorizable = Authorizable.fromEntityId(entity);
  privilegesManager.revoke(authorizable, who, what);
  LOG.info("Revoked {} on {} from {} successfully", what, entity, who);
  responder.sendStatus(HttpResponseStatus.OK);
}
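/**
 * Grants actions on an authorizable to a principal, as described by the {@code GrantRequest} in the body.
 *
 * Rejects a missing body, a missing authorizable or a missing principal with {@link BadRequestException}
 * so the caller sees a client error rather than a server error raised from {@code privilegesManager}.
 * A request without actions grants every {@link Action}.
 *
 * @param httpRequest   the request whose body holds a serialized {@code GrantRequest}
 * @param httpResponder used to send {@code 200 OK} on success
 * @throws BadRequestException if the body is missing or lacks an authorizable or principal
 * @throws Exception propagated from {@code ensureSecurityEnabled()}, body parsing or the grant itself
 */
@Path("/privileges/grant")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void grant(FullHttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
  ensureSecurityEnabled();
  GrantRequest request = parseBody(httpRequest, GrantRequest.class);
  if (request == null) {
    throw new BadRequestException("Missing request body");
  }
  if (request.getAuthorizable() == null) {
    throw new BadRequestException("Missing authorizable in request body");
  }
  if (request.getPrincipal() == null) {
    throw new BadRequestException("Missing principal in request body");
  }
  // Absent actions default to the full set; send an explicit set to grant less.
  Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
  privilegesManager.grant(request.getAuthorizable(), request.getPrincipal(), actions);
  httpResponder.sendStatus(HttpResponseStatus.OK);
  createLogEntry(httpRequest, HttpResponseStatus.OK);
}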
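/**
 * Revokes privileges on an authorizable as described by the {@code RevokeRequest} in the body.
 *
 * Two shapes are accepted: with neither principal nor actions the whole authorizable is revoked via the
 * single-argument {@code privilegesManager.revoke}; otherwise the given actions (all of them when the
 * list is absent) are revoked from the given principal. A missing body or a missing authorizable is
 * rejected with {@link BadRequestException} so the caller sees a client error rather than a server error.
 *
 * @param httpRequest   the request whose body holds a serialized {@code RevokeRequest}
 * @param httpResponder used to send {@code 200 OK} on success
 * @throws BadRequestException if the body is missing or lacks an authorizable
 * @throws Exception propagated from {@code ensureSecurityEnabled()}, body parsing or the revoke itself
 */
@Path("/privileges/revoke")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void revoke(FullHttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
  ensureSecurityEnabled();
  RevokeRequest request = parseBody(httpRequest, RevokeRequest.class);
  if (request == null) {
    throw new BadRequestException("Missing request body");
  }
  if (request.getAuthorizable() == null) {
    throw new BadRequestException("Missing authorizable in request body");
  }
  if (request.getPrincipal() == null && request.getActions() == null) {
    // Neither principal nor actions: revoke everything on the authorizable.
    privilegesManager.revoke(request.getAuthorizable());
  } else {
    // NOTE(review): a body with actions but no principal reaches this branch with a null principal;
    // whether privilegesManager accepts that is not visible here — confirm, or reject it as a 400.
    Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
    privilegesManager.revoke(request.getAuthorizable(), request.getPrincipal(), actions);
  }
  httpResponder.sendStatus(HttpResponseStatus.OK);
  createLogEntry(httpRequest, HttpResponseStatus.OK);
}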
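/**
 * Revokes privileges on an authorizable as described by the {@code RevokeRequest} in the body.
 *
 * With neither principal nor actions present, the whole authorizable is revoked through the
 * single-argument {@code privilegesManager.revoke}; otherwise the given actions (every {@link Action}
 * when the list is absent) are revoked from the given principal. A missing body or a missing
 * authorizable is rejected with {@link BadRequestException} rather than failing inside
 * {@code privilegesManager}.
 *
 * @param httpRequest   the request whose body holds a serialized {@code RevokeRequest}
 * @param httpResponder used to send {@code 200 OK} on success
 * @throws BadRequestException if the body is missing or lacks an authorizable
 * @throws Exception propagated from {@code ensureSecurityEnabled()}, body parsing or the revoke itself
 */
@Path("/privileges/revoke")
@POST
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void revoke(FullHttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
  ensureSecurityEnabled();
  RevokeRequest request = parseBody(httpRequest, RevokeRequest.class);
  if (request == null) {
    throw new BadRequestException("Missing request body");
  }
  if (request.getAuthorizable() == null) {
    throw new BadRequestException("Missing authorizable in request body");
  }
  if (request.getPrincipal() == null && request.getActions() == null) {
    // Entity-wide revoke: no principal, no action filter.
    privilegesManager.revoke(request.getAuthorizable());
  } else {
    // NOTE(review): actions without a principal lands here with a null principal; the manager's handling
    // of that is not visible from this handler — confirm, or turn it into a BadRequestException.
    Set<Action> actions = request.getActions() == null ? EnumSet.allOf(Action.class) : request.getActions();
    privilegesManager.revoke(request.getAuthorizable(), request.getPrincipal(), actions);
  }
  httpResponder.sendStatus(HttpResponseStatus.OK);
  createLogEntry(httpRequest, HttpResponseStatus.OK);
}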