private boolean hasAccess(ProgramId programId) throws Exception { Principal principal = authenticationContext.getPrincipal(); return !authorizationEnforcer.isVisible(Collections.singleton(programId), principal).isEmpty(); }
private boolean hasAccess(ProgramId programId) throws Exception { Principal principal = authenticationContext.getPrincipal(); return !authorizationEnforcer.isVisible(Collections.singleton(programId), principal).isEmpty(); }
/** * Checks if one entity is visible to the principal * * @param entityId entity id to be checked * @param authorizationEnforcer enforcer to make the authorization check * @param principal the principal to be checked * @throws UnauthorizedException if the principal does not have any privilege in the action set on the entity */ public static void ensureAccess(EntityId entityId, AuthorizationEnforcer authorizationEnforcer, Principal principal) throws Exception { if (authorizationEnforcer.isVisible(Collections.singleton(entityId), principal).isEmpty()) { throw new UnauthorizedException(principal, entityId); } }
@POST @Path("/isVisible") public void isVisible(FullHttpRequest request, HttpResponder responder) throws Exception { VisibilityRequest visibilityRequest = GSON.fromJson(request.content().toString(StandardCharsets.UTF_8), VisibilityRequest.class); Principal principal = visibilityRequest.getPrincipal(); Set<EntityId> entityIds = visibilityRequest.getEntityIds(); LOG.trace("Checking visibility for principal {} on entities {}", principal, entityIds); Set<? extends EntityId> visiableEntities = authorizationEnforcer.isVisible(entityIds, principal); LOG.debug("Returning entities visible for principal {} as {}", principal, visiableEntities); responder.sendJson(HttpResponseStatus.OK, GSON.toJson(visiableEntities)); }
@POST @Path("/isVisible") public void isVisible(FullHttpRequest request, HttpResponder responder) throws Exception { VisibilityRequest visibilityRequest = GSON.fromJson(request.content().toString(StandardCharsets.UTF_8), VisibilityRequest.class); Principal principal = visibilityRequest.getPrincipal(); Set<EntityId> entityIds = visibilityRequest.getEntityIds(); LOG.trace("Checking visibility for principal {} on entities {}", principal, entityIds); Set<? extends EntityId> visiableEntities = authorizationEnforcer.isVisible(entityIds, principal); LOG.debug("Returning entities visible for principal {} as {}", principal, visiableEntities); responder.sendJson(HttpResponseStatus.OK, GSON.toJson(visiableEntities)); }
/** * Checks the visibility of the entity info in batch size and returns the visible entities * * @param entityInfo the entity info to check visibility * @param authorizationEnforcer enforcer to make the authorization check * @param principal the principal to be checked * @param transformer the function to transform the entity info to an entity id * @param byPassFilter an optional bypass filter which allows to skip the auth check for some entities * @return an unmodified list of visible entities */ public static <EntityInfo> List<EntityInfo> isVisible( Collection<EntityInfo> entityInfo, AuthorizationEnforcer authorizationEnforcer, Principal principal, Function<EntityInfo, EntityId> transformer, @Nullable Predicate<EntityInfo> byPassFilter) throws Exception { List<EntityInfo> visibleEntities = new ArrayList<>(entityInfo.size()); for (List<EntityInfo> split : Iterables.partition(entityInfo, Constants.Security.Authorization.VISIBLE_BATCH_SIZE)) { Map<EntityId, EntityInfo> datasetTypesMapping = new LinkedHashMap<>(split.size()); for (EntityInfo info : split) { if (byPassFilter != null && byPassFilter.apply(info)) { visibleEntities.add(info); } else { datasetTypesMapping.put(transformer.apply(info), info); } } datasetTypesMapping.keySet().retainAll(authorizationEnforcer.isVisible(datasetTypesMapping.keySet(), principal)); visibleEntities.addAll(datasetTypesMapping.values()); } return Collections.unmodifiableList(visibleEntities); }
private void addProgramHistory(List<ProgramHistory> histories, List<ProgramId> programs, ProgramRunStatus programRunStatus, long start, long end, int limit) throws Exception { Set<? extends EntityId> visibleEntities = authorizationEnforcer.isVisible(new HashSet<>(programs), authenticationContext.getPrincipal()); for (ProgramHistory programHistory : store.getRuns(programs, programRunStatus, start, end, limit, x -> true)) { ProgramId programId = programHistory.getProgramId(); if (visibleEntities.contains(programId)) { histories.add(programHistory); } else { histories.add(new ProgramHistory(programId, Collections.emptyList(), new UnauthorizedException(authenticationContext.getPrincipal(), programId))); } } }
private void addProgramHistory(List<ProgramHistory> histories, List<ProgramId> programs, ProgramRunStatus programRunStatus, long start, long end, int limit) throws Exception { Set<? extends EntityId> visibleEntities = authorizationEnforcer.isVisible(new HashSet<>(programs), authenticationContext.getPrincipal()); for (ProgramHistory programHistory : store.getRuns(programs, programRunStatus, start, end, limit, x -> true)) { ProgramId programId = programHistory.getProgramId(); if (visibleEntities.contains(programId)) { histories.add(programHistory); } else { histories.add(new ProgramHistory(programId, Collections.emptyList(), new UnauthorizedException(authenticationContext.getPrincipal(), programId))); } } }
@Override public void testVisibility() throws Exception { super.testVisibility(); // The super class revokes all privileges after test is done. Since cache is enabled, visibility should still work. Assert.assertEquals(ImmutableSet.of(NS, APP, PROGRAM), authorizationEnforcer.isVisible(ImmutableSet.of(NS, APP, PROGRAM), ALICE)); } }
@Override public void testVisibility() throws Exception { super.testVisibility(); // The super class revokes all privileges after test is done. Since cache is disabled, nothing should be visible. Assert.assertEquals(ImmutableSet.of(), authorizationEnforcer.isVisible(ImmutableSet.of(NS, APP, PROGRAM), ALICE)); } }
/** * Returns the program run count of the given program id list. * * @param programIds the list of program ids to get the count * @return the counts of given program ids */ public List<RunCountResult> getProgramRunCounts(List<ProgramId> programIds) throws Exception { List<RunCountResult> result = store.getProgramRunCounts(programIds); // filter the result Set<? extends EntityId> visibleEntities = authorizationEnforcer.isVisible(new HashSet<>(programIds), authenticationContext.getPrincipal()); return result.stream() .map(runCount -> { if (!visibleEntities.contains(runCount.getProgramId())) { return new RunCountResult(runCount.getProgramId(), null, new UnauthorizedException(authenticationContext.getPrincipal(), runCount.getProgramId())); } return runCount; }) .collect(Collectors.toList()); }
/** * Returns the program run count of the given program id list. * * @param programIds the list of program ids to get the count * @return the counts of given program ids */ public List<RunCountResult> getProgramRunCounts(List<ProgramId> programIds) throws Exception { List<RunCountResult> result = store.getProgramRunCounts(programIds); // filter the result Set<? extends EntityId> visibleEntities = authorizationEnforcer.isVisible(new HashSet<>(programIds), authenticationContext.getPrincipal()); return result.stream() .map(runCount -> { if (!visibleEntities.contains(runCount.getProgramId())) { return new RunCountResult(runCount.getProgramId(), null, new UnauthorizedException(authenticationContext.getPrincipal(), runCount.getProgramId())); } return runCount; }) .collect(Collectors.toList()); }
appSpecs.put(namespace.app(appSpec.getName(), appSpec.getAppVersion()), appSpec); appSpecs.keySet().retainAll(authorizationEnforcer.isVisible(appSpecs.keySet(), authenticationContext.getPrincipal()));
appSpecs.put(namespace.app(appSpec.getName(), appSpec.getAppVersion()), appSpec); appSpecs.keySet().retainAll(authorizationEnforcer.isVisible(appSpecs.keySet(), authenticationContext.getPrincipal()));