| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.ambari.infra.security; |
| |
| import java.security.Principal; |
| import java.util.Enumeration; |
| import java.util.HashMap; |
| import java.util.List; |
| import java.util.Map; |
| |
| import org.apache.hadoop.security.authentication.server.AuthenticationToken; |
| import org.apache.solr.common.params.MapSolrParams; |
| import org.apache.solr.common.params.SolrParams; |
| import org.apache.solr.common.util.Utils; |
| import org.apache.solr.security.AuthorizationContext; |
| import org.apache.solr.security.AuthorizationContext.RequestType; |
| import org.apache.solr.security.AuthorizationResponse; |
| import org.junit.Test; |
| |
| import static java.util.Collections.singletonList; |
| import static java.util.Collections.singletonMap; |
| import static org.apache.solr.common.util.Utils.makeMap; |
| import static org.junit.Assert.assertEquals; |
| |
| public class InfraRuleBasedAuthorizationPluginTest { |
| |
| private static final String PERMISSIONS = "{" + |
| " user-host : {" + |
| " 'infra-solr@EXAMPLE.COM': [hostname, hostname2]" + |
| " }," + |
| " user-role : {" + |
| " 'infra-solr@EXAMPLE.COM': [admin]," + |
| " 'logsearch@EXAMPLE.COM': [logsearch_role,dev]," + |
| " 'logfeeder@EXAMPLE.COM': [logsearch_role,dev]," + |
| " 'atlas@EXAMPLE.COM': [atlas_role, audit_role, dev]," + |
| " 'knox@EXAMPLE.COM': [audit_role,dev]," + |
| " 'hdfs@EXAMPLE.COM': [audit_role,dev]," + |
| " 'hbase@EXAMPLE.COM': [audit_role,dev]," + |
| " 'yarn@EXAMPLE.COM': [audit_role,dev]," + |
| " 'knox@EXAMPLE.COM': [audit_role,dev]," + |
| " 'kafka@EXAMPLE.COM': [audit_role,dev]," + |
| " 'kms@EXAMPLE.COM': [audit_role,dev]," + |
| " 'storm@EXAMPLE.COM': [audit_role,dev]," + |
| " 'rangeradmin@EXAMPLE.COM':[ranger_role, audit_role, dev]" + |
| " }," + |
| " permissions : [" + |
| " {name:'collection-admin-read'," + |
| " role:null}," + |
| " {name:collection-admin-edit ," + |
| " role:[logsearch_role, atlas_role, ranger_role, admin]}," + |
| " {name:mycoll_update," + |
| " collection:mycoll," + |
| " path:'/*'," + |
| " role:[logsearch_role,admin]" + |
| " }," + |
| " {name:mycoll2_update," + |
| " collection:mycoll2," + |
| " path:'/*'," + |
| " role:[ranger_role, audit_role, admin]" + |
| " }," + |
| "{name:read , role:dev }]}"; |
| |
| @Test |
| public void testPermissions() { |
| int STATUS_OK = 200; |
| int FORBIDDEN = 403; |
| int PROMPT_FOR_CREDENTIALS = 401; |
| |
| checkRules(makeMap("resource", "/#", |
| "httpMethod", "POST", |
| "userPrincipal", "unknownuser", |
| "collectionRequests", "freeforall" ) |
| , STATUS_OK); |
| |
| checkRules(makeMap("resource", "/update/json/docs", |
| "httpMethod", "POST", |
| "userPrincipal", "tim", |
| "collectionRequests", "mycoll") |
| , FORBIDDEN); |
| |
| checkRules(makeMap("resource", "/update/json/docs", |
| "httpMethod", "POST", |
| "userPrincipal", "logsearch", |
| "collectionRequests", "mycoll") |
| , STATUS_OK); |
| |
| checkRules(makeMap("resource", "/update/json/docs", |
| "httpMethod", "GET", |
| "userPrincipal", "rangeradmin", |
| "collectionRequests", "mycoll") |
| , FORBIDDEN); |
| |
| checkRules(makeMap("resource", "/update/json/docs", |
| "httpMethod", "GET", |
| "userPrincipal", "rangeradmin", |
| "collectionRequests", "mycoll2") |
| , STATUS_OK); |
| |
| checkRules(makeMap("resource", "/update/json/docs", |
| "httpMethod", "GET", |
| "userPrincipal", "logsearch", |
| "collectionRequests", "mycoll2") |
| , FORBIDDEN); |
| |
| checkRules(makeMap("resource", "/update/json/docs", |
| "httpMethod", "POST", |
| "userPrincipal", "kms", |
| "collectionRequests", "mycoll2") |
| , STATUS_OK); |
| |
| checkRules(makeMap("resource", "/admin/collections", |
| "userPrincipal", "tim", |
| "requestType", RequestType.ADMIN, |
| "collectionRequests", null, |
| "params", new MapSolrParams(singletonMap("action", "CREATE"))) |
| , FORBIDDEN); |
| |
| checkRules(makeMap("resource", "/admin/collections", |
| "userPrincipal", null, |
| "requestType", RequestType.ADMIN, |
| "collectionRequests", null, |
| "params", new MapSolrParams(singletonMap("action", "CREATE"))) |
| , PROMPT_FOR_CREDENTIALS); |
| |
| checkRules(makeMap("resource", "/admin/collections", |
| "userPrincipal", "rangeradmin", |
| "requestType", RequestType.ADMIN, |
| "collectionRequests", null, |
| "params", new MapSolrParams(singletonMap("action", "CREATE"))) |
| , STATUS_OK); |
| |
| checkRules(makeMap("resource", "/admin/collections", |
| "userPrincipal", "kms", |
| "requestType", RequestType.ADMIN, |
| "collectionRequests", null, |
| "params", new MapSolrParams(singletonMap("action", "CREATE"))) |
| , FORBIDDEN); |
| |
| checkRules(makeMap("resource", "/admin/collections", |
| "userPrincipal", "kms", |
| "requestType", RequestType.ADMIN, |
| "collectionRequests", null, |
| "params", new MapSolrParams(singletonMap("action", "LIST"))) |
| , STATUS_OK); |
| |
| checkRules(makeMap("resource", "/admin/collections", |
| "userPrincipal", "rangeradmin", |
| "requestType", RequestType.ADMIN, |
| "collectionRequests", null, |
| "params", new MapSolrParams(singletonMap("action", "LIST"))) |
| , STATUS_OK); |
| } |
| |
| private void checkRules(Map<String, Object> values, int expected) { |
| checkRules(values,expected,(Map) Utils.fromJSONString(PERMISSIONS)); |
| } |
| |
| private void checkRules(Map<String, Object> values, int expected, Map<String ,Object> permissions) { |
| AuthorizationContext context = new MockAuthorizationContext(values); |
| InfraRuleBasedAuthorizationPlugin plugin = new InfraRuleBasedAuthorizationPlugin(); |
| plugin.init(permissions); |
| AuthorizationResponse authResp = plugin.authorize(context); |
| assertEquals(expected, authResp.statusCode); |
| } |
| |
| private static class MockAuthorizationContext extends AuthorizationContext { |
| private final Map<String,Object> values; |
| |
| private MockAuthorizationContext(Map<String, Object> values) { |
| this.values = values; |
| } |
| |
| @Override |
| public SolrParams getParams() { |
| SolrParams params = (SolrParams) values.get("params"); |
| return params == null ? new MapSolrParams(new HashMap<String, String>()) : params; |
| } |
| |
| @Override |
| public Principal getUserPrincipal() { |
| Object userPrincipal = values.get("userPrincipal"); |
| return userPrincipal == null ? null : |
| new AuthenticationToken(String.valueOf(userPrincipal), String.format("%s%s", String.valueOf(userPrincipal), "/hostname@EXAMPLE.COM"), "kerberos"); |
| } |
| |
| @Override |
| public String getHttpHeader(String header) { |
| return null; |
| } |
| |
| @Override |
| public Enumeration getHeaderNames() { |
| return null; |
| } |
| |
| @Override |
| public String getRemoteAddr() { |
| return null; |
| } |
| |
| @Override |
| public String getRemoteHost() { |
| return null; |
| } |
| |
| @Override |
| public List<CollectionRequest> getCollectionRequests() { |
| Object collectionRequests = values.get("collectionRequests"); |
| if (collectionRequests instanceof String) { |
| return singletonList(new CollectionRequest((String)collectionRequests)); |
| } |
| return (List<CollectionRequest>) collectionRequests; |
| } |
| |
| @Override |
| public RequestType getRequestType() { |
| return (RequestType) values.get("requestType"); |
| } |
| |
| @Override |
| public String getHttpMethod() { |
| return (String) values.get("httpMethod"); |
| } |
| |
| @Override |
| public String getResource() { |
| return (String) values.get("resource"); |
| } |
| } |
| |
| } |