...
- Ideally, D-Rock would like to be able to authorize all operations on all entities in CDAP.
- However, this can be rolled out in phases. In the initial phase, he would like to control who can:
- Create/update/delete a namespace
- Only users with WRITE permission on CDAP instance should be able to perform this operation.
- A property in
cdap-site.xmlshould decide a set of users who have admin permission on cdap instance. These admins can then later grant permissions to other users.
- Deploy an application in a namespace
- Only users with WRITE permission on the namespace should be able to perform this operation
- One the application is deployed the the user who deployed becomes the ADMIN of the application.
- Start/stop a program
- Only users with READ permission on the namespace and application, and EXECUTE permission on the program should be able to perform this operation
- Only users with ADMIN permission on the program can set preference for the program
- Only users with WRITE permission can provide runtime args
- Read/write to a stream
- Only users with READ privilege on the namespace and READ permission on the stream should be able to read from the stream
- Only users with READ privilege on the namespace and WRITE permission on the stream should be able to write to the stream
- Create/update/delete a namespace
Design
This feature can be broken down into the following main parts, in no specific order:
Authorization Hooks in CDAP
This would include the authorization system in CDAP. External systems like Apache Sentry/Ranger could be plugged into this system. It provides authorization hooks during various operations within CDAP, that throw AuthorizationException if the operation is not authorized.
This system exposes a set of interfaces defined below.
AuthChecker
The AuthChecker interface provides a way to check if an operation is authorized. At various points in the CDAP code (NamespaceHttpHandler, AppLifecycleHttpHandler, ProgramLifecycleHttpHandler, StreamHandler in 3.4), this interface will be used to check if an operation is authorized.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
interface AuthChecker {
/**
* Checks if a user is allowed to perform a set of actions on an entity.
*
* @param Principal the Principal that performs the actions. This could be a user, group or a role
* @param entity the entity on which an action is being performed
* @param action the action being performed
* @throws AuthorizationException if the Principal is not authorized to perform action on the entity
*/
void checkAuthorized(Principal Principal, Entity entity, Action action) throws AuthorizationException;
} |
Authorizer
This interface allows CDAP admins to grant/revoke permissions for specific operations on specific CDAP entities to specified Principals. It will be used by the ACL Management module, which may or may not reside in CDAP for the purposes of integration with Apache Sentry 
TBD.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
interface Authorizer extends AuthChecker {
/**
* Grants a principal authorization to perform a set of actions on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the Principal that performs the actions. This could be a user, group or a role
* @param actions the set of actions to grant
*/
void grant(EntityId entity, Principal principal, Set<Action> actions);
/**
* Grants a Principal authorization to perform all actions on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the Principal that performs the actions. This could be a user, group or a role
*/
void grant(EntityId entity, Principal principal, Set<Action> actions);
/**
* Revokes a principal's authorization to perform a set of actions on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the principal that performs the actions. This could be a user, group or a role
* @param actions the set of actions to revoke permissions on
*/
void revoke(EntityId entity, Principal principal, Set<Action> actions);
/**
* Revokes a principal's authorization to perform any action on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the principal that performs the actions. This could be a user, group or a role
*/
void revoke(EntityId entity, Principal Principal);
/**
* Revokes all principals' authorization to perform any action on an entity.
*
* @param entity the entity on which an action is being performed
*/
void revoke(EntityId entity);
} |
Where Principal is the entity performing actions defined as below:
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
public class Principal {
enum PrincipalType {
USER,
GROUP,
ROLE
}
private final String name;
private final PrincipalType type;
public Principal(String name, PrincipalType type) {
this.name = name;
this.type = type;
}
public String getName() {
return name;
}
public PrincipalType getType() {
return type;
}
} |
Integration with Apache Sentry will be achieved by implementations of these interfaces that delegate to Apache Sentry.
...
Entities, Operations and Required Privileges
| Entity | Operation | Required Privileges | Resultant Privileges |
|---|---|---|---|
| Namespace | create | ADMIN (Instance) | ADMIN (Namespace) |
| update | ADMIN (Namespace) | ||
| list | READ (Instance) | ||
| get | READ (Namespace) | ||
| delete | ADMIN (Namespace) | ||
| set preference | WRITE (Namespace) | ||
| get preference | READ (Namespace) | ||
| search | READ (Namespace) | ||
| Artifact | add | WRITE (Namespace) | ADMIN (Artifact) |
| delete | ADMIN (Artifact) | ||
| get | READ (Artifact) | ||
| list | READ (Namespace) | ||
| write property | ADMIN (Artifact) | ||
| delete property | ADMIN (Artifact) | ||
| get property | READ (Artifact) | ||
| refresh | WRITE (Instance) | ||
| write metadata | ADMIN (Artifact) | ||
| read metadata | READ (Artifact) | ||
| Application | deploy | WRITE (Namespace) | ADMIN (Application) |
| get | READ (Application) | ||
| list | READ (Namespace) | ||
| update | ADMIN (Application) | ||
| delete | ADMIN (Application) | ||
| set preference | WRITE (Application) | ||
| get preference | READ (Application) | ||
| add metadata | ADMIN (Application) | ||
| get metadata | READ (Application) | ||
| Programs | start/stop/debug | EXECUTE (Program) | |
| set instances | ADMIN (Program) | ||
| list | READ (Namespace) | ||
| set runtime args | EXECUTE (Program) | ||
| get runtime args | READ (Program) | ||
| get instances | READ (Program) | ||
| set preference | ADMIN (Program) | ||
| get preference | READ (Program) | ||
| get status | READ (Program) | ||
| get history | READ (Program) | ||
| add metadata | ADMIN (Program) | ||
| get metadata | READ (Program) | ||
| emit logs | WRITE (Program) | ||
| view logs | READ (Program) | ||
| emit metrics | WRITE (Program) | ||
| view metrics | READ (Program) | ||
| Streams | create | WRITE (Namespace) | ADMIN (Stream) |
| update properties | ADMIN (Stream) | ||
| delete | ADMIN (Stream) | ||
| truncate | ADMIN (Stream) | ||
| enqueue asyncEnqueue batch | WRITE (Stream) | ||
| get | READ (Stream) | ||
| list | READ (Namespace) | ||
| read events | READ (Stream) | ||
| set preferences | ADMIN (Stream) | ||
| get preferences | READ (Stream) | ||
| add metadata | ADMIN (Stream) | ||
| get metadata | READ (Stream) | ||
| view lineage | READ (Stream) | ||
| emit metrics | WRITE (Stream) | ||
| view metrics | READ (Stream) | ||
| Datasets | list | READ (Namespace) | |
| get | READ (Dataset) | ||
| create | WRITE (Namespace) | ADMIN (Dataset) | |
| update | ADMIN (Dataset) | ||
| drop | ADMIN (Dataset) | ||
| executeAdmin (exists/truncate/upgrade) | ADMIN (Dataset) | ||
| add metadata | ADMIN (Dataset) | ||
| get metadata | READ (Dataset) | ||
| view lineage | READ (Dataset) | ||
| emit metrics | WRITE (Dataset) | ||
| view metrics | READ (Dataset) | ||
| Stream View | create | WRITE (Namespace) & ADMIN (Stream) | ADMIN (Stream View) |
| delete | ADMIN (Stream View) | ||
| list | READ (Namespace) & READ (Stream) | ||
| get | READ (Stream View) | ||
| add metadata | ADMIN (Stream View) | ||
| get metadata | READ (Stream View) |
NOTE: Cells marked green are in scope for 3.4
Design
This feature can be broken down into the following main parts, in no specific order:
Authorization Hooks in CDAP
This would include the authorization system in CDAP. External systems like Apache Sentry/Ranger could be plugged into this system. It provides authorization hooks during various operations within CDAP, that throw AuthorizationException if the operation is not authorized.
This system exposes a set of interfaces defined below.
AuthChecker
The AuthChecker interface provides a way to check if an operation is authorized. At various points in the CDAP code (NamespaceHttpHandler, AppLifecycleHttpHandler, ProgramLifecycleHttpHandler, StreamHandler in 3.4), this interface will be used to check if an operation is authorized.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
interface AuthChecker {
/**
* Checks if a user is allowed to perform a set of actions on an entity.
*
* @param Principal the Principal that performs the actions. This could be a user, group or a role
* @param entity the entity on which an action is being performed
* @param action the action being performed
* @throws AuthorizationException if the Principal is not authorized to perform action on the entity
*/
void checkAuthorized(Principal Principal, Entity entity, Action action) throws AuthorizationException;
} |
Authorizer
This interface allows CDAP admins to grant/revoke permissions for specific operations on specific CDAP entities to specified Principals. It will be used by the ACL Management module, which may or may not reside in CDAP for the purposes of integration with Apache Sentry TBD.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
interface Authorizer extends AuthChecker {
/**
* Grants a principal authorization to perform a set of actions on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the Principal that performs the actions. This could be a user, group or a role
* @param actions the set of actions to grant
*/
void grant(EntityId entity, Principal principal, Set<Action> actions);
/**
* Grants a Principal authorization to perform all actions on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the Principal that performs the actions. This could be a user, group or a role
*/
void grant(EntityId entity, Principal principal, Set<Action> actions);
/**
* Revokes a principal's authorization to perform a set of actions on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the principal that performs the actions. This could be a user, group or a role
* @param actions the set of actions to revoke permissions on
*/
void revoke(EntityId entity, Principal principal, Set<Action> actions);
/**
* Revokes a principal's authorization to perform any action on an entity.
*
* @param entity the entity on which an action is being performed
* @param principal the principal that performs the actions. This could be a user, group or a role
*/
void revoke(EntityId entity, Principal Principal);
/**
* Revokes all principals' authorization to perform any action on an entity.
*
* @param entity the entity on which an action is being performed
*/
void revoke(EntityId entity);
} |
Where Principal is the entity performing actions defined as below:
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
public class Principal {
enum PrincipalType {
USER,
GROUP,
ROLE
}
private final String name;
private final PrincipalType type;
public Principal(String name, PrincipalType type) {
this.name = name;
this.type = type;
}
public String getName() {
return name;
}
public PrincipalType getType() {
return type;
}
} |
Integration with Apache Sentry will be achieved by implementations of these interfaces that delegate to Apache Sentry.
Integration with Apache Sentry
...