Overview

This page documents various scenarios for security use cases supported in 3.5. The scenarios below apply to the following combinations of security:

...

NOTE: This document also assumes that the Authorizer extension is Apache Sentry, so calls out Thrift as the communication mechanism

REST APIs

Publicly routed REST APIs in AppFabric Service

Application Deployment

...

Applications with non-existing dataset

...

1. Client --> Router ^HTTP: deployApp(artifact, appConfig)
2. Router --> AppFabric ^HTTP: deployApp(artifact, appConfig, SecurityRequestContext.userId)
3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. AppFabric --> AppFabric: doAs(namespace, deploy(jar, config))
5. AppFabric --> DatasetServiceClient: createDataset()
6. DatasetServiceClient --> DatasetService ^HTTP: createDataset(ds, Header(CDAP-UserId=SecurityRequestContext.userId))
7. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
8. DatasetService --> Authorizer ^Thrift: revoke(ds); grant(ds, SecurityRequestContext.userId, ALL)
9. DatasetService --> DatasetOpExecutor ^HTTP: success = doAs(namespace, createDataset(ds))
10. DatasetService --> Authorizer ^Thrift: !success ? revoke(ds)
11. DatasetService --> AppFabric --> Router --> Client ^HTTP: result

 

Applications with existing dataset

...

1. Client --> Router ^HTTP: deployApp(artifact, appConfig)
2. Router --> AppFabric ^HTTP: deployApp(artifact, appConfig, SecurityRequestContext.userId)
3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. AppFabric --> AppFabric: doAs(namespace, deploy(jar, config))
5. AppFabric --> DatasetServiceClient: !compatibleUpdate ? IncompatibleException
6. DatasetServiceClient --> DatasetService ^HTTP: update(ds, Header(CDAP-UserId=SecurityRequestContext.userId))
7. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
8. DatasetService --> DatasetService: success = update(ds)
9. DatasetService --> AppFabric --> Router --> Client ^HTTP: result

...

Applications with non-existing streams

Applications with existing streams

Namespace Creation

Namespace Creation

Namespace Deletion

1. Client --> Router ^HTTP: createNamespace(nsName, nsConfig)
2. Router --> AppFabric ^HTTP: createNamespace(nsName, nsConfig, 

...

1. SecurityRequestContext.userId)
2. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
3. AppFabric --> Authorizer ^Thrift: grant(namespace, SecurityRequestContext.userId, ALL)
4. AppFabric --> DatasetServiceClient: getDataset(app.meta)
5. DatasetServiceClient --> DatasetService ^HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
6. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)         This will always be non-empty, because of the system principal
7. DatasetService --> DatasetServiceClient ^HTTP —> AppFabric: MDS
8. AppFabric --> MDS: store(namespace)
9. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, createNamespace(namespaceMeta))      This will only check for access for custom mappings, but will create otherwise
10. AppFabric —> AppFabric: !result ? revoke(namespace) && NamespaceCannotBeCreatedException 
11. AppFabric --> Router --> Client ^HTTP: result

Namespace Deletion

1. Client --> Router ^HTTP: deleteNamespace(nsName)
2. Router --> AppFabric ^HTTP: deleteNamespace(nsName, SecurityRequestContext.userId)
3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. AppFabric --> Authorizer ^Thrift: revoke(namespace, SecurityRequestContext.userId, ALL)
5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
6. DatasetServiceClient --> DatasetService ^HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
7. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)         This will always be non-empty, because of the system principal
8. DatasetService --> DatasetServiceClient ^HTTP —> AppFabric: MDS
9. AppFabric --> MDS: delete(namespace)
10. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, delete(namespaceMeta))               This will only check for access for custom mappings, but will delete otherwise
11. AppFabric --> Authorizer ^Thrift: revoke(namespace, SecurityRequestContext.userId, ALL)
12. AppFabric —> AppFabric: !result ? NamespaceCannotBeDeletedException 
13. AppFabric --> Router --> Client ^HTTP: result

Publicly routed REST APIs in Dataset Service

Create

1. Client --> Router ^HTTP: createDataset(dataset, type, properties)
2. Router --> DatasetService ^HTTP: createDataset(dataset, type, properties, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. DatasetService --> Authorizer ^Thrift: revoke(dataset); grant(dataset, SecurityRequestContext.userId, ALL)
5. DatasetService --> DatasetOpExecutor ^HTTP: success = doAs(namespace, createDataset(dataset))
6. DatasetService --> Authorizer ^Thrift: !success ? revoke(dataset)
7. DatasetService --> Router --> Client ^HTTP: result

List

1. Client --> Router ^HTTP: listDatasets(namespace)
2. Router --> DatasetService ^HTTP: listDatasets(namespace, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: result = filter(datasetsInNamespace, SecurityRequestContext.userId)
4. DatasetService -->  Router --> Client ^HTTP: result

Get

...

1. Client --> Router ^HTTP: getDataset(dataset)
2. Router --> DatasetService ^HTTP: dataset = getDataset(dataset, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)
4. DatasetService -->  Router --> Client ^HTTP: result.isEmpty ? UnauthorizedException

 

Update

1. Client --> Router ^HTTP: updateDataset(dataset, type, properties)
2. Router --> DatasetService ^HTTP: updateDataset(dataset, type, properties, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. DatasetService --> DatasetService: result = update(dataset, type, properties)
5. DatasetService --> Router --> Client ^HTTP: result

Truncate

...

1. Client --> Router ^HTTP: truncate(dataset)
2. Router --> DatasetService ^HTTP: truncate(ds, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. DatasetService --> DatasetOpExecutor ^HTTP: result = doAs(namespace, truncate(dataset))
5. DatasetService --> Router --> Client ^HTTP: result

...

Drop

1. Client --> Router ^HTTP: drop(dataset)
2. Router --> DatasetService ^HTTP: drop(dataset, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. DatasetService --> DatasetOpExecutor ^HTTP: result = doAs(namespace, drop(dataset))
5. DatasetService --> Authorizer ^Thrift: revoke(dataset)
6. DatasetService --> Router --> Client ^HTTP: result

Upgrade

1. Client --> Router ^HTTP: upgrade(dataset)
2. Router --> DatasetService ^HTTP: upgrade(dataset, SecurityRequestContext.userId)
3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. DatasetService --> DatasetOpExecutor ^HTTP: result = doAs(namespace, upgrade(dataset))
5. DatasetService --> Router --> Client ^HTTP: result

...

Publicly routed REST APIs in Stream Service

...