Overview

This page documents various scenarios for security use cases supported in 3.5. The scenarios below apply to the following combinations of security:

...

Applications with existing streams

Namespace Creation

1. Client --> Router ^HTTP: createNamespace(nsName, nsConfig)
2. Router --> AppFabric ^HTTP: createNamespace(nsName, nsConfig, SecurityRequestContext.userId)
3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. AppFabric --> Authorizer ^Thrift: grant(namespace, SecurityRequestContext.userId, ALL)
5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
6. DatasetServiceClient --> DatasetService ^HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
7. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)         This will always be non-empty, because of the system principal
8. DatasetService --> DatasetServiceClient ^HTTP —> AppFabric: MDS
9. AppFabric --> MDS: store(namespace)
10. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, createNamespace(namespaceMeta))      This will only check for access for custom mappings, but will create otherwise
11. AppFabric —> AppFabric: !result ? revoke(namespace) && NamespaceCannotBeCreatedException 
12. AppFabric --> Router --> Client ^HTTP: result

...

1. Client --> Router ^HTTP: deleteNamespace(nsName)
2. Router --> AppFabric ^HTTP: deleteNamespace(nsName, SecurityRequestContext.userId)
3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
4. AppFabric --> Authorizer ^Thrift: revoke(namespace, SecurityRequestContext.userId, ALL)
5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
6. DatasetServiceClient --> DatasetService ^HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
7. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)         This will always be non-empty, because of the system principal
8. DatasetService --> DatasetServiceClient ^HTTP —> AppFabric: MDS
9. AppFabric --> MDS: delete(namespace)
10. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, delete(namespaceMeta))               This will only check for access for custom mappings, but will delete otherwise
11. AppFabric --> Authorizer ^Thrift: revoke(namespace, SecurityRequestContext.userId, ALL)
12. AppFabric —> AppFabric: !result ? NamespaceCannotBeDeletedException 
13. AppFabric --> Router --> Client ^HTTP: result

...