Namespaces
Operation | Privileges Required ( | Existing)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Create | ADMIN | (on the CDAP instance)ADMIN | BasicAuthorizationTestBase.testNamespcePrivileges |
| UpdateADMIN (on the namespace) | |||
| Delete | ADMIN (on the namespace) | ADMIN on the namespace, and all entities in the namespace | BasicAuthorizationTestBase.testNamespcePrivileges |
| View/List | Any | of READ, WRITE, EXECUTE, or ADMINAny privilege on the namespace or any of its descendants. | BasicAuthorizationTestBase.testCreatedDeletedPrivileges This needs to have a more comprehensive test to cover the list of as many entities as possible. |
| Get Namespace Meta | Any privilege on the namespace or any of its descendants. | This can be easily added to test and this is covered in unit test. |
Artifacts
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Add | WRITE (on the namespace) | ADMINADMIN | Integration tests only tests deploy app with artifact |
| Add a property | ADMIN | (on namespace) | ADMIN (on artifact)ADMIN | |
| Remove a property | ADMIN | (on namespace) | ADMIN (on artifact)ADMIN | |
| Use to deploy an app | ADMIN | READ | AppAuthorizationTestBase.testDeployApp | |
| Delete | ADMIN | (on namespace) | ADMIN (on artifact)ADMIN | |
| View/ListAny of READ, WRITE, EXECUTE, or ADMIN (on namespace) | | Any | of READ, WRITE, EXECUTE, or ADMIN (on artifact)Any privilege on the artifact | |
| Get artifact info/summary/detail | ADMIN | READ | ||
| We have tests in unit test but not in integration tests |
Applications
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Add | WRITE (on the namespace) and READ (on the artifact if deployed from an artifact) | ADMIN *Also see artifact privileges and principal privileges | AppAuthorizationTestBase.testDeployApp |
| Delete | ADMIN | (on the application) | ADMIN (on the namespace)ADMIN | AppAuthorizationTestBase.testDeployApp |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on application) | Any privilege on the application or any of its descendants. | can easily add |
| Get application detail | ADMIN | READ | can easily add | |
Programs
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name | |
|---|---|---|---|---|
| Start, Stop, or Debug( | EXECUTE | (on the program) | EXECUTE (on the application) | EXECUTE (on the namespace)) & READ (on the namespace)EXECUTE | AppAuthorizationTestBase.testDatasetInProgram | |
| Set instances | ADMIN | (on the namespace) | ADMIN (on the application) | ADMIN (on the program)ADMIN | ||
| Set runtime arguments | ADMIN | (on the namespace) | ADMIN (on the application) | ADMIN (on the program)ADMIN | ||
| Retrieve runtime arguments | READ | (on the namespace)| | READ (on the application) | READ (on the program)READ | EXECUTE | ADMIN | |
| Retrieve status | Any of READ, WRITE, EXECUTE, or ADMIN | AppAuthorizationTestBase.testDatasetInProgram | ||
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | easily add | ||
| Get program specification | ADMIN | READ |
Datasets
OperationPrivileges Required (Existing) | Privileges Required (Proposed) | Integration Test Name | ||||||
|---|---|---|---|---|---|---|---|---|
| CreateWRITE (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | ||||||
| Read(READ (on the dataset) and READ (namespace)) | READ (on the namespace) | READ | AppAuthorizationTestBase.testDatasetInProgram | ||||||
| Retrieving propertiesNot Documented | Any of READ, WRITE, ADMIN, or EXECUTE | easily add | ||||||
| Write | WRITE | (on the dataset) | WRITE (on the namespace)WRITE | Update | (ADMIN (on the dataset) and READ (on the namespace)) | (ADMIN (on the namespace) and READ (on the namespace)) | ADMIN | AppAuthorizationTestBase.testDatasetInProgram | ||
| Update | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | ||||||
| Upgrade | ADMIN | (on the dataset) | ADMIN (on the namespace)ADMIN | ||||||
| Truncate | ADMIN | (on the dataset) | ADMIN (on the namespace)ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | |||||
| DropADMIN (on the dataset) | ADMIN (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | ||||||
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | ||||||
| Get dataset meta | ADMIN | READ | WRITE | BasicAuthorizationTestBase.testDatasetPrivileges |
Dataset Modules
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration Test Name |
|---|---|---|---|
| Deploy | ADMIN | WRITE(on the namespace) | ADMIN |
| Delete | ADMIN | (on the dataset module) | ADMIN (on the namespace)ADMIN | |
| Delete-all in the namespace | ADMIN | (on the namespace)ADMIN on all dataset modules in the namespace | |
| View/ListAny of READ, WRITE, EXECUTE, or ADMIN | |||
| Get module meta | ADMIN | READ | ||
| Unit test covers add module during app deployment |
Dataset Types
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | easy to add | |
| Get dataset type meta | ADMIN | READ | BasicAuthorizationTestBase.testDatasetPrivileges |
Secure Keys
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name | |
|---|---|---|---|---|
| Create | ADMIN | WRITE(on the namespace) | ADMIN | |
| Delete | ADMIN | (on the key) | ADMIN (on the namespace)ADMIN | ||
| View/ListAny of READ, WRITE, EXECUTE, or ADMIN | ||||
| ReadNot Documented | READ (on the key) | |||
| We dont have test for any of them |
Streams
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Create | WRITE (on the namespace) | ADMINADMIN | BasicAuthorizationTestBase.testStreamPrivileges |
| Retrieving eventsREAD (on the stream) & READ (on the namespace) | READ | ||
| Retrieving properties | Any of READ, WRITE, ADMIN, or EXECUTE | ||
| BasicAuthorizationTestBase.testStreamPrivileges | |||
| Sending events to a stream (sync, async, or batch)( | WRITE | (on the stream) and READ (on the namespace)) | WRITE (on namespace & READ (on the namespace))WRITE | BasicAuthorizationTestBase.testStreamPrivileges |
| Drop | ADMIN | (on stream) | ADMIN (on namespace)ADMIN | BasicAuthorizationTestBase.testStreamPrivileges |
| Drop-all in the namespaceADMIN (on the namespace) | ADMIN (on the stream) | ADMIN on all the streams in the namespace | ||
| Update | ADMIN | (on the namespace) | ADMIN (on the stream)ADMIN | |
| Truncate | ADMIN (on the namespace) | ADMIN (on the stream) | ADMIN | |
| Truncate | ADMIN | ||
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | Easy to add | |
| Get stream property | ADMIN | READ | Easy to add |
Principal
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Deploy an app to impersonate a principal | ADMINADMIN | AppImpersonationAuthorizationTest(in pr) | |
| Create a namespace with owner prinicpal | ADMINADMIN | NamespaceImpersonationBasicAuthorizationTest | |
| Create a dataset with owner prinicpal | ADMINADMIN | AppImpersonationAuthorizationTest(in pr) | |
| Create a stream with owner prinicpal | ADMIN |
More in integration tests:
- Test creating namespaces with two different clients and try to delete them to test the explore user name issue(in pr)
- test namespace creation with different owners and make sure the owner is correct(in pr)
- all basic tests with ns/app impersonation, custom mapping
- role based auth test(in pr)
ADMIN