Namespaces
Operation | Privileges Required ( | Existing)Privileges Required (Proposed) | Integration test name(Class name + test name) |
|---|---|---|---|
| CreateADMIN (on the CDAP instance) | ADMIN | BasicAuthorizationTestBase.testNamespcePrivileges | |
| UpdateADMIN (on the namespace) | |||
| Delete | ADMIN (on the namespace) | ADMIN on the namespace, and all entities in the namespace | BasicAuthorizationTestBase.testNamespcePrivileges |
| View/List | Any | of READ, WRITE, EXECUTE, or ADMINAny privilege on the namespace or any of its descendants. | BasicAuthorizationTestBase.testCreatedDeletedPrivileges This needs to have a more comprehensive test to cover the list of as many entities as possible. |
| Get Namespace Meta | Any privilege on the namespace or any of its descendants. | This can be easily added to test and this is covered in unit test. |
Artifacts
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Add | WRITE (on the namespace) | ADMINADMIN | Integration tests only tests deploy app with artifact |
| Add a property | ADMIN | (on namespace) | ADMIN (on artifact)ADMIN | |
| Remove a propertyADMIN (on namespace) | | ADMIN | (on artifact)ADMIN | |
| Use to deploy an app | ADMIN | READ | AppAuthorizationTestBase.testDeployApp | |
| DeleteADMIN (on namespace) | | ADMIN | (on artifact)ADMIN | |
| View/List | Any | of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on artifact)Any privilege on the artifact | |
| Get artifact info/summary/detail | ADMIN | READ | ||
| We have tests in unit test but not in integration tests |
Applications
Operation | Privileges Required ( | ExistingProposed) | Privileges Required (Proposed) | Add | WRITE (on the namespace) and READ (on the artifact if deployed from an artifact)
|---|---|---|---|
| Integration test name | |||
| Add | ADMIN *Also see artifact privileges and principal privileges | AppAuthorizationTestBase.testDeployApp | |
| DeleteADMIN (on the application) | | ADMIN | (on the namespace)ADMIN | AppAuthorizationTestBase.testDeployApp |
| View/ListAny of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on application) | Any privilege on the application or any of its descendants. | can easily add | |
| Get application detail | ADMIN | READ | can easily add | |
Programs
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name | ||
|---|---|---|---|---|---|
| Start, Stop, or Debug( | EXECUTE | (on the program) | EXECUTE (on the application) | EXECUTE (on the namespace)) & READ (on the namespace)EXECUTE | AppAuthorizationTestBase.testDatasetInProgram | ||
| Set instances | ADMIN | (on the namespace) | ADMIN (on the application) | ADMIN (on the program)ADMIN | |||
| Set runtime arguments | ADMIN | (on the namespace) | ADMIN (on the application) | ADMIN (on the program)ADMIN | Retrieve runtime arguments | READ (on the namespace) | READ (on the application) | READ (on the program)||
| Retrieve runtime arguments | READ | EXECUTE | ADMIN | ||||
| Retrieve status | Any of READ, WRITE, EXECUTE, or ADMIN | AppAuthorizationTestBase.testDatasetInProgram | |||
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | easily add | |||
| Get program specification | ADMIN | READ |
Datasets
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration Test Name |
|---|---|---|---|
| Create | WRITE (on the namespace) | ADMINADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Read( | READ | (on the dataset) and READ (namespace)) | READ (on the namespace)READ | AppAuthorizationTestBase.testDatasetInProgram |
| Retrieving properties | Not Documented | Any of READ, WRITE, ADMIN, or EXECUTE | easily add |
| WriteWRITE (on the dataset) | | WRITE | (on the namespace)WRITE | AppAuthorizationTestBase.testDatasetInProgram |
| Update( | ADMIN | (on the dataset) and READ (on the namespace)) | (ADMIN (on the namespace) and READ (on the namespace))ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Upgrade | ADMIN | (on the dataset) | ADMIN (on the namespace)ADMIN | |
| Truncate | ADMIN | (on the dataset) | ADMIN (on the namespace)ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Drop | ADMIN | (on the dataset) | ADMIN (on the namespace)ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | |
| Get dataset meta | ADMIN | READ | WRITE | BasicAuthorizationTestBase.testDatasetPrivileges |
Dataset Modules
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration Test Name | |
|---|---|---|---|---|
| Deploy | WRITE (on the namespace) | ADMINADMIN | ||
| Delete | ADMIN | (on the dataset module) | ADMIN (on the namespace)ADMIN | ||
| Delete-all in the namespace | ADMIN | (on the namespace)ADMIN on all dataset modules in the namespace | ||
| View/ListAny of READ, WRITE, EXECUTE, or ADMIN | ||||
| Get module meta | ADMIN | READ | |||
| Unit test covers add module during app deployment |
Dataset Types
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | easy to add | |
| Get dataset type meta | ADMIN | READ | BasicAuthorizationTestBase.testDatasetPrivileges |
Secure Keys
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Create | WRITE (on the namespace) | ADMINADMIN | |
| Delete | ADMIN | (on the key) | ADMIN (on the namespace)ADMIN | |
| View/ListAny of READ, WRITE, EXECUTE, or ADMIN | |||
| Read | Not Documented | READ (on the key) | |
| We dont have test for any of them |
Streams
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name | ||||
|---|---|---|---|---|---|---|---|
| Create | WRITE (on the namespace) | ADMINADMIN | BasicAuthorizationTestBase.testStreamPrivileges | ||||
| Retrieving events | READ (on the stream) & READ (on the namespace) | READ | Retrieving properties | Any of READ, WRITE, ADMIN, or EXECUTE | READ | BasicAuthorizationTestBase.testStreamPrivileges | |
| Sending events to a stream (sync, async, or batch)( | WRITE | (on the stream) and READ (on the namespace)) | WRITE (on namespace & READ (on the namespace))WRITE | BasicAuthorizationTestBase.testStreamPrivileges | ||||
| Drop | ADMIN | (on stream) | ADMIN (on namespace)ADMIN | BasicAuthorizationTestBase.testStreamPrivileges | ||||
| Drop-all in the namespace | ADMIN | (on the namespace) | ADMIN (on | the stream)ADMIN on all the streams in the namespace | ||||
| Update | ADMIN | (on the namespace) | ADMIN (on the stream)||||||
| Truncate | ADMIN | Truncate | ADMIN (on the namespace) |ADMIN (on the stream) | ADMIN | |||
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | Easy to add | |||||
| Get stream property | ADMIN | READ | Easy to add |
Principal
Operation | Privileges Required ( | ExistingProposed)Privileges Required (Proposed) | Integration test name | ||
|---|---|---|---|---|---|
| Deploy an app to impersonate a principal | ADMINADMIN | AppImpersonationAuthorizationTest(in pr) | |||
| Create a namespace with owner prinicpal | ADMINADMIN | NamespaceImpersonationBasicAuthorizationTest | |||
| Create a dataset with owner prinicpal | ADMINADMIN | AppImpersonationAuthorizationTest(in pr) | |||
| Create a stream with owner prinicpal | ADMIN | ADMIN | Run a explore query as impersonated prinicpal | EXECUTE |
More in integration tests:
- Test creating namespaces with two different clients and try to delete them to test the explore user name issue(in pr)
- test namespace creation with different owners and make sure the owner is correct(in pr)
- all basic tests with ns/app impersonation, custom mapping
- role based auth test(in pr)
More to do list:
- test create dataset with an unauthorized dataset type
- test CDAP-8568 with minimal privilege required