Namespaces
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Create | ADMIN (on the CDAP instance) | ADMIN | BasicAuthorizationTestBase.testNamespcePrivileges |
Update | ADMIN (on the namespace) | ||
Delete | ADMIN (on the namespace) | ADMIN on the namespace, and all entities in the namespace | BasicAuthorizationTestBase.testNamespcePrivileges |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | Any privilege on the namespace or any of its descendants. | BasicAuthorizationTestBase.testCreatedDeletedPrivileges. This needs to have a more comprehensive test to cover the list of as many entities as possible. |
Get Namespace Meta | Any privilege on the namespace or any of its descendants. | This can be easily added to test and this is covered in unit test. |
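
Added example (not CDAP code): a sketch of two proposed Namespaces rules from the table above, View/List (any privilege on the namespace or any of its descendants) and Delete (ADMIN on the namespace and all entities in it). The tuple entity paths, the grant map, the sample data and the function names are assumptions made for illustration.

```python
from typing import Dict, List, Set, Tuple

Entity = Tuple[str, ...]          # hypothetical path form: ("ns1",), ("ns1", "app1"), ...
Grants = Dict[Entity, Set[str]]   # entity -> privileges held by one principal

# Constructed sample grants for a single principal.
GRANTS: Grants = {
    ("ns1", "app1", "prog1"): {"EXECUTE"},
    ("ns2",): {"ADMIN"},
    ("ns2", "dataset1"): {"ADMIN"},
}

# Constructed inventory of the entities that exist.
ENTITIES: List[Entity] = [
    ("ns1",), ("ns1", "app1"), ("ns1", "app1", "prog1"),
    ("ns2",), ("ns2", "dataset1"), ("ns2", "stream1"),
]


def is_self_or_descendant(candidate: Entity, ancestor: Entity) -> bool:
    """True when candidate is the ancestor itself or lives underneath it."""
    return candidate[:len(ancestor)] == ancestor


def can_view(grants: Grants, entity: Entity) -> bool:
    """View/List: any privilege on the entity or on any of its descendants."""
    return any(bool(privs) and is_self_or_descendant(granted, entity)
               for granted, privs in grants.items())


def missing_admin(grants: Grants, entities: List[Entity], namespace: Entity) -> List[Entity]:
    """Entities in the namespace (itself included) on which ADMIN is not held."""
    return [e for e in entities
            if is_self_or_descendant(e, namespace)
            and "ADMIN" not in grants.get(e, set())]


def can_delete_namespace(grants: Grants, entities: List[Entity], namespace: Entity) -> bool:
    """Delete: ADMIN on the namespace and on all entities in the namespace."""
    exists = any(is_self_or_descendant(e, namespace) for e in entities)
    return exists and not missing_admin(grants, entities, namespace)


if __name__ == "__main__":
    print(can_view(GRANTS, ("ns1",)))                        # visible via EXECUTE on prog1
    print(can_delete_namespace(GRANTS, ENTITIES, ("ns2",)))  # blocked by stream1
    print(missing_admin(GRANTS, ENTITIES, ("ns2",)))
```

The two rules pull in opposite directions: a single privilege on one descendant is enough to make a namespace visible, while deletion fails as soon as one entity in the namespace lacks ADMIN.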
Artifacts
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Add | WRITE (on the namespace) | ADMIN | Integration tests only test deploying an app with an artifact |
Add a property | ADMIN (on namespace) \| ADMIN (on artifact) | ADMIN | |
Remove a property | ADMIN (on namespace) \| ADMIN (on artifact) | ADMIN | |
Use to deploy an app | ADMIN | READ | AppAuthorizationTestBase.testDeployApp | |
Delete | ADMIN (on namespace) \| ADMIN (on artifact) | ADMIN | |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN (on namespace) \| Any of READ, WRITE, EXECUTE, or ADMIN (on artifact) | Any privilege on the artifact | |
Get artifact info/summary/detail | ADMIN | READ | ||
We have tests in unit test but not in integration tests |
Applications
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Add | WRITE (on the namespace) and READ (on the artifact if deployed from an artifact) | ADMIN *Also see artifact privileges and principal privileges | AppAuthorizationTestBase.testDeployApp |
Delete | ADMIN (on the application) \| ADMIN (on the namespace) | ADMIN | AppAuthorizationTestBase.testDeployApp |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN (on namespace) \| Any of READ, WRITE, EXECUTE, or ADMIN (on application) | Any privilege on the application or any of its descendants. | can easily add |
Get application detail | ADMIN | READ | can easily add | |
Programs
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Start, Stop, or Debug | (EXECUTE (on the program) \| EXECUTE (on the application) \| EXECUTE (on the namespace)) & READ (on the namespace) | EXECUTE | AppAuthorizationTestBase.testDatasetInProgram |
Set instances | ADMIN (on the namespace) \| ADMIN (on the application) \| ADMIN (on the program) | ADMIN | |
Set runtime arguments | ADMIN (on the namespace) \| ADMIN (on the application) \| ADMIN (on the program) | ADMIN | |
Retrieve runtime argumentsREAD (on the namespace) | READ (on the application) | READ (on the program) | READ | EXECUTE | ADMIN | |||
Retrieve status | Any of READ, WRITE, EXECUTE, or ADMIN | AppAuthorizationTestBase.testDatasetInProgram | ||
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | easily add | ||
Get program specification | ADMIN | READ |
Datasets
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration Test Name |
---|---|---|---|
Create | WRITE (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
Read | (READ (on the dataset) and READ (namespace)) \| READ (on the namespace) | READ | AppAuthorizationTestBase.testDatasetInProgram |
Retrieving properties | Not Documented | Any of READ, WRITE, ADMIN, or EXECUTE | easily add |
Write | WRITE (on the dataset) \| WRITE (on the namespace) | WRITE | AppAuthorizationTestBase.testDatasetInProgram |
Update | (ADMIN (on the dataset) and READ (on the namespace)) \| (ADMIN (on the namespace) and READ (on the namespace)) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
Upgrade | ADMIN (on the dataset) \| ADMIN (on the namespace) | ADMIN | |
Truncate | ADMIN (on the dataset) \| ADMIN (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
Drop | ADMIN (on the dataset) \| ADMIN (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | |
Get dataset meta | ADMIN | READ | WRITE | BasicAuthorizationTestBase.testDatasetPrivileges |
Dataset Modules
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration Test Name |
---|---|---|---|
Deploy | WRITE (on the namespace) | ADMIN | |
Delete | ADMIN (on the dataset module) \| ADMIN (on the namespace) | ADMIN | |
Delete-all in the namespace | ADMIN (on the namespace) | ADMIN on all dataset modules in the namespace | |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | | |
Get module meta | ADMIN | READ | ||
Unit test covers add module during app deployment |
Dataset Types
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | easy to add | |
Get dataset type meta | ADMIN | READ | BasicAuthorizationTestBase.testDatasetPrivileges |
Secure Keys
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Create | WRITE (on the namespace) | ADMIN | |
Delete | ADMIN (on the key) \| ADMIN (on the namespace) | ADMIN | |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | | |
Read | Not Documented | READ (on the key) | |
We don't have tests for any of them |
Streams
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Create | WRITE (on the namespace) | ADMIN | BasicAuthorizationTestBase.testStreamPrivileges |
Retrieving events | READ | (on the stream) & READ (on the namespace)READ | Retrieving properties | Any of READ, WRITE, ADMIN, or EXECUTE | BasicAuthorizationTestBase.testStreamPrivileges | |
Sending events to a stream (sync, async, or batch) | (WRITE (on the stream) and READ (on the namespace)) \| WRITE (on namespace & READ (on the namespace)) | WRITE | BasicAuthorizationTestBase.testStreamPrivileges |
Drop | ADMIN (on stream) \| ADMIN (on namespace) | ADMIN | BasicAuthorizationTestBase.testStreamPrivileges |
Drop-all in the namespace | ADMIN (on the namespace) \| ADMIN (on the stream) | ADMIN on all the streams in the namespace | |
Update | ADMIN (on the namespace) \| ADMIN (on the stream) | ADMIN | |
Truncate | ADMIN (on the namespace) \| ADMIN (on the stream) | ADMIN | |
View/List | Any of READ, WRITE, EXECUTE, or ADMIN | Easy to add | ||||
Get stream property | ADMIN | READ | Easy to add |
Principal
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
---|---|---|---|
Deploy an app to impersonate a principal | | ADMIN | AppImpersonationAuthorizationTest (in PR) |
Create a namespace with owner principal | | ADMIN | NamespaceImpersonationBasicAuthorizationTest |
Create a dataset with owner principal | | ADMIN | AppImpersonationAuthorizationTest (in PR) |
Create a stream with owner principal | | ADMIN | |
More in integration tests:
- Test creating namespaces with two different clients and try to delete them to test the explore user name issue (in PR)
- Test namespace creation with different owners and make sure the owner is correct (in PR)
- All basic tests with ns/app impersonation, custom mapping
- Role-based auth test (in PR)
More to-do items:
- Test creating a dataset with an unauthorized dataset type
- Test CDAP-8568 with the minimal privilege required