Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Namespaces

Existing) of READ, WRITE, EXECUTE, or ADMIN
Operation
Privileges Required (
Privileges Required (Proposed)
Integration test name
CreateADMIN (on the CDAP instance)

ADMIN

BasicAuthorizationTestBase.testNamespcePrivileges
UpdateADMIN (on the namespace)  
DeleteADMIN (on the namespace)ADMIN on the namespace, and all entities in the namespace
BasicAuthorizationTestBase.testNamespcePrivileges
View/ListAny Any privilege on the namespace or any of its descendants.

BasicAuthorizationTestBase.testCreatedDeletedPrivileges

This needs to have a more comprehensive test to cover the list of as many entities as possible.

Get Namespace Meta Any privilege on the namespace or any of its descendants. This can be easily added to test and this is covered in unit test.


Artifacts

Existing (on namespace) | ADMIN (on artifact) (on artifact) (on namespace) | ADMIN (on artifact)
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration test name
AddWRITE (on the namespace)ADMINADMIN
Integration tests only tests deploy app with artifact
Add a propertyADMINADMIN 
Remove a propertyADMIN (on namespace) | ADMINADMIN 
Use to deploy an app ADMIN | READAppAuthorizationTestBase.testDeployApp
DeleteADMINADMIN 
View/ListAny of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on artifact)Any privilege on the artifact 
Get artifact info/summary/detail ADMIN | READ 
  We have tests in unit test but not in integration tests

 

Applications

ExistingWRITE (on the namespace) and READ (on the artifact if deployed from an artifact) (on the namespace)
Operation
Privileges Required (
Proposed)
Privileges Required (Proposed)
Add
Integration test name
Add

ADMIN

*Also see artifact privileges and principal privileges

AppAuthorizationTestBase.testDeployApp
DeleteADMIN (on the application) | ADMINADMINAppAuthorizationTestBase.testDeployApp
View/ListAny of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on application)Any privilege on the application or any of its descendants.can easily add
Get application detail ADMIN | READcan easily add
   

 

Programs

Existing (on the namespace)) & READ (on the namespace) (on the namespace) | ADMIN (on the application) | ADMIN (on the program) (on the namespace) | ADMIN (on the application) | ADMIN (on the program)
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration test name
Start, Stop, or Debug(EXECUTE (on the program) | EXECUTE (on the application) | EXECUTEEXECUTEAppAuthorizationTestBase.testDatasetInProgram
Set instancesADMINADMIN 
Set runtime argumentsADMINADMIN 
Retrieve runtime argumentsREAD (on the namespace) | READ (on the application) | READ (on the program)READ | EXECUTE | ADMIN 
Retrieve statusAny of READ, WRITE, EXECUTE, or ADMIN  AppAuthorizationTestBase.testDatasetInProgram
View/ListAny of READ, WRITE, EXECUTE, or ADMIN  easily add
Get program specification ADMIN | READ 

 

Datasets

Existing) (on the namespace) and READ (on the namespace))
Operation
Privileges Required (
Privileges Required (Proposed)
Integration Test Name
CreateWRITE (on the namespace)ADMINBasicAuthorizationTestBase.testDatasetPrivileges
Read(READ (on the dataset) and READ (namespace)) | READ (on the namespace)READ AppAuthorizationTestBase.testDatasetInProgram
Retrieving propertiesNot DocumentedAny of READWRITEADMIN, or EXECUTE easily add
WriteWRITE (on the dataset) | WRITE (on the namespace)WRITE AppAuthorizationTestBase.testDatasetInProgram
Update(ADMIN (on the dataset) and READ (on the namespace)) | (ADMINADMINBasicAuthorizationTestBase.testDatasetPrivileges
UpgradeADMIN (on the dataset) | ADMIN (on the namespace)ADMIN 
TruncateADMIN (on the dataset) | ADMIN (on the namespace)ADMINBasicAuthorizationTestBase.testDatasetPrivileges
DropADMIN (on the dataset) | ADMIN (on the namespace)ADMINBasicAuthorizationTestBase.testDatasetPrivileges
View/ListAny of READ, WRITE, EXECUTE, or ADMIN BasicAuthorizationTestBase.testDatasetPrivileges
Get dataset meta ADMIN | READ | WRITEBasicAuthorizationTestBase.testDatasetPrivileges

 

Dataset Modules

Existing (on the dataset module) | ADMIN (on the namespace) (on the namespace)
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration Test Name
DeployWRITE (on the namespace)ADMINADMIN 
DeleteADMINADMIN 
Delete-all in the namespaceADMINADMIN on all dataset modules in the namespace 
View/ListAny of READ, WRITE, EXECUTE, or ADMIN  
Get module meta ADMIN | READ 
  Unit test covers add module during app deployment

 

Dataset Types

Existing
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration test name
View/ListAny of READ, WRITE, EXECUTE, or ADMIN  easy to add
Get dataset type meta ADMIN | READBasicAuthorizationTestBase.testDatasetPrivileges

 

Secure Keys

ExistingWRITE(on the namespace) (on the key) | ADMIN (on the namespace)
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration test name
CreateADMIN ADMIN
DeleteADMINADMIN 
View/ListAny of READ, WRITE, EXECUTE, or ADMIN  
ReadNot DocumentedREAD (on the key) 
  We dont have test for any of them

 

Streams

Existing (on the stream) & READ (on the namespace) (on namespace & READ (on the namespace)) (on stream) | ADMIN (on namespace) (on the namespace) | ADMIN (on the stream)
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration test name
CreateWRITE (on the namespace)ADMINADMINBasicAuthorizationTestBase.testStreamPrivileges
Retrieving eventsREADREADRetrieving propertiesAny of READWRITEADMIN, or EXECUTE BasicAuthorizationTestBase.testStreamPrivileges
Sending events to a stream (sync, async, or batch)(WRITE (on the stream) and READ (on the namespace)) | WRITEWRITEBasicAuthorizationTestBase.testStreamPrivileges
DropADMINADMINBasicAuthorizationTestBase.testStreamPrivileges
Drop-all in the namespaceADMIN (on the namespace) | ADMIN (on the stream)ADMIN on all the streams in the namespace 
UpdateADMINADMINTruncateADMIN (on the namespace) | ADMIN (on the stream)ADMIN 
TruncateADMIN 
View/ListAny of READ, WRITE, EXECUTE, or ADMIN  Easy to add
Get stream property ADMIN | READEasy to add

 

Principal

Existing
Operation
Privileges Required (
Proposed)Privileges Required (Proposed)
Integration test name
Deploy an app to impersonate a principal ADMINADMINAppImpersonationAuthorizationTest(in pr)
Create a namespace with owner prinicpal ADMINADMINNamespaceImpersonationBasicAuthorizationTest
Create a dataset with owner prinicpal ADMINADMINAppImpersonationAuthorizationTest(in pr)
Create a stream with owner prinicpalADMIN 

 

More in integration tests:

  1. Test creating namespaces with two different clients and try to delete them to test the explore user name issue(in pr)
  2. test namespace creation with different owners and make sure the owner is correct(in pr)
  3. all basic tests with ns/app impersonation, custom mapping 
  4. role based auth test(in pr)

 

More to do list:

  1. test create dataset with an unauthorized dataset type
  2. test CDAP-8568 with minimal privilege required

 

 

ADMIN