Versions Compared

Old Version 7

changes.mady.by.user Bhooshan Mogal

Saved on

compared with

New Version Current

changes.mady.by.user Bhooshan Mogal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

This page documents various scenarios for security use cases supported in 3.5. The scenarios below apply to the following combinations of security:

...

NOTE: This document also assumes that the Authorizer extension is Apache Sentry, so calls out Thrift as the communication mechanism

 

REST APIs

 

Publicly routed REST APIs in AppFabric Service

 

Application Deployment

 

Applications with non-existing dataset

...

  1. Client --> Router HTTPdeployApp(artifact, appConfig)
  2. Router --> AppFabric HTTPdeployApp(artifact, appConfig, SecurityRequestContext.userId)
  3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. AppFabric --> AppFabric: doAs(namespace, deploy(jar, config))
  5. AppFabric --> DatasetServiceClient: createDataset()
  6. DatasetServiceClient --> DatasetService HTTP: createDataset(ds, Header(CDAP-UserId=SecurityRequestContext.userId))
  7. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  8. DatasetService --> Authorizer Thriftrevoke(ds); grant(ds, SecurityRequestContext.userId, ALL)
  9. DatasetService --> DatasetOpExecutor HTTPsuccess = doAs(namespace, createDataset(ds))
  10. DatasetService --> Authorizer Thrift!success ? revoke(ds)
  11. DatasetService --> AppFabric --> Router --> Client HTTPresult

 

Applications with existing dataset

 

  1. Client --> Router HTTPdeployApp(artifact, appConfig)
  2. Router --> AppFabric HTTPdeployApp(artifact, appConfig, SecurityRequestContext.userId)
  3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. AppFabric --> AppFabric: doAs(namespace, deploy(jar, config))
  5. AppFabric --> DatasetServiceClient: !compatibleUpdate ? IncompatibleException
  6. DatasetServiceClient --> DatasetService HTTP: update(ds, Header(CDAP-UserId=SecurityRequestContext.userId))
  7. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  8. DatasetService --> DatasetService: success = update(ds)
  9. DatasetService --> AppFabric --> Router --> Client HTTPresult

...

Applications with non-existing streams

 

Applications with existing streams

Namespace Creation

 

Namespace Creation

 

 

Namespace Deletion

 

  1. Client --> Router HTTP: createNamespace(nsName, nsConfig)
  2. Router --> AppFabric HTTP: createNamespace(nsName, nsConfig, SecurityRequestContext.userId)
  3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. AppFabric --> Authorizer Thrift: grant(namespace, SecurityRequestContext.userId, ALL)
  5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
  6. DatasetServiceClient --> DatasetService HTTP: getDataset(app.meta, 

...

  1. Header(CDAP-UserId=Principal.SYSTEM))
  2. DatasetService --> AuthEnforcerresult = filter(dataset, SecurityRequestContext.userId)        (info) This will always be non-empty, because of the system principal
  3. DatasetService --> DatasetServiceClient HTTP —> AppFabric: MDS
  4. AppFabric --> MDS: store(namespace)
  5. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, createNamespace(namespaceMeta))     (info) This will only check for access for custom mappings, but will create otherwise
  6. AppFabric —> AppFabric: !result ? revoke(namespace) && NamespaceCannotBeCreatedException 
  7. AppFabric --> Router --> Client HTTPresult

Namespace Deletion

  1. Client --> Router HTTPdeleteNamespace(nsName)
  2. Router --> AppFabric HTTP: deleteNamespace(nsName, SecurityRequestContext.userId)
  3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. AppFabric --> Authorizer Thriftrevoke(namespace, SecurityRequestContext.userId, ALL)
  5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
  6. DatasetServiceClient --> DatasetService HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
  7. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)        (info) This will always be non-empty, because of the system principal
  8. DatasetService --> DatasetServiceClient HTTP —> AppFabric: MDS
  9. AppFabric --> MDS: delete(namespace)
  10. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, delete(namespaceMeta))              (info) This will only check for access for custom mappings, but will delete otherwise
  11. AppFabric --> Authorizer Thriftrevoke(namespace, SecurityRequestContext.userId, ALL)
  12. AppFabric —> AppFabric: !result ? NamespaceCannotBeDeletedException 
  13. AppFabric --> Router --> Client HTTPresult

Publicly routed REST APIs in Dataset Service

...

Create

...

  1. Client --> Router HTTPcreateDataset(dataset, type, properties)
  2. Router --> DatasetService HTTPcreateDataset(dataset, type, properties, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. DatasetService --> Authorizer Thriftrevoke(dataset); grant(dataset, SecurityRequestContext.userId, ALL)
  5. DatasetService --> DatasetOpExecutor HTTPsuccess = doAs(namespace, createDataset(dataset))
  6. DatasetService --> Authorizer Thrift!success ? revoke(dataset)
  7. DatasetService --> Router --> Client HTTPresult

 

List

 

  1. Client --> Router HTTPlistDatasets(namespace)
  2. Router --> DatasetService HTTPlistDatasets(namespace, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: result = filter(datasetsInNamespace, SecurityRequestContext.userId)
  4. DatasetService -->  Router --> Client HTTPresult

 

Get

 

  1. Client --> Router HTTPgetDataset(dataset)
  2. Router --> DatasetService HTTPdataset = getDataset(dataset, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)
  4. DatasetService -->  Router --> Client HTTPresult.isEmpty ? UnauthorizedException

 

Update

...

  1. Client --> Router HTTPupdateDataset(dataset, type, properties)
  2. Router --> DatasetService HTTPupdateDataset(dataset, type, properties, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. DatasetService --> DatasetService: result = update(dataset, type, properties)
  5. DatasetService --> Router --> Client HTTPresult

 

Truncate

 

  1. Client --> Router HTTPtruncate(dataset)
  2. Router --> DatasetService HTTPtruncate(ds, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. DatasetService --> DatasetOpExecutor HTTPresult = doAs(namespace, truncate(dataset))
  5. DatasetService --> Router --> Client HTTPresult

 

Drop

...

  1. Client --> Router HTTPdrop(dataset)
  2. Router --> DatasetService HTTPdrop(dataset, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. DatasetService --> DatasetOpExecutor HTTPresult = doAs(namespace, drop(dataset))
  5. DatasetService --> Authorizer Thriftrevoke(dataset)
  6. DatasetService --> Router --> Client HTTPresult

...

Upgrade

 

  1. Client --> Router HTTPupgrade(dataset)
  2. Router --> DatasetService HTTPupgrade(dataset, SecurityRequestContext.userId)
  3. DatasetService --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. DatasetService --> DatasetOpExecutor HTTPresult = doAs(namespace, upgrade(dataset))
  5. DatasetService --> Router --> Client HTTPresult

 

Publicly routed REST APIs in Stream Service

...

Create operations on datasets and streams can create tables in Hive if explore is enabled. Similarly, delete can drop and truncate tables.

Authorization Cache Updates

Scratch Pad

a) Authorization

...