tessl/maven-co-cask-cdap--cdap-security-spi
Service Provider Interface for CDAP's security and authorization framework enabling pluggable authorization mechanisms.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-co-cask-cdap--cdap-security-spi@5.1.0index.mddocs/
CDAP Security SPI
CDAP Security SPI provides the Service Provider Interface for CDAP's security and authorization framework, enabling pluggable authorization mechanisms for the CDAP data platform. It defines core interfaces for authorization enforcement, privilege management, and access control that can be extended to integrate with enterprise security systems.
Package Information
- Package Name: cdap-security-spi
- Package Type: maven
- Group ID: co.cask.cdap
- Language: Java
- Installation: Add dependency to your Maven pom.xml:
<dependency>
<groupId>co.cask.cdap</groupId>
<artifactId>cdap-security-spi</artifactId>
<version>5.1.2</version>
</dependency>Core Imports
// Core authorization interfaces
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
// Authentication context
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
// Exception classes
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.cdap.security.spi.authorization.AlreadyExistsException;
// Base implementations
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.NoOpAuthorizer;Basic Usage
Implementing a Custom Authorizer
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.id.EntityId;
public class CustomAuthorizer extends AbstractAuthorizer {
@Override
public void initialize(AuthorizationContext context) throws Exception {
// Initialize your authorization backend
Properties config = context.getExtensionProperties();
// Setup connection to your authorization system
}
@Override
public void enforce(EntityId entity, Principal principal, Set<Action> actions)
throws Exception {
// Check if principal has permissions for actions on entity
// Throw UnauthorizedException if not authorized
if (!hasPermission(entity, principal, actions)) {
throw new UnauthorizedException(principal, actions, entity);
}
}
@Override
public void grant(Authorizable authorizable, Principal principal, Set<Action> actions)
throws Exception {
// Grant permissions to principal on authorizable
}
// Implement other required methods...
}Using Security Request Context
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.proto.security.Principal;
// Set user context for current thread
SecurityRequestContext.setUserId("alice");
SecurityRequestContext.setUserIP("192.168.1.100");
// Get user information
String userId = SecurityRequestContext.getUserId();
String userIP = SecurityRequestContext.getUserIP();
// Convert to Principal
Principal principal = SecurityRequestContext.toPrincipal();Architecture
The CDAP Security SPI follows a modular architecture with distinct responsibilities:
- Authorization Layer: Core authorization enforcement and privilege management
- Authentication Layer: User identification and context management
- Exception Layer: Structured error handling with HTTP status codes
- Extension Points: Abstract base classes for custom implementations
Capabilities
Authorization Management
Core authorization interfaces for implementing custom authorization backends with role-based access control and privilege management.
@Beta
interface Authorizer extends PrivilegesFetcher, PrivilegesManager, AuthorizationEnforcer {
void initialize(AuthorizationContext context) throws Exception;
void createRole(Role role) throws Exception;
void dropRole(Role role) throws Exception;
Set<Role> listAllRoles() throws Exception;
void destroy() throws Exception;
}@Beta
interface AuthorizationEnforcer {
void enforce(EntityId entity, Principal principal, Action action) throws Exception;
void enforce(EntityId entity, Principal principal, Set<Action> actions) throws Exception;
Set<? extends EntityId> isVisible(Set<? extends EntityId> entityIds, Principal principal) throws Exception;
}Authentication Context
Thread-local authentication context management and user identification for authorization requests.
interface AuthenticationContext {
Principal getPrincipal();
}class SecurityRequestContext {
static String getUserId();
static void setUserId(String userIdParam);
static Principal toPrincipal();
}Exception Handling
Structured exception hierarchy with HTTP status codes for proper error handling in web contexts.
class UnauthorizedException extends RuntimeException implements HttpErrorStatusProvider {
UnauthorizedException(Principal principal, Action action, EntityId entityId);
UnauthorizedException(Principal principal, Set<Action> actions, EntityId entityId);
int getStatusCode(); // Returns 403
}Types
Core Types
// From cdap-proto dependency
class Principal {
Principal(String name, PrincipalType type);
String getName();
PrincipalType getType();
}
enum PrincipalType {
USER, GROUP, ROLE
}
class Role {
Role(String name);
String getName();
}
interface EntityId {
// Entity identifier for CDAP resources
}
enum Action {
READ, WRITE, EXECUTE, ADMIN
// Actions that can be performed on entities
}
class Privilege {
Privilege(Authorizable authorizable, Action action);
Authorizable getAuthorizable();
Action getAction();
}
interface Authorizable {
// Represents an entity that can have privileges granted on it
}
interface HttpErrorStatusProvider {
/**
* Get the HTTP status code for this error condition.
*
* @return HTTP status code (e.g., 403, 404, 409, 400)
*/
int getStatusCode();
}Extension Context
interface AuthorizationContext extends DatasetContext, Admin, Transactional,
AuthenticationContext, SecureStore {
Properties getExtensionProperties();
// Messaging methods throw UnsupportedOperationException
}