Authentication for operations on application

user query parameter added for application create, start, stop and delete APIs
PNDA-4546

Author: dharaneeshvrd

README.md

@@ -59,7 +59,6 @@ Applications may be paused and restarted. This leaves all the installed componen
 
 Each Creator implements a specific set of steps to uninstall components of its associated type. The Creator is passed the application data associated with the package and component and uses this to execute those steps.
 
-
 # Requirements
 
 * [Maven](https://maven.apache.org/install.html)
@@ -358,22 +357,30 @@ Response Codes:
 
 ### Start _application_
 ````
-POST /applications/<application>/start
+POST /applications/<application>/start?user=<username>
 
 Response Codes:
 202 - Accepted, poll /applications/<application>/status for status
+403 - Unauthorised user
 404 - Application not known
 500 - Server Error
+
+Query Parameters:
+user - User with permisson to perform this action on the application should be passed. 
 ````
 
 ### Stop _application_
 ````
-POST /applications/<application>/stop
+POST /applications/<application>/stop?user=<username>
 
 Response Codes:
 202 - Accepted, poll /applications/<application>/status for status
+403 - Unauthorised user
 404 - Application not known
 500 - Server Error
+
+Query Parameters:
+user - User with permisson to perform this action on the application should be passed. 
 ````
 
 ### Get full information for _application_
@@ -419,9 +426,8 @@ Example response:
 ### Create _application_ from _package_
 
 ````
-PUT /applications/<application>
+PUT /applications/<application>?user=<username>
 {
-	"user": "<username>",
 	"package": "<package>",
 	"<componentType>": {
 		"<componentName>": {
@@ -437,9 +443,11 @@ Response Codes:
 409 - Application already exists
 500 - Server Error
 
+Query Parameters:
+user - User creating this application should be passed.
+
 Example body:
 {
-	"user": "somebody",
 	"package": "<package>",
 	"oozie": {
 		"example": {
@@ -448,17 +456,21 @@ Example body:
 	}
 }
 
-Package and user are mandatory, property settings are optional
+Package is mandatory, property settings are optional
 ````
 
 ### Destroy _application_
 ````
-DELETE /applications/<application>
+DELETE /applications/<application>?user=<username>
 
 Response Codes:
 200 - OK
+403 - Unauthorised user
 404 - Application not known
 500 - Server Error
+
+Query Parameters:
+user - User with permisson to perform this action on the application should be passed.
 ````
 
 ## Environment Endpoints API
@@ -557,3 +569,4 @@ oozie.libpath                  /pnda/deployment/platform
 oozie.use.system.libpath       true
 user.name                      prod1
 ````
+

api/src/main/resources/app.py

@@ -37,7 +37,7 @@
 import application_summary_registrar
 import deployment_manager
 from deployer_system_test import DeployerRestClientTester
-from exceptiondef import NotFound, ConflictingState, FailedValidation, FailedCreation, FailedConnection
+from exceptiondef import NotFound, ConflictingState, FailedValidation, FailedCreation, FailedConnection, Forbidden
 from async_dispatcher import AsyncDispatcher
 from package_repo_rest_client import PackageRepoRestClient
 
@@ -78,6 +78,10 @@ def finish():
                 logging.info(ex.msg)
                 self.set_status(400)
                 self.finish(ex.msg)
+            elif isinstance(ex, Forbidden):
+                logging.info(ex.msg)
+                self.set_status(403)
+                self.finish(ex.msg)
             elif isinstance(ex, FailedCreation):
                 logging.info(ex.msg)
                 self.set_status(500)
@@ -220,12 +224,13 @@ def do_call():
 class ApplicationDetailHandler(BaseHandler):
     @asynchronous
     def post(self, name, action):
+        user_name = self.get_argument("user")
         def do_call():
             if action == 'start':
-                dm.start_application(name)
+                dm.start_application(name, user_name)
                 self.send_accepted()
             elif action == 'stop':
-                dm.stop_application(name)
+                dm.stop_application(name, user_name)
                 self.send_accepted()
             else:
                 self.send_client_error("%s is not a valid action (start|stop)" % action)
@@ -264,11 +269,12 @@ def put(self, aname):
             self.send_client_error("Invalid request body. Missing field 'package'")
             return
 
-        if 'user' not in request_body:
-            self.send_client_error("Invalid request body. Missing field 'user'")
+        if 'user' in request_body:
+            self.send_client_error("Invalid request body. User should be passed in URI")
             return
-
+        user_name = self.get_argument("user")
         def do_call():
+            request_body.update({'user': user_name})
             dm.create_application(request_body['package'], aname, request_body)
             self.send_accepted()
 
@@ -283,8 +289,9 @@ def do_call():
 
     @asynchronous
     def delete(self, name):
+        user_name = self.get_argument("user")
         def do_call():
-            dm.delete_application(name)
+            dm.delete_application(name, user_name)
             self.send_accepted()
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)

api/src/main/resources/deployment_manager.py

@@ -30,7 +30,7 @@
 import requests
 
 import application_creator
-from exceptiondef import ConflictingState, NotFound
+from exceptiondef import ConflictingState, NotFound, Forbidden
 from package_parser import PackageParser
 from async_dispatcher import AsyncDispatcher
 from lifecycle_states import ApplicationState, PackageDeploymentState
@@ -268,7 +268,7 @@ def list_applications(self):
         applications = self._application_registrar.list_applications()
         return applications
 
-    def _assert_application_status(self, application, required_status):
+    def _assert_application_status(self, application, required_status, user_name):
         app_info = self.get_application_info(application)
         status = app_info['status']
 
@@ -279,15 +279,21 @@ def _assert_application_status(self, application, required_status):
             else:
                 raise ConflictingState(json.dumps({'status': status}))
 
+        if status != ApplicationState.NOTCREATED:
+            created_user = app_info['overrides']['user']
+            if user_name != created_user and user_name != self._config["admin_user"]:
+                information = '%s is not authorized' % user_name
+                raise Forbidden(json.dumps({'information': information}))
+
     def _assert_application_exists(self, application):
         status = self.get_application_info(application)['status']
         if status == ApplicationState.NOTCREATED:
             raise NotFound(json.dumps({'status': status}))
 
-    def start_application(self, application):
+    def start_application(self, application, user_name):
         logging.info('start_application')
         with self._lock:
-            self._assert_application_status(application, ApplicationState.CREATED)
+            self._assert_application_status(application, ApplicationState.CREATED, user_name)
             self._mark_starting(application)
 
         def do_work():
@@ -306,10 +312,10 @@ def do_work():
 
         self.dispatcher.run_as_asynch(task=do_work)
 
-    def stop_application(self, application):
+    def stop_application(self, application, user_name):
         logging.info('stop_application')
         with self._lock:
-            self._assert_application_status(application, ApplicationState.STARTED)
+            self._assert_application_status(application, ApplicationState.STARTED, user_name)
             self._mark_stopping(application)
 
         def do_work():
@@ -360,7 +366,7 @@ def create_application(self, package, application, overrides):
         package_data_path = None
 
         with self._lock:
-            self._assert_application_status(application, ApplicationState.NOTCREATED)
+            self._assert_application_status(application, ApplicationState.NOTCREATED, overrides['user'])
             self._assert_package_status(package, PackageDeploymentState.DEPLOYED)
             defaults = self.get_package_info(package)['defaults']
             package_data_path = self._package_registrar.get_package_data(package)
@@ -404,10 +410,10 @@ def _handle_application_error(self, application, ex, app_status, operation):
         # set the status:
         self._application_registrar.set_application_status(application, app_status, error_message)
 
-    def delete_application(self, application):
+    def delete_application(self, application, user_name):
         logging.info('delete_application')
         with self._lock:
-            self._assert_application_status(application, [ApplicationState.CREATED, ApplicationState.STARTED])
+            self._assert_application_status(application, [ApplicationState.CREATED, ApplicationState.STARTED], user_name)
             self._mark_destroying(application)
 
         def do_work():

api/src/main/resources/exceptiondef.py

@@ -38,6 +38,12 @@ def __init__(self, arg):
         super(NotFound, self).__init__(arg)
         self.msg = arg
 
+class Forbidden(DmException):
+
+    def __init__(self, arg):
+        super(Forbidden, self).__init__(arg)
+        self.msg = arg
+
 
 class ConflictingState(DmException):
 

api/src/main/resources/test_deployer_manager.py

@@ -25,7 +25,7 @@
 from multiprocessing import Event
 from mock import Mock, patch, mock_open
 from deployment_manager import DeploymentManager
-from exceptiondef import NotFound, ConflictingState, FailedValidation
+from exceptiondef import NotFound, ConflictingState, FailedValidation, Forbidden
 from lifecycle_states import ApplicationState, PackageDeploymentState
 
 
@@ -75,15 +75,15 @@ def setUp(self):
             'queue_policy': 'echo dev',
             'namespace': 'mockspace'
         }
-        self.mock_config = {"deployer_thread_limit": 1, 'stage_root': 'stage', 'plugins_path': 'plugins'}
+        self.mock_config = {"deployer_thread_limit": 1, 'stage_root': 'stage', 'plugins_path': 'plugins', 'admin_user': 'username'}
         # mock app registrar:
         mock_application_registar = Mock()
         application_data = {}
         mock_application_registar.application_has_record = lambda app: app in application_data
         mock_application_registar.get_application = lambda app: application_data.get(app, None)
         mock_application_registar.set_application_status = \
             lambda app, status, info=None: set_dictionary_value(application_data, app,
-                                                                {"status": status, "information": info})
+                                                                {"status": status, "information": info, 'overrides':{'user':'username'}})
         self.mock_application_registar = mock_application_registar
         self.mock_summary_registar = Mock()
 
@@ -342,7 +342,7 @@ def _assert_package_status(self, package, required_status):
 
         self.mock_application_registar.set_application_status(self.test_app_name, ApplicationState.CREATED)
         # launch the asynch test
-        deployment_manager.start_application(self.test_app_name)
+        deployment_manager.start_application(self.test_app_name, 'username')
         # wait for test to finsish
         on_complete.wait(5)
         self.assertIsNotNone(test_result[0], "async task completed")
@@ -381,7 +381,7 @@ def _assert_package_status(self, package, required_status):
 
         self.mock_application_registar.set_application_status(self.test_app_name, ApplicationState.STARTED)
         # launch the asynch test
-        deployment_manager.delete_application(self.test_app_name)
+        deployment_manager.delete_application(self.test_app_name, 'username')
         # wait for test to finsish
         on_complete.wait(5)
         self.assertIsNotNone(test_result[0], "async task completed")
@@ -420,7 +420,7 @@ def _assert_package_status(self, package, required_status):
 
         self.mock_application_registar.set_application_status(self.test_app_name, ApplicationState.STARTED)
         # launch the asynch test
-        deployment_manager.stop_application(self.test_app_name)
+        deployment_manager.stop_application(self.test_app_name, 'username')
         # wait for test to finsish
         on_complete.wait(5)
         self.assertIsNotNone(test_result[0], "async task completed")
@@ -458,7 +458,7 @@ def create_mocks(self):
 
         # launch the asynch test
         self.mock_application_registar.set_application_status(self.test_app_name, "STARTED")
-        deployment_manager.stop_application(self.test_app_name)
+        deployment_manager.stop_application(self.test_app_name, 'username')
         # wait for test to finsish
         on_complete.wait(5)
         self.assertIsNotNone(test_result[0], "async task completed")
@@ -731,7 +731,7 @@ def test_application_in_progress(self):
             'information': None}
         application_summary_registrar = Mock()
         environment = {"namespace": "some_namespace", 'webhdfs_host': 'webhdfshost', 'webhdfs_port': 'webhdfsport'}
-        config = {"deployer_thread_limit": 10}
+        config = {"deployer_thread_limit": 10, 'admin_user':'username'}
 
         dmgr = DeploymentManager(repository,
                                  package_registrar,
@@ -740,15 +740,15 @@ def test_application_in_progress(self):
                                  environment,
                                  config)
 
-        self.assertRaises(ConflictingState, dmgr.start_application, "name")
+        self.assertRaises(ConflictingState, dmgr.start_application, "name", 'username')
 
     def test_package_in_progress(self):
         repository = Mock()
         package_registrar = Mock()
         application_registrar = Mock()
         application_summary_registrar = Mock()
         environment = {"namespace": "some_namespace", 'webhdfs_host': 'webhdfshost', 'webhdfs_port': 'webhdfsport'}
-        config = {"deployer_thread_limit": 10}
+        config = {"deployer_thread_limit": 10, 'admin_user':'username'}
 
         class DeploymentManagerTester(DeploymentManager):
             def set_package_progress(self, package, state):
@@ -772,7 +772,7 @@ def test_package_not_exists(self):
         application_registrar = Mock()
         application_summary_registrar = Mock()
         environment = {"namespace": "some_namespace", 'webhdfs_host': 'webhdfshost', 'webhdfs_port': 'webhdfsport'}
-        config = {"deployer_thread_limit": 10}
+        config = {"deployer_thread_limit": 10, 'admin_user':'username'}
         dmgr = DeploymentManager(repository,
                                  package_registrar,
                                  application_registrar,
@@ -858,3 +858,28 @@ def test_get_application_summary(self):
                                  config)
 
         self.assertEqual(dmgr.get_application_summary('name'), {'name':{'aggregate_status': 'COMPLETED_WITH_NO_FAILURES', 'component-1': {}}})
+
+    def test_unauthorized_user_start(self):
+        repository = Mock()
+        package_registrar = Mock()
+        application_registrar = Mock()
+        application_registrar.get_application.return_value = {
+            'overrides': {"user":"user2"},
+            'defaults': {},
+            'name': 'name',
+            'package_name': 'package_name',
+            'status': ApplicationState.CREATED,
+            'information': None}
+        application_registrar.get_application_user.return_value = 'user2'
+        application_summary_registrar = Mock()
+        environment = {"namespace": "some_namespace", 'webhdfs_host': 'webhdfshost', 'webhdfs_port': 'webhdfsport'}
+        config = {"deployer_thread_limit": 10, "admin_user": "admin"}
+
+        dmgr = DeploymentManager(repository,
+                                 package_registrar,
+                                 application_registrar,
+                                 application_summary_registrar,
+                                 environment,
+                                 config)
+
+        self.assertRaises(Forbidden, dmgr.start_application, "name", 'user1')