pndaproject
diff --git a/‎README.md‎
Lines changed: 2 additions & 0 deletions b/‎README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎api/src/main/resources/app.py‎
Lines changed: 20 additions & 18 deletions b/‎api/src/main/resources/app.py‎
Lines changed: 20 additions & 18 deletions
diff --git a/‎api/src/main/resources/application_summary_registrar.py‎
Lines changed: 1 addition & 1 deletion b/‎api/src/main/resources/application_summary_registrar.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/src/main/resources/authorizer.py‎
Lines changed: 37 additions & 0 deletions b/‎api/src/main/resources/authorizer.py‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎api/src/main/resources/authorizer_local.py‎
Lines changed: 66 additions & 0 deletions b/‎api/src/main/resources/authorizer_local.py‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎api/src/main/resources/authorizer_rules.yaml‎
Lines changed: 52 additions & 0 deletions b/‎api/src/main/resources/authorizer_rules.yaml‎
Lines changed: 52 additions & 0 deletions
@@ -159,6 +159,7 @@ Example response:
 	"status": "DEPLOYED",
 	"version": "1.0.23",
 	"name": "spark-batch-example-app",
+	"user": "who-deployed-this",
 	"defaults": {
 		"oozie": {
 			"example": {
@@ -193,6 +194,7 @@ DELETE /packages/<package>
 
 Response Codes:
 202 - Accepted, poll /packages/<package>/status for status
+403 - Unauthorised user
 404 - Package not deployed
 500 - Server Error
 ````
 
@@ -69,27 +69,29 @@ def finish():
             if isinstance(ex, NotFound):
                 logging.info(ex.msg)
                 self.set_status(404)
+                # Format already expected to be JSON when raised
                 self.finish(ex.msg)
             elif isinstance(ex, ConflictingState):
                 logging.info(ex.msg)
                 self.set_status(409)
+                # Format already expected to be JSON when raised
                 self.finish(ex.msg)
             elif isinstance(ex, FailedValidation):
                 logging.info(ex.msg)
                 self.set_status(400)
-                self.finish(ex.msg)
+                self.finish({"information": str(ex.msg)})
             elif isinstance(ex, Forbidden):
                 logging.info(ex.msg)
                 self.set_status(403)
-                self.finish(ex.msg)
+                self.finish({"information": str(ex.msg)})
             elif isinstance(ex, FailedCreation):
                 logging.info(ex.msg)
                 self.set_status(500)
-                self.finish(ex.msg)
+                self.finish({"information": str(ex.msg)})
             elif isinstance(ex, FailedConnection):
                 logging.info(ex.msg)
                 self.set_status(503)
-                self.finish(ex.msg)
+                self.finish({"information": str(ex.msg)})
             else:
                 self.set_status(500)
                 if "information" in str(ex):
@@ -137,7 +139,7 @@ class EnvironmentHandler(BaseHandler):
     @asynchronous
     def get(self):
         def do_call():
-            self.send_result(dm.get_environment())
+            self.send_result(dm.get_environment(self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
@@ -151,7 +153,7 @@ def do_call():
             recency = 1
             if 'recency' in args:
                 recency = int(args['recency'][0])
-            self.send_result(dm.list_repository(recency))
+            self.send_result(dm.list_repository(recency, self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
@@ -160,7 +162,7 @@ class PackagesHandler(BaseHandler):
     @asynchronous
     def get(self):
         def do_call():
-            self.send_result(dm.list_packages())
+            self.send_result(dm.list_packages(self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
@@ -169,22 +171,22 @@ class PackageHandler(BaseHandler):
     @asynchronous
     def get(self, name):
         def do_call():
-            self.send_result(dm.get_package_info(name))
+            self.send_result(dm.get_package_info(name, self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
     @asynchronous
     def put(self, name):
         def do_call():
-            dm.deploy_package(name)
+            dm.deploy_package(name, self.get_argument("user.name"))
             self.send_accepted()
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
     @asynchronous
     def delete(self, name):
         def do_call():
-            dm.undeploy_package(name)
+            dm.undeploy_package(name, self.get_argument("user.name"))
             self.send_accepted()
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
@@ -194,7 +196,7 @@ class PackageApplicationsHandler(BaseHandler):
     @asynchronous
     def get(self, name):
         def do_call():
-            self.send_result(dm.list_package_applications(name))
+            self.send_result(dm.list_package_applications(name, self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
@@ -203,7 +205,7 @@ class PackageStatusHandler(BaseHandler):
     @asynchronous
     def get(self, name):
         def do_call():
-            package_info = dm.get_package_info(name)
+            package_info = dm.get_package_info(name, self.get_argument("user.name", default=''))
             self.send_result({
                 "status": package_info.get("status"),
                 "information": package_info.get("information", None)
@@ -216,7 +218,7 @@ class ApplicationsHandler(BaseHandler):
     @asynchronous
     def get(self):
         def do_call():
-            self.send_result(dm.list_applications())
+            self.send_result(dm.list_applications(self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
@@ -241,16 +243,16 @@ def do_call():
     def get(self, name, action):
         def do_call():
             if action == 'status':
-                app_info = dm.get_application_info(name)
+                app_info = dm.get_application_info(name, self.get_argument("user.name", default=''))
                 ret = {
                     "status": app_info["status"],
                     "information": app_info.get("information", None)
                 }
                 self.send_result(ret)
             elif action == 'detail':
-                self.send_result(dm.get_application_detail(name))
+                self.send_result(dm.get_application_detail(name, self.get_argument("user.name", default='')))
             elif action == 'summary':
-                self.send_result(dm.get_application_summary(name))
+                self.send_result(dm.get_application_summary(name, self.get_argument("user.name", default='')))
             else:
                 self.send_client_error("%s is not a valid query (status|detail|summary)" % action)
 
@@ -275,15 +277,15 @@ def put(self, aname):
         user_name = self.get_argument("user.name")
         def do_call():
             request_body.update({'user': user_name})
-            dm.create_application(request_body['package'], aname, request_body)
+            dm.create_application(request_body['package'], aname, request_body, user_name)
             self.send_accepted()
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
     @asynchronous
     def get(self, name):
         def do_call():
-            self.send_result(dm.get_application_info(name))
+            self.send_result(dm.get_application_info(name, self.get_argument("user.name", default='')))
 
         DISPATCHER.run_as_asynch(task=do_call, on_error=self.handle_error)
 
 
@@ -1,8 +1,8 @@
 import json
 import logging
 import happybase
-from Hbase_thrift import AlreadyExists
 from thriftpy.transport import TTransportException
+from Hbase_thrift import AlreadyExists
 
 #pylint: disable=E0602
 
 
@@ -0,0 +1,37 @@
+"""
+Name:       authorizer.py
+Purpose:    Interface definition for modules that validate requests to access resources by comparing the attributes of an
+            identity, a resource and an action against a set of rules.
+
+Author:     PNDA team
+
+Created:    17/05/2018
+
+Copyright (c) 2018 Cisco and/or its affiliates.
+
+This software is licensed to you under the terms of the Apache License, Version 2.0 (the "License").
+You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+The code, technical concepts, and all information contained herein, are the property of Cisco Technology, Inc.
+and/or its affiliated entities, under various laws including copyright, international treaties, patent,
+and/or contract. Any use of the material herein must be in accordance with the terms of the License.
+All rights not expressly granted by the License are reserved.
+
+Unless required by applicable law or agreed to separately in writing, software distributed under the
+License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied.
+"""
+
+class Authorizer(object):
+    '''
+    Interface definition that validate requests to access resources
+    '''
+    def authorize(self, identity, resource, action):
+        '''
+        Validate a request to access a resource
+        Parameters:
+         - identity: dictionary of attributes defining the user performing the action
+         - resource: dictionary of attributes defining the resource that access is required for
+         - action: dictionary of attributes defining the action being performed
+        '''
+        pass
@@ -0,0 +1,66 @@
+"""
+Name:       authorizer_local.py
+Purpose:    Validates requests to access resources by comparing the attributes of an
+            identity, a resource and an action against rules defined in authorizer_rules.yaml
+
+Author:     PNDA team
+
+Created:    17/05/2018
+
+Copyright (c) 2018 Cisco and/or its affiliates.
+
+This software is licensed to you under the terms of the Apache License, Version 2.0 (the "License").
+You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+The code, technical concepts, and all information contained herein, are the property of Cisco Technology, Inc.
+and/or its affiliated entities, under various laws including copyright, international treaties, patent,
+and/or contract. Any use of the material herein must be in accordance with the terms of the License.
+All rights not expressly granted by the License are reserved.
+
+Unless required by applicable law or agreed to separately in writing, software distributed under the
+License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied.
+"""
+import logging
+import json
+import yaml
+from authorizer import Authorizer
+
+class AuthorizerLocal(Authorizer):
+    '''
+    Authorizer implementation that validates requests based on locally defined rules
+    '''
+    def __init__(self):
+        '''
+        Initialise the authorizer by loading the rules file
+        '''
+        with open('authorizer_rules.yaml') as rules_file:
+            self._rules = yaml.load(rules_file)
+
+    def authorize(self, identity, resource, action):
+        '''
+        Validate a request to access a resource
+        Parameters:
+         - identity: dictionary of attributes defining the user performing the action
+         - resource: dictionary of attributes defining the resource that access is required for
+         - action: dictionary of attributes defining the action being performed
+        '''
+        logging.debug("authorize: identity:%s, resource:%s, action:%s", json.dumps(identity), json.dumps(resource), json.dumps(action))
+        sets = self._rules['sets']
+        logging.debug("sets: %s", json.dumps(sets))
+        authorize = False
+        for grant_rule in self._rules['rules']['grant']:
+            logging.debug("checking rule: %s", grant_rule)
+            try:
+                #pylint: disable=eval-used
+                if eval(grant_rule):
+                    authorize = True
+                    logging.debug("authorize: %s for %s", authorize, grant_rule)
+                    break
+            except KeyError, ex:
+                logging.warning("missing attribute %s", ex)
+
+        if not authorize:
+            logging.debug("authorize: %s", authorize)
+
+        return authorize
@@ -0,0 +1,52 @@
+# 
+# Name:       authorizer_rules.yaml
+# Purpose:    rules defining who is allowed to perform actions on deployment manager resources
+#
+# Author:     PNDA team
+# 
+# Created:    17/05/2018
+# 
+# Copyright (c) 2018 Cisco and/or its affiliates.
+# 
+# This software is licensed to you under the terms of the Apache License, Version 2.0 (the "License").
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# 
+# The code, technical concepts, and all information contained herein, are the property of Cisco Technology, Inc.
+# and/or its affiliated entities, under various laws including copyright, international treaties, patent,
+# and/or contract. Any use of the material herein must be in accordance with the terms of the License.
+# All rights not expressly granted by the License are reserved.
+# 
+# Unless required by applicable law or agreed to separately in writing, software distributed under the
+# License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied.
+
+# action, resource and identity are dictiionaries of attributes defining the action, resource and identity respectively
+# action
+#   - name: the name of the action being performed e.g. 'deployment_manager:package:deploy'
+# resource
+#   - type: the resource type, e.g. 'deployment_manager:package'
+# identity
+#   - user: the username of the user performing this action
+#   - groups: the (linux) groups that this user belongs to
+rules:
+  grant:
+    - "action['name'] in sets['owner_only_actions'] and (resource['owner'] == identity['user'] or 'admin' in identity['groups'])"
+    - "action['name'] in sets['everyone_actions']"
+
+# Sets allow arbitrary groups to be referenced as a whole in the rules and reused
+sets:
+  owner_only_actions:
+    - "deployment_manager:package:undeploy"
+    - "deployment_manager:application:start"
+    - "deployment_manager:application:stop"
+    - "deployment_manager:application:destroy"
+ 
+  everyone_actions:
+    - "deployment_manager:package:deploy"
+    - "deployment_manager:application:create"
+    - "deployment_manager:package:read"
+    - "deployment_manager:application:read"
+    - "deployment_manager:environment:read"
+    - "deployment_manager:packages:read"
+    - "deployment_manager:applications:read"
+    - "deployment_manager:repository:read"