Use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.
The class YamlConfigBuilderTest, method testSecurityConfig.
@Override
@Test
public void testSecurityConfig() {
    // One fixture that covers every security section the YAML builder handles:
    // interceptors, member/client JAAS realms, a Kerberos realm (authentication,
    // identity and an LDAP url), a "simple" realm with inline users, and the
    // client permission policy. The fixture text is kept verbatim; only the
    // assertions below are restructured.
    String yaml = "" + "hazelcast:\n" + " security:\n" + " enabled: true\n" + " security-interceptors:\n" + " - foo\n" + " - bar\n" + " client-block-unmapped-actions: false\n" + " member-authentication:\n" + " realm: mr\n" + " client-authentication:\n" + " realm: cr\n" + " realms:\n" + " - name: mr\n" + " authentication:\n" + " jaas:\n" + " - class-name: MyRequiredLoginModule\n" + " usage: REQUIRED\n" + " properties:\n" + " login-property: login-value\n" + " - class-name: MyRequiredLoginModule2\n" + " usage: SUFFICIENT\n" + " properties:\n" + " login-property2: login-value2\n" + " identity:\n" + " credentials-factory:\n" + " class-name: MyCredentialsFactory\n" + " properties:\n" + " property: value\n" + " - name: cr\n" + " authentication:\n" + " jaas:\n" + " - class-name: MyOptionalLoginModule\n" + " usage: OPTIONAL\n" + " properties:\n" + " client-property: client-value\n" + " - class-name: MyRequiredLoginModule\n" + " usage: REQUIRED\n" + " properties:\n" + " client-property2: client-value2\n" + " - name: kerberos\n" + " authentication:\n" + " kerberos:\n" + " skip-role: false\n" + " relax-flags-check: true\n" + " use-name-without-realm: true\n" + " security-realm: krb5Acceptor\n" + " principal: jduke@HAZELCAST.COM\n" + " keytab-file: /opt/jduke.keytab\n" + " ldap:\n" + " url: ldap://127.0.0.1\n" + " identity:\n" + " kerberos:\n" + " realm: HAZELCAST.COM\n" + " security-realm: krb5Initializer\n" + " principal: jduke@HAZELCAST.COM\n" + " keytab-file: /opt/jduke.keytab\n" + " use-canonical-hostname: true\n" + " - name: simple\n" + " authentication:\n" + " simple:\n" + " skip-role: true\n" + " users:\n" + " - username: test\n" + " password: 'a1234'\n" + " roles:\n" + " - monitor\n" + " - hazelcast\n" + " - username: dev\n" + " password: secret\n" + " roles:\n" + " - root\n" + " client-permission-policy:\n" + " class-name: MyPermissionPolicy\n" + " properties:\n" + " permission-property: permission-value\n";
    Config config = buildConfig(yaml);
    SecurityConfig security = config.getSecurityConfig();

    // security-interceptors: declaration order must be preserved
    List<SecurityInterceptorConfig> interceptors = security.getSecurityInterceptorConfigs();
    assertEquals(2, interceptors.size());
    assertEquals("foo", interceptors.get(0).className);
    assertEquals("bar", interceptors.get(1).className);
    assertFalse(security.getClientBlockUnmappedActions());

    // member realm "mr": a credentials factory plus two ordered JAAS login modules
    RealmConfig memberRealm = security.getRealmConfig(security.getMemberRealm());
    CredentialsFactoryConfig factory = memberRealm.getCredentialsFactoryConfig();
    assertEquals("MyCredentialsFactory", factory.getClassName());
    assertEquals(1, factory.getProperties().size());
    assertEquals("value", factory.getProperties().getProperty("property"));
    List<LoginModuleConfig> memberModules = memberRealm.getJaasAuthenticationConfig().getLoginModuleConfigs();
    assertEquals(2, memberModules.size());
    assertLoginModule(memberModules.get(0), "MyRequiredLoginModule", LoginModuleUsage.REQUIRED,
            "login-property", "login-value");
    assertLoginModule(memberModules.get(1), "MyRequiredLoginModule2", LoginModuleUsage.SUFFICIENT,
            "login-property2", "login-value2");

    // client realm "cr": two ordered JAAS login modules
    RealmConfig clientRealm = security.getRealmConfig(security.getClientRealm());
    List<LoginModuleConfig> clientModules = clientRealm.getJaasAuthenticationConfig().getLoginModuleConfigs();
    assertEquals(2, clientModules.size());
    assertLoginModule(clientModules.get(0), "MyOptionalLoginModule", LoginModuleUsage.OPTIONAL,
            "client-property", "client-value");
    assertLoginModule(clientModules.get(1), "MyRequiredLoginModule", LoginModuleUsage.REQUIRED,
            "client-property2", "client-value2");

    // kerberos realm: the authentication section ...
    RealmConfig kerberosRealm = security.getRealmConfig("kerberos");
    assertNotNull(kerberosRealm);
    KerberosAuthenticationConfig kerberosAuthn = kerberosRealm.getKerberosAuthenticationConfig();
    assertNotNull(kerberosAuthn);
    assertEquals(Boolean.FALSE, kerberosAuthn.getSkipRole());
    assertEquals(Boolean.TRUE, kerberosAuthn.getRelaxFlagsCheck());
    assertTrue(kerberosAuthn.getUseNameWithoutRealm());
    // skip-identity is absent from the fixture, so the builder must leave it unset (null)
    assertNull(kerberosAuthn.getSkipIdentity());
    assertEquals("krb5Acceptor", kerberosAuthn.getSecurityRealm());
    assertEquals("jduke@HAZELCAST.COM", kerberosAuthn.getPrincipal());
    assertEquals("/opt/jduke.keytab", kerberosAuthn.getKeytabFile());
    LdapAuthenticationConfig ldap = kerberosAuthn.getLdapAuthenticationConfig();
    assertNotNull(ldap);
    assertEquals("ldap://127.0.0.1", ldap.getUrl());
    // ... and the identity section
    KerberosIdentityConfig kerberosIdentity = kerberosRealm.getKerberosIdentityConfig();
    assertNotNull(kerberosIdentity);
    assertEquals("HAZELCAST.COM", kerberosIdentity.getRealm());
    assertEquals("krb5Initializer", kerberosIdentity.getSecurityRealm());
    assertEquals("jduke@HAZELCAST.COM", kerberosIdentity.getPrincipal());
    assertEquals("/opt/jduke.keytab", kerberosIdentity.getKeytabFile());
    assertTrue(kerberosIdentity.getUseCanonicalHostname());

    // simple realm: inline users; the quoted password 'a1234' must come back as the string a1234
    RealmConfig simpleRealm = security.getRealmConfig("simple");
    assertNotNull(simpleRealm);
    SimpleAuthenticationConfig simpleAuthn = simpleRealm.getSimpleAuthenticationConfig();
    assertNotNull(simpleAuthn);
    assertEquals(Boolean.TRUE, simpleAuthn.getSkipRole());
    assertEquals(2, simpleAuthn.getUsernames().size());
    assertTrue(simpleAuthn.getUsernames().contains("test"));
    assertEquals("a1234", simpleAuthn.getPassword("test"));
    Set<String> testRoles = new HashSet<>();
    testRoles.add("monitor");
    testRoles.add("hazelcast");
    assertEquals(testRoles, simpleAuthn.getRoles("test"));

    // client-permission-policy
    PermissionPolicyConfig policy = security.getClientPolicyConfig();
    assertEquals("MyPermissionPolicy", policy.getClassName());
    assertEquals(1, policy.getProperties().size());
    assertEquals("permission-value", policy.getProperties().getProperty("permission-property"));
}

/**
 * Asserts one JAAS login module entry: its class name, its usage flag, and that
 * its properties hold exactly the single expected key/value pair.
 */
private static void assertLoginModule(LoginModuleConfig module, String className, LoginModuleUsage usage,
                                      String propertyKey, String propertyValue) {
    assertEquals(className, module.getClassName());
    assertEquals(usage, module.getUsage());
    assertEquals(1, module.getProperties().size());
    assertEquals(propertyValue, module.getProperties().getProperty(propertyKey));
}
Use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.
The class TestFullApplicationContext, method testSecurity.
@Test
public void testSecurity() {
    // Security section of the full application context: client permissions,
    // a Kerberos realm and a simple realm.
    SecurityConfig security = config.getSecurityConfig();
    assertEquals(OnJoinPermissionOperationName.SEND, security.getOnJoinPermissionOperation());
    assertFalse(security.getClientBlockUnmappedActions());

    // client permissions: the full config must declare exactly one entry per PermissionType
    final Set<PermissionConfig> clientPermissions = security.getClientPermissionConfigs();
    assertTrue(isNotEmpty(clientPermissions));
    assertEquals(PermissionType.values().length, clientPermissions.size());
    final PermissionConfig expectedPnCounter =
            new PermissionConfig(PermissionType.PN_COUNTER, "pnCounterPermission", "*")
                    .addAction("create")
                    .setEndpoints(Collections.emptySet());
    assertContains(clientPermissions, expectedPnCounter);
    // start from every type and strike out the ones present; whatever remains is missing
    Set<PermissionType> missingTypes = new HashSet<>(Arrays.asList(PermissionType.values()));
    for (PermissionConfig permission : clientPermissions) {
        missingTypes.remove(permission.getType());
    }
    assertTrue("All permission types should be listed in fullConfig. Not found ones: " + missingTypes,
            missingTypes.isEmpty());

    // kerberos realm: authentication and identity sections
    RealmConfig kerberosRealm = security.getRealmConfig("kerberosRealm");
    assertNotNull(kerberosRealm);
    KerberosAuthenticationConfig kerberosAuthn = kerberosRealm.getKerberosAuthenticationConfig();
    assertNotNull(kerberosAuthn);
    assertEquals(Boolean.TRUE, kerberosAuthn.getRelaxFlagsCheck());
    assertEquals(Boolean.TRUE, kerberosAuthn.getUseNameWithoutRealm());
    assertEquals("krb5Acceptor", kerberosAuthn.getSecurityRealm());
    assertNotNull(kerberosAuthn.getLdapAuthenticationConfig());
    KerberosIdentityConfig kerberosIdentity = kerberosRealm.getKerberosIdentityConfig();
    assertNotNull(kerberosIdentity);
    assertEquals("HAZELCAST.COM", kerberosIdentity.getRealm());
    assertEquals(Boolean.TRUE, kerberosIdentity.getUseCanonicalHostname());

    // simple realm: user "test" with password and roles
    RealmConfig simpleRealm = security.getRealmConfig("simpleRealm");
    assertNotNull(simpleRealm);
    SimpleAuthenticationConfig simpleAuthn = simpleRealm.getSimpleAuthenticationConfig();
    assertNotNull(simpleAuthn);
    assertEquals(2, simpleAuthn.getUsernames().size());
    assertTrue(simpleAuthn.getUsernames().contains("test"));
    assertEquals("a1234", simpleAuthn.getPassword("test"));
    Set<String> expectedRoles = new HashSet<>(Arrays.asList("monitor", "hazelcast"));
    assertEquals(expectedRoles, simpleAuthn.getRoles("test"));
}
Use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.
The class ClientDomConfigProcessor, method handleKerberosIdentity.
/**
 * Reads the client Kerberos identity settings from the child elements of {@code node}
 * and stores the resulting {@link KerberosIdentityConfig} on {@code clientSecurityConfig}.
 * <p>
 * Only the element names handled below are recognised; any other child element is
 * skipped without a warning, so a misspelled element (e.g. {@code keytab_file}) leaves
 * the corresponding field at its default value.
 *
 * @param node                 the {@code kerberos} identity element
 * @param clientSecurityConfig the client security config to populate
 */
private void handleKerberosIdentity(Node node, ClientSecurityConfig clientSecurityConfig) {
    KerberosIdentityConfig identity = new KerberosIdentityConfig();
    for (Node child : childElements(node)) {
        String elementName = cleanNodeName(child);
        if (matches("realm", elementName)) {
            identity.setRealm(getTextContent(child));
            continue;
        }
        if (matches("security-realm", elementName)) {
            identity.setSecurityRealm(getTextContent(child));
            continue;
        }
        if (matches("principal", elementName)) {
            identity.setPrincipal(getTextContent(child));
            continue;
        }
        if (matches("keytab-file", elementName)) {
            identity.setKeytabFile(getTextContent(child));
            continue;
        }
        if (matches("service-name-prefix", elementName)) {
            identity.setServiceNamePrefix(getTextContent(child));
            continue;
        }
        if (matches("spn", elementName)) {
            identity.setSpn(getTextContent(child));
            continue;
        }
        if (matches("use-canonical-hostname", elementName)) {
            // textual "true"/"false" is converted by the shared boolean parser
            identity.setUseCanonicalHostname(getBooleanValue(getTextContent(child)));
        }
    }
    clientSecurityConfig.setKerberosIdentityConfig(identity);
}
Use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.
The class MemberDomConfigProcessor, method handleKerberosIdentity.
/**
 * Reads the Kerberos identity settings of a realm from the child elements of
 * {@code node} and stores the resulting {@link KerberosIdentityConfig} on
 * {@code realmConfig}.
 * <p>
 * Only the element names recognised by {@link #applyKerberosIdentityElement} are
 * processed; any other child element is skipped silently, so a misspelled element
 * leaves the corresponding field at its default value.
 *
 * @param realmConfig the realm being populated
 * @param node        the {@code kerberos} identity element
 */
protected void handleKerberosIdentity(RealmConfig realmConfig, Node node) {
    KerberosIdentityConfig identity = new KerberosIdentityConfig();
    for (Node child : childElements(node)) {
        applyKerberosIdentityElement(identity, cleanNodeName(child), child);
    }
    realmConfig.setKerberosIdentityConfig(identity);
}

/**
 * Copies one recognised Kerberos identity child element into {@code identity};
 * has no effect for element names that are not handled here.
 *
 * @param identity    the config being filled
 * @param elementName the cleaned element name of {@code child}
 * @param child       the element whose text content is read
 */
private void applyKerberosIdentityElement(KerberosIdentityConfig identity, String elementName, Node child) {
    if (matches("realm", elementName)) {
        identity.setRealm(getTextContent(child));
    } else if (matches("security-realm", elementName)) {
        identity.setSecurityRealm(getTextContent(child));
    } else if (matches("principal", elementName)) {
        identity.setPrincipal(getTextContent(child));
    } else if (matches("keytab-file", elementName)) {
        identity.setKeytabFile(getTextContent(child));
    } else if (matches("service-name-prefix", elementName)) {
        identity.setServiceNamePrefix(getTextContent(child));
    } else if (matches("spn", elementName)) {
        identity.setSpn(getTextContent(child));
    } else if (matches("use-canonical-hostname", elementName)) {
        // textual "true"/"false" is converted by the shared boolean parser
        identity.setUseCanonicalHostname(getBooleanValue(getTextContent(child)));
    }
}
Use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.
The class YamlClientConfigBuilderTest, method testKerberosIdentityConfig.
@Override
@Test
public void testKerberosIdentityConfig() {
    // Every supported key of the client-side security.kerberos section is set once,
    // so each getter below pins one YAML key to one config field.
    String yaml = "" + "hazelcast-client:\n" + " security:\n" + " kerberos:\n" + " realm: HAZELCAST.COM\n" + " principal: jduke\n" + " keytab-file: /opt/jduke.keytab\n" + " security-realm: krb5Initiator\n" + " service-name-prefix: hz/\n" + " use-canonical-hostname: true\n" + " spn: hz/127.0.0.1@HAZELCAST.COM\n";
    ClientConfig config = buildConfig(yaml);
    KerberosIdentityConfig identity = config.getSecurityConfig().getKerberosIdentityConfig();
    assertNotNull(identity);

    // who the client authenticates as
    assertEquals("HAZELCAST.COM", identity.getRealm());
    assertEquals("jduke", identity.getPrincipal());
    assertEquals("/opt/jduke.keytab", identity.getKeytabFile());
    assertEquals("krb5Initiator", identity.getSecurityRealm());

    // how the target service name is derived
    assertEquals("hz/", identity.getServiceNamePrefix());
    assertEquals("hz/127.0.0.1@HAZELCAST.COM", identity.getSpn());
    assertTrue(identity.getUseCanonicalHostname());
}