Search in sources :

Example 1 with KerberosIdentityConfig

use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.

the class YamlConfigBuilderTest method testSecurityConfig.

@Override
@Test
public void testSecurityConfig() {
    String yaml = "" + "hazelcast:\n" + "  security:\n" + "    enabled: true\n" + "    security-interceptors:\n" + "      - foo\n" + "      - bar\n" + "    client-block-unmapped-actions: false\n" + "    member-authentication:\n" + "      realm: mr\n" + "    client-authentication:\n" + "      realm: cr\n" + "    realms:\n" + "      - name: mr\n" + "        authentication:\n" + "          jaas:\n" + "            - class-name: MyRequiredLoginModule\n" + "              usage: REQUIRED\n" + "              properties:\n" + "                login-property: login-value\n" + "            - class-name: MyRequiredLoginModule2\n" + "              usage: SUFFICIENT\n" + "              properties:\n" + "                login-property2: login-value2\n" + "        identity:\n" + "          credentials-factory:\n" + "            class-name: MyCredentialsFactory\n" + "            properties:\n" + "              property: value\n" + "      - name: cr\n" + "        authentication:\n" + "          jaas:\n" + "            - class-name: MyOptionalLoginModule\n" + "              usage: OPTIONAL\n" + "              properties:\n" + "                client-property: client-value\n" + "            - class-name: MyRequiredLoginModule\n" + "              usage: REQUIRED\n" + "              properties:\n" + "                client-property2: client-value2\n" + "      - name: kerberos\n" + "        authentication:\n" + "          kerberos:\n" + "            skip-role: false\n" + "            relax-flags-check: true\n" + "            use-name-without-realm: true\n" + "            security-realm: krb5Acceptor\n" + "            principal: jduke@HAZELCAST.COM\n" + "            keytab-file: /opt/jduke.keytab\n" + "            ldap:\n" + "              url: ldap://127.0.0.1\n" + "        identity:\n" + "          kerberos:\n" + "            realm: HAZELCAST.COM\n" + "            security-realm: krb5Initializer\n" + "            principal: jduke@HAZELCAST.COM\n" + "            keytab-file: /opt/jduke.keytab\n" + "            use-canonical-hostname: true\n" + "      - name: simple\n" + "        authentication:\n" + "          simple:\n" + "            skip-role: true\n" + "            users:\n" + "              - username: test\n" + "                password: 'a1234'\n" + "                roles:\n" + "                  - monitor\n" + "                  - hazelcast\n" + "              - username: dev\n" + "                password: secret\n" + "                roles:\n" + "                  - root\n" + "    client-permission-policy:\n" + "      class-name: MyPermissionPolicy\n" + "      properties:\n" + "        permission-property: permission-value\n";
    Config config = buildConfig(yaml);
    SecurityConfig securityConfig = config.getSecurityConfig();
    List<SecurityInterceptorConfig> interceptorConfigs = securityConfig.getSecurityInterceptorConfigs();
    assertEquals(2, interceptorConfigs.size());
    assertEquals("foo", interceptorConfigs.get(0).className);
    assertEquals("bar", interceptorConfigs.get(1).className);
    assertFalse(securityConfig.getClientBlockUnmappedActions());
    RealmConfig memberRealm = securityConfig.getRealmConfig(securityConfig.getMemberRealm());
    CredentialsFactoryConfig memberCredentialsConfig = memberRealm.getCredentialsFactoryConfig();
    assertEquals("MyCredentialsFactory", memberCredentialsConfig.getClassName());
    assertEquals(1, memberCredentialsConfig.getProperties().size());
    assertEquals("value", memberCredentialsConfig.getProperties().getProperty("property"));
    List<LoginModuleConfig> memberLoginModuleConfigs = memberRealm.getJaasAuthenticationConfig().getLoginModuleConfigs();
    assertEquals(2, memberLoginModuleConfigs.size());
    Iterator<LoginModuleConfig> memberLoginIterator = memberLoginModuleConfigs.iterator();
    LoginModuleConfig memberLoginModuleCfg1 = memberLoginIterator.next();
    assertEquals("MyRequiredLoginModule", memberLoginModuleCfg1.getClassName());
    assertEquals(LoginModuleUsage.REQUIRED, memberLoginModuleCfg1.getUsage());
    assertEquals(1, memberLoginModuleCfg1.getProperties().size());
    assertEquals("login-value", memberLoginModuleCfg1.getProperties().getProperty("login-property"));
    LoginModuleConfig memberLoginModuleCfg2 = memberLoginIterator.next();
    assertEquals("MyRequiredLoginModule2", memberLoginModuleCfg2.getClassName());
    assertEquals(LoginModuleUsage.SUFFICIENT, memberLoginModuleCfg2.getUsage());
    assertEquals(1, memberLoginModuleCfg2.getProperties().size());
    assertEquals("login-value2", memberLoginModuleCfg2.getProperties().getProperty("login-property2"));
    RealmConfig clientRealm = securityConfig.getRealmConfig(securityConfig.getClientRealm());
    List<LoginModuleConfig> clientLoginModuleConfigs = clientRealm.getJaasAuthenticationConfig().getLoginModuleConfigs();
    assertEquals(2, clientLoginModuleConfigs.size());
    Iterator<LoginModuleConfig> clientLoginIterator = clientLoginModuleConfigs.iterator();
    LoginModuleConfig clientLoginModuleCfg1 = clientLoginIterator.next();
    assertEquals("MyOptionalLoginModule", clientLoginModuleCfg1.getClassName());
    assertEquals(LoginModuleUsage.OPTIONAL, clientLoginModuleCfg1.getUsage());
    assertEquals(1, clientLoginModuleCfg1.getProperties().size());
    assertEquals("client-value", clientLoginModuleCfg1.getProperties().getProperty("client-property"));
    LoginModuleConfig clientLoginModuleCfg2 = clientLoginIterator.next();
    assertEquals("MyRequiredLoginModule", clientLoginModuleCfg2.getClassName());
    assertEquals(LoginModuleUsage.REQUIRED, clientLoginModuleCfg2.getUsage());
    assertEquals(1, clientLoginModuleCfg2.getProperties().size());
    assertEquals("client-value2", clientLoginModuleCfg2.getProperties().getProperty("client-property2"));
    RealmConfig kerberosRealm = securityConfig.getRealmConfig("kerberos");
    assertNotNull(kerberosRealm);
    KerberosIdentityConfig kerbIdentity = kerberosRealm.getKerberosIdentityConfig();
    assertNotNull(kerbIdentity);
    assertEquals("HAZELCAST.COM", kerbIdentity.getRealm());
    assertEquals("krb5Initializer", kerbIdentity.getSecurityRealm());
    assertEquals("jduke@HAZELCAST.COM", kerbIdentity.getPrincipal());
    assertEquals("/opt/jduke.keytab", kerbIdentity.getKeytabFile());
    assertTrue(kerbIdentity.getUseCanonicalHostname());
    KerberosAuthenticationConfig kerbAuthentication = kerberosRealm.getKerberosAuthenticationConfig();
    assertNotNull(kerbAuthentication);
    assertEquals(Boolean.TRUE, kerbAuthentication.getRelaxFlagsCheck());
    assertEquals(Boolean.FALSE, kerbAuthentication.getSkipRole());
    assertNull(kerbAuthentication.getSkipIdentity());
    assertEquals("krb5Acceptor", kerbAuthentication.getSecurityRealm());
    assertEquals("jduke@HAZELCAST.COM", kerbAuthentication.getPrincipal());
    assertEquals("/opt/jduke.keytab", kerbAuthentication.getKeytabFile());
    assertTrue(kerbAuthentication.getUseNameWithoutRealm());
    LdapAuthenticationConfig kerbLdapAuthentication = kerbAuthentication.getLdapAuthenticationConfig();
    assertNotNull(kerbLdapAuthentication);
    assertEquals("ldap://127.0.0.1", kerbLdapAuthentication.getUrl());
    RealmConfig simpleRealm = securityConfig.getRealmConfig("simple");
    assertNotNull(simpleRealm);
    SimpleAuthenticationConfig simpleAuthnCfg = simpleRealm.getSimpleAuthenticationConfig();
    assertNotNull(simpleAuthnCfg);
    assertEquals(2, simpleAuthnCfg.getUsernames().size());
    assertTrue(simpleAuthnCfg.getUsernames().contains("test"));
    assertEquals("a1234", simpleAuthnCfg.getPassword("test"));
    Set<String> expectedRoles = new HashSet<>();
    expectedRoles.add("monitor");
    expectedRoles.add("hazelcast");
    assertEquals(expectedRoles, simpleAuthnCfg.getRoles("test"));
    assertEquals(Boolean.TRUE, simpleAuthnCfg.getSkipRole());
    // client-permission-policy
    PermissionPolicyConfig permissionPolicyConfig = securityConfig.getClientPolicyConfig();
    assertEquals("MyPermissionPolicy", permissionPolicyConfig.getClassName());
    assertEquals(1, permissionPolicyConfig.getProperties().size());
    assertEquals("permission-value", permissionPolicyConfig.getProperties().getProperty("permission-property"));
}
Also used : RealmConfig(com.hazelcast.config.security.RealmConfig) LdapAuthenticationConfig(com.hazelcast.config.security.LdapAuthenticationConfig) SemaphoreConfig(com.hazelcast.config.cp.SemaphoreConfig) CPSubsystemConfig(com.hazelcast.config.cp.CPSubsystemConfig) RaftAlgorithmConfig(com.hazelcast.config.cp.RaftAlgorithmConfig) SimpleAuthenticationConfig(com.hazelcast.config.security.SimpleAuthenticationConfig) KerberosIdentityConfig(com.hazelcast.config.security.KerberosIdentityConfig) KerberosAuthenticationConfig(com.hazelcast.config.security.KerberosAuthenticationConfig) RealmConfig(com.hazelcast.config.security.RealmConfig) FencedLockConfig(com.hazelcast.config.cp.FencedLockConfig) KerberosIdentityConfig(com.hazelcast.config.security.KerberosIdentityConfig) LdapAuthenticationConfig(com.hazelcast.config.security.LdapAuthenticationConfig) KerberosAuthenticationConfig(com.hazelcast.config.security.KerberosAuthenticationConfig) SimpleAuthenticationConfig(com.hazelcast.config.security.SimpleAuthenticationConfig) HashSet(java.util.HashSet) ParallelJVMTest(com.hazelcast.test.annotation.ParallelJVMTest) QuickTest(com.hazelcast.test.annotation.QuickTest) Test(org.junit.Test)

Example 2 with KerberosIdentityConfig

use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.

the class TestFullApplicationContext method testSecurity.

@Test
public void testSecurity() {
    SecurityConfig securityConfig = config.getSecurityConfig();
    assertEquals(OnJoinPermissionOperationName.SEND, securityConfig.getOnJoinPermissionOperation());
    final Set<PermissionConfig> clientPermissionConfigs = securityConfig.getClientPermissionConfigs();
    assertFalse(securityConfig.getClientBlockUnmappedActions());
    assertTrue(isNotEmpty(clientPermissionConfigs));
    assertEquals(PermissionType.values().length, clientPermissionConfigs.size());
    final PermissionConfig pnCounterPermission = new PermissionConfig(PermissionType.PN_COUNTER, "pnCounterPermission", "*").addAction("create").setEndpoints(Collections.emptySet());
    assertContains(clientPermissionConfigs, pnCounterPermission);
    Set<PermissionType> permTypes = new HashSet<>(Arrays.asList(PermissionType.values()));
    for (PermissionConfig pc : clientPermissionConfigs) {
        permTypes.remove(pc.getType());
    }
    assertTrue("All permission types should be listed in fullConfig. Not found ones: " + permTypes, permTypes.isEmpty());
    RealmConfig kerberosRealm = securityConfig.getRealmConfig("kerberosRealm");
    assertNotNull(kerberosRealm);
    KerberosAuthenticationConfig kerbAuthentication = kerberosRealm.getKerberosAuthenticationConfig();
    assertNotNull(kerbAuthentication);
    assertEquals(TRUE, kerbAuthentication.getRelaxFlagsCheck());
    assertEquals(TRUE, kerbAuthentication.getUseNameWithoutRealm());
    assertEquals("krb5Acceptor", kerbAuthentication.getSecurityRealm());
    assertNotNull(kerbAuthentication.getLdapAuthenticationConfig());
    KerberosIdentityConfig kerbIdentity = kerberosRealm.getKerberosIdentityConfig();
    assertNotNull(kerbIdentity);
    assertEquals("HAZELCAST.COM", kerbIdentity.getRealm());
    assertEquals(TRUE, kerbIdentity.getUseCanonicalHostname());
    RealmConfig simpleRealm = securityConfig.getRealmConfig("simpleRealm");
    assertNotNull(simpleRealm);
    SimpleAuthenticationConfig simpleAuthnCfg = simpleRealm.getSimpleAuthenticationConfig();
    assertNotNull(simpleAuthnCfg);
    assertEquals(2, simpleAuthnCfg.getUsernames().size());
    assertTrue(simpleAuthnCfg.getUsernames().contains("test"));
    assertEquals("a1234", simpleAuthnCfg.getPassword("test"));
    Set<String> expectedRoles = new HashSet<>();
    expectedRoles.add("monitor");
    expectedRoles.add("hazelcast");
    assertEquals(expectedRoles, simpleAuthnCfg.getRoles("test"));
}
Also used : PermissionConfig(com.hazelcast.config.PermissionConfig) RealmConfig(com.hazelcast.config.security.RealmConfig) SecurityConfig(com.hazelcast.config.SecurityConfig) PermissionType(com.hazelcast.config.PermissionConfig.PermissionType) KerberosAuthenticationConfig(com.hazelcast.config.security.KerberosAuthenticationConfig) SimpleAuthenticationConfig(com.hazelcast.config.security.SimpleAuthenticationConfig) HashSet(java.util.HashSet) KerberosIdentityConfig(com.hazelcast.config.security.KerberosIdentityConfig) Test(org.junit.Test) QuickTest(com.hazelcast.test.annotation.QuickTest)

Example 3 with KerberosIdentityConfig

use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.

the class ClientDomConfigProcessor method handleKerberosIdentity.

private void handleKerberosIdentity(Node node, ClientSecurityConfig clientSecurityConfig) {
    KerberosIdentityConfig kerbIdentity = new KerberosIdentityConfig();
    for (Node child : childElements(node)) {
        String nodeName = cleanNodeName(child);
        if (matches("realm", nodeName)) {
            kerbIdentity.setRealm(getTextContent(child));
        } else if (matches("security-realm", nodeName)) {
            kerbIdentity.setSecurityRealm(getTextContent(child));
        } else if (matches("principal", nodeName)) {
            kerbIdentity.setPrincipal(getTextContent(child));
        } else if (matches("keytab-file", nodeName)) {
            kerbIdentity.setKeytabFile(getTextContent(child));
        } else if (matches("service-name-prefix", nodeName)) {
            kerbIdentity.setServiceNamePrefix(getTextContent(child));
        } else if (matches("spn", nodeName)) {
            kerbIdentity.setSpn(getTextContent(child));
        } else if (matches("use-canonical-hostname", nodeName)) {
            kerbIdentity.setUseCanonicalHostname(getBooleanValue(getTextContent(child)));
        }
    }
    clientSecurityConfig.setKerberosIdentityConfig(kerbIdentity);
}
Also used : Node(org.w3c.dom.Node) KerberosIdentityConfig(com.hazelcast.config.security.KerberosIdentityConfig)

Example 4 with KerberosIdentityConfig

use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.

the class MemberDomConfigProcessor method handleKerberosIdentity.

protected void handleKerberosIdentity(RealmConfig realmConfig, Node node) {
    KerberosIdentityConfig kerbIdentity = new KerberosIdentityConfig();
    for (Node child : childElements(node)) {
        String nodeName = cleanNodeName(child);
        if (matches("realm", nodeName)) {
            kerbIdentity.setRealm(getTextContent(child));
        } else if (matches("security-realm", nodeName)) {
            kerbIdentity.setSecurityRealm(getTextContent(child));
        } else if (matches("principal", nodeName)) {
            kerbIdentity.setPrincipal(getTextContent(child));
        } else if (matches("keytab-file", nodeName)) {
            kerbIdentity.setKeytabFile(getTextContent(child));
        } else if (matches("service-name-prefix", nodeName)) {
            kerbIdentity.setServiceNamePrefix(getTextContent(child));
        } else if (matches("spn", nodeName)) {
            kerbIdentity.setSpn(getTextContent(child));
        } else if (matches("use-canonical-hostname", nodeName)) {
            kerbIdentity.setUseCanonicalHostname(getBooleanValue(getTextContent(child)));
        }
    }
    realmConfig.setKerberosIdentityConfig(kerbIdentity);
}
Also used : Node(org.w3c.dom.Node) KerberosIdentityConfig(com.hazelcast.config.security.KerberosIdentityConfig)

Example 5 with KerberosIdentityConfig

use of com.hazelcast.config.security.KerberosIdentityConfig in project hazelcast by hazelcast.

the class YamlClientConfigBuilderTest method testKerberosIdentityConfig.

@Override
@Test
public void testKerberosIdentityConfig() {
    String yaml = "" + "hazelcast-client:\n" + "  security:\n" + "    kerberos:\n" + "      realm: HAZELCAST.COM\n" + "      principal: jduke\n" + "      keytab-file: /opt/jduke.keytab\n" + "      security-realm: krb5Initiator\n" + "      service-name-prefix: hz/\n" + "      use-canonical-hostname: true\n" + "      spn: hz/127.0.0.1@HAZELCAST.COM\n";
    ClientConfig config = buildConfig(yaml);
    KerberosIdentityConfig identityConfig = config.getSecurityConfig().getKerberosIdentityConfig();
    assertNotNull(identityConfig);
    assertEquals("HAZELCAST.COM", identityConfig.getRealm());
    assertEquals("jduke", identityConfig.getPrincipal());
    assertEquals("/opt/jduke.keytab", identityConfig.getKeytabFile());
    assertEquals("krb5Initiator", identityConfig.getSecurityRealm());
    assertEquals("hz/", identityConfig.getServiceNamePrefix());
    assertTrue(identityConfig.getUseCanonicalHostname());
    assertEquals("hz/127.0.0.1@HAZELCAST.COM", identityConfig.getSpn());
}
Also used : KerberosIdentityConfig(com.hazelcast.config.security.KerberosIdentityConfig) QuickTest(com.hazelcast.test.annotation.QuickTest) YamlConfigBuilderTest(com.hazelcast.config.YamlConfigBuilderTest) Test(org.junit.Test)

Aggregations

KerberosIdentityConfig (com.hazelcast.config.security.KerberosIdentityConfig)9 QuickTest (com.hazelcast.test.annotation.QuickTest)7 Test (org.junit.Test)7 RealmConfig (com.hazelcast.config.security.RealmConfig)5 KerberosAuthenticationConfig (com.hazelcast.config.security.KerberosAuthenticationConfig)4 SimpleAuthenticationConfig (com.hazelcast.config.security.SimpleAuthenticationConfig)4 ParallelJVMTest (com.hazelcast.test.annotation.ParallelJVMTest)4 CPSubsystemConfig (com.hazelcast.config.cp.CPSubsystemConfig)3 FencedLockConfig (com.hazelcast.config.cp.FencedLockConfig)3 SemaphoreConfig (com.hazelcast.config.cp.SemaphoreConfig)3 LdapAuthenticationConfig (com.hazelcast.config.security.LdapAuthenticationConfig)3 HashSet (java.util.HashSet)3 RaftAlgorithmConfig (com.hazelcast.config.cp.RaftAlgorithmConfig)2 JaasAuthenticationConfig (com.hazelcast.config.security.JaasAuthenticationConfig)2 TokenIdentityConfig (com.hazelcast.config.security.TokenIdentityConfig)2 Node (org.w3c.dom.Node)2 LoginModuleConfig (com.hazelcast.config.LoginModuleConfig)1 PermissionConfig (com.hazelcast.config.PermissionConfig)1 PermissionType (com.hazelcast.config.PermissionConfig.PermissionType)1 SecurityConfig (com.hazelcast.config.SecurityConfig)1