
Example 1 with AuthAction

use of com.yahoo.pulsar.common.policies.data.AuthAction in project pulsar by yahoo.

the class PersistentTopics method getPermissionsOnDestination.

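/**
 * Returns the effective permissions on a destination, keyed by role.
 *
 * <p>The result starts from the namespace-level grants and, for every role that also has
 * destination-level grants, holds the union of both sets.
 *
 * @param property property that owns the namespace; admin access on it is validated first
 * @param cluster cluster part of the namespace name
 * @param namespace namespace local name
 * @param destination URL-encoded destination name, decoded before use
 * @return map from role to the set of actions granted on the destination
 * @throws RestException with NOT_FOUND when no policies entry exists for the namespace, or
 *         wrapping any other failure raised while reading the policies
 */
@GET
@Path("/{property}/{cluster}/{namespace}/{destination}/permissions")
@ApiOperation(value = "Get permissions on a destination.", notes = "Retrieve the effective permissions for a destination. These permissions are defined by the permissions set at the" + " namespace level combined (union) with any eventual specific permission set on the destination.")
@ApiResponses(value = { @ApiResponse(code = 403, message = "Don't have admin permission"), @ApiResponse(code = 404, message = "Namespace doesn't exist") })
public Map<String, Set<AuthAction>> getPermissionsOnDestination(@PathParam("property") String property, @PathParam("cluster") String cluster, @PathParam("namespace") String namespace, @PathParam("destination") @Encoded String destination) {
    destination = decode(destination);
    // NOTE(review): an earlier comment here said this read should be allowed without admin
    // privileges, which contradicts both the call below and the documented 403. The check is
    // kept: the response lists every role and its granted actions, so dropping the admin
    // requirement should be a deliberate decision, not a side effect of a stale comment.
    validateAdminAccessOnProperty(property);
    String destinationUri = DestinationName.get(domain(), property, cluster, namespace, destination).toString();
    try {
        Policies policies = policiesCache().get(path("policies", property, cluster, namespace)).orElseThrow(() -> new RestException(Status.NOT_FOUND, "Namespace does not exist"));
        AuthPolicies auth = policies.auth_policies;
        // Sorted by role name so the response order is stable.
        Map<String, Set<AuthAction>> permissions = Maps.newTreeMap();
        // Namespace-level grants form the baseline.
        // NOTE(review): these values are the Set instances held by the policies object; if that
        // object is shared through the cache, callers must treat the result as read-only — confirm.
        for (Map.Entry<String, Set<AuthAction>> namespaceGrant : auth.namespace_auth.entrySet()) {
            permissions.put(namespaceGrant.getKey(), namespaceGrant.getValue());
        }
        // Destination-level grants are merged on top of the baseline.
        Map<String, Set<AuthAction>> destinationAuth = auth.destination_auth.get(destinationUri);
        if (destinationAuth != null) {
            for (Map.Entry<String, Set<AuthAction>> entry : destinationAuth.entrySet()) {
                String role = entry.getKey();
                Set<AuthAction> destinationPermissions = entry.getValue();
                if (!permissions.containsKey(role)) {
                    permissions.put(role, destinationPermissions);
                } else {
                    // Role has grants at both levels: expose the union of the two sets.
                    Set<AuthAction> union = Sets.union(permissions.get(role), destinationPermissions);
                    permissions.put(role, union);
                }
            }
        }
        return permissions;
    } catch (Exception e) {
        // NOTE(review): this also catches the NOT_FOUND RestException thrown above, so a missing
        // namespace is logged at error level; whether the 404 status survives the re-wrap
        // depends on RestException(Throwable), which is not visible here — confirm.
        log.error("[{}] Failed to get permissions for destination {}", clientAppId(), destinationUri, e);
        throw new RestException(e);
    }
}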
Also used : AuthPolicies(com.yahoo.pulsar.common.policies.data.AuthPolicies) Policies(com.yahoo.pulsar.common.policies.data.Policies) AuthPolicies(com.yahoo.pulsar.common.policies.data.AuthPolicies) Set(java.util.Set) RestException(com.yahoo.pulsar.broker.web.RestException) Map(java.util.Map) TreeMap(java.util.TreeMap) RestException(com.yahoo.pulsar.broker.web.RestException) TopicBusyException(com.yahoo.pulsar.broker.service.BrokerServiceException.TopicBusyException) WebApplicationException(javax.ws.rs.WebApplicationException) PulsarClientException(com.yahoo.pulsar.client.api.PulsarClientException) PreconditionFailedException(com.yahoo.pulsar.client.admin.PulsarAdminException.PreconditionFailedException) SubscriptionBusyException(com.yahoo.pulsar.broker.service.BrokerServiceException.SubscriptionBusyException) NotFoundException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotFoundException) NotAllowedException(com.yahoo.pulsar.broker.service.BrokerServiceException.NotAllowedException) KeeperException(org.apache.zookeeper.KeeperException) IOException(java.io.IOException) AuthAction(com.yahoo.pulsar.common.policies.data.AuthAction) Path(javax.ws.rs.Path) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 2 with AuthAction

use of com.yahoo.pulsar.common.policies.data.AuthAction in project pulsar by yahoo.

the class AdminTest method persistentTopics.

/**
 * Exercises the grant / read / revoke cycle for destination-level permissions through the
 * PersistentTopics admin resource.
 */
@Test
void persistentTopics() throws Exception {
    String propertyName = "prop-xyz";
    String clusterName = "use";
    String namespaceName = "ns";
    String topicName = "ds1";

    // Stub the resource-quota collaborator so it returns empty policies and a fixed client id.
    Policies namespacePolicies = new Policies();
    doReturn(namespacePolicies).when(resourceQuotas).getNamespacePolicies(propertyName, clusterName, namespaceName);
    doReturn("client-id").when(resourceQuotas).clientAppId();

    // Seed the policies node for the namespace.
    PropertyAdmin propertyAdmin = new PropertyAdmin();
    propertyAdmin.getAllowedClusters().add(clusterName);
    // OPEN_ACL_UNSAFE leaves the znode open to any client; presumably acceptable here because
    // the ZooKeeper handle is a test double — it is not a pattern for production nodes.
    byte[] emptyPolicies = ObjectMapperFactory.getThreadLocal().writeValueAsBytes(new Policies());
    String policiesPath = PulsarWebResource.path("policies", propertyName, clusterName, namespaceName);
    ZkUtils.createFullPathOptimistic(mockZookKeeper, policiesPath, emptyPolicies, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    List<String> topics = persistentTopics.getList(propertyName, clusterName, namespaceName);
    assertTrue(topics.isEmpty());

    // Create the partitioned destination the permissions will be attached to.
    persistentTopics.createPartitionedTopic(propertyName, clusterName, namespaceName, topicName, 5, false);

    // Counts policies-cache listener callbacks; two are awaited below (presumably one for the
    // grant and one for the revoke — confirm).
    CountDownLatch cacheUpdates = new CountDownLatch(2);
    configurationCache.policiesCache().registerListener((path, data, stat) -> cacheUpdates.countDown());

    // Grant "produce" to a role, then read it back through the endpoint.
    Set<AuthAction> grantedActions = Sets.newHashSet(AuthAction.produce);
    String roleName = "test-role";
    persistentTopics.grantPermissionsOnDestination(propertyName, clusterName, namespaceName, topicName, roleName, grantedActions);
    Map<String, Set<AuthAction>> effective = persistentTopics.getPermissionsOnDestination(propertyName, clusterName, namespaceName, topicName);
    assertEquals(effective.get(roleName), grantedActions);

    // Revoke the grant and block until the cache has seen the updates.
    // NOTE(review): await() has no timeout, so a missed notification hangs the test.
    persistentTopics.revokePermissionsOnDestination(propertyName, clusterName, namespaceName, topicName, roleName);
    cacheUpdates.await();

    // After revocation no role may remain in the effective permissions.
    effective = persistentTopics.getPermissionsOnDestination(propertyName, clusterName, namespaceName, topicName);
    assertTrue(effective.isEmpty());
}
Also used : Policies(com.yahoo.pulsar.common.policies.data.Policies) Set(java.util.Set) PropertyAdmin(com.yahoo.pulsar.common.policies.data.PropertyAdmin) CountDownLatch(java.util.concurrent.CountDownLatch) AuthAction(com.yahoo.pulsar.common.policies.data.AuthAction) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(com.yahoo.pulsar.broker.auth.MockedPulsarServiceBaseTest)
