use of com.yahoo.pulsar.common.policies.data.AuthAction in project pulsar by yahoo.
the class PersistentTopics method getPermissionsOnDestination.
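/**
 * Returns the effective permissions for one destination.
 *
 * <p>The result starts from the roles granted at namespace level and adds the roles granted on
 * the destination itself. When a role appears at both levels, its action sets are unioned.
 *
 * @param property    property (tenant) that owns the namespace
 * @param cluster     cluster name
 * @param namespace   namespace name
 * @param destination URL-encoded destination name; decoded before use
 * @return map of role name to granted actions, sorted by role name
 * @throws RestException with {@code NOT_FOUND} when no policies entry exists for the namespace,
 *                       or wrapping any unexpected failure while reading the policies
 */
@GET
@Path("/{property}/{cluster}/{namespace}/{destination}/permissions")
@ApiOperation(value = "Get permissions on a destination.",
        notes = "Retrieve the effective permissions for a destination. These permissions are defined by the permissions set at the"
                + " namespace level combined (union) with any eventual specific permission set on the destination.")
@ApiResponses(value = {
        @ApiResponse(code = 403, message = "Don't have admin permission"),
        @ApiResponse(code = 404, message = "Namespace doesn't exist") })
public Map<String, Set<AuthAction>> getPermissionsOnDestination(@PathParam("property") String property,
        @PathParam("cluster") String cluster, @PathParam("namespace") String namespace,
        @PathParam("destination") @Encoded String destination) {
    destination = decode(destination);
    // Authorization gate: runs before any policy data is read.
    // NOTE(review): the original comment said this read "should be allowed without having admin
    // privileges", but the call below enforces admin access on the property. Confirm which is
    // intended. The response lists every role and its granted actions, so relaxing the check
    // would expose the authorization layout to any caller.
    validateAdminAccessOnProperty(property);
    String destinationUri = DestinationName.get(domain(), property, cluster, namespace, destination).toString();
    try {
        Policies policies = policiesCache().get(path("policies", property, cluster, namespace))
                .orElseThrow(() -> new RestException(Status.NOT_FOUND, "Namespace does not exist"));
        AuthPolicies auth = policies.auth_policies;

        // Start from the namespace-level grants.
        Map<String, Set<AuthAction>> permissions = Maps.newTreeMap();
        permissions.putAll(auth.namespace_auth);

        // Then layer the destination-level grants on top.
        Map<String, Set<AuthAction>> destinationAuth = auth.destination_auth.get(destinationUri);
        if (destinationAuth != null) {
            for (Map.Entry<String, Set<AuthAction>> entry : destinationAuth.entrySet()) {
                String role = entry.getKey();
                Set<AuthAction> destinationPermissions = entry.getValue();
                Set<AuthAction> namespacePermissions = permissions.get(role);
                if (namespacePermissions == null) {
                    permissions.put(role, destinationPermissions);
                } else {
                    // Role is granted at both levels: expose the union of the two action sets.
                    permissions.put(role, Sets.union(namespacePermissions, destinationPermissions));
                }
            }
        }
        return permissions;
    } catch (RestException e) {
        // Deliberate REST outcomes such as the 404 above are rethrown unchanged, so they are
        // neither logged as server errors nor re-wrapped by the generic handler below.
        throw e;
    } catch (Exception e) {
        log.error("[{}] Failed to get permissions for destination {}", clientAppId(), destinationUri, e);
        throw new RestException(e);
    }
}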
use of com.yahoo.pulsar.common.policies.data.AuthAction in project pulsar by yahoo.
the class AdminTest method persistentTopics.
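/**
 * Exercises the grant / read / revoke cycle for destination-level permissions on a
 * partitioned topic, against the mocked ZooKeeper store.
 *
 * <p>Only destination-level grants are covered here. The namespace-level union and the
 * rejected-caller path of {@code getPermissionsOnDestination} are not exercised.
 */
@Test
void persistentTopics() throws Exception {
    final String property = "prop-xyz";
    final String cluster = "use";
    final String namespace = "ns";
    final String destination = "ds1";
    Policies policies = new Policies();
    doReturn(policies).when(resourceQuotas).getNamespacePolicies(property, cluster, namespace);
    doReturn("client-id").when(resourceQuotas).clientAppId();
    // create policies
    PropertyAdmin admin = new PropertyAdmin();
    admin.getAllowedClusters().add(cluster);
    // OPEN_ACL_UNSAFE leaves the znode world-accessible. It is used here on the test's
    // mock ZooKeeper handle and should not be copied into code that talks to a real ensemble.
    ZkUtils.createFullPathOptimistic(mockZookKeeper,
            PulsarWebResource.path("policies", property, cluster, namespace),
            ObjectMapperFactory.getThreadLocal().writeValueAsBytes(new Policies()),
            ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    List<String> list = persistentTopics.getList(property, cluster, namespace);
    assertTrue(list.isEmpty());
    // create destination
    persistentTopics.createPartitionedTopic(property, cluster, namespace, destination, 5, false);
    // The latch counts two policy-cache notifications; the grant and the revoke below are
    // the two policy changes this test makes after the listener is registered.
    CountDownLatch notificationLatch = new CountDownLatch(2);
    configurationCache.policiesCache().registerListener((path, data, stat) -> notificationLatch.countDown());
    // grant permission
    final Set<AuthAction> actions = Sets.newHashSet(AuthAction.produce);
    final String role = "test-role";
    persistentTopics.grantPermissionsOnDestination(property, cluster, namespace, destination, role, actions);
    // verify permission
    Map<String, Set<AuthAction>> permission = persistentTopics.getPermissionsOnDestination(property, cluster,
            namespace, destination);
    assertEquals(permission.get(role), actions);
    // remove permission
    persistentTopics.revokePermissionsOnDestination(property, cluster, namespace, destination, role);
    // Wait for the cache to be updated. The wait is bounded so that a lost notification
    // fails the test instead of hanging the build indefinitely.
    assertTrue(notificationLatch.await(10, java.util.concurrent.TimeUnit.SECONDS));
    // verify removed permission
    permission = persistentTopics.getPermissionsOnDestination(property, cluster, namespace, destination);
    assertTrue(permission.isEmpty());
}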
Aggregations