use of com.yahoo.pulsar.common.policies.data.ClusterData in project pulsar by yahoo.
the class AuthorizationTest method simple.
@Test
void simple() throws Exception {
AuthorizationManager auth = pulsar.getBrokerService().getAuthorizationManager();
assertEquals(auth.canLookup(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), false);
admin.clusters().createCluster("c1", new ClusterData());
admin.properties().createProperty("p1", new PropertyAdmin(Lists.newArrayList("role1"), Sets.newHashSet("c1")));
waitForChange();
admin.namespaces().createNamespace("p1/c1/ns1");
waitForChange();
assertEquals(auth.canLookup(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), false);
admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "my-role", EnumSet.of(AuthAction.produce));
waitForChange();
assertEquals(auth.canLookup(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), true);
assertEquals(auth.canProduce(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), true);
admin.persistentTopics().grantPermission("persistent://p1/c1/ns1/ds2", "other-role", EnumSet.of(AuthAction.consume));
waitForChange();
assertEquals(auth.canLookup(DestinationName.get("persistent://p1/c1/ns1/ds2"), "other-role"), true);
assertEquals(auth.canProduce(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), true);
assertEquals(auth.canProduce(DestinationName.get("persistent://p1/c1/ns1/ds2"), "other-role"), false);
assertEquals(auth.canConsume(DestinationName.get("persistent://p1/c1/ns1/ds2"), "other-role"), true);
assertEquals(auth.canConsume(DestinationName.get("persistent://p1/c1/ns1/ds2"), "no-access-role"), false);
assertEquals(auth.canLookup(DestinationName.get("persistent://p1/c1/ns1/ds1"), "no-access-role"), false);
admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "my-role", EnumSet.allOf(AuthAction.class));
waitForChange();
assertEquals(auth.canProduce(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), true);
assertEquals(auth.canConsume(DestinationName.get("persistent://p1/c1/ns1/ds1"), "my-role"), true);
admin.namespaces().deleteNamespace("p1/c1/ns1");
admin.properties().deleteProperty("p1");
admin.clusters().deleteCluster("c1");
}
use of com.yahoo.pulsar.common.policies.data.ClusterData in project pulsar by yahoo.
the class AdminTest method properties.
@Test
void properties() throws Exception {
assertEquals(properties.getProperties(), Lists.newArrayList());
verify(properties, times(1)).validateSuperUserAccess();
Set<String> allowedClusters = Sets.newHashSet();
PropertyAdmin propertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "role2"), allowedClusters);
properties.createProperty("test-property", propertyAdmin);
verify(properties, times(2)).validateSuperUserAccess();
assertEquals(properties.getProperties(), Lists.newArrayList("test-property"));
verify(properties, times(3)).validateSuperUserAccess();
assertEquals(properties.getPropertyAdmin("test-property"), propertyAdmin);
verify(properties, times(4)).validateSuperUserAccess();
PropertyAdmin newPropertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "other-role"), allowedClusters);
properties.updateProperty("test-property", newPropertyAdmin);
verify(properties, times(5)).validateSuperUserAccess();
// Wait for updateProperty to take effect
Thread.sleep(100);
assertEquals(properties.getPropertyAdmin("test-property"), newPropertyAdmin);
assertNotSame(properties.getPropertyAdmin("test-property"), propertyAdmin);
verify(properties, times(7)).validateSuperUserAccess();
// Check creating existing property
try {
properties.createProperty("test-property", propertyAdmin);
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.CONFLICT.getStatusCode());
}
// Check non-existing property
try {
properties.getPropertyAdmin("non-existing");
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
}
try {
properties.updateProperty("xxx-non-existing", newPropertyAdmin);
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
}
// Check deleting non-existing property
try {
properties.deleteProperty("non-existing");
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
}
// Test zk failures
mockZookKeeper.failNow(Code.SESSIONEXPIRED);
try {
properties.getProperties();
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
}
mockZookKeeper.failNow(Code.SESSIONEXPIRED);
try {
properties.getPropertyAdmin("my-property");
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
}
mockZookKeeper.failNow(Code.SESSIONEXPIRED);
try {
properties.updateProperty("my-property", newPropertyAdmin);
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
}
mockZookKeeper.failNow(Code.SESSIONEXPIRED);
try {
properties.createProperty("test", propertyAdmin);
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
}
mockZookKeeper.failNow(Code.SESSIONEXPIRED);
try {
properties.deleteProperty("my-property");
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
}
properties.createProperty("error-property", propertyAdmin);
mockZookKeeper.failAfter(2, Code.SESSIONEXPIRED);
try {
properties.deleteProperty("error-property");
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
}
properties.deleteProperty("test-property");
properties.deleteProperty("error-property");
assertEquals(properties.getProperties(), Lists.newArrayList());
// Create a namespace to test deleting a non-empty property
clusters.createCluster("use", new ClusterData());
newPropertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "other-role"), Sets.newHashSet("use"));
properties.createProperty("my-property", newPropertyAdmin);
namespaces.createNamespace("my-property", "use", "my-namespace", new BundlesData());
try {
properties.deleteProperty("my-property");
fail("should have failed");
} catch (RestException e) {
// Ok
}
// Check name validation
try {
properties.createProperty("test&", propertyAdmin);
fail("should have failed");
} catch (RestException e) {
assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
}
namespaces.deleteNamespace("my-property", "use", "my-namespace", false);
properties.deleteProperty("my-property");
}
use of com.yahoo.pulsar.common.policies.data.ClusterData in project pulsar by yahoo.
the class Namespaces method deleteNamespaceBundle.
@DELETE
@Path("/{property}/{cluster}/{namespace}/{bundle}")
@ApiOperation(value = "Delete a namespace bundle and all the destinations under it.")
@ApiResponses(value = { @ApiResponse(code = 403, message = "Don't have admin permission"), @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"), @ApiResponse(code = 409, message = "Namespace bundle is not empty") })
public void deleteNamespaceBundle(@PathParam("property") String property, @PathParam("cluster") String cluster, @PathParam("namespace") String namespace, @PathParam("bundle") String bundleRange, @QueryParam("authoritative") @DefaultValue("false") boolean authoritative) {
NamespaceName nsName = new NamespaceName(property, cluster, namespace);
validateAdminAccessOnProperty(property);
validatePoliciesReadOnlyAccess();
// ensure that non-global namespace is directed to the correct cluster
validateClusterOwnership(cluster);
Policies policies = getNamespacePolicies(property, cluster, namespace);
// ensure the local cluster is the only cluster for the global namespace configuration
try {
if (cluster.equals(Namespaces.GLOBAL_CLUSTER)) {
if (policies.replication_clusters.size() > 1) {
// There are still more than one clusters configured for the global namespace
throw new RestException(Status.PRECONDITION_FAILED, "Cannot delete the global namespace " + nsName + ". There are still more than one replication clusters configured.");
}
if (policies.replication_clusters.size() == 1 && !policies.replication_clusters.contains(config().getClusterName())) {
// the only replication cluster is other cluster, redirect
String replCluster = policies.replication_clusters.get(0);
ClusterData replClusterData = clustersCache().get(AdminResource.path("clusters", replCluster)).orElseThrow(() -> new RestException(Status.NOT_FOUND, "Cluser " + replCluster + " does not exist"));
URL replClusterUrl;
if (!config().isTlsEnabled()) {
replClusterUrl = new URL(replClusterData.getServiceUrl());
} else if (!replClusterData.getServiceUrlTls().isEmpty()) {
replClusterUrl = new URL(replClusterData.getServiceUrlTls());
} else {
throw new RestException(Status.PRECONDITION_FAILED, "The replication cluster does not provide TLS encrypted service");
}
URI redirect = UriBuilder.fromUri(uri.getRequestUri()).host(replClusterUrl.getHost()).port(replClusterUrl.getPort()).replaceQueryParam("authoritative", false).build();
log.debug("[{}] Redirecting the rest call to {}: cluster={}", clientAppId(), redirect, cluster);
throw new WebApplicationException(Response.temporaryRedirect(redirect).build());
}
}
} catch (WebApplicationException wae) {
throw wae;
} catch (Exception e) {
throw new RestException(e);
}
NamespaceBundle bundle = validateNamespaceBundleOwnership(nsName, policies.bundles, bundleRange, authoritative, true);
try {
List<String> destinations = getDestinations(property, cluster, namespace);
for (String destination : destinations) {
NamespaceBundle destinationBundle = (NamespaceBundle) pulsar().getNamespaceService().getBundle(DestinationName.get(destination));
if (bundle.equals(destinationBundle)) {
throw new RestException(Status.CONFLICT, "Cannot delete non empty bundle");
}
}
// remove from owned namespace map and ephemeral node from ZK
pulsar().getNamespaceService().removeOwnedServiceUnit(bundle);
} catch (WebApplicationException wae) {
throw wae;
} catch (Exception e) {
log.error("[{}] Failed to remove namespace bundle {}/{}", clientAppId(), nsName.toString(), bundleRange, e);
throw new RestException(e);
}
}
use of com.yahoo.pulsar.common.policies.data.ClusterData in project pulsar by yahoo.
the class BrokerService method getReplicationClient.
public PulsarClient getReplicationClient(String cluster) {
PulsarClient client = replicationClients.get(cluster);
if (client != null) {
return client;
}
return replicationClients.computeIfAbsent(cluster, key -> {
try {
String path = PulsarWebResource.path("clusters", cluster);
ClusterData data = this.pulsar.getConfigurationCache().clustersCache().get(path).orElseThrow(() -> new KeeperException.NoNodeException(path));
ClientConfiguration configuration = new ClientConfiguration();
configuration.setUseTcpNoDelay(false);
configuration.setConnectionsPerBroker(pulsar.getConfiguration().getReplicationConnectionsPerBroker());
configuration.setStatsInterval(0, TimeUnit.SECONDS);
if (pulsar.getConfiguration().isAuthenticationEnabled()) {
configuration.setAuthentication(pulsar.getConfiguration().getBrokerClientAuthenticationPlugin(), pulsar.getConfiguration().getBrokerClientAuthenticationParameters());
}
String clusterUrl = configuration.isUseTls() ? (isNotBlank(data.getBrokerServiceUrlTls()) ? data.getBrokerServiceUrlTls() : data.getServiceUrlTls()) : null;
clusterUrl = (isNotBlank(clusterUrl)) ? clusterUrl : (isNotBlank(data.getBrokerServiceUrl()) ? data.getBrokerServiceUrl() : data.getServiceUrl());
return new PulsarClientImpl(clusterUrl, configuration, this.workerGroup);
} catch (Exception e) {
throw new RuntimeException(e);
}
});
}
Aggregations