Search in sources :

Example 16 with PropertyAdmin

use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.

the class BrokerDiscoveryProvider method checkAuthorization.

protected static void checkAuthorization(DiscoveryService service, DestinationName destination, String role) throws Exception {
    if (!service.getConfiguration().isAuthorizationEnabled() || service.getConfiguration().getSuperUserRoles().contains(role)) {
        // No enforcing of authorization policies
        return;
    }
    // get zk policy manager
    if (!service.getAuthorizationManager().canLookup(destination, role)) {
        LOG.warn("[{}] Role {} is not allowed to lookup topic", destination, role);
        // check namespace authorization
        PropertyAdmin propertyAdmin;
        try {
            propertyAdmin = service.getConfigurationCacheService().propertiesCache().get(path("policies", destination.getProperty())).orElseThrow(() -> new IllegalAccessException("Property does not exist"));
        } catch (KeeperException.NoNodeException e) {
            LOG.warn("Failed to get property admin data for non existing property {}", destination.getProperty());
            throw new IllegalAccessException("Property does not exist");
        } catch (Exception e) {
            LOG.error("Failed to get property admin data for property");
            throw new IllegalAccessException(String.format("Failed to get property %s admin data due to %s", destination.getProperty(), e.getMessage()));
        }
        if (!propertyAdmin.getAdminRoles().contains(role)) {
            throw new IllegalAccessException("Don't have permission to administrate resources on this property");
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Successfully authorized {} on property {}", role, destination.getProperty());
    }
}
Also used : PropertyAdmin(com.yahoo.pulsar.common.policies.data.PropertyAdmin) KeeperException(org.apache.zookeeper.KeeperException) KeeperException(org.apache.zookeeper.KeeperException) IOException(java.io.IOException)

Example 17 with PropertyAdmin

use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.

the class PulsarStandaloneStarter method start.

void start() throws Exception {
    if (config == null) {
        System.exit(1);
    }
    log.debug("--- setup PulsarStandaloneStarter ---");
    if (!onlyBroker) {
        // Start LocalBookKeeper
        bkEnsemble = new LocalBookkeeperEnsemble(numOfBk, zkPort, bkPort, zkDir, bkDir, wipeData);
        bkEnsemble.start();
    }
    if (noBroker) {
        return;
    }
    // Start Broker
    broker = new PulsarService(config);
    broker.start();
    // Create a sample namespace
    URL webServiceUrl = new URL(String.format("http://%s:%d", config.getAdvertisedAddress(), config.getWebServicePort()));
    String brokerServiceUrl = String.format("pulsar://%s:%d", config.getAdvertisedAddress(), config.getBrokerServicePort());
    admin = new PulsarAdmin(webServiceUrl, config.getBrokerClientAuthenticationPlugin(), config.getBrokerClientAuthenticationParameters());
    String property = "sample";
    String cluster = config.getClusterName();
    String namespace = property + "/" + cluster + "/ns1";
    try {
        ClusterData clusterData = new ClusterData(webServiceUrl.toString(), null, /* serviceUrlTls */
        brokerServiceUrl, null);
        if (!admin.clusters().getClusters().contains(cluster)) {
            admin.clusters().createCluster(cluster, clusterData);
        } else {
            admin.clusters().updateCluster(cluster, clusterData);
        }
        if (!admin.properties().getProperties().contains(property)) {
            admin.properties().createProperty(property, new PropertyAdmin(Lists.newArrayList(config.getSuperUserRoles()), Sets.newHashSet(cluster)));
        }
        if (!admin.namespaces().getNamespaces(property).contains(namespace)) {
            admin.namespaces().createNamespace(namespace);
        }
    } catch (PulsarAdminException e) {
        log.info(e.getMessage());
    }
    log.debug("--- setup completed ---");
}
Also used : ClusterData(com.yahoo.pulsar.common.policies.data.ClusterData) PulsarService(com.yahoo.pulsar.broker.PulsarService) PulsarAdmin(com.yahoo.pulsar.client.admin.PulsarAdmin) PropertyAdmin(com.yahoo.pulsar.common.policies.data.PropertyAdmin) PulsarAdminException(com.yahoo.pulsar.client.admin.PulsarAdminException) LocalBookkeeperEnsemble(com.yahoo.pulsar.zookeeper.LocalBookkeeperEnsemble) URL(java.net.URL)

Example 18 with PropertyAdmin

use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.

the class AdminApiTest method properties.

@Test(enabled = true)
public void properties() throws PulsarAdminException {
    Set<String> allowedClusters = Sets.newHashSet("use");
    PropertyAdmin propertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "role2"), allowedClusters);
    admin.properties().updateProperty("prop-xyz", propertyAdmin);
    assertEquals(admin.properties().getProperties(), Lists.newArrayList("prop-xyz"));
    assertEquals(admin.properties().getPropertyAdmin("prop-xyz"), propertyAdmin);
    PropertyAdmin newPropertyAdmin = new PropertyAdmin(Lists.newArrayList("role3", "role4"), allowedClusters);
    admin.properties().updateProperty("prop-xyz", newPropertyAdmin);
    assertEquals(admin.properties().getPropertyAdmin("prop-xyz"), newPropertyAdmin);
    admin.namespaces().deleteNamespace("prop-xyz/use/ns1");
    admin.properties().deleteProperty("prop-xyz");
    assertEquals(admin.properties().getProperties(), Lists.newArrayList());
    // Check name validation
    try {
        admin.properties().createProperty("prop-xyz&", propertyAdmin);
        fail("should have failed");
    } catch (PulsarAdminException e) {
        assertTrue(e instanceof PreconditionFailedException);
    }
}
Also used : PropertyAdmin(com.yahoo.pulsar.common.policies.data.PropertyAdmin) PreconditionFailedException(com.yahoo.pulsar.client.admin.PulsarAdminException.PreconditionFailedException) PulsarAdminException(com.yahoo.pulsar.client.admin.PulsarAdminException) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(com.yahoo.pulsar.broker.auth.MockedPulsarServiceBaseTest)

Example 19 with PropertyAdmin

use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.

the class AdminApiTest method namespaces.

@Test(invocationCount = 1)
public void namespaces() throws PulsarAdminException, PulsarServerException, Exception {
    admin.clusters().createCluster("usw", new ClusterData());
    PropertyAdmin propertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usw"));
    admin.properties().updateProperty("prop-xyz", propertyAdmin);
    assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns1").bundles, Policies.defaultBundle());
    admin.namespaces().createNamespace("prop-xyz/use/ns2");
    admin.namespaces().createNamespace("prop-xyz/use/ns3", 4);
    assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns3").bundles.numBundles, 4);
    assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns3").bundles.boundaries.size(), 5);
    admin.namespaces().deleteNamespace("prop-xyz/use/ns3");
    try {
        admin.namespaces().createNamespace("non-existing/usw/ns1");
        fail("Should not have passed");
    } catch (NotFoundException e) {
    // Ok
    }
    assertEquals(admin.namespaces().getNamespaces("prop-xyz"), Lists.newArrayList("prop-xyz/use/ns1", "prop-xyz/use/ns2"));
    assertEquals(admin.namespaces().getNamespaces("prop-xyz", "use"), Lists.newArrayList("prop-xyz/use/ns1", "prop-xyz/use/ns2"));
    try {
        admin.namespaces().createNamespace("prop-xyz/usc/ns1");
        fail("Should not have passed");
    } catch (NotAuthorizedException e) {
    // Ok, got the non authorized exception since usc cluster is not in the allowed clusters list.
    }
    admin.namespaces().grantPermissionOnNamespace("prop-xyz/use/ns1", "my-role", EnumSet.allOf(AuthAction.class));
    Policies policies = new Policies();
    policies.auth_policies.namespace_auth.put("my-role", EnumSet.allOf(AuthAction.class));
    assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns1"), policies);
    assertEquals(admin.namespaces().getPermissions("prop-xyz/use/ns1"), policies.auth_policies.namespace_auth);
    assertEquals(admin.namespaces().getDestinations("prop-xyz/use/ns1"), Lists.newArrayList());
    admin.namespaces().revokePermissionsOnNamespace("prop-xyz/use/ns1", "my-role");
    policies.auth_policies.namespace_auth.remove("my-role");
    assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns1"), policies);
    assertEquals(admin.namespaces().getPersistence("prop-xyz/use/ns1"), new PersistencePolicies(1, 1, 1, 0.0));
    admin.namespaces().setPersistence("prop-xyz/use/ns1", new PersistencePolicies(3, 2, 1, 10.0));
    assertEquals(admin.namespaces().getPersistence("prop-xyz/use/ns1"), new PersistencePolicies(3, 2, 1, 10.0));
    // Force topic creation and namespace being loaded
    Producer producer = pulsarClient.createProducer("persistent://prop-xyz/use/ns1/my-topic");
    producer.close();
    admin.persistentTopics().delete("persistent://prop-xyz/use/ns1/my-topic");
    admin.namespaces().unloadNamespaceBundle("prop-xyz/use/ns1", "0x00000000_0xffffffff");
    NamespaceName ns = new NamespaceName("prop-xyz/use/ns1");
    // Now, w/ bundle policies, we will use default bundle
    NamespaceBundle defaultBundle = bundleFactory.getFullBundle(ns);
    int i = 0;
    for (; i < 10; i++) {
        Optional<NamespaceEphemeralData> data1 = pulsar.getNamespaceService().getOwnershipCache().getOwnerAsync(defaultBundle).get();
        if (!data1.isPresent()) {
            // Already unloaded
            break;
        }
        LOG.info("Waiting for unload namespace {} to complete. Current service unit isDisabled: {}", defaultBundle, data1.get().isDisabled());
        Thread.sleep(1000);
    }
    assertTrue(i < 10);
    admin.namespaces().deleteNamespace("prop-xyz/use/ns1");
    assertEquals(admin.namespaces().getNamespaces("prop-xyz", "use"), Lists.newArrayList("prop-xyz/use/ns2"));
    try {
        admin.namespaces().unload("prop-xyz/use/ns1");
        fail("should have raised exception");
    } catch (Exception e) {
    // OK excepted
    }
    // Force topic creation and namespace being loaded
    producer = pulsarClient.createProducer("persistent://prop-xyz/use/ns2/my-topic");
    producer.close();
    admin.persistentTopics().delete("persistent://prop-xyz/use/ns2/my-topic");
// both unload and delete should succeed for ns2 on other broker with a redirect
// otheradmin.namespaces().unload("prop-xyz/use/ns2");
}
Also used : NamespaceBundle(com.yahoo.pulsar.common.naming.NamespaceBundle) Policies(com.yahoo.pulsar.common.policies.data.Policies) PersistencePolicies(com.yahoo.pulsar.common.policies.data.PersistencePolicies) RetentionPolicies(com.yahoo.pulsar.common.policies.data.RetentionPolicies) PersistencePolicies(com.yahoo.pulsar.common.policies.data.PersistencePolicies) NotFoundException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotFoundException) NotAuthorizedException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotAuthorizedException) NotAuthorizedException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotAuthorizedException) PreconditionFailedException(com.yahoo.pulsar.client.admin.PulsarAdminException.PreconditionFailedException) NotFoundException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotFoundException) PulsarAdminException(com.yahoo.pulsar.client.admin.PulsarAdminException) ConflictException(com.yahoo.pulsar.client.admin.PulsarAdminException.ConflictException) PulsarServerException(com.yahoo.pulsar.broker.PulsarServerException) AuthAction(com.yahoo.pulsar.common.policies.data.AuthAction) NamespaceName(com.yahoo.pulsar.common.naming.NamespaceName) ClusterData(com.yahoo.pulsar.common.policies.data.ClusterData) PropertyAdmin(com.yahoo.pulsar.common.policies.data.PropertyAdmin) Producer(com.yahoo.pulsar.client.api.Producer) NamespaceEphemeralData(com.yahoo.pulsar.broker.namespace.NamespaceEphemeralData) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(com.yahoo.pulsar.broker.auth.MockedPulsarServiceBaseTest)

Example 20 with PropertyAdmin

use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.

the class AdminApiTest method testObjectWithUnknowProperties.

@Test
public void testObjectWithUnknowProperties() {
    class CustomPropertyAdmin extends PropertyAdmin {

        @SuppressWarnings("unused")
        public int newProperty;
    }
    PropertyAdmin pa = new PropertyAdmin(Lists.newArrayList("test_appid1", "test_appid2"), Sets.newHashSet("use"));
    CustomPropertyAdmin cpa = new CustomPropertyAdmin();
    cpa.setAdminRoles(pa.getAdminRoles());
    cpa.setAllowedClusters(pa.getAllowedClusters());
    cpa.newProperty = 100;
    try {
        admin.properties().createProperty("test-property", cpa);
    } catch (Exception e) {
        fail("Should not happen.");
    }
}
Also used : PropertyAdmin(com.yahoo.pulsar.common.policies.data.PropertyAdmin) NotAuthorizedException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotAuthorizedException) PreconditionFailedException(com.yahoo.pulsar.client.admin.PulsarAdminException.PreconditionFailedException) NotFoundException(com.yahoo.pulsar.client.admin.PulsarAdminException.NotFoundException) PulsarAdminException(com.yahoo.pulsar.client.admin.PulsarAdminException) ConflictException(com.yahoo.pulsar.client.admin.PulsarAdminException.ConflictException) PulsarServerException(com.yahoo.pulsar.broker.PulsarServerException) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(com.yahoo.pulsar.broker.auth.MockedPulsarServiceBaseTest)

Aggregations

PropertyAdmin (com.yahoo.pulsar.common.policies.data.PropertyAdmin)26 ClusterData (com.yahoo.pulsar.common.policies.data.ClusterData)15 Test (org.testng.annotations.Test)14 MockedPulsarServiceBaseTest (com.yahoo.pulsar.broker.auth.MockedPulsarServiceBaseTest)9 RestException (com.yahoo.pulsar.broker.web.RestException)5 PulsarAdmin (com.yahoo.pulsar.client.admin.PulsarAdmin)5 PulsarAdminException (com.yahoo.pulsar.client.admin.PulsarAdminException)5 PulsarService (com.yahoo.pulsar.broker.PulsarService)4 ServiceConfiguration (com.yahoo.pulsar.broker.ServiceConfiguration)4 AuthAction (com.yahoo.pulsar.common.policies.data.AuthAction)4 URL (java.net.URL)4 KeeperException (org.apache.zookeeper.KeeperException)4 PreconditionFailedException (com.yahoo.pulsar.client.admin.PulsarAdminException.PreconditionFailedException)3 Authentication (com.yahoo.pulsar.client.api.Authentication)3 Policies (com.yahoo.pulsar.common.policies.data.Policies)3 LocalBookkeeperEnsemble (com.yahoo.pulsar.zookeeper.LocalBookkeeperEnsemble)3 BeforeMethod (org.testng.annotations.BeforeMethod)3 PulsarServerException (com.yahoo.pulsar.broker.PulsarServerException)2 AuthorizationManager (com.yahoo.pulsar.broker.authorization.AuthorizationManager)2 ConflictException (com.yahoo.pulsar.client.admin.PulsarAdminException.ConflictException)2