use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.
the class BrokerDiscoveryProvider method checkAuthorization.
protected static void checkAuthorization(DiscoveryService service, DestinationName destination, String role) throws Exception {
if (!service.getConfiguration().isAuthorizationEnabled() || service.getConfiguration().getSuperUserRoles().contains(role)) {
// No enforcing of authorization policies
return;
}
// get zk policy manager
if (!service.getAuthorizationManager().canLookup(destination, role)) {
LOG.warn("[{}] Role {} is not allowed to lookup topic", destination, role);
// check namespace authorization
PropertyAdmin propertyAdmin;
try {
propertyAdmin = service.getConfigurationCacheService().propertiesCache().get(path("policies", destination.getProperty())).orElseThrow(() -> new IllegalAccessException("Property does not exist"));
} catch (KeeperException.NoNodeException e) {
LOG.warn("Failed to get property admin data for non existing property {}", destination.getProperty());
throw new IllegalAccessException("Property does not exist");
} catch (Exception e) {
LOG.error("Failed to get property admin data for property");
throw new IllegalAccessException(String.format("Failed to get property %s admin data due to %s", destination.getProperty(), e.getMessage()));
}
if (!propertyAdmin.getAdminRoles().contains(role)) {
throw new IllegalAccessException("Don't have permission to administrate resources on this property");
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("Successfully authorized {} on property {}", role, destination.getProperty());
}
}
use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.
the class PulsarStandaloneStarter method start.
void start() throws Exception {
if (config == null) {
System.exit(1);
}
log.debug("--- setup PulsarStandaloneStarter ---");
if (!onlyBroker) {
// Start LocalBookKeeper
bkEnsemble = new LocalBookkeeperEnsemble(numOfBk, zkPort, bkPort, zkDir, bkDir, wipeData);
bkEnsemble.start();
}
if (noBroker) {
return;
}
// Start Broker
broker = new PulsarService(config);
broker.start();
// Create a sample namespace
URL webServiceUrl = new URL(String.format("http://%s:%d", config.getAdvertisedAddress(), config.getWebServicePort()));
String brokerServiceUrl = String.format("pulsar://%s:%d", config.getAdvertisedAddress(), config.getBrokerServicePort());
admin = new PulsarAdmin(webServiceUrl, config.getBrokerClientAuthenticationPlugin(), config.getBrokerClientAuthenticationParameters());
String property = "sample";
String cluster = config.getClusterName();
String namespace = property + "/" + cluster + "/ns1";
try {
ClusterData clusterData = new ClusterData(webServiceUrl.toString(), null, /* serviceUrlTls */
brokerServiceUrl, null);
if (!admin.clusters().getClusters().contains(cluster)) {
admin.clusters().createCluster(cluster, clusterData);
} else {
admin.clusters().updateCluster(cluster, clusterData);
}
if (!admin.properties().getProperties().contains(property)) {
admin.properties().createProperty(property, new PropertyAdmin(Lists.newArrayList(config.getSuperUserRoles()), Sets.newHashSet(cluster)));
}
if (!admin.namespaces().getNamespaces(property).contains(namespace)) {
admin.namespaces().createNamespace(namespace);
}
} catch (PulsarAdminException e) {
log.info(e.getMessage());
}
log.debug("--- setup completed ---");
}
use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.
the class AdminApiTest method properties.
@Test(enabled = true)
public void properties() throws PulsarAdminException {
Set<String> allowedClusters = Sets.newHashSet("use");
PropertyAdmin propertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "role2"), allowedClusters);
admin.properties().updateProperty("prop-xyz", propertyAdmin);
assertEquals(admin.properties().getProperties(), Lists.newArrayList("prop-xyz"));
assertEquals(admin.properties().getPropertyAdmin("prop-xyz"), propertyAdmin);
PropertyAdmin newPropertyAdmin = new PropertyAdmin(Lists.newArrayList("role3", "role4"), allowedClusters);
admin.properties().updateProperty("prop-xyz", newPropertyAdmin);
assertEquals(admin.properties().getPropertyAdmin("prop-xyz"), newPropertyAdmin);
admin.namespaces().deleteNamespace("prop-xyz/use/ns1");
admin.properties().deleteProperty("prop-xyz");
assertEquals(admin.properties().getProperties(), Lists.newArrayList());
// Check name validation
try {
admin.properties().createProperty("prop-xyz&", propertyAdmin);
fail("should have failed");
} catch (PulsarAdminException e) {
assertTrue(e instanceof PreconditionFailedException);
}
}
use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.
the class AdminApiTest method namespaces.
@Test(invocationCount = 1)
public void namespaces() throws PulsarAdminException, PulsarServerException, Exception {
admin.clusters().createCluster("usw", new ClusterData());
PropertyAdmin propertyAdmin = new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usw"));
admin.properties().updateProperty("prop-xyz", propertyAdmin);
assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns1").bundles, Policies.defaultBundle());
admin.namespaces().createNamespace("prop-xyz/use/ns2");
admin.namespaces().createNamespace("prop-xyz/use/ns3", 4);
assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns3").bundles.numBundles, 4);
assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns3").bundles.boundaries.size(), 5);
admin.namespaces().deleteNamespace("prop-xyz/use/ns3");
try {
admin.namespaces().createNamespace("non-existing/usw/ns1");
fail("Should not have passed");
} catch (NotFoundException e) {
// Ok
}
assertEquals(admin.namespaces().getNamespaces("prop-xyz"), Lists.newArrayList("prop-xyz/use/ns1", "prop-xyz/use/ns2"));
assertEquals(admin.namespaces().getNamespaces("prop-xyz", "use"), Lists.newArrayList("prop-xyz/use/ns1", "prop-xyz/use/ns2"));
try {
admin.namespaces().createNamespace("prop-xyz/usc/ns1");
fail("Should not have passed");
} catch (NotAuthorizedException e) {
// Ok, got the non authorized exception since usc cluster is not in the allowed clusters list.
}
admin.namespaces().grantPermissionOnNamespace("prop-xyz/use/ns1", "my-role", EnumSet.allOf(AuthAction.class));
Policies policies = new Policies();
policies.auth_policies.namespace_auth.put("my-role", EnumSet.allOf(AuthAction.class));
assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns1"), policies);
assertEquals(admin.namespaces().getPermissions("prop-xyz/use/ns1"), policies.auth_policies.namespace_auth);
assertEquals(admin.namespaces().getDestinations("prop-xyz/use/ns1"), Lists.newArrayList());
admin.namespaces().revokePermissionsOnNamespace("prop-xyz/use/ns1", "my-role");
policies.auth_policies.namespace_auth.remove("my-role");
assertEquals(admin.namespaces().getPolicies("prop-xyz/use/ns1"), policies);
assertEquals(admin.namespaces().getPersistence("prop-xyz/use/ns1"), new PersistencePolicies(1, 1, 1, 0.0));
admin.namespaces().setPersistence("prop-xyz/use/ns1", new PersistencePolicies(3, 2, 1, 10.0));
assertEquals(admin.namespaces().getPersistence("prop-xyz/use/ns1"), new PersistencePolicies(3, 2, 1, 10.0));
// Force topic creation and namespace being loaded
Producer producer = pulsarClient.createProducer("persistent://prop-xyz/use/ns1/my-topic");
producer.close();
admin.persistentTopics().delete("persistent://prop-xyz/use/ns1/my-topic");
admin.namespaces().unloadNamespaceBundle("prop-xyz/use/ns1", "0x00000000_0xffffffff");
NamespaceName ns = new NamespaceName("prop-xyz/use/ns1");
// Now, w/ bundle policies, we will use default bundle
NamespaceBundle defaultBundle = bundleFactory.getFullBundle(ns);
int i = 0;
for (; i < 10; i++) {
Optional<NamespaceEphemeralData> data1 = pulsar.getNamespaceService().getOwnershipCache().getOwnerAsync(defaultBundle).get();
if (!data1.isPresent()) {
// Already unloaded
break;
}
LOG.info("Waiting for unload namespace {} to complete. Current service unit isDisabled: {}", defaultBundle, data1.get().isDisabled());
Thread.sleep(1000);
}
assertTrue(i < 10);
admin.namespaces().deleteNamespace("prop-xyz/use/ns1");
assertEquals(admin.namespaces().getNamespaces("prop-xyz", "use"), Lists.newArrayList("prop-xyz/use/ns2"));
try {
admin.namespaces().unload("prop-xyz/use/ns1");
fail("should have raised exception");
} catch (Exception e) {
// OK excepted
}
// Force topic creation and namespace being loaded
producer = pulsarClient.createProducer("persistent://prop-xyz/use/ns2/my-topic");
producer.close();
admin.persistentTopics().delete("persistent://prop-xyz/use/ns2/my-topic");
// both unload and delete should succeed for ns2 on other broker with a redirect
// otheradmin.namespaces().unload("prop-xyz/use/ns2");
}
use of com.yahoo.pulsar.common.policies.data.PropertyAdmin in project pulsar by yahoo.
the class AdminApiTest method testObjectWithUnknowProperties.
@Test
public void testObjectWithUnknowProperties() {
class CustomPropertyAdmin extends PropertyAdmin {
@SuppressWarnings("unused")
public int newProperty;
}
PropertyAdmin pa = new PropertyAdmin(Lists.newArrayList("test_appid1", "test_appid2"), Sets.newHashSet("use"));
CustomPropertyAdmin cpa = new CustomPropertyAdmin();
cpa.setAdminRoles(pa.getAdminRoles());
cpa.setAllowedClusters(pa.getAllowedClusters());
cpa.newProperty = 100;
try {
admin.properties().createProperty("test-property", cpa);
} catch (Exception e) {
fail("Should not happen.");
}
}
Aggregations