use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.
the class DistributingExecutor method checkAuthorization.
private void checkAuthorization(final ConfiguredStatement<?> configured, final KsqlSecurityContext userSecurityContext, final KsqlExecutionContext serverExecutionContext) {
final Statement statement = configured.getStatement();
final MetaStore metaStore = serverExecutionContext.getMetaStore();
// Check the User will be permitted to execute this statement
authorizationValidator.ifPresent(validator -> validator.checkAuthorization(userSecurityContext, metaStore, statement));
try {
// Check the KSQL service principal will be permitted too
authorizationValidator.ifPresent(validator -> validator.checkAuthorization(new KsqlSecurityContext(Optional.empty(), serverExecutionContext.getServiceContext()), metaStore, statement));
} catch (final Exception e) {
throw new KsqlServerException("The KSQL server is not permitted to execute the command", e);
}
}
use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.
the class KsqlRestApplication method maybeCreateProcessingLogStream.
private static void maybeCreateProcessingLogStream(final ProcessingLogConfig processingLogConfig, final KsqlConfig ksqlConfig, final KsqlRestConfig restConfig, final KsqlResource ksqlResource, final ServiceContext serviceContext) {
if (!processingLogConfig.getBoolean(ProcessingLogConfig.STREAM_AUTO_CREATE)) {
return;
}
try {
final SimpleKsqlClient internalClient = new ServerInternalKsqlClient(ksqlResource, new KsqlSecurityContext(Optional.empty(), serviceContext));
final URI serverEndpoint = ServerUtil.getServerAddress(restConfig);
final String processingLogStreamName = processingLogConfig.getString(ProcessingLogConfig.STREAM_NAME);
if (!processingLogStreamExists(internalClient, serverEndpoint, processingLogStreamName)) {
final RestResponse<KsqlEntityList> response = internalClient.makeKsqlRequest(serverEndpoint, ProcessingLogServerUtils.processingLogStreamCreateStatement(processingLogConfig, ksqlConfig), ImmutableMap.of());
if (response.isSuccessful()) {
log.info("Successfully created processing log stream.");
}
}
} catch (final Exception e) {
log.error("Error while sending processing log CreateStream request to KsqlResource: ", e);
}
}
use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.
the class KsqlRestApplicationTest method setUp.
@SuppressWarnings({ "unchecked", "rawtypes" })
@Before
public void setUp() {
when(processingLogConfig.getBoolean(ProcessingLogConfig.STREAM_AUTO_CREATE)).thenReturn(true);
when(processingLogConfig.getString(ProcessingLogConfig.STREAM_NAME)).thenReturn(LOG_STREAM_NAME);
when(processingLogConfig.getString(ProcessingLogConfig.TOPIC_NAME)).thenReturn(LOG_TOPIC_NAME);
when(processingLogConfig.getBoolean(ProcessingLogConfig.TOPIC_AUTO_CREATE)).thenReturn(true);
when(processingLogContext.getConfig()).thenReturn(processingLogConfig);
when(ksqlEngine.parse(any())).thenReturn(ImmutableList.of(parsedStatement));
when(ksqlEngine.prepare(any())).thenReturn((PreparedStatement) preparedStatement);
when(commandQueue.getCommandTopicName()).thenReturn(CMD_TOPIC_NAME);
when(serviceContext.getTopicClient()).thenReturn(topicClient);
when(topicClient.isTopicExists(CMD_TOPIC_NAME)).thenReturn(false);
when(ksqlConfig.getString(KsqlConfig.KSQL_SERVICE_ID_CONFIG)).thenReturn("ksql-id");
when(ksqlConfig.getKsqlStreamConfigProps()).thenReturn(ImmutableMap.of("state.dir", "/tmp/cat"));
when(precondition1.checkPrecondition(any(), any(), any())).thenReturn(Optional.empty());
when(precondition2.checkPrecondition(any(), any(), any())).thenReturn(Optional.empty());
when(response.getStatus()).thenReturn(200);
when(response.getEntity()).thenReturn(new KsqlEntityList(Collections.singletonList(new StreamsList(LIST_STREAMS_SQL, Collections.emptyList()))));
when(ksqlResource.handleKsqlStatements(any(), any())).thenReturn(response);
securityContext = new KsqlSecurityContext(Optional.empty(), serviceContext);
logCreateStatement = ProcessingLogServerUtils.processingLogStreamCreateStatement(processingLogConfig, ksqlConfig);
givenAppWithRestConfig(ImmutableMap.of(KsqlRestConfig.LISTENERS_CONFIG, "http://localhost:0"), new MetricCollectors());
}
use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.
the class AuthTest method shouldAllowAccessWithPermissionCheck.
private void shouldAllowAccessWithPermissionCheck(final String expectedUser, final String expectedMethod, final String expectedPath, final ExceptionThrowingRunnable action) throws Exception {
stopServer();
stopClient();
AtomicReference<Principal> principalAtomicReference = new AtomicReference<>();
AtomicReference<String> methodAtomicReference = new AtomicReference<>();
AtomicReference<String> pathAtomicReference = new AtomicReference<>();
this.authorizationProvider = new KsqlAuthorizationProvider() {
@Override
public void checkEndpointAccess(final Principal user, final String method, final String path) {
throwIfNullPrincipal(user);
principalAtomicReference.set(user);
methodAtomicReference.set(method);
pathAtomicReference.set(path);
}
@Override
public void checkPrivileges(final KsqlSecurityContext securityContext, final AuthObjectType objectType, final String objectName, final List<AclOperation> privileges) {
// Not required for vert.x authX as it only authorizes endpoints
}
};
createServer(createServerConfig());
client = createClient();
action.run();
assertThat(principalAtomicReference.get().getName(), is(expectedUser));
assertThat(methodAtomicReference.get(), is(expectedMethod));
assertThat(pathAtomicReference.get(), is(expectedPath));
}
use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.
the class AuthTest method shouldAllowAccessWithoutAuthentication.
private void shouldAllowAccessWithoutAuthentication(final ExceptionThrowingRunnable action) throws Exception {
stopServer();
stopClient();
AtomicReference<Boolean> authorizationCallReference = new AtomicReference<>(false);
this.authorizationProvider = new KsqlAuthorizationProvider() {
@Override
public void checkEndpointAccess(final Principal user, final String method, final String path) {
authorizationCallReference.set(true);
}
@Override
public void checkPrivileges(final KsqlSecurityContext securityContext, final AuthObjectType objectType, final String objectName, final List<AclOperation> privileges) {
// Not required for vert.x authX as it only authorizes endpoints
}
};
createServer(createServerConfig());
client = createClient();
action.run();
assertThat("Should not call authorization", authorizationCallReference.get(), is(false));
}
Aggregations