Examples with KsqlSecurityContext io.confluent.ksql.security.KsqlSecurityContext used on opensource projects

Example 1 with KsqlSecurityContext

use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.

the class DistributingExecutor method checkAuthorization.

private void checkAuthorization(final ConfiguredStatement<?> configured, final KsqlSecurityContext userSecurityContext, final KsqlExecutionContext serverExecutionContext) {
    final Statement statement = configured.getStatement();
    final MetaStore metaStore = serverExecutionContext.getMetaStore();
    // Check the User will be permitted to execute this statement
    authorizationValidator.ifPresent(validator -> validator.checkAuthorization(userSecurityContext, metaStore, statement));
    try {
        // Check the KSQL service principal will be permitted too
        authorizationValidator.ifPresent(validator -> validator.checkAuthorization(new KsqlSecurityContext(Optional.empty(), serverExecutionContext.getServiceContext()), metaStore, statement));
    } catch (final Exception e) {
        throw new KsqlServerException("The KSQL server is not permitted to execute the command", e);
    }
}

Example 2 with KsqlSecurityContext

use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.

the class KsqlRestApplication method maybeCreateProcessingLogStream.

private static void maybeCreateProcessingLogStream(final ProcessingLogConfig processingLogConfig, final KsqlConfig ksqlConfig, final KsqlRestConfig restConfig, final KsqlResource ksqlResource, final ServiceContext serviceContext) {
    if (!processingLogConfig.getBoolean(ProcessingLogConfig.STREAM_AUTO_CREATE)) {
        return;
    }
    try {
        final SimpleKsqlClient internalClient = new ServerInternalKsqlClient(ksqlResource, new KsqlSecurityContext(Optional.empty(), serviceContext));
        final URI serverEndpoint = ServerUtil.getServerAddress(restConfig);
        final String processingLogStreamName = processingLogConfig.getString(ProcessingLogConfig.STREAM_NAME);
        if (!processingLogStreamExists(internalClient, serverEndpoint, processingLogStreamName)) {
            final RestResponse<KsqlEntityList> response = internalClient.makeKsqlRequest(serverEndpoint, ProcessingLogServerUtils.processingLogStreamCreateStatement(processingLogConfig, ksqlConfig), ImmutableMap.of());
            if (response.isSuccessful()) {
                log.info("Successfully created processing log stream.");
            }
        }
    } catch (final Exception e) {
        log.error("Error while sending processing log CreateStream request to KsqlResource: ", e);
    }
}

Example 3 with KsqlSecurityContext

use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.

the class KsqlRestApplicationTest method setUp.

@SuppressWarnings({ "unchecked", "rawtypes" })
@Before
public void setUp() {
    when(processingLogConfig.getBoolean(ProcessingLogConfig.STREAM_AUTO_CREATE)).thenReturn(true);
    when(processingLogConfig.getString(ProcessingLogConfig.STREAM_NAME)).thenReturn(LOG_STREAM_NAME);
    when(processingLogConfig.getString(ProcessingLogConfig.TOPIC_NAME)).thenReturn(LOG_TOPIC_NAME);
    when(processingLogConfig.getBoolean(ProcessingLogConfig.TOPIC_AUTO_CREATE)).thenReturn(true);
    when(processingLogContext.getConfig()).thenReturn(processingLogConfig);
    when(ksqlEngine.parse(any())).thenReturn(ImmutableList.of(parsedStatement));
    when(ksqlEngine.prepare(any())).thenReturn((PreparedStatement) preparedStatement);
    when(commandQueue.getCommandTopicName()).thenReturn(CMD_TOPIC_NAME);
    when(serviceContext.getTopicClient()).thenReturn(topicClient);
    when(topicClient.isTopicExists(CMD_TOPIC_NAME)).thenReturn(false);
    when(ksqlConfig.getString(KsqlConfig.KSQL_SERVICE_ID_CONFIG)).thenReturn("ksql-id");
    when(ksqlConfig.getKsqlStreamConfigProps()).thenReturn(ImmutableMap.of("state.dir", "/tmp/cat"));
    when(precondition1.checkPrecondition(any(), any(), any())).thenReturn(Optional.empty());
    when(precondition2.checkPrecondition(any(), any(), any())).thenReturn(Optional.empty());
    when(response.getStatus()).thenReturn(200);
    when(response.getEntity()).thenReturn(new KsqlEntityList(Collections.singletonList(new StreamsList(LIST_STREAMS_SQL, Collections.emptyList()))));
    when(ksqlResource.handleKsqlStatements(any(), any())).thenReturn(response);
    securityContext = new KsqlSecurityContext(Optional.empty(), serviceContext);
    logCreateStatement = ProcessingLogServerUtils.processingLogStreamCreateStatement(processingLogConfig, ksqlConfig);
    givenAppWithRestConfig(ImmutableMap.of(KsqlRestConfig.LISTENERS_CONFIG, "http://localhost:0"), new MetricCollectors());
}

Example 4 with KsqlSecurityContext

use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.

the class AuthTest method shouldAllowAccessWithPermissionCheck.

private void shouldAllowAccessWithPermissionCheck(final String expectedUser, final String expectedMethod, final String expectedPath, final ExceptionThrowingRunnable action) throws Exception {
    stopServer();
    stopClient();
    AtomicReference<Principal> principalAtomicReference = new AtomicReference<>();
    AtomicReference<String> methodAtomicReference = new AtomicReference<>();
    AtomicReference<String> pathAtomicReference = new AtomicReference<>();
    this.authorizationProvider = new KsqlAuthorizationProvider() {

        @Override
        public void checkEndpointAccess(final Principal user, final String method, final String path) {
            throwIfNullPrincipal(user);
            principalAtomicReference.set(user);
            methodAtomicReference.set(method);
            pathAtomicReference.set(path);
        }

        @Override
        public void checkPrivileges(final KsqlSecurityContext securityContext, final AuthObjectType objectType, final String objectName, final List<AclOperation> privileges) {
        // Not required for vert.x authX as it only authorizes endpoints
        }
    };
    createServer(createServerConfig());
    client = createClient();
    action.run();
    assertThat(principalAtomicReference.get().getName(), is(expectedUser));
    assertThat(methodAtomicReference.get(), is(expectedMethod));
    assertThat(pathAtomicReference.get(), is(expectedPath));
}

Example 5 with KsqlSecurityContext

use of io.confluent.ksql.security.KsqlSecurityContext in project ksql by confluentinc.

the class AuthTest method shouldAllowAccessWithoutAuthentication.

private void shouldAllowAccessWithoutAuthentication(final ExceptionThrowingRunnable action) throws Exception {
    stopServer();
    stopClient();
    AtomicReference<Boolean> authorizationCallReference = new AtomicReference<>(false);
    this.authorizationProvider = new KsqlAuthorizationProvider() {

        @Override
        public void checkEndpointAccess(final Principal user, final String method, final String path) {
            authorizationCallReference.set(true);
        }

        @Override
        public void checkPrivileges(final KsqlSecurityContext securityContext, final AuthObjectType objectType, final String objectName, final List<AclOperation> privileges) {
        // Not required for vert.x authX as it only authorizes endpoints
        }
    };
    createServer(createServerConfig());
    client = createClient();
    action.run();
    assertThat("Should not call authorization", authorizationCallReference.get(), is(false));
}