use of io.pravega.shared.rest.security.AuthHandlerManager in project pravega by pravega.
From class RESTAuthHelperTest, method testAuthIsEnabledWhenPravegaAuthManagerIsNonNull.
@Test
public void testAuthIsEnabledWhenPravegaAuthManagerIsNonNull() {
    // The helper reports auth as enabled purely on the presence of a manager; the manager here is
    // deliberately built from a null config, so no handlers or config values are involved.
    AuthHandlerManager manager = new AuthHandlerManager(null);
    RESTAuthHelper helper = new RESTAuthHelper(manager);
    assertTrue(helper.isAuthEnabled());
}
use of io.pravega.shared.rest.security.AuthHandlerManager in project pravega by pravega.
From class StreamMetaDataAuthFocusedTests, method initializer.
// region Test class initializer and cleanup
@BeforeClass
public static void initializer() throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
    // Write one credentials line per test user into a temp password file, then stand up an
    // auth-enabled REST server backed by a mocked ControllerService.
    passwordHandlerInputFile = File.createTempFile("AuthFocusedTests", ".txt");
    StrongPasswordProcessor encryptor = StrongPasswordProcessor.builder().build();
    String hashedPassword = encryptor.encryptPassword(DEFAULT_PASSWORD);

    // {user name, ACL string}; every user shares the same (hashed) DEFAULT_PASSWORD.
    String[][] userAcls = {
        // This user can do anything in the system.
        {USER_PRIVILEGED, "prn::*,READ_UPDATE"},
        {USER_SCOPE_CREATOR, "prn::/,READ_UPDATE"},
        // This user can list scopes and upon listing will see all scopes (/*).
        {USER_SCOPE_LISTER, "prn::/,READ;prn::/*,READ"},
        // This user can list, read, update, delete all scopes. Upon listing scopes, this user will see all scopes.
        {USER_SCOPE_MANAGER, "prn::/,READ_UPDATE;prn::/*,READ_UPDATE"},
        // This user can create, update, delete all child objects of a scope (streams, reader groups, etc.)
        {USER_STREAMS_IN_A_SCOPE_CREATOR, "prn::/scope:sisc-scope,READ_UPDATE;"},
        {USER_USER1, "prn::/,READ_UPDATE;prn::/scope:scope1,READ_UPDATE;prn::/scope:scope2,READ_UPDATE;"},
        {USER_WITH_NO_ROOT_ACCESS, "prn::/scope:scope1,READ_UPDATE;prn::/scope:scope2,READ_UPDATE;"},
        // NOTE(review): USER_UNAUTHORIZED carries the same ACL as USER_USER1 — confirm that is intended.
        {USER_UNAUTHORIZED, "prn::/,READ_UPDATE;prn::/scope:scope1,READ_UPDATE;prn::/scope:scope2,READ_UPDATE;"},
        {USER_ACCESS_TO_SUBSET_OF_SCOPES, "prn::/,READ;prn::/scope:scope3,READ_UPDATE;"},
        {USER_WITH_NO_AUTHORIZATIONS, ";"},
        {USER_WITH_READ_UPDATE_ROOT, "prn::/scope:scopeToDelete,READ_UPDATE;"},
        {USER_ACCESS_TO_SCOPES_BUT_NOSTREAMS, "prn::/scope:myscope,READ_UPDATE;"},
        {USER_ACCESS_TO_SCOPES_READ_ALLSTREAMS, "prn::/scope:myscope,READ_UPDATE;prn::/scope:myscope/*,READ;"},
        {USER_ACCESS_TO_SCOPES_READUPDATE_ALLSTREAMS, "prn::/scope:myscope,READ_UPDATE;prn::/scope:myscope/*,READ_UPDATE;"},
        {USER_ACCESS_TO_SCOPE_WRITE_SPECIFIC_STREAM, "prn::/scope:myscope,READ_UPDATE;prn::/scope:myscope/stream:stream1,READ_UPDATE;"},
    };
    try (FileWriter writer = new FileWriter(passwordHandlerInputFile.getAbsolutePath())) {
        for (String[] entry : userAcls) {
            writer.write(credentialsAndAclAsString(entry[0], hashedPassword, entry[1]));
        }
    }

    // gRPC-side auth: the manager reads the password file written above.
    AuthHandlerManager authManager = new AuthHandlerManager(
            GRPCServerConfigImpl.builder()
                    .authorizationEnabled(true)
                    .userPasswordFile(passwordHandlerInputFile.getAbsolutePath())
                    .port(1000)
                    .build());
    ServerBuilder<?> grpcServer = ServerBuilder.forPort(TestUtils.getAvailableListenPort());
    GrpcAuthHelper.registerInterceptors(authManager.getHandlerMap(), grpcServer);

    // REST side: a LocalController over a mocked ControllerService, served on a free port.
    mockControllerService = mock(ControllerService.class);
    serverConfig = RESTServerConfigImpl.builder()
            .host("localhost")
            .port(TestUtils.getAvailableListenPort())
            .build();
    LocalController localController = new LocalController(mockControllerService, false, "");
    connectionFactory = new SocketConnectionFactoryImpl(
            ClientConfig.builder().controllerURI(URI.create("tcp://localhost")).build());
    StreamMetadataResourceImpl resource = new StreamMetadataResourceImpl(
            localController, mockControllerService, authManager, connectionFactory, ClientConfig.builder().build());
    restServer = new RESTServer(serverConfig, Set.of(resource));
    restServer.startAsync();
    restServer.awaitRunning();
    client = ClientBuilder.newClient();
}
use of io.pravega.shared.rest.security.AuthHandlerManager in project pravega by pravega.
From class SecureStreamMetaDataTests, method setup.
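@Override
@Before
public void setup() throws Exception {
    // The password file holds hashed credentials and is referenced only through this local, so no
    // teardown can reach it; register it for deletion so it does not outlive the test JVM.
    File file = File.createTempFile("SecureStreamMetaDataTests", ".txt");
    file.deleteOnExit();
    StrongPasswordProcessor passwordEncryptor = StrongPasswordProcessor.builder().build();
    try (FileWriter writer = new FileWriter(file.getAbsolutePath())) {
        String passwd = passwordEncryptor.encryptPassword("1111_aaaa");
        // Admin has READ_WRITE permission to everything
        addAuthFileEntry(writer, "admin", passwd, Collections.singletonList("prn::*,READ_UPDATE"));
        // User "user1" can:
        // - list, create and delete scopes
        // - Create and delete streams within scopes "scope1" and "scope2". Also if "user1" lists scopes,
        // she'll see those scopes, but not "scope3".
        // NOTE(review): the trailing "\n" inside user1's last ACL looks accidental — confirm how
        // addAuthFileEntry terminates lines before relying on it.
        addAuthFileEntry(writer, "user1", passwd, Arrays.asList("prn::/,READ_UPDATE", "prn::/scope:scope1,READ_UPDATE", "prn::/scope:scope1/*,READ_UPDATE", "prn::/scope:scope2,READ_UPDATE", "prn::/scope:scope2/*,READ_UPDATE\n"));
        addAuthFileEntry(writer, "user2", passwd, Arrays.asList("prn::/,READ", "prn::/scope:scope3,READ_UPDATE"));
    }
    // Auth-enabled, TLS-configured gRPC config; the manager reads the password file written above.
    this.authManager = new AuthHandlerManager(GRPCServerConfigImpl.builder()
            .authorizationEnabled(true)
            .tlsCertFile(SecurityConfigDefaults.TLS_SERVER_CERT_PATH)
            .tlsKeyFile(SecurityConfigDefaults.TLS_SERVER_PRIVATE_KEY_PATH)
            .userPasswordFile(file.getAbsolutePath())
            .port(1000)
            .build());
    super.setup();
}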
use of io.pravega.shared.rest.security.AuthHandlerManager in project pravega by pravega.
From class ServiceStarter, method start.
// endregion
// region Service Operation
/**
 * Starts the segment store and its supporting services in dependency order: health service,
 * metrics (when statistics are enabled), ZooKeeper client, service builder, segment and table
 * stores, auto-scale monitor, the client-facing connection listener, and optionally the admin
 * gateway and the REST server.
 *
 * @throws Exception if any of the underlying services fails to initialize or start.
 */
public void start() throws Exception {
    // Reject start() on an instance that has already been closed.
    Exceptions.checkNotClosed(this.closed, this);
    healthServiceManager = new HealthServiceManager(serviceConfig.getHealthCheckInterval());
    healthServiceManager.start();
    log.info("Initializing HealthService ...");
    MetricsConfig metricsConfig = builderConfig.getConfig(MetricsConfig::builder);
    if (metricsConfig.isEnableStatistics()) {
        log.info("Initializing metrics provider ...");
        MetricsProvider.initialize(metricsConfig);
        statsProvider = MetricsProvider.getMetricsProvider();
        statsProvider.start();
    }
    log.info("Initializing ZooKeeper Client ...");
    this.zkClient = createZKClient();
    log.info("Initializing Service Builder ...");
    this.serviceBuilder.initialize();
    log.info("Creating StreamSegmentService ...");
    StreamSegmentStore service = this.serviceBuilder.createStreamSegmentService();
    log.info("Creating TableStoreService ...");
    TableStore tableStoreService = this.serviceBuilder.createTableStoreService();
    log.info("Creating Segment Stats recorder ...");
    autoScaleMonitor = new AutoScaleMonitor(service, builderConfig.getConfig(AutoScalerConfig::builder));
    AutoScalerConfig autoScalerConfig = builderConfig.getConfig(AutoScalerConfig::builder);
    // The verifier stays null when auth is disabled; both listeners below receive it as-is.
    // NOTE(review): confirm the listeners treat a null verifier as "no token checks" rather than NPE.
    TokenVerifierImpl tokenVerifier = null;
    if (autoScalerConfig.isAuthEnabled()) {
        tokenVerifier = new TokenVerifierImpl(autoScalerConfig.getTokenSigningKey());
    }
    // Log the configuration
    // NOTE(review): AutoScalerConfig carries the token signing key (getTokenSigningKey() above);
    // confirm its toString() redacts that value before it is written to the log.
    log.info(serviceConfig.toString());
    log.info(autoScalerConfig.toString());
    // Client-facing listener: TLS settings, cert/key files and the (possibly null) token verifier
    // all come from serviceConfig / autoScalerConfig.
    this.listener = new PravegaConnectionListener(this.serviceConfig.isEnableTls(), this.serviceConfig.isEnableTlsReload(), this.serviceConfig.getListeningIPAddress(), this.serviceConfig.getListeningPort(), service, tableStoreService, autoScaleMonitor.getStatsRecorder(), autoScaleMonitor.getTableSegmentStatsRecorder(), tokenVerifier, this.serviceConfig.getCertFile(), this.serviceConfig.getKeyFile(), this.serviceConfig.isReplyWithStackTraceOnError(), serviceBuilder.getLowPriorityExecutor(), this.serviceConfig.getTlsProtocolVersion(), healthServiceManager);
    this.listener.startListening();
    log.info("PravegaConnectionListener started successfully.");
    if (serviceConfig.isEnableAdminGateway()) {
        // Admin gateway shares the same TLS material and token verifier as the main listener,
        // but binds to its own port.
        this.adminListener = new AdminConnectionListener(this.serviceConfig.isEnableTls(), this.serviceConfig.isEnableTlsReload(), this.serviceConfig.getListeningIPAddress(), this.serviceConfig.getAdminGatewayPort(), service, tableStoreService, tokenVerifier, this.serviceConfig.getCertFile(), this.serviceConfig.getKeyFile(), this.serviceConfig.getTlsProtocolVersion(), healthServiceManager);
        this.adminListener.startListening();
        log.info("AdminConnectionListener started successfully.");
    }
    log.info("StreamSegmentService started.");
    // Health contributors are registered after the stores exist so their probes have something to check.
    healthServiceManager.register(new ZKHealthContributor(zkClient));
    healthServiceManager.register(new CacheManagerHealthContributor(serviceBuilder.getCacheManager()));
    healthServiceManager.register(new SegmentContainerRegistryHealthContributor(serviceBuilder.getSegmentContainerRegistry()));
    if (this.serviceConfig.isRestServerEnabled()) {
        log.info("Initializing RESTServer ...");
        List<Object> resources = new ArrayList<>();
        // The REST endpoints get their own AuthHandlerManager, built from the REST server config
        // rather than the gRPC/auto-scaler settings used for the token verifier above.
        resources.add(new HealthImpl(new AuthHandlerManager(serviceConfig.getRestServerConfig()), healthServiceManager.getEndpoint()));
        // Prometheus resource is only present when the metrics provider exposes one.
        MetricsProvider.getMetricsProvider().prometheusResource().ifPresent(resources::add);
        restServer = new RESTServer(serviceConfig.getRestServerConfig(), Set.copyOf(resources));
        restServer.startAsync();
        restServer.awaitRunning();
    }
}
use of io.pravega.shared.rest.security.AuthHandlerManager in project pravega by pravega.
From class RESTAuthHelperTest, method init.
@Before
public void init() {
    // Authorization is switched on and a password file name is supplied, but the handler that
    // actually gets registered is a FakeAuthHandler, so the helper under test never touches a real file.
    RESTServerConfig restConfig = RESTServerConfigImpl.builder()
            .host("localhost")
            .port(TestUtils.getAvailableListenPort())
            .authorizationEnabled(true)
            .userPasswordFile("passwd")
            .tlsEnabled(false)
            .build();
    AuthHandlerManager manager = new AuthHandlerManager(restConfig);
    manager.registerHandler(new FakeAuthHandler());
    authHelper = new RESTAuthHelper(manager);
}