Example 6 with AclRuleBuilder

Use of io.strimzi.api.kafka.model.AclRuleBuilder in project strimzi-kafka-operator by strimzi.

Class UserST, method testTlsExternalUser.

@ParallelNamespaceTest
void testTlsExternalUser(ExtensionContext extensionContext) {
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(namespace, extensionContext);
    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    final String userName = mapWithTestUsers.get(extensionContext.getDisplayName());
    final String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
    final AclRule writeRule = new AclRuleBuilder()
        .withNewAclRuleTopicResource().withName(topicName).endAclRuleTopicResource()
        .withOperation(AclOperation.WRITE)
        .build();
    final AclRule describeRule = new AclRuleBuilder()
        .withNewAclRuleTopicResource().withName(topicName).endAclRuleTopicResource()
        .withOperation(AclOperation.DESCRIBE)
        .build();
    // exercise (a) - create Kafka cluster with support for authorization
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 1, 1)
        .editSpec()
            .editKafka().withNewKafkaAuthorizationSimple().endKafkaAuthorizationSimple().endKafka()
        .endSpec()
        .build());
    // quotas configuration
    final int prodRate = 1212;
    final int consRate = 2121;
    final int requestPerc = 21;
    final double mutRate = 5d;
    final KafkaUser tlsExternalUserWithQuotasAndAcls = KafkaUserTemplates.tlsExternalUser(namespaceName, clusterName, userName)
        .editSpec()
            .withNewKafkaUserAuthorizationSimple().addToAcls(writeRule, describeRule).endKafkaUserAuthorizationSimple()
            .withNewQuotas()
                .withConsumerByteRate(consRate)
                .withProducerByteRate(prodRate)
                .withRequestPercentage(requestPerc)
                .withControllerMutationRate(mutRate)
            .endQuotas()
        .endSpec()
        .build();
    // exercise (b) - create the KafkaUser with tls external client authentication
    resourceManager.createResource(extensionContext, tlsExternalUserWithQuotasAndAcls);
    // verify (a) - that secrets are not generated and KafkaUser is created
    KafkaUserUtils.waitForKafkaUserReady(namespaceName, userName);
    assertThat(kubeClient().getSecret(namespaceName, userName), nullValue());
    // verify (b) - that the operator has the right username in the status, which is what it also uses in the ACLs and quotas
    KafkaUser user = KafkaUserResource.kafkaUserClient().inNamespace(namespaceName).withName(userName).get();
    assertThat(user.getStatus().getUsername(), is("CN=" + userName));
}
Also used: AclRuleBuilder (io.strimzi.api.kafka.model.AclRuleBuilder), AclRule (io.strimzi.api.kafka.model.AclRule), KafkaUser (io.strimzi.api.kafka.model.KafkaUser), ParallelNamespaceTest (io.strimzi.systemtest.annotations.ParallelNamespaceTest)

Aggregations

AclRule (io.strimzi.api.kafka.model.AclRule): 6
AclRuleBuilder (io.strimzi.api.kafka.model.AclRuleBuilder): 6
Test (org.junit.jupiter.api.Test): 4
KafkaUser (io.strimzi.api.kafka.model.KafkaUser): 2
ParallelNamespaceTest (io.strimzi.systemtest.annotations.ParallelNamespaceTest): 2
AccessControlEntry (org.apache.kafka.common.acl.AccessControlEntry): 2
AclBinding (org.apache.kafka.common.acl.AclBinding): 2