
Example 11 with KafkaAuthorization

use of io.strimzi.api.kafka.model.KafkaAuthorization in project strimzi by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testKeycloakAuthorization.

/**
 * Keycloak authorization: every builder option must show up in the broker properties, the
 * truststore options must be emitted because a trusted certificate is configured, and
 * disabling TLS hostname verification must render an empty endpoint identification algorithm.
 * The operator-managed principals come first in {@code super.users}; the CR-configured ones last.
 */
@ParallelTest
public void testKeycloakAuthorization() {
    CertSecretSource trustedCert = new CertSecretSourceBuilder()
            .withSecretName("my-secret")
            .withCertificate("my.crt")
            .build();

    // The plain-http token endpoint is a fixture value; the TLS options are driven by the trusted certificate
    KafkaAuthorization keycloakAuthorization = new KafkaAuthorizationKeycloakBuilder()
            .withTokenEndpointUri("http://token-endpoint-uri")
            .withClientId("my-client-id")
            .withDelegateToKafkaAcls(false)
            .withGrantsRefreshPeriodSeconds(120)
            .withGrantsRefreshPoolSize(10)
            .withTlsTrustedCertificates(trustedCert)
            .withDisableTlsHostnameVerification(true)
            .addToSuperUsers("giada", "CN=paccu")
            .withConnectTimeoutSeconds(30)
            .build();

    String brokerConfig = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION)
            .withAuthorization("my-cluster", keycloakAuthorization)
            .build();

    String expectedSuperUsers = "super.users="
            + "User:CN=my-cluster-kafka,O=io.strimzi;"
            + "User:CN=my-cluster-entity-topic-operator,O=io.strimzi;"
            + "User:CN=my-cluster-entity-user-operator,O=io.strimzi;"
            + "User:CN=my-cluster-kafka-exporter,O=io.strimzi;"
            + "User:CN=my-cluster-cruise-control,O=io.strimzi;"
            + "User:CN=cluster-operator,O=io.strimzi;"
            + "User:giada;"
            + "User:CN=paccu";

    String expected = "authorizer.class.name=io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer\n"
            + "strimzi.authorization.token.endpoint.uri=http://token-endpoint-uri\n"
            + "strimzi.authorization.client.id=my-client-id\n"
            + "strimzi.authorization.delegate.to.kafka.acl=false\n"
            + "strimzi.authorization.kafka.cluster.name=my-cluster\n"
            + "strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12\n"
            + "strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}\n"
            + "strimzi.authorization.ssl.truststore.type=PKCS12\n"
            + "strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG\n"
            // empty algorithm == hostname verification disabled, as requested in the CR above
            + "strimzi.authorization.ssl.endpoint.identification.algorithm=\n"
            + "strimzi.authorization.grants.refresh.period.seconds=120\n"
            + "strimzi.authorization.grants.refresh.pool.size=10\n"
            + "strimzi.authorization.connect.timeout.seconds=30\n"
            + expectedSuperUsers;

    assertThat(brokerConfig, isEquivalent(expected));
}

Example 12 with KafkaAuthorization

use of io.strimzi.api.kafka.model.KafkaAuthorization in project strimzi by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testSimpleAuthorizationWithSuperUsers.

/**
 * Simple (ACL) authorization with CR-configured super users: the built-in AclAuthorizer must be
 * selected and the configured names appended, as {@code User:} principals, after the
 * operator-managed principals in {@code super.users}.
 */
@ParallelTest
public void testSimpleAuthorizationWithSuperUsers() {
    KafkaAuthorization simpleAuthorization = new KafkaAuthorizationSimpleBuilder()
            .addToSuperUsers("jakub", "CN=kuba")
            .build();

    String brokerConfig = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION)
            .withAuthorization("my-cluster", simpleAuthorization)
            .build();

    String expected = "authorizer.class.name=kafka.security.authorizer.AclAuthorizer\n"
            + "super.users="
            + "User:CN=my-cluster-kafka,O=io.strimzi;"
            + "User:CN=my-cluster-entity-topic-operator,O=io.strimzi;"
            + "User:CN=my-cluster-entity-user-operator,O=io.strimzi;"
            + "User:CN=my-cluster-kafka-exporter,O=io.strimzi;"
            + "User:CN=my-cluster-cruise-control,O=io.strimzi;"
            + "User:CN=cluster-operator,O=io.strimzi;"
            + "User:jakub;"
            + "User:CN=kuba";

    assertThat(brokerConfig, isEquivalent(expected));
}

Example 13 with KafkaAuthorization

use of io.strimzi.api.kafka.model.KafkaAuthorization in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilder method configureAuthorization.

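/**
 * Configures authorization for the Kafka brokers. This method is used only internally.
 *
 * <p>Emits {@code authorizer.class.name} for the authorization type declared in the CR
 * (simple/ACL, OPA, Keycloak or custom), followed by the authorizer-specific options, and
 * appends any user-configured super users (each prefixed with {@code User:}) to
 * {@code superUsers}. A type matching none of the known constants writes nothing.
 *
 * <p>Review notes: the values read from the CR (URLs, client id, authorizer class name,
 * super user names) are written into the broker properties verbatim; this relies on them
 * having been validated earlier (presumably by the CRD schema) — a CR/LF inside a value
 * would start a new property line. For Keycloak, {@code disableTlsHostnameVerification}
 * is honoured by writing an empty endpoint identification algorithm, which turns off
 * hostname checking of the token endpoint's certificate; the Keycloak truststore options
 * are only written when the CR lists trusted certificates.
 *
 * @param clusterName Name of the cluster
 * @param superUsers Super users list who have all the rights on the cluster; user-configured
 *                   super users from the CR are appended to this list
 * @param authorization The authorization configuration from the Kafka CR
 */
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
    String type = authorization.getType();

    if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(type)) {
        KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
        appendSuperUsers(superUsers, simpleAuthz.getSuperUsers());
    } else if (KafkaAuthorizationOpa.TYPE_OPA.equals(type)) {
        KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
        writer.println(String.format("%s=%s", "opa.authorizer.url", opaAuthz.getUrl()));
        // Passed through as configured. Judging by its name, "allow on error" presumably makes the
        // authorizer fail open when OPA cannot be reached, so a true value is a deliberate
        // availability-over-safety choice made in the CR, not something this builder decides.
        writer.println(String.format("%s=%b", "opa.authorizer.allow.on.error", opaAuthz.isAllowOnError()));
        writer.println(String.format("%s=%b", "opa.authorizer.metrics.enabled", opaAuthz.isEnableMetrics()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.initial.capacity", opaAuthz.getInitialCacheCapacity()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.maximum.size", opaAuthz.getMaximumCacheSize()));
        // The CR expresses the cache expiry in milliseconds; the authorizer option takes whole seconds
        long expireAfterSeconds = Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds();
        writer.println(String.format("%s=%d", "opa.authorizer.cache.expire.after.seconds", expireAfterSeconds));
        appendSuperUsers(superUsers, opaAuthz.getSuperUsers());
    } else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(type)) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
        writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
        writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
        writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
        // Optional tuning values; addOption (defined outside this block) presumably skips unset ones
        addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
        addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
        addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
        addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
        writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
        // Without trusted certificates no truststore is configured at all, so an https token
        // endpoint would then be validated against whatever the broker JVM trusts by default
        if (keycloakAuthz.getTlsTrustedCertificates() != null && !keycloakAuthz.getTlsTrustedCertificates().isEmpty()) {
            writeKeycloakTlsOptions(keycloakAuthz.isDisableTlsHostnameVerification());
        }
        appendSuperUsers(superUsers, keycloakAuthz.getSuperUsers());
    } else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(type)) {
        KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
        // The broker loads whatever class the CR names; nothing in this builder restricts it
        writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
        appendSuperUsers(superUsers, customAuthz.getSuperUsers());
    }
}

/**
 * Writes the TLS options the Keycloak authorizer uses when talking to the token endpoint.
 * The truststore is a fixed PKCS12 path (presumably assembled elsewhere by the operator from
 * the CR's trusted certificates); its password is not embedded here but left as a
 * {@code ${CERTS_STORE_PASSWORD}} placeholder, presumably substituted from that environment
 * variable when the broker starts.
 *
 * @param disableHostnameVerification when true the endpoint identification algorithm is left
 *                                    empty, which disables hostname verification of the
 *                                    Keycloak server certificate; otherwise it is set to HTTPS
 */
private void writeKeycloakTlsOptions(boolean disableHostnameVerification) {
    writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
    writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
    writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
    // The SecureRandom implementation is pinned explicitly rather than left to the JVM default
    writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
    // An empty algorithm is how hostname verification is switched off for this connection
    String endpointIdentificationAlgorithm = disableHostnameVerification ? "" : "HTTPS";
    writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
}

/**
 * Appends the user-configured super users to the cluster-wide super users list, each prefixed
 * with {@code User:} so Kafka treats the entry as a user principal. A null or empty list leaves
 * {@code superUsers} untouched. The names are not validated here (see the class-level review
 * note on verbatim CR values).
 *
 * @param superUsers the list being built for {@code super.users}; modified in place
 * @param configuredSuperUsers the super users declared in the CR, may be null
 */
private void appendSuperUsers(List<String> superUsers, List<String> configuredSuperUsers) {
    if (configuredSuperUsers == null || configuredSuperUsers.isEmpty()) {
        return;
    }
    for (String principal : configuredSuperUsers) {
        superUsers.add(String.format("User:%s", principal));
    }
}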

Example 14 with KafkaAuthorization

use of io.strimzi.api.kafka.model.KafkaAuthorization in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testSimpleAuthorizationWithoutSuperUsers.

/**
 * Simple (ACL) authorization with no super users in the CR: the built-in AclAuthorizer must be
 * selected and {@code super.users} must contain only the operator-managed principals.
 */
@ParallelTest
public void testSimpleAuthorizationWithoutSuperUsers() {
    KafkaAuthorization simpleAuthorization = new KafkaAuthorizationSimpleBuilder().build();

    String brokerConfig = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION)
            .withAuthorization("my-cluster", simpleAuthorization)
            .build();

    String expected = "authorizer.class.name=kafka.security.authorizer.AclAuthorizer\n"
            + "super.users="
            + "User:CN=my-cluster-kafka,O=io.strimzi;"
            + "User:CN=my-cluster-entity-topic-operator,O=io.strimzi;"
            + "User:CN=my-cluster-entity-user-operator,O=io.strimzi;"
            + "User:CN=my-cluster-kafka-exporter,O=io.strimzi;"
            + "User:CN=my-cluster-cruise-control,O=io.strimzi;"
            + "User:CN=cluster-operator,O=io.strimzi";

    assertThat(brokerConfig, isEquivalent(expected));
}
