Examples with KafkaAuthorizationKeycloak io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak used on opensource projects

Example 11 with KafkaAuthorizationKeycloak

use of io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak in project strimzi-kafka-operator by strimzi.

the class KafkaCluster method getVolumeMounts.

private List<VolumeMount> getVolumeMounts() {
    List<VolumeMount> volumeMountList = new ArrayList<>();
    volumeMountList.addAll(VolumeUtils.createVolumeMounts(storage, mountPath, false));
    volumeMountList.add(createTempDirVolumeMount());
    volumeMountList.add(VolumeUtils.createVolumeMount(CLUSTER_CA_CERTS_VOLUME, CLUSTER_CA_CERTS_VOLUME_MOUNT));
    volumeMountList.add(VolumeUtils.createVolumeMount(BROKER_CERTS_VOLUME, BROKER_CERTS_VOLUME_MOUNT));
    volumeMountList.add(VolumeUtils.createVolumeMount(CLIENT_CA_CERTS_VOLUME, CLIENT_CA_CERTS_VOLUME_MOUNT));
    volumeMountList.add(VolumeUtils.createVolumeMount(logAndMetricsConfigVolumeName, logAndMetricsConfigMountPath));
    volumeMountList.add(VolumeUtils.createVolumeMount("ready-files", "/var/opt/kafka"));
    if (rack != null || isExposedWithNodePort()) {
        volumeMountList.add(VolumeUtils.createVolumeMount(INIT_VOLUME_NAME, INIT_VOLUME_MOUNT));
    }
    for (GenericKafkaListener listener : listeners) {
        String identifier = ListenersUtils.identifier(listener);
        if (listener.isTls() && listener.getConfiguration() != null && listener.getConfiguration().getBrokerCertChainAndKey() != null) {
            volumeMountList.add(VolumeUtils.createVolumeMount("custom-" + identifier + "-certs", "/opt/kafka/certificates/custom-" + identifier + "-certs"));
        }
        if (isListenerWithOAuth(listener)) {
            KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
            volumeMountList.addAll(AuthenticationUtils.configureOauthCertificateVolumeMounts("oauth-" + identifier, oauth.getTlsTrustedCertificates(), OAUTH_TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/oauth-" + identifier + "-certs"));
        }
        if (isListenerWithCustomAuth(listener)) {
            KafkaListenerAuthenticationCustom custom = (KafkaListenerAuthenticationCustom) listener.getAuth();
            volumeMountList.addAll(AuthenticationUtils.configureGenericSecretVolumeMounts("custom-listener-" + identifier, custom.getSecrets(), CUSTOM_AUTHN_SECRETS_VOLUME_MOUNT + "/custom-listener-" + identifier));
        }
    }
    if (authorization instanceof KafkaAuthorizationKeycloak) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        volumeMountList.addAll(AuthenticationUtils.configureOauthCertificateVolumeMounts("authz-keycloak", keycloakAuthz.getTlsTrustedCertificates(), OAUTH_TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/authz-keycloak-certs"));
    }
    return volumeMountList;
}

Example 12 with KafkaAuthorizationKeycloak

use of io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak in project strimzi-kafka-operator by strimzi.

the class OauthAuthorizationIsolatedST method testSuperUserWithOauthAuthorization.

@Description("As a superuser of team A and team B, i am able to break defined authorization rules")
@ParallelTest
@Order(6)
void testSuperUserWithOauthAuthorization(ExtensionContext extensionContext) {
    String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    String userName = mapWithTestUsers.get(extensionContext.getDisplayName());
    String teamAProducerName = TEAM_A_PRODUCER_NAME + "-" + clusterName;
    String teamAConsumerName = TEAM_A_CONSUMER_NAME + "-" + clusterName;
    String teamBProducerName = TEAM_B_PRODUCER_NAME + "-" + clusterName;
    String teamBConsumerName = TEAM_B_CONSUMER_NAME + "-" + clusterName;
    // only write means that Team A can not create new topic 'x-.*'
    String topicXName = TOPIC_X + mapWithTestTopics.get(extensionContext.getDisplayName());
    LabelSelector kafkaSelector = KafkaResource.getLabelSelector(oauthClusterName, KafkaResources.kafkaStatefulSetName(oauthClusterName));
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(oauthClusterName, topicXName, clusterOperator.getDeploymentNamespace()).build());
    LOGGER.info("Verifying that team B is not able write to topic starting with 'x-' because in kafka cluster" + "does not have super-users to break authorization rules");
    resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(clusterOperator.getDeploymentNamespace(), oauthClusterName, userName).build());
    KafkaOauthClients teamBOauthClientJob = new KafkaOauthClientsBuilder().withNamespaceName(clusterOperator.getDeploymentNamespace()).withProducerName(teamBProducerName).withConsumerName(teamBConsumerName).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(oauthClusterName)).withTopicName(topicXName).withMessageCount(MESSAGE_COUNT).withConsumerGroup("x-consumer_group_b-" + clusterName).withOauthClientId(TEAM_B_CLIENT).withOauthClientSecret(TEAM_B_CLIENT_SECRET).withOauthTokenEndpointUri(keycloakInstance.getOauthTokenEndpointUri()).withClientUserName(userName).build();
    resourceManager.createResource(extensionContext, teamBOauthClientJob.producerStrimziOauthTls(oauthClusterName));
    JobUtils.waitForJobFailure(teamBProducerName, clusterOperator.getDeploymentNamespace(), 30_000);
    JobUtils.deleteJobWithWait(clusterOperator.getDeploymentNamespace(), teamBProducerName);
    LOGGER.info("Verifying that team A is not able read to topic starting with 'x-' because in kafka cluster" + "does not have super-users to break authorization rules");
    KafkaOauthClients teamAOauthClientJob = new KafkaOauthClientsBuilder().withNamespaceName(clusterOperator.getDeploymentNamespace()).withProducerName(teamAProducerName).withConsumerName(teamAConsumerName).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(oauthClusterName)).withTopicName(topicXName).withMessageCount(MESSAGE_COUNT).withConsumerGroup("x-consumer_group_b1-" + clusterName).withOauthClientId(TEAM_A_CLIENT).withOauthClientSecret(TEAM_A_CLIENT_SECRET).withOauthTokenEndpointUri(keycloakInstance.getOauthTokenEndpointUri()).withClientUserName(userName).build();
    resourceManager.createResource(extensionContext, teamAOauthClientJob.consumerStrimziOauthTls(oauthClusterName));
    JobUtils.waitForJobFailure(teamAConsumerName, clusterOperator.getDeploymentNamespace(), 30_000);
    JobUtils.deleteJobWithWait(clusterOperator.getDeploymentNamespace(), teamAConsumerName);
    Map<String, String> kafkaPods = PodUtils.podSnapshot(clusterOperator.getDeploymentNamespace(), kafkaSelector);
    KafkaResource.replaceKafkaResourceInSpecificNamespace(oauthClusterName, kafka -> {
        List<String> superUsers = new ArrayList<>(2);
        superUsers.add("service-account-" + TEAM_A_CLIENT);
        superUsers.add("service-account-" + TEAM_B_CLIENT);
        ((KafkaAuthorizationKeycloak) kafka.getSpec().getKafka().getAuthorization()).setSuperUsers(superUsers);
    }, clusterOperator.getDeploymentNamespace());
    RollingUpdateUtils.waitTillComponentHasRolled(clusterOperator.getDeploymentNamespace(), kafkaSelector, 1, kafkaPods);
    LOGGER.info("Verifying that team B is able to write to topic starting with 'x-' and break authorization rule");
    resourceManager.createResource(extensionContext, teamBOauthClientJob.producerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(teamBProducerName, clusterOperator.getDeploymentNamespace(), MESSAGE_COUNT);
    LOGGER.info("Verifying that team A is able to write to topic starting with 'x-' and break authorization rule");
    teamAOauthClientJob = new KafkaOauthClientsBuilder(teamAOauthClientJob).withConsumerGroup("x-consumer_group_b2-" + clusterName).withTopicName(topicXName).build();
    resourceManager.createResource(extensionContext, teamAOauthClientJob.consumerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(teamAConsumerName, clusterOperator.getDeploymentNamespace(), MESSAGE_COUNT);
}

Example 13 with KafkaAuthorizationKeycloak

use of io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak in project strimzi-kafka-operator by strimzi.

the class KafkaCluster method getNonDataVolumes.

/**
 * Generates list of non-data volumes used by Kafka Pods. This includes tmp volumes, mounted secrets and config
 * maps.
 *
 * @param isOpenShift   Indicates whether we are on OpenShift or not
 *
 * @return              List of nondata volumes used by the ZooKeeper pods
 */
private List<Volume> getNonDataVolumes(boolean isOpenShift) {
    List<Volume> volumeList = new ArrayList<>();
    if (rack != null || isExposedWithNodePort()) {
        volumeList.add(VolumeUtils.createEmptyDirVolume(INIT_VOLUME_NAME, "1Mi", "Memory"));
    }
    volumeList.add(createTempDirVolume());
    volumeList.add(VolumeUtils.createSecretVolume(CLUSTER_CA_CERTS_VOLUME, AbstractModel.clusterCaCertSecretName(cluster), isOpenShift));
    volumeList.add(VolumeUtils.createSecretVolume(BROKER_CERTS_VOLUME, KafkaCluster.brokersSecretName(cluster), isOpenShift));
    volumeList.add(VolumeUtils.createSecretVolume(CLIENT_CA_CERTS_VOLUME, KafkaCluster.clientsCaCertSecretName(cluster), isOpenShift));
    volumeList.add(VolumeUtils.createConfigMapVolume(logAndMetricsConfigVolumeName, ancillaryConfigMapName));
    volumeList.add(VolumeUtils.createEmptyDirVolume("ready-files", "1Ki", "Memory"));
    for (GenericKafkaListener listener : listeners) {
        if (listener.isTls() && listener.getConfiguration() != null && listener.getConfiguration().getBrokerCertChainAndKey() != null) {
            CertAndKeySecretSource secretSource = listener.getConfiguration().getBrokerCertChainAndKey();
            Map<String, String> items = new HashMap<>(2);
            items.put(secretSource.getKey(), "tls.key");
            items.put(secretSource.getCertificate(), "tls.crt");
            volumeList.add(VolumeUtils.createSecretVolume("custom-" + ListenersUtils.identifier(listener) + "-certs", secretSource.getSecretName(), items, isOpenShift));
        }
        if (isListenerWithOAuth(listener)) {
            KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
            volumeList.addAll(AuthenticationUtils.configureOauthCertificateVolumes("oauth-" + ListenersUtils.identifier(listener), oauth.getTlsTrustedCertificates(), isOpenShift));
        }
        if (isListenerWithCustomAuth(listener)) {
            KafkaListenerAuthenticationCustom custom = (KafkaListenerAuthenticationCustom) listener.getAuth();
            volumeList.addAll(AuthenticationUtils.configureGenericSecretVolumes("custom-listener-" + ListenersUtils.identifier(listener), custom.getSecrets(), isOpenShift));
        }
    }
    if (authorization instanceof KafkaAuthorizationKeycloak) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        volumeList.addAll(AuthenticationUtils.configureOauthCertificateVolumes("authz-keycloak", keycloakAuthz.getTlsTrustedCertificates(), isOpenShift));
    }
    return volumeList;
}

Example 14 with KafkaAuthorizationKeycloak

use of io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilder method configureAuthorization.

/**
 * Configures authorization for the Kafka brokers. This method is used only internally.
 *
 * @param clusterName Name of the cluster
 * @param superUsers Super users list who have all the rights on the cluster
 * @param authorization The authorization configuration from the Kafka CR
 */
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
    if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(authorization.getType())) {
        KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
        // User configured super users
        if (simpleAuthz.getSuperUsers() != null && simpleAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(simpleAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    } else if (KafkaAuthorizationOpa.TYPE_OPA.equals(authorization.getType())) {
        KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
        writer.println(String.format("%s=%s", "opa.authorizer.url", opaAuthz.getUrl()));
        writer.println(String.format("%s=%b", "opa.authorizer.allow.on.error", opaAuthz.isAllowOnError()));
        writer.println(String.format("%s=%b", "opa.authorizer.metrics.enabled", opaAuthz.isEnableMetrics()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.initial.capacity", opaAuthz.getInitialCacheCapacity()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.maximum.size", opaAuthz.getMaximumCacheSize()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.expire.after.seconds", Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds()));
        // User configured super users
        if (opaAuthz.getSuperUsers() != null && opaAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(opaAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    } else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(authorization.getType())) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
        writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
        writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
        writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
        addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
        addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
        addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
        addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
        writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
        if (keycloakAuthz.getTlsTrustedCertificates() != null && keycloakAuthz.getTlsTrustedCertificates().size() > 0) {
            writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
            writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
            writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
            writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
            String endpointIdentificationAlgorithm = keycloakAuthz.isDisableTlsHostnameVerification() ? "" : "HTTPS";
            writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
        }
        // User configured super users
        if (keycloakAuthz.getSuperUsers() != null && keycloakAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(keycloakAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    } else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(authorization.getType())) {
        KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
        writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
        // User configured super users
        if (customAuthz.getSuperUsers() != null && customAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(customAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    }
}

Example 15 with KafkaAuthorizationKeycloak

use of io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak in project strimzi by strimzi.

the class KafkaBrokerConfigurationBuilder method configureAuthorization.

/**
 * Configures authorization for the Kafka brokers. This method is used only internally.
 *
 * @param clusterName Name of the cluster
 * @param superUsers Super users list who have all the rights on the cluster
 * @param authorization The authorization configuration from the Kafka CR
 */
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
    if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(authorization.getType())) {
        KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
        // User configured super users
        if (simpleAuthz.getSuperUsers() != null && simpleAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(simpleAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    } else if (KafkaAuthorizationOpa.TYPE_OPA.equals(authorization.getType())) {
        KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
        writer.println(String.format("%s=%s", "opa.authorizer.url", opaAuthz.getUrl()));
        writer.println(String.format("%s=%b", "opa.authorizer.allow.on.error", opaAuthz.isAllowOnError()));
        writer.println(String.format("%s=%b", "opa.authorizer.metrics.enabled", opaAuthz.isEnableMetrics()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.initial.capacity", opaAuthz.getInitialCacheCapacity()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.maximum.size", opaAuthz.getMaximumCacheSize()));
        writer.println(String.format("%s=%d", "opa.authorizer.cache.expire.after.seconds", Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds()));
        // User configured super users
        if (opaAuthz.getSuperUsers() != null && opaAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(opaAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    } else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(authorization.getType())) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
        writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
        writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
        writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
        addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
        addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
        addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
        addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
        writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
        if (keycloakAuthz.getTlsTrustedCertificates() != null && keycloakAuthz.getTlsTrustedCertificates().size() > 0) {
            writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
            writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
            writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
            writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
            String endpointIdentificationAlgorithm = keycloakAuthz.isDisableTlsHostnameVerification() ? "" : "HTTPS";
            writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
        }
        // User configured super users
        if (keycloakAuthz.getSuperUsers() != null && keycloakAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(keycloakAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    } else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(authorization.getType())) {
        KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
        writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
        // User configured super users
        if (customAuthz.getSuperUsers() != null && customAuthz.getSuperUsers().size() > 0) {
            superUsers.addAll(customAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
        }
    }
}