
Example 1 with KafkaAuthorizationOpa

Use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi by strimzi.

From the class EntityUserOperatorTest, method testAclsAdminApiSupported.

/**
 * Runs the ACL admin API support check (the overload that takes a {@code KafkaAuthorization},
 * defined elsewhere in this class) once per authorization type. The Keycloak and custom
 * authorizers are exercised with both settings of the flag that governs them.
 */
@ParallelTest
public void testAclsAdminApiSupported() {
    // Authorizers with no configurable ACL-related flag
    testAclsAdminApiSupported(new KafkaAuthorizationSimple());
    testAclsAdminApiSupported(new KafkaAuthorizationOpa());

    // Keycloak: both values of delegateToKafkaAcls
    for (boolean delegateToKafkaAcls : new boolean[] {true, false}) {
        testAclsAdminApiSupported(new KafkaAuthorizationKeycloakBuilder()
                .withDelegateToKafkaAcls(delegateToKafkaAcls)
                .build());
    }

    // Custom: both values of supportsAdminApi
    for (boolean supportsAdminApi : new boolean[] {true, false}) {
        testAclsAdminApiSupported(new KafkaAuthorizationCustomBuilder()
                .withSupportsAdminApi(supportsAdminApi)
                .build());
    }
}

Example 2 with KafkaAuthorizationOpa

Use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi by strimzi.

From the class KafkaBrokerConfigurationBuilder, method configureAuthorization.

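/**
 * Configures authorization for the Kafka brokers. This method is used only internally.
 * <p>
 * Dispatches on the authorization type declared in the Kafka CR and writes
 * {@code authorizer.class.name} plus the authorizer-specific properties for the simple,
 * OPA, Keycloak and custom authorizers; an unrecognised type writes nothing. The super
 * users declared on the authorization are appended to {@code superUsers} as
 * {@code User:<name>} principals. Values taken from the CR (OPA URL, Keycloak token
 * endpoint and client id, custom authorizer class name, super user names) are written
 * verbatim without escaping, so they are expected to be validated before reaching here.
 *
 * @param clusterName Name of the cluster
 * @param superUsers Super users list who have all the rights on the cluster; extended in place
 * @param authorization The authorization configuration from the Kafka CR
 */
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
    String type = authorization.getType();

    if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(type)) {
        KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
        addConfiguredSuperUsers(superUsers, simpleAuthz.getSuperUsers());
    } else if (KafkaAuthorizationOpa.TYPE_OPA.equals(type)) {
        KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
        writer.println(String.format("opa.authorizer.url=%s", opaAuthz.getUrl()));
        writer.println(String.format("opa.authorizer.allow.on.error=%b", opaAuthz.isAllowOnError()));
        writer.println(String.format("opa.authorizer.metrics.enabled=%b", opaAuthz.isEnableMetrics()));
        writer.println(String.format("opa.authorizer.cache.initial.capacity=%d", opaAuthz.getInitialCacheCapacity()));
        writer.println(String.format("opa.authorizer.cache.maximum.size=%d", opaAuthz.getMaximumCacheSize()));
        // The CR expresses the expiry in milliseconds; the property (per its name) takes whole seconds
        long expireAfterSeconds = Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds();
        writer.println(String.format("opa.authorizer.cache.expire.after.seconds=%d", expireAfterSeconds));
        addConfiguredSuperUsers(superUsers, opaAuthz.getSuperUsers());
    } else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(type)) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
        writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
        writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
        writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
        // Tuning options go through addOption (defined elsewhere in this class) rather than a direct println
        addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
        addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
        addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
        addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
        writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
        if (keycloakAuthz.getTlsTrustedCertificates() != null && !keycloakAuthz.getTlsTrustedCertificates().isEmpty()) {
            // TLS trust for the token endpoint comes from a PKCS12 truststore at a fixed path;
            // ${CERTS_STORE_PASSWORD} is a placeholder, presumably substituted at broker start, not a literal secret
            writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
            writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
            writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
            writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
            // An empty identification algorithm turns hostname verification off; "HTTPS" enforces it
            String endpointIdentificationAlgorithm = keycloakAuthz.isDisableTlsHostnameVerification() ? "" : "HTTPS";
            writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
        }
        addConfiguredSuperUsers(superUsers, keycloakAuthz.getSuperUsers());
    } else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(type)) {
        KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
        // The authorizer class name is taken from the CR as-is
        writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
        addConfiguredSuperUsers(superUsers, customAuthz.getSuperUsers());
    }
}

/**
 * Appends the super users declared on an authorization to the cluster-wide super users list.
 * Each name is prefixed with {@code User:} to form a Kafka principal. A {@code null} or empty
 * input adds nothing.
 *
 * @param superUsers The cluster-wide super users list to extend in place
 * @param configured Super user names from the authorization section of the Kafka CR, may be {@code null}
 */
private static void addConfiguredSuperUsers(List<String> superUsers, List<String> configured) {
    if (configured == null || configured.isEmpty()) {
        return;
    }
    for (String name : configured) {
        superUsers.add("User:" + name);
    }
}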

Example 3 with KafkaAuthorizationOpa

Use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi-kafka-operator by strimzi.

From the class KafkaBrokerConfigurationBuilder, method configureAuthorization.

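/**
 * Configures authorization for the Kafka brokers. This method is used only internally.
 * <p>
 * Dispatches on the authorization type declared in the Kafka CR and writes
 * {@code authorizer.class.name} plus the authorizer-specific properties for the simple,
 * OPA, Keycloak and custom authorizers; an unrecognised type writes nothing. The super
 * users declared on the authorization are appended to {@code superUsers} as
 * {@code User:<name>} principals. Values taken from the CR (OPA URL, Keycloak token
 * endpoint and client id, custom authorizer class name, super user names) are written
 * verbatim without escaping, so they are expected to be validated before reaching here.
 *
 * @param clusterName Name of the cluster
 * @param superUsers Super users list who have all the rights on the cluster; extended in place
 * @param authorization The authorization configuration from the Kafka CR
 */
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
    String type = authorization.getType();

    if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(type)) {
        KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
        addConfiguredSuperUsers(superUsers, simpleAuthz.getSuperUsers());
    } else if (KafkaAuthorizationOpa.TYPE_OPA.equals(type)) {
        KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
        writer.println(String.format("opa.authorizer.url=%s", opaAuthz.getUrl()));
        writer.println(String.format("opa.authorizer.allow.on.error=%b", opaAuthz.isAllowOnError()));
        writer.println(String.format("opa.authorizer.metrics.enabled=%b", opaAuthz.isEnableMetrics()));
        writer.println(String.format("opa.authorizer.cache.initial.capacity=%d", opaAuthz.getInitialCacheCapacity()));
        writer.println(String.format("opa.authorizer.cache.maximum.size=%d", opaAuthz.getMaximumCacheSize()));
        // The CR expresses the expiry in milliseconds; the property (per its name) takes whole seconds
        long expireAfterSeconds = Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds();
        writer.println(String.format("opa.authorizer.cache.expire.after.seconds=%d", expireAfterSeconds));
        addConfiguredSuperUsers(superUsers, opaAuthz.getSuperUsers());
    } else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(type)) {
        KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
        writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
        writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
        writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
        // Tuning options go through addOption (defined elsewhere in this class) rather than a direct println
        addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
        addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
        addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
        addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
        writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
        if (keycloakAuthz.getTlsTrustedCertificates() != null && !keycloakAuthz.getTlsTrustedCertificates().isEmpty()) {
            // TLS trust for the token endpoint comes from a PKCS12 truststore at a fixed path;
            // ${CERTS_STORE_PASSWORD} is a placeholder, presumably substituted at broker start, not a literal secret
            writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
            writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
            writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
            writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
            // An empty identification algorithm turns hostname verification off; "HTTPS" enforces it
            String endpointIdentificationAlgorithm = keycloakAuthz.isDisableTlsHostnameVerification() ? "" : "HTTPS";
            writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
        }
        addConfiguredSuperUsers(superUsers, keycloakAuthz.getSuperUsers());
    } else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(type)) {
        KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
        // The authorizer class name is taken from the CR as-is
        writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
        addConfiguredSuperUsers(superUsers, customAuthz.getSuperUsers());
    }
}

/**
 * Appends the super users declared on an authorization to the cluster-wide super users list.
 * Each name is prefixed with {@code User:} to form a Kafka principal. A {@code null} or empty
 * input adds nothing.
 *
 * @param superUsers The cluster-wide super users list to extend in place
 * @param configured Super user names from the authorization section of the Kafka CR, may be {@code null}
 */
private static void addConfiguredSuperUsers(List<String> superUsers, List<String> configured) {
    if (configured == null || configured.isEmpty()) {
        return;
    }
    for (String name : configured) {
        superUsers.add("User:" + name);
    }
}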

Example 4 with KafkaAuthorizationOpa

Use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi-kafka-operator by strimzi.

From the class EntityUserOperatorTest, method testAclsAdminApiSupported.

/**
 * Runs the ACL admin API support check (the overload that takes a {@code KafkaAuthorization},
 * defined elsewhere in this class) once per authorization type. The Keycloak and custom
 * authorizers are exercised with both settings of the flag that governs them.
 */
@ParallelTest
public void testAclsAdminApiSupported() {
    // Authorizers with no configurable ACL-related flag
    testAclsAdminApiSupported(new KafkaAuthorizationSimple());
    testAclsAdminApiSupported(new KafkaAuthorizationOpa());

    // Keycloak: both values of delegateToKafkaAcls
    for (boolean delegateToKafkaAcls : new boolean[] {true, false}) {
        testAclsAdminApiSupported(new KafkaAuthorizationKeycloakBuilder()
                .withDelegateToKafkaAcls(delegateToKafkaAcls)
                .build());
    }

    // Custom: both values of supportsAdminApi
    for (boolean supportsAdminApi : new boolean[] {true, false}) {
        testAclsAdminApiSupported(new KafkaAuthorizationCustomBuilder()
                .withSupportsAdminApi(supportsAdminApi)
                .build());
    }
}
