use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi by strimzi.
the class EntityUserOperatorTest method testAclsAdminApiSupported.
@ParallelTest
public void testAclsAdminApiSupported() {
testAclsAdminApiSupported(new KafkaAuthorizationSimple());
testAclsAdminApiSupported(new KafkaAuthorizationOpa());
testAclsAdminApiSupported(new KafkaAuthorizationKeycloakBuilder().withDelegateToKafkaAcls(true).build());
testAclsAdminApiSupported(new KafkaAuthorizationKeycloakBuilder().withDelegateToKafkaAcls(false).build());
testAclsAdminApiSupported(new KafkaAuthorizationCustomBuilder().withSupportsAdminApi(true).build());
testAclsAdminApiSupported(new KafkaAuthorizationCustomBuilder().withSupportsAdminApi(false).build());
}
use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi by strimzi.
the class KafkaBrokerConfigurationBuilder method configureAuthorization.
/**
* Configures authorization for the Kafka brokers. This method is used only internally.
*
* @param clusterName Name of the cluster
* @param superUsers Super users list who have all the rights on the cluster
* @param authorization The authorization configuration from the Kafka CR
*/
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(authorization.getType())) {
KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
// User configured super users
if (simpleAuthz.getSuperUsers() != null && simpleAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(simpleAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
} else if (KafkaAuthorizationOpa.TYPE_OPA.equals(authorization.getType())) {
KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
writer.println(String.format("%s=%s", "opa.authorizer.url", opaAuthz.getUrl()));
writer.println(String.format("%s=%b", "opa.authorizer.allow.on.error", opaAuthz.isAllowOnError()));
writer.println(String.format("%s=%b", "opa.authorizer.metrics.enabled", opaAuthz.isEnableMetrics()));
writer.println(String.format("%s=%d", "opa.authorizer.cache.initial.capacity", opaAuthz.getInitialCacheCapacity()));
writer.println(String.format("%s=%d", "opa.authorizer.cache.maximum.size", opaAuthz.getMaximumCacheSize()));
writer.println(String.format("%s=%d", "opa.authorizer.cache.expire.after.seconds", Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds()));
// User configured super users
if (opaAuthz.getSuperUsers() != null && opaAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(opaAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
} else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(authorization.getType())) {
KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
if (keycloakAuthz.getTlsTrustedCertificates() != null && keycloakAuthz.getTlsTrustedCertificates().size() > 0) {
writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
String endpointIdentificationAlgorithm = keycloakAuthz.isDisableTlsHostnameVerification() ? "" : "HTTPS";
writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
}
// User configured super users
if (keycloakAuthz.getSuperUsers() != null && keycloakAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(keycloakAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
} else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(authorization.getType())) {
KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
// User configured super users
if (customAuthz.getSuperUsers() != null && customAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(customAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
}
}
use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi-kafka-operator by strimzi.
the class KafkaBrokerConfigurationBuilder method configureAuthorization.
/**
* Configures authorization for the Kafka brokers. This method is used only internally.
*
* @param clusterName Name of the cluster
* @param superUsers Super users list who have all the rights on the cluster
* @param authorization The authorization configuration from the Kafka CR
*/
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
if (KafkaAuthorizationSimple.TYPE_SIMPLE.equals(authorization.getType())) {
KafkaAuthorizationSimple simpleAuthz = (KafkaAuthorizationSimple) authorization;
writer.println("authorizer.class.name=" + KafkaAuthorizationSimple.AUTHORIZER_CLASS_NAME);
// User configured super users
if (simpleAuthz.getSuperUsers() != null && simpleAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(simpleAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
} else if (KafkaAuthorizationOpa.TYPE_OPA.equals(authorization.getType())) {
KafkaAuthorizationOpa opaAuthz = (KafkaAuthorizationOpa) authorization;
writer.println("authorizer.class.name=" + KafkaAuthorizationOpa.AUTHORIZER_CLASS_NAME);
writer.println(String.format("%s=%s", "opa.authorizer.url", opaAuthz.getUrl()));
writer.println(String.format("%s=%b", "opa.authorizer.allow.on.error", opaAuthz.isAllowOnError()));
writer.println(String.format("%s=%b", "opa.authorizer.metrics.enabled", opaAuthz.isEnableMetrics()));
writer.println(String.format("%s=%d", "opa.authorizer.cache.initial.capacity", opaAuthz.getInitialCacheCapacity()));
writer.println(String.format("%s=%d", "opa.authorizer.cache.maximum.size", opaAuthz.getMaximumCacheSize()));
writer.println(String.format("%s=%d", "opa.authorizer.cache.expire.after.seconds", Duration.ofMillis(opaAuthz.getExpireAfterMs()).getSeconds()));
// User configured super users
if (opaAuthz.getSuperUsers() != null && opaAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(opaAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
} else if (KafkaAuthorizationKeycloak.TYPE_KEYCLOAK.equals(authorization.getType())) {
KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
writer.println("authorizer.class.name=" + KafkaAuthorizationKeycloak.AUTHORIZER_CLASS_NAME);
writer.println("strimzi.authorization.token.endpoint.uri=" + keycloakAuthz.getTokenEndpointUri());
writer.println("strimzi.authorization.client.id=" + keycloakAuthz.getClientId());
writer.println("strimzi.authorization.delegate.to.kafka.acl=" + keycloakAuthz.isDelegateToKafkaAcls());
addOption(writer, "strimzi.authorization.grants.refresh.period.seconds", keycloakAuthz.getGrantsRefreshPeriodSeconds());
addOption(writer, "strimzi.authorization.grants.refresh.pool.size", keycloakAuthz.getGrantsRefreshPoolSize());
addOption(writer, "strimzi.authorization.connect.timeout.seconds", keycloakAuthz.getConnectTimeoutSeconds());
addOption(writer, "strimzi.authorization.read.timeout.seconds", keycloakAuthz.getReadTimeoutSeconds());
writer.println("strimzi.authorization.kafka.cluster.name=" + clusterName);
if (keycloakAuthz.getTlsTrustedCertificates() != null && keycloakAuthz.getTlsTrustedCertificates().size() > 0) {
writer.println("strimzi.authorization.ssl.truststore.location=/tmp/kafka/authz-keycloak.truststore.p12");
writer.println("strimzi.authorization.ssl.truststore.password=${CERTS_STORE_PASSWORD}");
writer.println("strimzi.authorization.ssl.truststore.type=PKCS12");
writer.println("strimzi.authorization.ssl.secure.random.implementation=SHA1PRNG");
String endpointIdentificationAlgorithm = keycloakAuthz.isDisableTlsHostnameVerification() ? "" : "HTTPS";
writer.println("strimzi.authorization.ssl.endpoint.identification.algorithm=" + endpointIdentificationAlgorithm);
}
// User configured super users
if (keycloakAuthz.getSuperUsers() != null && keycloakAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(keycloakAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
} else if (KafkaAuthorizationCustom.TYPE_CUSTOM.equals(authorization.getType())) {
KafkaAuthorizationCustom customAuthz = (KafkaAuthorizationCustom) authorization;
writer.println("authorizer.class.name=" + customAuthz.getAuthorizerClass());
// User configured super users
if (customAuthz.getSuperUsers() != null && customAuthz.getSuperUsers().size() > 0) {
superUsers.addAll(customAuthz.getSuperUsers().stream().map(e -> String.format("User:%s", e)).collect(Collectors.toList()));
}
}
}
use of io.strimzi.api.kafka.model.KafkaAuthorizationOpa in project strimzi-kafka-operator by strimzi.
the class EntityUserOperatorTest method testAclsAdminApiSupported.
@ParallelTest
public void testAclsAdminApiSupported() {
testAclsAdminApiSupported(new KafkaAuthorizationSimple());
testAclsAdminApiSupported(new KafkaAuthorizationOpa());
testAclsAdminApiSupported(new KafkaAuthorizationKeycloakBuilder().withDelegateToKafkaAcls(true).build());
testAclsAdminApiSupported(new KafkaAuthorizationKeycloakBuilder().withDelegateToKafkaAcls(false).build());
testAclsAdminApiSupported(new KafkaAuthorizationCustomBuilder().withSupportsAdminApi(true).build());
testAclsAdminApiSupported(new KafkaAuthorizationCustomBuilder().withSupportsAdminApi(false).build());
}
Aggregations