
the class SecurityST method testAclRuleReadAndWrite.

@ParallelNamespaceTest
@Tag(NODEPORT_SUPPORTED)
@Tag(EXTERNAL_CLIENTS_USED)
void testAclRuleReadAndWrite(ExtensionContext extensionContext) {
    // Exercises the simple authorizer over a TLS-authenticated NodePort listener: a user
    // holding only a WRITE ACL must be able to produce but not consume, and a user holding
    // only READ ACLs must be able to consume but not produce, on the same topic.
    final String displayName = extensionContext.getDisplayName();
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(namespace, extensionContext);
    final String clusterName = mapWithClusterNames.get(displayName);
    final String topicName = mapWithTestTopics.get(displayName);
    final String producerUserName = "kafka-user-write";
    final String consumerUserName = "kafka-user-read";
    final String consumerGroupName = "consumer-group-name-1";
    final int messageCount = 500;

    // Cluster with the simple authorizer enabled. Its only listener is NodePort, TLS-encrypted
    // and TLS-client-certificate authenticated, so each client below is identified by its user cert.
    resourceManager.createResource(extensionContext,
        KafkaTemplates.kafkaEphemeral(clusterName, 3, 1)
            .editSpec()
                .editKafka()
                    .withNewKafkaAuthorizationSimple()
                    .endKafkaAuthorizationSimple()
                    .withListeners(new GenericKafkaListenerBuilder()
                        .withName(Constants.EXTERNAL_LISTENER_DEFAULT_NAME)
                        .withPort(9094)
                        .withType(KafkaListenerType.NODEPORT)
                        .withTls(true)
                        .withAuth(new KafkaListenerAuthenticationTls())
                        .build())
                .endKafka()
            .endSpec()
            .build());
    resourceManager.createResource(extensionContext,
        KafkaTopicTemplates.topic(clusterName, topicName).build());

    // Producer user: WRITE on the topic, plus DESCRIBE so the client can fetch topic metadata.
    resourceManager.createResource(extensionContext,
        KafkaUserTemplates.tlsUser(clusterName, producerUserName)
            .editSpec()
                .withNewKafkaUserAuthorizationSimple()
                    .addNewAcl()
                        .withNewAclRuleTopicResource().withName(topicName).endAclRuleTopicResource()
                        .withOperation(AclOperation.WRITE)
                    .endAcl()
                    .addNewAcl()
                        .withNewAclRuleTopicResource().withName(topicName).endAclRuleTopicResource()
                        .withOperation(AclOperation.DESCRIBE)
                    .endAcl()
                .endKafkaUserAuthorizationSimple()
            .endSpec()
            .build());

    LOGGER.info("Checking KafkaUser {} that is able to send messages to topic '{}'", producerUserName, topicName);
    ExternalKafkaClient producerClient = new ExternalKafkaClient.Builder()
        .withTopicName(topicName)
        .withNamespaceName(namespaceName)
        .withClusterName(clusterName)
        .withKafkaUsername(producerUserName)
        .withMessageCount(messageCount)
        .withSecurityProtocol(SecurityProtocol.SSL)
        .withListenerName(Constants.EXTERNAL_LISTENER_DEFAULT_NAME)
        .build();
    assertThat(producerClient.sendMessagesTls(), is(messageCount));
    // The producer user was granted topic ACLs only, so joining a consumer group is expected
    // to be refused with a group-level authorization error.
    assertThrows(GroupAuthorizationException.class, producerClient::receiveMessagesTls);

    // Consumer user: READ on the topic and on its consumer group, plus DESCRIBE for metadata.
    resourceManager.createResource(extensionContext,
        KafkaUserTemplates.tlsUser(clusterName, consumerUserName)
            .editSpec()
                .withNewKafkaUserAuthorizationSimple()
                    .addNewAcl()
                        .withNewAclRuleTopicResource().withName(topicName).endAclRuleTopicResource()
                        .withOperation(AclOperation.READ)
                    .endAcl()
                    .addNewAcl()
                        .withNewAclRuleGroupResource().withName(consumerGroupName).endAclRuleGroupResource()
                        .withOperation(AclOperation.READ)
                    .endAcl()
                    .addNewAcl()
                        .withNewAclRuleTopicResource().withName(topicName).endAclRuleTopicResource()
                        .withOperation(AclOperation.DESCRIBE)
                    .endAcl()
                .endKafkaUserAuthorizationSimple()
            .endSpec()
            .build());

    // Same topic, namespace, cluster and listener as the producer; only the identity and group differ.
    ExternalKafkaClient consumerClient = producerClient.toBuilder()
        .withKafkaUsername(consumerUserName)
        .withConsumerGroupName(consumerGroupName)
        .build();
    assertThat(consumerClient.receiveMessagesTls(), is(messageCount));

    LOGGER.info("Checking KafkaUser {} that is not able to send messages to topic '{}'", consumerUserName, topicName);
    // NOTE(review): Exception.class is satisfied by any failure (TLS handshake, connectivity, timeout),
    // not only by an authorization denial, so this check does not by itself prove the missing WRITE ACL
    // is what blocks the send. Narrowing it to Kafka's authorization exception, as the receive check
    // above does, would make that explicit; confirm how sendMessagesTls surfaces the cause before changing it.
    assertThrows(Exception.class, consumerClient::sendMessagesTls);
}