
Example 1 with AclOperation

use of org.apache.kafka.common.acl.AclOperation in project kafka by apache.

the class StandardAuthorizerTest method testFindResultImplication.

@Test
public void testFindResultImplication() throws Exception {
    // Every check asks the same question: may User:bob perform the requested operation on
    // TOPIC "foo_bar", given the one ACL returned by newFooAcl(operation, permission)?
    // newFooAcl and findResult are helpers defined outside this snippet.
    final KafkaPrincipal bob = new KafkaPrincipal(USER_TYPE, "bob");

    // An ALLOW for any of these operations also authorizes DESCRIBE.
    for (AclOperation granted : asList(DESCRIBE, READ, WRITE, DELETE, ALTER)) {
        assertEquals(ALLOWED, findResult(
            newAction(DESCRIBE, TOPIC, "foo_bar"),
            new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
            newFooAcl(granted, ALLOW)));
    }

    // An ALLOW for CREATE does not carry DESCRIBE with it: the expected result is null, which
    // this test treats as distinct from DENIED (presumably "this ACL gives no verdict";
    // confirm against findResult).
    assertEquals(null, findResult(
        newAction(DESCRIBE, TOPIC, "foo_bar"),
        new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
        newFooAcl(CREATE, ALLOW)));

    // Implication is not applied to DENY: a DENY on READ, WRITE, DELETE or ALTER is expected
    // to produce no DENIED result for a DESCRIBE request.
    for (AclOperation refused : asList(READ, WRITE, DELETE, ALTER)) {
        assertEquals(null, findResult(
            newAction(DESCRIBE, TOPIC, "foo_bar"),
            new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
            newFooAcl(refused, DENY)));
    }

    // A DENY that names DESCRIBE itself does deny the DESCRIBE request.
    assertEquals(DENIED, findResult(
        newAction(DESCRIBE, TOPIC, "foo_bar"),
        new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
        newFooAcl(DESCRIBE, DENY)));

    // An ALLOW for either of these operations also authorizes DESCRIBE_CONFIGS.
    for (AclOperation granted : asList(DESCRIBE_CONFIGS, ALTER_CONFIGS)) {
        assertEquals(ALLOWED, findResult(
            newAction(DESCRIBE_CONFIGS, TOPIC, "foo_bar"),
            new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
            newFooAcl(granted, ALLOW)));
    }

    // Same asymmetry as above: a DENY on ALTER_CONFIGS is not expected to deny DESCRIBE_CONFIGS.
    assertEquals(null, findResult(
        newAction(DESCRIBE_CONFIGS, TOPIC, "foo_bar"),
        new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
        newFooAcl(ALTER_CONFIGS, DENY)));

    // A DENY that names ALTER_CONFIGS itself denies the ALTER_CONFIGS request.
    assertEquals(DENIED, findResult(
        newAction(ALTER_CONFIGS, TOPIC, "foo_bar"),
        new MockAuthorizableRequestContext.Builder().setPrincipal(bob).build(),
        newFooAcl(ALTER_CONFIGS, DENY)));
}
Also used : AclOperation(org.apache.kafka.common.acl.AclOperation) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) Test(org.junit.jupiter.api.Test)

Example 2 with AclOperation

use of org.apache.kafka.common.acl.AclOperation in project ksql by confluentinc.

the class EmbeddedSingleNodeKafkaCluster method addUserAcl.

/**
 * Adds one ACL per operation in {@code ops} for the given user and resource, and hands them
 * to the cluster's authorizer. The ACL information is written to ZK, where it will be picked
 * up by the broker's authorizer.
 *
 * <p>Every ACL is created for principal type {@code "User"} and with host {@code "*"}, so it
 * is not restricted to a particular client host. The resource is also recorded in
 * {@code addedAcls}.
 *
 * @param username    the user name the ACLs apply to (the who).
 * @param permission  whether the operations are allowed or denied.
 * @param resource    the resource the ACLs are attached to (the thing).
 * @param ops         the operations being allowed or denied (the what).
 */
public void addUserAcl(final String username, final AclPermissionType permission, final Resource resource, final Set<AclOperation> ops) {
    final KafkaPrincipal user = new KafkaPrincipal("User", username);
    final PermissionType permissionType = PermissionType$.MODULE$.fromJava(permission);

    // Convert each Java-side operation to its Scala counterpart and wrap it in an ACL.
    // "*" is the host argument: the ACL matches the user from any host.
    final Set<Acl> aclsForUser = new HashSet<>();
    for (final AclOperation operation : ops) {
        aclsForUser.add(new Acl(user, permissionType, "*", Operation$.MODULE$.fromJava(operation)));
    }

    // The authorizer takes Scala types, so the set and the resource are converted first.
    final scala.collection.immutable.Set<Acl> immutableAcls = JavaConversions.asScalaSet(aclsForUser).toSet();
    final kafka.security.auth.ResourceType resourceType = ResourceType$.MODULE$.fromJava(resource.resourceType());
    final kafka.security.auth.Resource target = new kafka.security.auth.Resource(resourceType, resource.name());

    authorizer.addAcls(immutableAcls, target);
    addedAcls.add(target);
}
Also used : Arrays(java.util.Arrays) Credentials(io.confluent.ksql.testutils.secure.Credentials) AclPermissionType(org.apache.kafka.common.acl.AclPermissionType) LoggerFactory(org.slf4j.LoggerFactory) HashMap(java.util.HashMap) ServerKeyStore(io.confluent.ksql.testutils.secure.ServerKeyStore) JaasUtils(org.apache.kafka.common.security.JaasUtils) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) HashSet(java.util.HashSet) ImmutableList(com.google.common.collect.ImmutableList) Resource(org.apache.kafka.common.resource.Resource) Files(com.google.common.io.Files) Operation$(kafka.security.auth.Operation$) SimpleAclAuthorizer(kafka.security.auth.SimpleAclAuthorizer) SASL_SSL(org.apache.kafka.common.security.auth.SecurityProtocol.SASL_SSL) Map(java.util.Map) PlainLoginModule(org.apache.kafka.common.security.plain.PlainLoginModule) KafkaConfig(kafka.server.KafkaConfig) ZKConfig(kafka.utils.ZKConfig) JavaConversions(scala.collection.JavaConversions) Logger(org.slf4j.Logger) Properties(java.util.Properties) ClientTrustStore(io.confluent.ksql.testutils.secure.ClientTrustStore) ImmutableMap(com.google.common.collect.ImmutableMap) TestUtils(org.apache.kafka.test.TestUtils) SecureKafkaHelper(io.confluent.ksql.testutils.secure.SecureKafkaHelper) Set(java.util.Set) ConsumerConfig(org.apache.kafka.clients.consumer.ConsumerConfig) IOException(java.io.IOException) AclOperation(org.apache.kafka.common.acl.AclOperation) Collectors(java.util.stream.Collectors) File(java.io.File) StandardCharsets(java.nio.charset.StandardCharsets) PermissionType(kafka.security.auth.PermissionType) PermissionType$(kafka.security.auth.PermissionType$) Acl(kafka.security.auth.Acl) List(java.util.List) ExternalResource(org.junit.rules.ExternalResource) Stream(java.util.stream.Stream) ResourceType$(kafka.security.auth.ResourceType$) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) Collections(java.util.Collections) TemporaryFolder(org.junit.rules.TemporaryFolder) 
AclPermissionType(org.apache.kafka.common.acl.AclPermissionType) PermissionType(kafka.security.auth.PermissionType) Resource(org.apache.kafka.common.resource.Resource) ExternalResource(org.junit.rules.ExternalResource) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) Acl(kafka.security.auth.Acl)

Example 3 with AclOperation

use of org.apache.kafka.common.acl.AclOperation in project kafka by apache.

the class DescribeConsumerGroupsHandler method handleResponse.

/**
 * Turns a DescribeGroups response into per-group results.
 *
 * <p>For each group in the response: a non-{@code NONE} error code is passed to
 * {@code handleError}; a group whose protocol type is neither the consumer protocol type nor
 * empty is reported as failed with an {@link IllegalArgumentException}; any other group is
 * converted into a {@link ConsumerGroupDescription}.
 *
 * @param coordinator      the node stored in each resulting description
 * @param groupIds         the requested group keys (not consulted in this method)
 * @param abstractResponse the response, which is cast to {@link DescribeGroupsResponse}
 * @return the completed descriptions, the failures, and the keys collected for unmapping
 */
@Override
public ApiResult<CoordinatorKey, ConsumerGroupDescription> handleResponse(Node coordinator, Set<CoordinatorKey> groupIds, AbstractResponse abstractResponse) {
    final DescribeGroupsResponse describeResponse = (DescribeGroupsResponse) abstractResponse;
    final Map<CoordinatorKey, ConsumerGroupDescription> described = new HashMap<>();
    final Map<CoordinatorKey, Throwable> errorsByGroup = new HashMap<>();
    final Set<CoordinatorKey> unmapped = new HashSet<>();

    for (DescribedGroup group : describeResponse.data().groups()) {
        final CoordinatorKey key = CoordinatorKey.byGroupId(group.groupId());

        final Errors groupError = Errors.forCode(group.errorCode());
        if (groupError != Errors.NONE) {
            handleError(key, groupError, errorsByGroup, unmapped);
            continue;
        }

        // Only groups that use the consumer protocol, or that report no protocol type at all,
        // are described; anything else is reported back as a failure.
        final String protocolType = group.protocolType();
        final boolean noProtocolType = protocolType.isEmpty();
        if (!noProtocolType && !protocolType.equals(ConsumerProtocol.PROTOCOL_TYPE)) {
            errorsByGroup.put(key, new IllegalArgumentException(String.format("GroupId %s is not a consumer group (%s).", key.idValue, protocolType)));
            continue;
        }

        final List<DescribedGroupMember> groupMembers = group.members();
        final List<MemberDescription> descriptions = new ArrayList<>(groupMembers.size());
        // The authorized-operations field of the response goes through validAclOperations
        // (defined outside this snippet) before it reaches the description.
        final Set<AclOperation> permittedOperations = validAclOperations(group.authorizedOperations());

        for (DescribedGroupMember member : groupMembers) {
            // The assignment bytes come straight from the response; an empty array means the
            // member has no partitions and nothing is deserialized.
            final byte[] rawAssignment = member.memberAssignment();
            final Set<TopicPartition> assigned;
            if (rawAssignment.length > 0) {
                assigned = new HashSet<>(ConsumerProtocol.deserializeAssignment(ByteBuffer.wrap(rawAssignment)).partitions());
            } else {
                assigned = Collections.emptySet();
            }
            descriptions.add(new MemberDescription(
                member.memberId(),
                Optional.ofNullable(member.groupInstanceId()),
                member.clientId(),
                member.clientHost(),
                new MemberAssignment(assigned)));
        }

        described.put(key, new ConsumerGroupDescription(
            key.idValue,
            noProtocolType,
            descriptions,
            group.protocolData(),
            ConsumerGroupState.parse(group.groupState()),
            coordinator,
            permittedOperations));
    }

    return new ApiResult<>(described, errorsByGroup, new ArrayList<>(unmapped));
}
Also used : HashMap(java.util.HashMap) MemberDescription(org.apache.kafka.clients.admin.MemberDescription) ArrayList(java.util.ArrayList) AclOperation(org.apache.kafka.common.acl.AclOperation) DescribedGroup(org.apache.kafka.common.message.DescribeGroupsResponseData.DescribedGroup) Assignment(org.apache.kafka.clients.consumer.ConsumerPartitionAssignor.Assignment) MemberAssignment(org.apache.kafka.clients.admin.MemberAssignment) MemberAssignment(org.apache.kafka.clients.admin.MemberAssignment) DescribedGroupMember(org.apache.kafka.common.message.DescribeGroupsResponseData.DescribedGroupMember) DescribeGroupsResponse(org.apache.kafka.common.requests.DescribeGroupsResponse) HashSet(java.util.HashSet) ConsumerGroupDescription(org.apache.kafka.clients.admin.ConsumerGroupDescription) Errors(org.apache.kafka.common.protocol.Errors) TopicPartition(org.apache.kafka.common.TopicPartition)
