Search in sources :

Example 11 with AuthorizationService

use of org.apache.pulsar.broker.authorization.AuthorizationService in project incubator-pulsar by apache.

the class ServerCnxTest method testProducerCommandWithAuthorizationNegative.

public void testProducerCommandWithAuthorizationNegative() throws Exception {
    AuthorizationService authorizationService = mock(AuthorizationService.class);
    doReturn(CompletableFuture.completedFuture(false)).when(authorizationService).canProduceAsync(Mockito.any(), Mockito.any(), Mockito.any());
    doReturn(authorizationService).when(brokerService).getAuthorizationService();
    doReturn(true).when(brokerService).isAuthenticationEnabled();
    doReturn(true).when(brokerService).isAuthorizationEnabled();
    doReturn("prod1").when(brokerService).generateUniqueProducerName();
    resetChannel();
    setChannelConnected();
    ByteBuf clientCommand = Commands.newProducer(successTopicName, 1, /* producer id */
    1, /* request id */
    null, Collections.emptyMap());
    channel.writeInbound(clientCommand);
    assertTrue(getResponse() instanceof CommandError);
    channel.finish();
}
Also used : AuthorizationService(org.apache.pulsar.broker.authorization.AuthorizationService) CommandError(org.apache.pulsar.common.api.proto.PulsarApi.CommandError) ByteBuf(io.netty.buffer.ByteBuf)

Example 12 with AuthorizationService

use of org.apache.pulsar.broker.authorization.AuthorizationService in project incubator-pulsar by apache.

the class ServerCnxTest method testSubscribeCommandWithAuthorizationPositive.

@Test(timeOut = 30000)
public void testSubscribeCommandWithAuthorizationPositive() throws Exception {
    AuthorizationService authorizationService = mock(AuthorizationService.class);
    doReturn(CompletableFuture.completedFuture(true)).when(authorizationService).canConsumeAsync(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
    doReturn(authorizationService).when(brokerService).getAuthorizationService();
    doReturn(true).when(brokerService).isAuthenticationEnabled();
    doReturn(true).when(brokerService).isAuthorizationEnabled();
    resetChannel();
    setChannelConnected();
    // test SUBSCRIBE on topic and cursor creation success
    ByteBuf clientCommand = // 
    Commands.newSubscribe(// 
    successTopicName, successSubName, 1, /* consumer id */
    1, /* request id */
    SubType.Exclusive, 0, "test");
    channel.writeInbound(clientCommand);
    assertTrue(getResponse() instanceof CommandSuccess);
    channel.finish();
}
Also used : AuthorizationService(org.apache.pulsar.broker.authorization.AuthorizationService) CommandSuccess(org.apache.pulsar.common.api.proto.PulsarApi.CommandSuccess) ByteBuf(io.netty.buffer.ByteBuf) Test(org.testng.annotations.Test)

Example 13 with AuthorizationService

use of org.apache.pulsar.broker.authorization.AuthorizationService in project incubator-pulsar by apache.

the class ServerCnxTest method testNonExistentTopicSuperUserAccess.

@Test(timeOut = 30000)
public void testNonExistentTopicSuperUserAccess() throws Exception {
    AuthorizationService authorizationService = spy(new AuthorizationService(svcConfig, configCacheService));
    doReturn(authorizationService).when(brokerService).getAuthorizationService();
    doReturn(true).when(brokerService).isAuthorizationEnabled();
    Field providerField = AuthorizationService.class.getDeclaredField("provider");
    providerField.setAccessible(true);
    PulsarAuthorizationProvider authorizationProvider = spy(new PulsarAuthorizationProvider(svcConfig, configCacheService));
    providerField.set(authorizationService, authorizationProvider);
    doReturn(true).when(authorizationProvider).isSuperUser(Mockito.anyString());
    // Test producer creation
    resetChannel();
    setChannelConnected();
    ByteBuf newProducerCmd = Commands.newProducer(nonExistentTopicName, 1, /* producer id */
    1, /* request id */
    "prod-name", Collections.emptyMap());
    channel.writeInbound(newProducerCmd);
    assertTrue(getResponse() instanceof CommandProducerSuccess);
    PersistentTopic topicRef = (PersistentTopic) brokerService.getTopicReference(nonExistentTopicName);
    assertNotNull(topicRef);
    assertEquals(topicRef.getProducers().size(), 1);
    channel.finish();
    // Test consumer creation
    resetChannel();
    setChannelConnected();
    ByteBuf newSubscribeCmd = // 
    Commands.newSubscribe(// 
    nonExistentTopicName, successSubName, 1, /* consumer id */
    1, /* request id */
    SubType.Exclusive, 0, "test");
    channel.writeInbound(newSubscribeCmd);
    topicRef = (PersistentTopic) brokerService.getTopicReference(nonExistentTopicName);
    assertNotNull(topicRef);
    assertTrue(topicRef.getSubscriptions().containsKey(successSubName));
    assertTrue(topicRef.getSubscription(successSubName).getDispatcher().isConsumerConnected());
    assertTrue(getResponse() instanceof CommandSuccess);
}
Also used : Field(java.lang.reflect.Field) AuthorizationService(org.apache.pulsar.broker.authorization.AuthorizationService) CommandSuccess(org.apache.pulsar.common.api.proto.PulsarApi.CommandSuccess) PersistentTopic(org.apache.pulsar.broker.service.persistent.PersistentTopic) CommandProducerSuccess(org.apache.pulsar.common.api.proto.PulsarApi.CommandProducerSuccess) PulsarAuthorizationProvider(org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider) ByteBuf(io.netty.buffer.ByteBuf) Test(org.testng.annotations.Test)

Example 14 with AuthorizationService

use of org.apache.pulsar.broker.authorization.AuthorizationService in project incubator-pulsar by apache.

the class AuthorizationTest method simple.

@Test
void simple() throws Exception {
    AuthorizationService auth = pulsar.getBrokerService().getAuthorizationService();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null), false);
    admin.clusters().createCluster("c1", new ClusterData());
    admin.properties().createProperty("p1", new PropertyAdmin(Lists.newArrayList("role1"), Sets.newHashSet("c1")));
    waitForChange();
    admin.namespaces().createNamespace("p1/c1/ns1");
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null), false);
    admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "my-role", EnumSet.of(AuthAction.produce));
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null), true);
    admin.persistentTopics().grantPermission("persistent://p1/c1/ns1/ds2", "other-role", EnumSet.of(AuthAction.consume));
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "other-role", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds2"), "other-role", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds2"), "other-role", null, null), true);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds2"), "no-access-role", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "no-access-role", null), false);
    admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "my-role", EnumSet.allOf(AuthAction.class));
    waitForChange();
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null), true);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "my-role", null, null), true);
    // test for wildcard
    // namespace prefix match
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.2", null), false);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.2", null), false);
    admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "my.role.*", EnumSet.of(AuthAction.produce));
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.2", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), true);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.2", null), false);
    // namespace suffix match
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.my", null), false);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "*.role.my", EnumSet.of(AuthAction.consume));
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.my", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null, null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    // revoke for next test
    admin.namespaces().revokePermissionsOnNamespace("p1/c1/ns1", "my.role.*");
    admin.namespaces().revokePermissionsOnNamespace("p1/c1/ns1", "*.role.my");
    waitForChange();
    // topic prefix match
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.2", null), false);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.2", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "my.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "my.role.2", null), false);
    admin.persistentTopics().grantPermission("persistent://p1/c1/ns1/ds1", "my.*", EnumSet.of(AuthAction.produce));
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.2", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null), true);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "my.role.1", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "other.role.2", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "my.role.1", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "my.role.2", null), false);
    // topic suffix match
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.my", null), false);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null, null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "1.role.my", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "2.role.my", null), false);
    admin.persistentTopics().grantPermission("persistent://p1/c1/ns1/ds1", "*.my", EnumSet.of(AuthAction.consume));
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.my", null), true);
    assertEquals(auth.canProduce(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null), false);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "1.role.my", null, null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "2.role.other", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "1.role.my", null), false);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds2"), "2.role.my", null), false);
    admin.persistentTopics().revokePermissions("persistent://p1/c1/ns1/ds1", "my.*");
    admin.persistentTopics().revokePermissions("persistent://p1/c1/ns1/ds1", "*.my");
    // tests for subscription auth mode
    admin.namespaces().grantPermissionOnNamespace("p1/c1/ns1", "*", EnumSet.of(AuthAction.consume));
    admin.namespaces().setSubscriptionAuthMode("p1/c1/ns1", SubscriptionAuthMode.Prefix);
    waitForChange();
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "role1", null), true);
    assertEquals(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "role2", null), true);
    try {
        assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role1", null, "sub1"), false);
        fail();
    } catch (Exception e) {
    }
    try {
        assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role2", null, "sub2"), false);
        fail();
    } catch (Exception e) {
    }
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role1", null, "role1-sub1"), true);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role2", null, "role2-sub2"), true);
    assertEquals(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "pulsar.super_user", null, "role3-sub1"), true);
    admin.namespaces().deleteNamespace("p1/c1/ns1");
    admin.properties().deleteProperty("p1");
    admin.clusters().deleteCluster("c1");
}
Also used : ClusterData(org.apache.pulsar.common.policies.data.ClusterData) PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) AuthorizationService(org.apache.pulsar.broker.authorization.AuthorizationService) AuthAction(org.apache.pulsar.common.policies.data.AuthAction) Test(org.testng.annotations.Test)

Aggregations

AuthorizationService (org.apache.pulsar.broker.authorization.AuthorizationService)14 Test (org.testng.annotations.Test)10 ByteBuf (io.netty.buffer.ByteBuf)7 ConfigurationCacheService (org.apache.pulsar.broker.cache.ConfigurationCacheService)4 CommandError (org.apache.pulsar.common.api.proto.PulsarApi.CommandError)4 Field (java.lang.reflect.Field)3 AuthenticationService (org.apache.pulsar.broker.authentication.AuthenticationService)3 PulsarAuthorizationProvider (org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider)3 TopicName (org.apache.pulsar.common.naming.TopicName)3 AuthAction (org.apache.pulsar.common.policies.data.AuthAction)3 ServiceConfiguration (org.apache.pulsar.broker.ServiceConfiguration)2 PersistentTopic (org.apache.pulsar.broker.service.persistent.PersistentTopic)2 CommandProducerSuccess (org.apache.pulsar.common.api.proto.PulsarApi.CommandProducerSuccess)2 CommandSuccess (org.apache.pulsar.common.api.proto.PulsarApi.CommandSuccess)2 ClusterData (org.apache.pulsar.common.policies.data.ClusterData)2 PropertyAdmin (org.apache.pulsar.common.policies.data.PropertyAdmin)2 ServerBootstrap (io.netty.bootstrap.ServerBootstrap)1 AdaptiveRecvByteBufAllocator (io.netty.channel.AdaptiveRecvByteBufAllocator)1 IOException (java.io.IOException)1 PulsarServerException (org.apache.pulsar.broker.PulsarServerException)1