
Example 1 with AuthenticationTls

Use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.

From the class ProxyWithAuthorizationTest, method createPulsarClient.

@SuppressWarnings("deprecation")
private PulsarClient createPulsarClient(String proxyServiceUrl, ClientBuilder clientBuilder) throws PulsarClientException {
    Map<String, String> authParams = Maps.newHashMap();
    authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
    authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
    Authentication authTls = new AuthenticationTls();
    authTls.configure(authParams);
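    // allowTlsInsecureConnection(true) makes the client accept untrusted server certificates from the proxy
    return clientBuilder.serviceUrl(proxyServiceUrl)
            .statsInterval(0, TimeUnit.SECONDS)
            .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH)
            .allowTlsInsecureConnection(true)
            .authentication(authTls)
            .enableTls(true)
            .build();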
}
Also used : AuthenticationTls(org.apache.pulsar.client.impl.auth.AuthenticationTls) Authentication(org.apache.pulsar.client.api.Authentication)

Example 2 with AuthenticationTls

Use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.

From the class ProxyWithoutServiceDiscoveryTest, method testDiscoveryService.

/**
 * <pre>
 * It verifies e2e TLS + Authentication + Authorization (client -> proxy -> broker)
 *
 * 1. client connects to proxy over TLS and passes auth-data
 * 2. proxy authenticates client, retrieves client-role
 *    and sends it to broker as originalPrincipal over TLS
 * 3. client creates producer/consumer via proxy
 * 4. broker authorizes producer/consumer create request using originalPrincipal
 *
 * </pre>
 *
 * @throws Exception
 */
@Test
public void testDiscoveryService() throws Exception {
    log.info("-- Starting {} test --", methodName);
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
    Map<String, String> authParams = Maps.newHashMap();
    authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
    authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
    Authentication authTls = new AuthenticationTls();
    authTls.configure(authParams);
    // create a client which connects to proxy over TLS and passes authData
    PulsarClient proxyClient = createPulsarClient(authTls, proxyServiceUrl);
    admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("without-service-discovery")));
    admin.namespaces().createNamespace("my-property/without-service-discovery/my-ns");
    Consumer<byte[]> consumer = proxyClient.newConsumer().topic("persistent://my-property/without-service-discovery/my-ns/my-topic1").subscriptionName("my-subscriber-name").subscribe();
    Producer<byte[]> producer = proxyClient.newProducer().topic("persistent://my-property/without-service-discovery/my-ns/my-topic1").create();
    final int msgs = 10;
    for (int i = 0; i < msgs; i++) {
        String message = "my-message-" + i;
        producer.send(message.getBytes());
    }
    Message<byte[]> msg = null;
    Set<String> messageSet = Sets.newHashSet();
    int count = 0;
    for (int i = 0; i < 10; i++) {
        msg = consumer.receive(5, TimeUnit.SECONDS);
        String receivedMessage = new String(msg.getData());
        log.debug("Received message: [{}]", receivedMessage);
        String expectedMessage = "my-message-" + i;
        testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
        count++;
    }
    // Acknowledge the consumption of all messages at once
    Assert.assertEquals(msgs, count);
    consumer.acknowledgeCumulative(msg);
    consumer.close();
    log.info("-- Exiting {} test --", methodName);
}
Also used : AuthenticationTls(org.apache.pulsar.client.impl.auth.AuthenticationTls) PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) Authentication(org.apache.pulsar.client.api.Authentication) PulsarClient(org.apache.pulsar.client.api.PulsarClient) Test(org.testng.annotations.Test)

Example 3 with AuthenticationTls

Use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.

From the class AuthenticatedProducerConsumerTest, method testAnonymousSyncProducerAndConsumer.

@Test(dataProvider = "batch")
public void testAnonymousSyncProducerAndConsumer(int batchMessageDelayMs) throws Exception {
    log.info("-- Starting {} test --", methodName);
    Map<String, String> authParams = new HashMap<>();
    authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
    authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
    Authentication authTls = new AuthenticationTls();
    authTls.configure(authParams);
    internalSetup(authTls);
    admin.clusters().createCluster("use", new ClusterData(brokerUrl.toString(), brokerUrlTls.toString(), "pulsar://localhost:" + BROKER_PORT, "pulsar+ssl://localhost:" + BROKER_PORT_TLS));
    admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("anonymousUser"), Sets.newHashSet("use")));
    // make a PulsarAdmin instance as "anonymousUser" for http request
    admin.close();
    ClientConfiguration clientConf = new ClientConfiguration();
    clientConf.setOperationTimeout(1, TimeUnit.SECONDS);
    admin = spy(new PulsarAdmin(brokerUrl, clientConf));
    admin.namespaces().createNamespace("my-property/use/my-ns");
    admin.persistentTopics().grantPermission("persistent://my-property/use/my-ns/my-topic", "anonymousUser", EnumSet.allOf(AuthAction.class));
    // setup the client
    pulsarClient.close();
    pulsarClient = PulsarClient.builder().serviceUrl("pulsar://localhost:" + BROKER_PORT).operationTimeout(1, TimeUnit.SECONDS).build();
    // unauthorized topic test
    Exception pulsarClientException = null;
    try {
        pulsarClient.newConsumer().topic("persistent://my-property/use/my-ns/other-topic").subscriptionName("my-subscriber-name").subscribe();
    } catch (Exception e) {
        pulsarClientException = e;
    }
    Assert.assertTrue(pulsarClientException instanceof PulsarClientException);
    testSyncProducerAndConsumer(batchMessageDelayMs);
    log.info("-- Exiting {} test --", methodName);
}
Also used : AuthenticationTls(org.apache.pulsar.client.impl.auth.AuthenticationTls) ClusterData(org.apache.pulsar.common.policies.data.ClusterData) PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) PulsarAdmin(org.apache.pulsar.client.admin.PulsarAdmin) PulsarAdminException(org.apache.pulsar.client.admin.PulsarAdminException) InternalServerErrorException(javax.ws.rs.InternalServerErrorException) AuthAction(org.apache.pulsar.common.policies.data.AuthAction) Test(org.testng.annotations.Test)

Example 4 with AuthenticationTls

Use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.

From the class BrokerServiceLookupTest, method testDiscoveryLookupTls.

/**
 * Verify discovery-service binary-proto lookup using tls
 *
 * @throws Exception
 */
@SuppressWarnings("deprecation")
@Test
public void testDiscoveryLookupTls() throws Exception {
    final String TLS_SERVER_CERT_FILE_PATH = "./src/test/resources/certificate/server.crt";
    final String TLS_SERVER_KEY_FILE_PATH = "./src/test/resources/certificate/server.key";
    final String TLS_CLIENT_CERT_FILE_PATH = "./src/test/resources/certificate/client.crt";
    final String TLS_CLIENT_KEY_FILE_PATH = "./src/test/resources/certificate/client.key";
    // (1) restart broker1 with tls enabled
    conf.setTlsAllowInsecureConnection(true);
    conf.setTlsEnabled(true);
    conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
    conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
    stopBroker();
    startBroker();
    // (2) start discovery service
    ServiceConfig config = new ServiceConfig();
    config.setServicePort(nextFreePort());
    config.setServicePortTls(nextFreePort());
    config.setTlsEnabled(true);
    config.setBindOnLocalhost(true);
    config.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
    config.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
    DiscoveryService discoveryService = spy(new DiscoveryService(config));
    doReturn(mockZooKeeperClientFactory).when(discoveryService).getZooKeeperClientFactory();
    discoveryService.start();
    // (3) lookup using discovery service
    final String discoverySvcUrl = discoveryService.getServiceUrlTls();
    Map<String, String> authParams = new HashMap<>();
    authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
    authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
    Authentication auth = new AuthenticationTls();
    auth.configure(authParams);
    PulsarClient pulsarClient2 = PulsarClient.builder().serviceUrl(discoverySvcUrl).authentication(auth).enableTls(true).allowTlsInsecureConnection(true).build();
    Consumer<byte[]> consumer = pulsarClient2.newConsumer().topic("persistent://my-property2/use2/my-ns/my-topic1").subscriptionName("my-subscriber-name").subscribe();
    Producer<byte[]> producer = pulsarClient2.newProducer().topic("persistent://my-property2/use2/my-ns/my-topic1").create();
    for (int i = 0; i < 10; i++) {
        String message = "my-message-" + i;
        producer.send(message.getBytes());
    }
    Message<byte[]> msg = null;
    Set<String> messageSet = Sets.newHashSet();
    for (int i = 0; i < 10; i++) {
        msg = consumer.receive(5, TimeUnit.SECONDS);
        String receivedMessage = new String(msg.getData());
        log.debug("Received message: [{}]", receivedMessage);
        String expectedMessage = "my-message-" + i;
        testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
    }
    // Acknowledge the consumption of all messages at once
    consumer.acknowledgeCumulative(msg);
    consumer.close();
    producer.close();
}
Also used : HashMap(java.util.HashMap) AuthenticationTls(org.apache.pulsar.client.impl.auth.AuthenticationTls) ServiceConfig(org.apache.pulsar.discovery.service.server.ServiceConfig) DiscoveryService(org.apache.pulsar.discovery.service.DiscoveryService) Test(org.testng.annotations.Test)

Example 5 with AuthenticationTls

Use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.

From the class BrokerServiceTest, method testTlsAuthDisallowInsecure.

@SuppressWarnings("deprecation")
@Test
public void testTlsAuthDisallowInsecure() throws Exception {
    final String topicName = "persistent://prop/usw/my-ns/newTopic";
    final String subName = "newSub";
    Authentication auth;
    Set<String> providers = new HashSet<>();
    providers.add("org.apache.pulsar.broker.authentication.AuthenticationProviderTls");
    conf.setAuthenticationEnabled(true);
    conf.setAuthenticationProviders(providers);
    conf.setTlsEnabled(true);
    conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
    conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
    conf.setTlsAllowInsecureConnection(false);
    restartBroker();
    Map<String, String> authParams = new HashMap<>();
    authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
    authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
    PulsarClient pulsarClient = null;
    // Case 1: Access without client certificate
    try {
        pulsarClient = PulsarClient.builder().serviceUrl(brokerUrlTls.toString()).enableTls(true).allowTlsInsecureConnection(true).statsInterval(0, TimeUnit.SECONDS).build();
        @Cleanup Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subName).subscribe();
        fail("should fail");
    } catch (Exception e) {
        assertTrue(e.getMessage().contains("Authentication required"));
    } finally {
        pulsarClient.close();
    }
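    // Case 2: Access with client certificate; the test expects this to be rejected as well,
    // with the broker restarted above using setTlsAllowInsecureConnection(false)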
    try {
        auth = new AuthenticationTls();
        auth.configure(authParams);
        pulsarClient = PulsarClient.builder().authentication(auth).serviceUrl(brokerUrlTls.toString()).enableTls(true).allowTlsInsecureConnection(true).statsInterval(0, TimeUnit.SECONDS).build();
        @Cleanup Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subName).subscribe();
        fail("should fail");
    } catch (Exception e) {
        assertTrue(e.getMessage().contains("Authentication required"));
    } finally {
        pulsarClient.close();
    }
}
Also used : AuthenticationTls(org.apache.pulsar.client.impl.auth.AuthenticationTls) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashMap(java.util.HashMap) Authentication(org.apache.pulsar.client.api.Authentication) PulsarClient(org.apache.pulsar.client.api.PulsarClient) Cleanup(lombok.Cleanup) TimeoutException(java.util.concurrent.TimeoutException) ManagedLedgerException(org.apache.bookkeeper.mledger.ManagedLedgerException) IOException(java.io.IOException) PersistenceException(org.apache.pulsar.broker.service.BrokerServiceException.PersistenceException) ExecutionException(java.util.concurrent.ExecutionException) HashSet(java.util.HashSet) Test(org.testng.annotations.Test)

Aggregations

AuthenticationTls (org.apache.pulsar.client.impl.auth.AuthenticationTls): 17
Authentication (org.apache.pulsar.client.api.Authentication): 10
Test (org.testng.annotations.Test): 10
HashMap (java.util.HashMap): 7
PropertyAdmin (org.apache.pulsar.common.policies.data.PropertyAdmin): 6
PulsarAdmin (org.apache.pulsar.client.admin.PulsarAdmin): 5
PulsarClient (org.apache.pulsar.client.api.PulsarClient): 5
ClusterData (org.apache.pulsar.common.policies.data.ClusterData): 5
HashSet (java.util.HashSet): 4
IOException (java.io.IOException): 3
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap): 3
ExecutionException (java.util.concurrent.ExecutionException): 3
TimeoutException (java.util.concurrent.TimeoutException): 3
InternalServerErrorException (javax.ws.rs.InternalServerErrorException): 3
Cleanup (lombok.Cleanup): 3
ManagedLedgerException (org.apache.bookkeeper.mledger.ManagedLedgerException): 3
PersistenceException (org.apache.pulsar.broker.service.BrokerServiceException.PersistenceException): 3
PulsarAdminException (org.apache.pulsar.client.admin.PulsarAdminException): 3
URI (java.net.URI): 1
URL (java.net.URL): 1