use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.
the class BrokerServiceTest method testTlsAuthAllowInsecure.
@SuppressWarnings("deprecation")
@Test
public void testTlsAuthAllowInsecure() throws Exception {
final String topicName = "persistent://prop/usw/my-ns/newTopic";
final String subName = "newSub";
Authentication auth;
Set<String> providers = new HashSet<>();
providers.add("org.apache.pulsar.broker.authentication.AuthenticationProviderTls");
conf.setAuthenticationEnabled(true);
conf.setAuthenticationProviders(providers);
conf.setTlsEnabled(true);
conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
conf.setTlsAllowInsecureConnection(true);
restartBroker();
Map<String, String> authParams = new HashMap<>();
authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
PulsarClient pulsarClient = null;
// Case 1: Access without client certificate
try {
pulsarClient = PulsarClient.builder().serviceUrl(brokerUrlTls.toString()).enableTls(true).allowTlsInsecureConnection(true).statsInterval(0, TimeUnit.SECONDS).build();
@Cleanup Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subName).subscribe();
fail("should fail");
} catch (Exception e) {
assertTrue(e.getMessage().contains("Authentication required"));
} finally {
pulsarClient.close();
}
// Case 2: Access with client certificate
try {
auth = new AuthenticationTls();
auth.configure(authParams);
pulsarClient = PulsarClient.builder().authentication(auth).serviceUrl(brokerUrlTls.toString()).enableTls(true).allowTlsInsecureConnection(true).statsInterval(0, TimeUnit.SECONDS).build();
@Cleanup Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subName).subscribe();
} catch (Exception e) {
fail("should not fail");
} finally {
pulsarClient.close();
}
}
use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.
the class BrokerServiceTest method testTlsAuthUseTrustCert.
@SuppressWarnings("deprecation")
@Test
public void testTlsAuthUseTrustCert() throws Exception {
final String topicName = "persistent://prop/usw/my-ns/newTopic";
final String subName = "newSub";
Authentication auth;
Set<String> providers = new HashSet<>();
providers.add("org.apache.pulsar.broker.authentication.AuthenticationProviderTls");
conf.setAuthenticationEnabled(true);
conf.setAuthenticationProviders(providers);
conf.setTlsEnabled(true);
conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
conf.setTlsAllowInsecureConnection(false);
conf.setTlsTrustCertsFilePath(TLS_CLIENT_CERT_FILE_PATH);
restartBroker();
Map<String, String> authParams = new HashMap<>();
authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
PulsarClient pulsarClient = null;
// Case 1: Access without client certificate
try {
pulsarClient = PulsarClient.builder().serviceUrl(brokerUrlTls.toString()).enableTls(true).allowTlsInsecureConnection(true).statsInterval(0, TimeUnit.SECONDS).build();
@Cleanup Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subName).subscribe();
fail("should fail");
} catch (Exception e) {
assertTrue(e.getMessage().contains("Authentication required"));
} finally {
pulsarClient.close();
}
// Case 2: Access with client certificate
try {
auth = new AuthenticationTls();
auth.configure(authParams);
pulsarClient = PulsarClient.builder().authentication(auth).serviceUrl(brokerUrlTls.toString()).enableTls(true).allowTlsInsecureConnection(true).statsInterval(0, TimeUnit.SECONDS).build();
@Cleanup Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subName).subscribe();
} catch (Exception e) {
fail("should not fail");
} finally {
pulsarClient.close();
}
}
use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.
the class WebServiceTest method setupEnv.
private void setupEnv(boolean enableFilter, String minApiVersion, boolean allowUnversionedClients, boolean enableTls, boolean enableAuth, boolean allowInsecure) throws Exception {
Set<String> providers = new HashSet<>();
providers.add("org.apache.pulsar.broker.authentication.AuthenticationProviderTls");
Set<String> roles = new HashSet<>();
roles.add("client");
ServiceConfiguration config = new ServiceConfiguration();
config.setAdvertisedAddress("localhost");
config.setWebServicePort(BROKER_WEBSERVICE_PORT);
config.setWebServicePortTls(BROKER_WEBSERVICE_PORT_TLS);
config.setClientLibraryVersionCheckEnabled(enableFilter);
config.setAuthenticationEnabled(enableAuth);
config.setAuthenticationProviders(providers);
config.setAuthorizationEnabled(false);
config.setSuperUserRoles(roles);
config.setTlsEnabled(enableTls);
config.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
config.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
config.setTlsAllowInsecureConnection(allowInsecure);
config.setTlsTrustCertsFilePath(allowInsecure ? "" : TLS_CLIENT_CERT_FILE_PATH);
config.setClusterName("local");
// TLS certificate expects localhost
config.setAdvertisedAddress("localhost");
config.setZookeeperServers("localhost:2181");
pulsar = spy(new PulsarService(config));
doReturn(new MockedZooKeeperClientFactoryImpl()).when(pulsar).getZooKeeperClientFactory();
doReturn(new MockedBookKeeperClientFactory()).when(pulsar).getBookKeeperClientFactory();
pulsar.start();
try {
pulsar.getZkClient().delete("/minApiVersion", -1);
} catch (Exception ex) {
}
pulsar.getZkClient().create("/minApiVersion", minApiVersion.getBytes(), null, CreateMode.PERSISTENT);
String serviceUrl = BROKER_URL_BASE;
ClientConfiguration clientConfig = new ClientConfiguration();
if (enableTls && enableAuth) {
serviceUrl = BROKER_URL_BASE_TLS;
Map<String, String> authParams = new HashMap<>();
authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
Authentication auth = new AuthenticationTls();
auth.configure(authParams);
clientConfig.setAuthentication(auth);
clientConfig.setUseTls(true);
clientConfig.setTlsAllowInsecureConnection(true);
}
PulsarAdmin pulsarAdmin = new PulsarAdmin(new URL(serviceUrl), clientConfig);
try {
pulsarAdmin.clusters().createCluster(config.getClusterName(), new ClusterData(pulsar.getWebServiceAddress()));
} catch (ConflictException ce) {
// This is OK.
} finally {
pulsarAdmin.close();
}
}
use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project athenz by yahoo.
the class AthenzPulsarClient method getClientConfiguration.
private static ClientConfigurationData getClientConfiguration(TlsConfig tlsConfig) {
ClientConfigurationData config = new ClientConfigurationData();
AuthenticationTls authenticationTls = new AuthenticationTls();
Map<String, String> authParams = new HashMap<>();
authParams.put("tlsKeyFile", tlsConfig.tlsKeyFilePath);
authParams.put("tlsCertFile", tlsConfig.tlsCertFilePath);
authenticationTls.configure(authParams);
config.setAuthentication(authenticationTls);
config.setTlsAllowInsecureConnection(false);
config.setTlsHostnameVerificationEnable(true);
config.setTlsTrustCertsFilePath(tlsConfig.tlsTrustCertsFilePath);
config.setUseTls(true);
return config;
}
use of org.apache.pulsar.client.impl.auth.AuthenticationTls in project incubator-pulsar by apache.
the class ProxyAuthenticatedProducerConsumerTest method testTlsSyncProducerAndConsumer.
/**
* <pre>
* It verifies e2e tls + Authentication + Authorization (client -> proxy -> broker>
*
* 1. client connects to proxy over tls and pass auth-data
* 2. proxy authenticate client and retrieve client-role
* and send it to broker as originalPrincipal over tls
* 3. client creates producer/consumer via proxy
* 4. broker authorize producer/consumer create request using originalPrincipal
*
* </pre>
*
* @throws Exception
*/
@SuppressWarnings("deprecation")
@Test
public void testTlsSyncProducerAndConsumer() throws Exception {
log.info("-- Starting {} test --", methodName);
final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
Map<String, String> authParams = Maps.newHashMap();
authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
// create a client which connects to proxy over tls and pass authData
PulsarClient proxyClient = createPulsarClient(authTls, proxyServiceUrl);
admin.clusters().createCluster(configClusterName, new ClusterData(brokerUrl.toString(), brokerUrlTls.toString(), "pulsar://localhost:" + BROKER_PORT, "pulsar+ssl://localhost:" + BROKER_PORT_TLS));
admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("use")));
admin.namespaces().createNamespace("my-property/use/my-ns");
Consumer<byte[]> consumer = proxyClient.newConsumer().topic("persistent://my-property/use/my-ns/my-topic1").subscriptionName("my-subscriber-name").subscribe();
Producer<byte[]> producer = proxyClient.newProducer().topic("persistent://my-property/use/my-ns/my-topic1").create();
final int msgs = 10;
for (int i = 0; i < msgs; i++) {
String message = "my-message-" + i;
producer.send(message.getBytes());
}
Message<byte[]> msg = null;
Set<String> messageSet = Sets.newHashSet();
int count = 0;
for (int i = 0; i < 10; i++) {
msg = consumer.receive(5, TimeUnit.SECONDS);
String receivedMessage = new String(msg.getData());
log.debug("Received message: [{}]", receivedMessage);
String expectedMessage = "my-message-" + i;
testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
count++;
}
// Acknowledge the consumption of all messages at once
Assert.assertEquals(msgs, count);
consumer.acknowledgeCumulative(msg);
consumer.close();
log.info("-- Exiting {} test --", methodName);
}
Aggregations