use of org.apache.pulsar.client.impl.auth.AuthenticationToken in project pulsar by apache.
the class PulsarFunctionE2ESecurityTest method testAuthorization.
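/**
 * End-to-end check that the Functions admin API enforces per-subject authorization.
 *
 * <p>Two tokens are minted from the same {@code secretKey}: one for {@code SUBJECT} (used by
 * {@code admin1}) and one for {@code "wrong-subject"} (used by {@code admin2}). Because both are
 * signed with the same key, the rejections asserted below are presumably authorization decisions
 * on the token subject rather than signature failures; confirm against the broker setup.
 *
 * <p>Flow: {@code admin1} is denied before any grant, is allowed once {@code functions},
 * {@code produce} and {@code consume} are granted on the namespace, and {@code admin2} is denied
 * on every Functions operation throughout (create, update, get, status, stats, list, trigger,
 * restart, stop, start, delete).
 *
 * <p>Every denial block catches only {@link PulsarAdminException.NotAuthorizedException}. A call
 * that unexpectedly succeeds hits {@code fail(...)}, and a call that fails with any other
 * exception propagates out of the test, so neither can be mistaken for a correct denial.
 *
 * @throws Exception if any admin or client call fails in a way the test does not expect
 */
@Test
public void testAuthorization() throws Exception {
    String token1 = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
    String token2 = AuthTokenUtils.createToken(secretKey, "wrong-subject", Optional.empty());
    final String replNamespace = TENANT + "/" + NAMESPACE;
    final String sourceTopic = "persistent://" + replNamespace + "/my-topic1";
    final String sinkTopic = "persistent://" + replNamespace + "/output";
    final String propertyKey = "key";
    final String propertyValue = "value";
    final String functionName = "PulsarFunction-test";
    final String subscriptionName = "test-sub";

    // One admin client per identity: admin1 carries SUBJECT, admin2 carries "wrong-subject".
    AuthenticationToken authToken1 = new AuthenticationToken();
    authToken1.configure("token:" + token1);
    AuthenticationToken authToken2 = new AuthenticationToken();
    authToken2.configure("token:" + token2);

    try (PulsarAdmin admin1 = spy(PulsarAdmin.builder().serviceHttpUrl(brokerServiceUrl).authentication(authToken1).build());
            PulsarAdmin admin2 = spy(PulsarAdmin.builder().serviceHttpUrl(brokerServiceUrl).authentication(authToken2).build())) {
        String jarFilePathUrl = getPulsarApiExamplesJar().toURI().toString();
        FunctionConfig functionConfig = createFunctionConfig(TENANT, NAMESPACE, functionName, sourceTopic, sinkTopic, subscriptionName);

        // Default-deny: admin1 has no grant yet, so create must be rejected.
        try {
            admin1.functions().createFunctionWithUrl(functionConfig, jarFilePathUrl);
            fail("client admin shouldn't have permissions to create function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }

        // Grant SUBJECT the three actions on the namespace.
        Set<AuthAction> actions = new HashSet<>();
        actions.add(AuthAction.functions);
        actions.add(AuthAction.produce);
        actions.add(AuthAction.consume);
        superUserAdmin.namespaces().grantPermissionOnNamespace(replNamespace, SUBJECT, actions);

        // The grant takes effect for admin1 ...
        admin1.functions().createFunctionWithUrl(functionConfig, jarFilePathUrl);

        // ... and does not leak to a different subject.
        try {
            admin2.functions().createFunctionWithUrl(functionConfig, jarFilePathUrl);
            fail("client admin shouldn't have permissions to create function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }

        // Creating on another tenant should also fail.
        // NOTE(review): this uses admin2, which holds no grant anywhere, so it repeats the check
        // above with a different tenant. Issuing the same call with admin1 would additionally show
        // that the grant on TENANT/NAMESPACE does not extend to TENANT2; confirm and consider adding.
        try {
            admin2.functions().createFunctionWithUrl(createFunctionConfig(TENANT2, NAMESPACE, functionName, sourceTopic, sinkTopic, subscriptionName), jarFilePathUrl);
            fail("client admin shouldn't have permissions to create function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }

        // Wait until one instance is running and its subscription exists on the source topic.
        assertTrue(retryStrategically((test) -> {
            try {
                return admin1.functions().getFunctionStatus(TENANT, NAMESPACE, functionName).getNumRunning() == 1
                        && admin1.topics().getStats(sourceTopic).getSubscriptions().size() == 1;
            } catch (PulsarAdminException e) {
                return false;
            }
        }, 50, 150));
        // validate pulsar sink consumer has started on the topic
        assertEquals(admin1.topics().getStats(sourceTopic).getSubscriptions().size(), 1);

        // create a producer that creates a topic at broker
        try (Producer<String> producer = pulsarClient.newProducer(Schema.STRING).topic(sourceTopic).create();
                Consumer<String> consumer = pulsarClient.newConsumer(Schema.STRING).topic(sinkTopic).subscriptionName("sub").subscribe()) {
            int totalMsgs = 5;
            for (int i = 0; i < totalMsgs; i++) {
                String data = "my-message-" + i;
                producer.newMessage().property(propertyKey, propertyValue).value(data).send();
            }
            // Best-effort wait for the function to ack its input; the result is deliberately not asserted.
            retryStrategically((test) -> {
                try {
                    SubscriptionStats subStats = admin1.topics().getStats(sourceTopic).getSubscriptions().get(subscriptionName);
                    return subStats.getUnackedMessages() == 0;
                } catch (PulsarAdminException e) {
                    return false;
                }
            }, 50, 150);
            Message<String> msg = consumer.receive(5, TimeUnit.SECONDS);
            // receive() with a timeout yields null when nothing arrived; fail with a clear message
            // instead of a NullPointerException on the next line.
            assertTrue(msg != null, "no message received on the sink topic within the timeout");
            String receivedPropertyValue = msg.getProperty(propertyKey);
            assertEquals(propertyValue, receivedPropertyValue);
            // validate pulsar-sink consumer has consumed all messages and delivered to Pulsar sink but unacked
            // messages due to publish failure
            // NOTE(review): the assertion only checks that the unacked count differs from totalMsgs.
            assertNotEquals(admin1.topics().getStats(sourceTopic).getSubscriptions().values().iterator().next().getUnackedMessages(), totalMsgs);
        }

        // test update functions
        functionConfig.setParallelism(2);
        // admin2 should still fail
        try {
            admin2.functions().updateFunctionWithUrl(functionConfig, jarFilePathUrl);
            fail("client admin shouldn't have permissions to update function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().updateFunctionWithUrl(functionConfig, jarFilePathUrl);
        assertTrue(retryStrategically((test) -> {
            try {
                return admin1.functions().getFunctionStatus(TENANT, NAMESPACE, functionName).getNumRunning() == 2;
            } catch (PulsarAdminException e) {
                return false;
            }
        }, 50, 150));

        // test getFunctionInfo
        try {
            admin2.functions().getFunction(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to get function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().getFunction(TENANT, NAMESPACE, functionName);

        // test getFunctionInstanceStatus
        try {
            admin2.functions().getFunctionStatus(TENANT, NAMESPACE, functionName, 0);
            fail("client admin shouldn't have permissions to get function status");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().getFunctionStatus(TENANT, NAMESPACE, functionName, 0);

        // test getFunctionStatus
        try {
            admin2.functions().getFunctionStatus(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to get function status");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().getFunctionStatus(TENANT, NAMESPACE, functionName);

        // test getFunctionStats
        try {
            admin2.functions().getFunctionStats(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to get function stats");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().getFunctionStats(TENANT, NAMESPACE, functionName);

        // test getFunctionInstanceStats
        try {
            admin2.functions().getFunctionStats(TENANT, NAMESPACE, functionName, 0);
            fail("client admin shouldn't have permissions to get function stats");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().getFunctionStats(TENANT, NAMESPACE, functionName, 0);

        // test listFunctions
        try {
            admin2.functions().getFunctions(TENANT, NAMESPACE);
            fail("client admin shouldn't have permissions to list functions");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().getFunctions(TENANT, NAMESPACE);

        // test triggerFunction
        try {
            admin2.functions().triggerFunction(TENANT, NAMESPACE, functionName, sourceTopic, "foo", null);
            fail("client admin shouldn't have permissions to trigger function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().triggerFunction(TENANT, NAMESPACE, functionName, sourceTopic, "foo", null);

        // test restartFunctionInstance
        try {
            admin2.functions().restartFunction(TENANT, NAMESPACE, functionName, 0);
            fail("client admin shouldn't have permissions to restart function instance");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().restartFunction(TENANT, NAMESPACE, functionName, 0);

        // test restartFunctionInstances
        try {
            admin2.functions().restartFunction(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to restart function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().restartFunction(TENANT, NAMESPACE, functionName);

        // test stopFunction instance
        try {
            admin2.functions().stopFunction(TENANT, NAMESPACE, functionName, 0);
            fail("client admin shouldn't have permissions to stop function instance");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().stopFunction(TENANT, NAMESPACE, functionName, 0);

        // test stopFunction all instance
        try {
            admin2.functions().stopFunction(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to stop function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().stopFunction(TENANT, NAMESPACE, functionName);

        // test startFunction instance
        // The start endpoints are exercised directly here; the earlier version of this section
        // called restartFunction for the permitted path, leaving start's allow path untested.
        try {
            admin2.functions().startFunction(TENANT, NAMESPACE, functionName, 0);
            fail("client admin shouldn't have permissions to start function instance");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().startFunction(TENANT, NAMESPACE, functionName, 0);

        // test startFunction all instances
        try {
            admin2.functions().startFunction(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to start function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        admin1.functions().startFunction(TENANT, NAMESPACE, functionName);

        // admin2 should still fail
        try {
            admin2.functions().deleteFunction(TENANT, NAMESPACE, functionName);
            fail("client admin shouldn't have permissions to delete function");
        } catch (PulsarAdminException.NotAuthorizedException expected) {
            // expected: the request was rejected as unauthorized
        }
        try {
            admin1.functions().deleteFunction(TENANT, NAMESPACE, functionName);
        } catch (PulsarAdminException e) {
            // This happens because the request becomes outdated. Lets retry again
            admin1.functions().deleteFunction(TENANT, NAMESPACE, functionName);
        }

        // Deleting the function must also remove its subscription from the source topic.
        assertTrue(retryStrategically((test) -> {
            try {
                TopicStats stats = admin1.topics().getStats(sourceTopic);
                boolean done = stats.getSubscriptions().size() == 0;
                if (!done) {
                    log.info("Topic subscription is not cleaned up yet : {}", stats);
                }
                return done;
            } catch (PulsarAdminException e) {
                return false;
            }
        }, 50, 150));
    }
}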
use of org.apache.pulsar.client.impl.auth.AuthenticationToken in project mop by streamnative.
the class TokenAuthenticationConfig method afterSetup.
/**
 * Creates the Pulsar client and the admin client used by the tests, both authenticating with
 * the same token.
 *
 * <p>The token is handed to {@link AuthenticationToken#configure} in the {@code "token:<value>"}
 * form. Stats reporting is switched off on the client by setting the interval to zero, and the
 * admin client is wrapped in a spy.
 *
 * @throws Exception if either client cannot be built
 */
@Override
public void afterSetup() throws Exception {
    AuthenticationToken tokenAuth = new AuthenticationToken();
    tokenAuth.configure("token:" + token);

    pulsarClient = PulsarClient.builder()
            .serviceUrl(brokerUrl.toString())
            .authentication(tokenAuth)
            .statsInterval(0, TimeUnit.SECONDS)
            .build();

    admin = spy(
            PulsarAdmin.builder()
                    .serviceHttpUrl(brokerUrl.toString())
                    .authentication(tokenAuth)
                    .build());
}
use of org.apache.pulsar.client.impl.auth.AuthenticationToken in project pulsar by yahoo.
the class PulsarFunctionE2ESecurityTest method setup.
/**
 * Starts a local BookKeeper ensemble and a broker with token authentication and authorization
 * enabled, then provisions the clusters, tenants and namespaces the tests operate on.
 *
 * <p>A fresh HS256 secret key is generated on every invocation and given to the broker through
 * the {@code tokenSecretKey} property; the super-user token is minted from that same key. The
 * broker's internal client and {@code superUserAdmin} both authenticate with that token.
 *
 * @param method the test method about to run; only its name is logged
 * @throws Exception if any component fails to start or any admin call fails
 */
@BeforeMethod
void setup(Method method) throws Exception {
    log.info("--- Setting up method {} ---", method.getName());

    // Start local bookkeeper ensemble
    bkEnsemble = new LocalBookkeeperEnsemble(3, 0, () -> 0);
    bkEnsemble.start();

    // --- broker configuration -------------------------------------------------------------
    config = spy(ServiceConfiguration.class);
    config.setClusterName("use");
    Set<String> superUserRoles = Sets.newHashSet(ADMIN_SUBJECT);
    config.setSuperUserRoles(superUserRoles);
    config.setWebServicePort(Optional.of(0));
    config.setZookeeperServers("127.0.0.1" + ":" + bkEnsemble.getZookeeperPort());
    config.setBrokerShutdownTimeoutMs(0L);
    config.setLoadBalancerOverrideBrokerNicSpeedGbps(Optional.of(1.0d));
    config.setBrokerServicePort(Optional.of(0));
    config.setLoadManagerClassName(SimpleLoadManagerImpl.class.getName());
    config.setAdvertisedAddress("localhost");
    config.setAllowAutoTopicCreationType("non-partitioned");

    // Token authentication plus the Pulsar authorization provider; both are switched on explicitly.
    Set<String> authProviders = new HashSet<>();
    authProviders.add(AuthenticationProviderToken.class.getName());
    config.setAuthenticationEnabled(true);
    config.setAuthenticationProviders(authProviders);
    config.setAuthorizationEnabled(true);
    config.setAuthorizationProvider(PulsarAuthorizationProvider.class.getName());
    config.setAnonymousUserRole(ANONYMOUS_ROLE);

    // Symmetric signing key: the broker receives it base64-encoded, the tests keep the raw key
    // in a field so they can mint tokens for arbitrary subjects.
    secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
    Properties brokerProperties = new Properties();
    brokerProperties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
    config.setProperties(brokerProperties);

    // The broker's own client authenticates as the super user.
    adminToken = AuthTokenUtils.createToken(secretKey, ADMIN_SUBJECT, Optional.empty());
    config.setBrokerClientAuthenticationPlugin(AuthenticationToken.class.getName());
    config.setBrokerClientAuthenticationParameters("token:" + adminToken);

    // --- start broker with an embedded functions worker -------------------------------------
    functionsWorkerService = createPulsarFunctionWorker(config);
    Optional<WorkerService> embeddedWorker = Optional.of(functionsWorkerService);
    pulsar = new PulsarService(config, workerConfig, embeddedWorker, (exitCode) -> {
    });
    pulsar.start();

    brokerServiceUrl = pulsar.getWebServiceAddress();
    brokerWebServiceUrl = new URL(brokerServiceUrl);

    // --- super-user admin client ---------------------------------------------------------------
    AuthenticationToken adminAuth = new AuthenticationToken();
    adminAuth.configure("token:" + adminToken);
    superUserAdmin = spy(
            PulsarAdmin.builder()
                    .serviceHttpUrl(brokerServiceUrl)
                    .authentication(adminAuth)
                    .build());
    brokerStatsClient = superUserAdmin.brokerStats();
    primaryHost = pulsar.getWebServiceAddress();

    // update cluster metadata
    ClusterData localCluster = ClusterData.builder()
            .serviceUrl(brokerWebServiceUrl.toString())
            .build();
    superUserAdmin.clusters().updateCluster(config.getClusterName(), localCluster);

    // --- data-plane client, authenticated only when the worker config supplies credentials ------
    ClientBuilder clientBuilder = PulsarClient.builder()
            .serviceUrl(this.workerConfig.getPulsarServiceUrl())
            .operationTimeout(1000, TimeUnit.MILLISECONDS);
    if (isNotBlank(workerConfig.getBrokerClientAuthenticationPlugin())
            && isNotBlank(workerConfig.getBrokerClientAuthenticationParameters())) {
        clientBuilder.authentication(
                workerConfig.getBrokerClientAuthenticationPlugin(),
                workerConfig.getBrokerClientAuthenticationParameters());
    }
    // Close a client left over from a previous invocation before replacing it.
    if (pulsarClient != null) {
        pulsarClient.close();
    }
    pulsarClient = clientBuilder.build();

    // --- primary tenant: ADMIN_SUBJECT is its admin role --------------------------------------
    TenantInfo primaryTenant = TenantInfo.builder()
            .adminRoles(Collections.singleton(ADMIN_SUBJECT))
            .allowedClusters(Collections.singleton("use"))
            .build();
    superUserAdmin.tenants().updateTenant(TENANT, primaryTenant);
    final String replNamespace = TENANT + "/" + NAMESPACE;
    superUserAdmin.namespaces().createNamespace(replNamespace);
    Set<String> replicationClusters = Sets.newHashSet(Lists.newArrayList("use"));
    superUserAdmin.namespaces().setNamespaceReplicationClusters(replNamespace, replicationClusters);

    // create another test tenant and namespace (built without any admin roles)
    TenantInfo secondTenant = TenantInfo.builder()
            .allowedClusters(Collections.singleton("use"))
            .build();
    superUserAdmin.tenants().createTenant(TENANT2, secondTenant);
    superUserAdmin.namespaces().createNamespace(TENANT2 + "/" + NAMESPACE);

    // Block until the functions worker reports itself as leader, polling once per second.
    while (!functionsWorkerService.getLeaderService().isLeader()) {
        Thread.sleep(1000);
    }
}
use of org.apache.pulsar.client.impl.auth.AuthenticationToken in project pulsar by yahoo.
the class ClientConfigurationDataTest method testDoNotPrintSensitiveInfo.
/**
 * Verifies that serializing a {@code ClientConfigurationData} does not expose secrets.
 *
 * <p>Three distinct marker values are stored as the trust-store password, the SOCKS5 proxy
 * password and the authentication token. The serialized output must contain none of them, and
 * must not contain the substring {@code "Password"} either.
 *
 * @throws JsonProcessingException if the writer fails to serialize the configuration
 */
@Test
public void testDoNotPrintSensitiveInfo() throws JsonProcessingException {
    ClientConfigurationData conf = new ClientConfigurationData();
    conf.setTlsTrustStorePassword("xxxx");
    conf.setSocks5ProxyPassword("yyyy");
    conf.setAuthentication(new AuthenticationToken("zzzz"));

    String serialized = w.writeValueAsString(conf);

    // Checked in this order: the field-name fragment first, then each secret marker.
    for (String forbidden : new String[] {"Password", "xxxx", "yyyy", "zzzz"}) {
        Assert.assertFalse(serialized.contains(forbidden));
    }
}
use of org.apache.pulsar.client.impl.auth.AuthenticationToken in project incubator-pulsar by apache.
the class ClearTextFunctionTokenAuthProviderTest method testClearTextAuth.
/**
 * Round-trips a token through {@code ClearTextFunctionTokenAuthProvider}.
 *
 * <p>The provider is given an authentication data source whose command data is
 * {@code "test-token"}. The test then checks that the cached auth data holds the token bytes,
 * that the generated client configuration names {@link AuthenticationToken} as the plugin with
 * {@code "token:test-token"} as its parameters, and that an {@link AuthenticationToken}
 * configured from those parameters yields the original token again.
 *
 * @throws Exception if the provider or the authentication plugin throws
 */
@Test
public void testClearTextAuth() throws Exception {
    final String rawToken = "test-token";
    ClearTextFunctionTokenAuthProvider provider = new ClearTextFunctionTokenAuthProvider();
    Function.FunctionDetails details = Function.FunctionDetails.newBuilder()
            .setTenant("test-tenant")
            .setNamespace("test-ns")
            .setName("test-func")
            .build();

    // Stub data source that reports command data and returns the token as that data.
    AuthenticationDataSource commandSource = new AuthenticationDataSource() {
        @Override
        public boolean hasDataFromCommand() {
            return true;
        }

        @Override
        public String getCommandData() {
            return rawToken;
        }
    };

    Optional<FunctionAuthData> cached = provider.cacheAuthData(details, commandSource);
    Assert.assertTrue(cached.isPresent());
    Assert.assertEquals(cached.get().getData(), rawToken.getBytes());

    AuthenticationConfig clientAuthConfig = AuthenticationConfig.builder().build();
    provider.configureAuthenticationConfig(clientAuthConfig, cached);
    Assert.assertEquals(clientAuthConfig.getClientAuthenticationPlugin(), AuthenticationToken.class.getName());
    Assert.assertEquals(clientAuthConfig.getClientAuthenticationParameters(), "token:test-token");

    // Feed the generated parameters back into the client plugin and read the token out again.
    AuthenticationToken plugin = new AuthenticationToken();
    plugin.configure(clientAuthConfig.getClientAuthenticationParameters());
    Assert.assertEquals(plugin.getAuthData().getCommandData(), rawToken);
}