
Example 51 with ClusterData

use of org.apache.pulsar.common.policies.data.ClusterData in project incubator-pulsar by apache.

the class NamespacesTest method setup.

/**
 * Builds the per-test fixture: starts the mocked broker via the parent class, wraps a
 * {@code Namespaces} admin resource in a Mockito spy, and seeds clusters, a property and
 * the test namespaces through the admin client.
 *
 * <p>Security-relevant stubbing: {@code validateAdminAccessOnProperty} is replaced with a
 * no-op for the three property names listed below and {@code isRequestHttps()} is forced to
 * {@code false}. Calls made through this spy with those property names therefore skip the
 * real admin-access check, so tests relying on this fixture do not exercise it for them.
 *
 * @throws Exception if the parent setup or any admin call fails
 */
@Override
@BeforeMethod
public void setup() throws Exception {
    super.internalSetup();

    // Spy on a real resource so individual collaborators can be swapped out below.
    namespaces = spy(new Namespaces());
    namespaces.setServletContext(new MockServletContext());
    namespaces.setPulsar(pulsar);

    // Both ZooKeeper accessors hand back the same mock instance.
    doReturn(mockZookKeeper).when(namespaces).globalZk();
    doReturn(mockZookKeeper).when(namespaces).localZk();

    // Caches come from the broker created by internalSetup().
    doReturn(pulsar.getConfigurationCache().propertiesCache()).when(namespaces).propertiesCache();
    doReturn(pulsar.getConfigurationCache().policiesCache()).when(namespaces).policiesCache();

    // Request context: plain HTTP, caller identified as "test".
    doReturn(false).when(namespaces).isRequestHttps();
    doReturn("test").when(namespaces).clientAppId();
    doReturn(Sets.newTreeSet(Lists.newArrayList("use", "usw", "usc", "global"))).when(namespaces).clusters();

    // Admin-access validation is disabled for exactly these property names.
    for (String propertyName : new String[] {"my-property", "other-property", "new-property"}) {
        doNothing().when(namespaces).validateAdminAccessOnProperty(propertyName);
    }

    // Register the three clusters, each with its own broker web-service URL.
    for (String clusterName : new String[] {"use", "usw", "usc"}) {
        admin.clusters().createCluster(
                clusterName, new ClusterData("http://broker-" + clusterName + ".com:" + BROKER_WEBSERVICE_PORT));
    }

    // The test property is administered by role1/role2 and allowed on all three clusters.
    PropertyAdmin propertyAdmin =
            new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usc", "usw"));
    admin.properties().createProperty(this.testProperty, propertyAdmin);

    createTestNamespaces(this.testProperty, this.testLocalNamespaces, new BundlesData());
    createGlobalTestNamespaces(
            this.testProperty, this.testGlobalNamespaces.get(0).getLocalName(), new BundlesData());

    nsSvc = pulsar.getNamespaceService();
}
Also used : Namespaces(org.apache.pulsar.broker.admin.v1.Namespaces) ClusterData(org.apache.pulsar.common.policies.data.ClusterData) PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) BundlesData(org.apache.pulsar.common.policies.data.BundlesData) BeforeMethod(org.testng.annotations.BeforeMethod)

Example 52 with ClusterData

use of org.apache.pulsar.common.policies.data.ClusterData in project incubator-pulsar by apache.

the class AuthorizationTest method simple.

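/**
 * Exercises {@code AuthorizationService} lookup/produce/consume decisions for namespace-level
 * and topic-level grants, wildcard role patterns, and the {@code Prefix} subscription auth mode.
 *
 * <p>What the assertions pin down:
 * <ul>
 *   <li>A role with no grant is denied lookup, produce and consume.</li>
 *   <li>Lookup is allowed as soon as a role holds either produce or consume.</li>
 *   <li>A topic-level grant on one topic does not apply to a sibling topic.</li>
 *   <li>A role pattern with a trailing or leading {@code *} matches only roles sharing that
 *       prefix or suffix, and grants only the listed action.</li>
 *   <li>With {@code SubscriptionAuthMode.Prefix}, consuming with a subscription name that does
 *       not start with the role name is rejected with an exception.</li>
 * </ul>
 *
 * <p>The original listing asserted {@code "2.role.other"} twice in each suffix section; the
 * first of each pair now checks {@code "1.role.other"} so that two distinct non-matching
 * roles are covered, mirroring the prefix sections.
 *
 * @throws Exception if any admin call fails
 */
@Test
void simple() throws Exception {
    final String namespace = "p1/c1/ns1";
    final String ds1Name = "persistent://p1/c1/ns1/ds1";
    final String ds2Name = "persistent://p1/c1/ns1/ds2";
    final TopicName ds1 = TopicName.get(ds1Name);
    final TopicName ds2 = TopicName.get(ds2Name);

    AuthorizationService auth = pulsar.getBrokerService().getAuthorizationService();

    // Default deny: nothing exists yet, so the role must not be able to look the topic up.
    assertEquals(auth.canLookup(ds1, "my-role", null), false);

    admin.clusters().createCluster("c1", new ClusterData());
    admin.properties().createProperty("p1", new PropertyAdmin(Lists.newArrayList("role1"), Sets.newHashSet("c1")));
    waitForChange();
    admin.namespaces().createNamespace(namespace);
    waitForChange();

    // Creating the namespace alone grants nothing.
    assertEquals(auth.canLookup(ds1, "my-role", null), false);

    // Namespace-level produce grant: lookup and produce become allowed.
    admin.namespaces().grantPermissionOnNamespace(namespace, "my-role", EnumSet.of(AuthAction.produce));
    waitForChange();
    assertEquals(auth.canLookup(ds1, "my-role", null), true);
    assertEquals(auth.canProduce(ds1, "my-role", null), true);

    // Topic-level consume grant on ds2 only: consume/lookup allowed, produce still denied.
    admin.persistentTopics().grantPermission(ds2Name, "other-role", EnumSet.of(AuthAction.consume));
    waitForChange();
    assertEquals(auth.canLookup(ds2, "other-role", null), true);
    assertEquals(auth.canProduce(ds1, "my-role", null), true);
    assertEquals(auth.canProduce(ds2, "other-role", null), false);
    assertEquals(auth.canConsume(ds2, "other-role", null, null), true);
    assertEquals(auth.canConsume(ds2, "no-access-role", null, null), false);
    assertEquals(auth.canLookup(ds1, "no-access-role", null), false);

    // Widen my-role to every action on the namespace.
    admin.namespaces().grantPermissionOnNamespace(namespace, "my-role", EnumSet.allOf(AuthAction.class));
    waitForChange();
    assertEquals(auth.canProduce(ds1, "my-role", null), true);
    assertEquals(auth.canConsume(ds1, "my-role", null, null), true);

    // ---- wildcard roles: namespace prefix match ----
    // Before the grant, the exact-name grant for "my-role" must not leak to "my.role.N".
    assertEquals(auth.canLookup(ds1, "my.role.1", null), false);
    assertEquals(auth.canLookup(ds1, "my.role.2", null), false);
    assertEquals(auth.canProduce(ds1, "my.role.1", null), false);
    assertEquals(auth.canConsume(ds1, "my.role.1", null, null), false);
    assertEquals(auth.canLookup(ds1, "other.role.1", null), false);
    assertEquals(auth.canLookup(ds1, "other.role.2", null), false);
    admin.namespaces().grantPermissionOnNamespace(namespace, "my.role.*", EnumSet.of(AuthAction.produce));
    waitForChange();
    // Only roles starting with "my.role." match, and only for produce (plus lookup).
    assertEquals(auth.canLookup(ds1, "my.role.1", null), true);
    assertEquals(auth.canLookup(ds1, "my.role.2", null), true);
    assertEquals(auth.canProduce(ds1, "my.role.1", null), true);
    assertEquals(auth.canConsume(ds1, "my.role.1", null, null), false);
    assertEquals(auth.canLookup(ds1, "other.role.1", null), false);
    assertEquals(auth.canLookup(ds1, "other.role.2", null), false);

    // ---- wildcard roles: namespace suffix match ----
    assertEquals(auth.canLookup(ds1, "1.role.my", null), false);
    assertEquals(auth.canLookup(ds1, "2.role.my", null), false);
    assertEquals(auth.canProduce(ds1, "1.role.my", null), false);
    assertEquals(auth.canConsume(ds1, "1.role.my", null, null), false);
    assertEquals(auth.canLookup(ds1, "1.role.other", null), false);
    assertEquals(auth.canLookup(ds1, "2.role.other", null), false);
    admin.namespaces().grantPermissionOnNamespace(namespace, "*.role.my", EnumSet.of(AuthAction.consume));
    waitForChange();
    // Only roles ending with ".role.my" match, and only for consume (plus lookup).
    assertEquals(auth.canLookup(ds1, "1.role.my", null), true);
    assertEquals(auth.canLookup(ds1, "2.role.my", null), true);
    assertEquals(auth.canProduce(ds1, "1.role.my", null), false);
    assertEquals(auth.canConsume(ds1, "1.role.my", null, null), true);
    assertEquals(auth.canLookup(ds1, "1.role.other", null), false);
    assertEquals(auth.canLookup(ds1, "2.role.other", null), false);

    // Revoke the namespace-level wildcards so the topic-level sections start from a clean state.
    admin.namespaces().revokePermissionsOnNamespace(namespace, "my.role.*");
    admin.namespaces().revokePermissionsOnNamespace(namespace, "*.role.my");
    waitForChange();

    // ---- wildcard roles: topic prefix match ----
    // The revocation above must have taken effect on both topics.
    assertEquals(auth.canLookup(ds1, "my.role.1", null), false);
    assertEquals(auth.canLookup(ds1, "my.role.2", null), false);
    assertEquals(auth.canProduce(ds1, "my.role.1", null), false);
    assertEquals(auth.canConsume(ds1, "my.role.1", null, null), false);
    assertEquals(auth.canLookup(ds1, "other.role.1", null), false);
    assertEquals(auth.canLookup(ds1, "other.role.2", null), false);
    assertEquals(auth.canLookup(ds2, "my.role.1", null), false);
    assertEquals(auth.canLookup(ds2, "my.role.2", null), false);
    admin.persistentTopics().grantPermission(ds1Name, "my.*", EnumSet.of(AuthAction.produce));
    waitForChange();
    // The wildcard grant is scoped to ds1; ds2 stays denied.
    assertEquals(auth.canLookup(ds1, "my.role.1", null), true);
    assertEquals(auth.canLookup(ds1, "my.role.2", null), true);
    assertEquals(auth.canProduce(ds1, "my.role.1", null), true);
    assertEquals(auth.canConsume(ds1, "my.role.1", null, null), false);
    assertEquals(auth.canLookup(ds1, "other.role.1", null), false);
    assertEquals(auth.canLookup(ds1, "other.role.2", null), false);
    assertEquals(auth.canLookup(ds2, "my.role.1", null), false);
    assertEquals(auth.canLookup(ds2, "my.role.2", null), false);

    // ---- wildcard roles: topic suffix match ----
    assertEquals(auth.canLookup(ds1, "1.role.my", null), false);
    assertEquals(auth.canLookup(ds1, "2.role.my", null), false);
    assertEquals(auth.canProduce(ds1, "1.role.my", null), false);
    assertEquals(auth.canConsume(ds1, "1.role.my", null, null), false);
    assertEquals(auth.canLookup(ds1, "1.role.other", null), false);
    assertEquals(auth.canLookup(ds1, "2.role.other", null), false);
    assertEquals(auth.canLookup(ds2, "1.role.my", null), false);
    assertEquals(auth.canLookup(ds2, "2.role.my", null), false);
    admin.persistentTopics().grantPermission(ds1Name, "*.my", EnumSet.of(AuthAction.consume));
    waitForChange();
    assertEquals(auth.canLookup(ds1, "1.role.my", null), true);
    assertEquals(auth.canLookup(ds1, "2.role.my", null), true);
    assertEquals(auth.canProduce(ds1, "1.role.my", null), false);
    assertEquals(auth.canConsume(ds1, "1.role.my", null, null), true);
    assertEquals(auth.canLookup(ds1, "1.role.other", null), false);
    assertEquals(auth.canLookup(ds1, "2.role.other", null), false);
    assertEquals(auth.canLookup(ds2, "1.role.my", null), false);
    assertEquals(auth.canLookup(ds2, "2.role.my", null), false);
    admin.persistentTopics().revokePermissions(ds1Name, "my.*");
    admin.persistentTopics().revokePermissions(ds1Name, "*.my");

    // ---- subscription auth mode ----
    // "*" grants consume to every role; Prefix mode then constrains the subscription name.
    admin.namespaces().grantPermissionOnNamespace(namespace, "*", EnumSet.of(AuthAction.consume));
    admin.namespaces().setSubscriptionAuthMode(namespace, SubscriptionAuthMode.Prefix);
    waitForChange();
    assertEquals(auth.canLookup(ds1, "role1", null), true);
    assertEquals(auth.canLookup(ds1, "role2", null), true);

    // A subscription name without the role prefix must be rejected by an exception; a plain
    // boolean result (true or false) reaches fail(), whose AssertionError is not caught below.
    // NOTE(review): any Exception type satisfies this check, so an unrelated failure would
    // also pass; narrow the catch once the exception type thrown by canConsume is confirmed.
    try {
        auth.canConsume(ds1, "role1", null, "sub1");
        fail("canConsume should throw for subscription 'sub1' without the role prefix");
    } catch (Exception expected) {
        // expected: subscription name does not start with the role name
    }
    try {
        auth.canConsume(ds1, "role2", null, "sub2");
        fail("canConsume should throw for subscription 'sub2' without the role prefix");
    } catch (Exception expected) {
        // expected: subscription name does not start with the role name
    }

    // Subscription names carrying the role prefix are accepted.
    assertEquals(auth.canConsume(ds1, "role1", null, "role1-sub1"), true);
    assertEquals(auth.canConsume(ds1, "role2", null, "role2-sub2"), true);
    // This role may consume even though the subscription is not prefixed with its own name;
    // presumably it is configured as a super-user in the test broker - confirm in the fixture.
    assertEquals(auth.canConsume(ds1, "pulsar.super_user", null, "role3-sub1"), true);

    // Tear down in reverse order of creation. This is skipped if an assertion above fails.
    admin.namespaces().deleteNamespace(namespace);
    admin.properties().deleteProperty("p1");
    admin.clusters().deleteCluster("c1");
}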
Also used : ClusterData(org.apache.pulsar.common.policies.data.ClusterData) PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) AuthorizationService(org.apache.pulsar.broker.authorization.AuthorizationService) AuthAction(org.apache.pulsar.common.policies.data.AuthAction) Test(org.testng.annotations.Test)

Example 53 with ClusterData

use of org.apache.pulsar.common.policies.data.ClusterData in project flink by apache.

the class PulsarEmbeddedRuntime method startPulsarService.

/**
 * Loads the broker configuration from {@code CONFIG_FILE_PATH}, starts an embedded standalone
 * Pulsar broker advertised on the loopback address, and provisions the sample, default and
 * system namespaces through an admin client.
 *
 * <p>The admin client built here has no authentication configured in this method; whether the
 * loaded configuration enables authentication is not visible from this code.
 *
 * @throws IllegalStateException if the configuration file cannot be read
 * @throws Exception if the broker fails to start or an admin call fails
 */
private void startPulsarService() throws Exception {
    ServiceConfiguration brokerConfig;
    try (FileInputStream configStream = new FileInputStream(CONFIG_FILE_PATH)) {
        brokerConfig = PulsarConfigurationLoader.create(configStream, ServiceConfiguration.class);
    } catch (IOException e) {
        // Keep the I/O failure as the cause so the unreadable file can be diagnosed.
        throw new IllegalStateException(e);
    }

    // Advertise on loopback only and let the runtime pick the broker ports.
    brokerConfig.setAdvertisedAddress("127.0.0.1");
    brokerConfig.setClusterName("standalone");
    // Port 0 requests a random port for both the broker and the web service.
    brokerConfig.setBrokerServicePort(Optional.of(0));
    brokerConfig.setWebServicePort(Optional.of(0));

    // The same ZooKeeper endpoint serves as metadata and configuration store.
    int zookeeperPort = getZkPort();
    String zookeeperAddress = "127.0.0.1:" + zookeeperPort;
    brokerConfig.setZookeeperServers(zookeeperAddress);
    brokerConfig.setConfigurationStoreServers(zookeeperAddress);
    brokerConfig.setRunningStandalone(true);

    // Start the Pulsar broker.
    this.pulsarService = new PulsarService(brokerConfig);
    pulsarService.start();

    // The URLs are read only after start(), since the ports are assigned at runtime.
    String httpUrl = getWebServiceUrl();
    String serviceUrl = getBrokerUrl();

    // Create the sample data environment.
    try (PulsarAdmin pulsarAdmin = PulsarAdmin.builder().serviceHttpUrl(httpUrl).build()) {
        ClusterData clusterInfo =
                ClusterData.builder().serviceUrl(httpUrl).brokerServiceUrl(serviceUrl).build();
        String clusterName = brokerConfig.getClusterName();
        createSampleNameSpace(pulsarAdmin, clusterInfo, clusterName);

        // Default namespace under the public tenant.
        createNameSpace(
                pulsarAdmin,
                clusterName,
                TopicName.PUBLIC_TENANT,
                TopicName.PUBLIC_TENANT + "/" + TopicName.DEFAULT_NAMESPACE);

        // Pulsar system namespace.
        createNameSpace(pulsarAdmin, clusterName, SYSTEM_NAMESPACE.getTenant(), SYSTEM_NAMESPACE.toString());

        // Transactions: create the coordinator-assign topic only when enabled and not yet present.
        if (brokerConfig.isTransactionCoordinatorEnabled()) {
            if (!pulsarAdmin.namespaces().getTopics(SYSTEM_NAMESPACE.toString())
                    .contains(TRANSACTION_COORDINATOR_ASSIGN.getPartition(0).toString())) {
                pulsarAdmin.topics().createPartitionedTopic(TRANSACTION_COORDINATOR_ASSIGN.toString(), 1);
            }
        }
    }
}
Also used : ClusterData(org.apache.pulsar.common.policies.data.ClusterData) ServiceConfiguration(org.apache.pulsar.broker.ServiceConfiguration) PulsarService(org.apache.pulsar.broker.PulsarService) PulsarAdmin(org.apache.pulsar.client.admin.PulsarAdmin) IOException(java.io.IOException) FileInputStream(java.io.FileInputStream)

Aggregations

ClusterData (org.apache.pulsar.common.policies.data.ClusterData)53 PropertyAdmin (org.apache.pulsar.common.policies.data.PropertyAdmin)30 Test (org.testng.annotations.Test)23 PulsarAdminException (org.apache.pulsar.client.admin.PulsarAdminException)13 BeforeMethod (org.testng.annotations.BeforeMethod)13 MockedPulsarServiceBaseTest (org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest)11 PulsarAdmin (org.apache.pulsar.client.admin.PulsarAdmin)10 URL (java.net.URL)9 PulsarService (org.apache.pulsar.broker.PulsarService)9 RestException (org.apache.pulsar.broker.web.RestException)8 KeeperException (org.apache.zookeeper.KeeperException)8 IOException (java.io.IOException)7 ServiceConfiguration (org.apache.pulsar.broker.ServiceConfiguration)7 URI (java.net.URI)6 AuthenticationTls (org.apache.pulsar.client.impl.auth.AuthenticationTls)6 Authentication (org.apache.pulsar.client.api.Authentication)5 Field (java.lang.reflect.Field)4 ExecutionException (java.util.concurrent.ExecutionException)4 AuthAction (org.apache.pulsar.common.policies.data.AuthAction)4 Policies (org.apache.pulsar.common.policies.data.Policies)4