the class ProxyAuthenticatedProducerConsumerTest method testTlsSyncProducerAndConsumer.
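/**
 * <pre>
 * It verifies e2e tls + Authentication + Authorization (client -> proxy -> broker)
 *
 * 1. client connects to proxy over tls and pass auth-data
 * 2. proxy authenticate client and retrieve client-role
 * and send it to broker as originalPrincipal over tls
 * 3. client creates producer/consumer via proxy
 * 4. broker authorize producer/consumer create request using originalPrincipal
 *
 * </pre>
 *
 * Each received message is checked for ordering and duplicates before the whole
 * batch is acknowledged cumulatively. A receive timeout fails the test with an
 * explicit message instead of surfacing as a NullPointerException, and the proxy
 * client is closed even when an assertion fails.
 *
 * @throws Exception on any admin, client or authentication failure
 */
@SuppressWarnings("deprecation")
@Test
public void testTlsSyncProducerAndConsumer() throws Exception {
    log.info("-- Starting {} test --", methodName);

    // NOTE(review): the proxy's TLS port is paired with a plain "pulsar://" scheme; this relies on
    // createPulsarClient enabling TLS on the client itself — confirm against that helper.
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();

    Map<String, String> authParams = Maps.newHashMap();
    authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
    authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
    Authentication authTls = new AuthenticationTls();
    authTls.configure(authParams);

    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(authTls, proxyServiceUrl);
    try {
        admin.clusters().createCluster(configClusterName, new ClusterData(brokerUrl.toString(), brokerUrlTls.toString(),
                "pulsar://localhost:" + BROKER_PORT, "pulsar+ssl://localhost:" + BROKER_PORT_TLS));
        admin.properties().createProperty("my-property",
                new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("use")));
        admin.namespaces().createNamespace("my-property/use/my-ns");

        final String topic = "persistent://my-property/use/my-ns/my-topic1";
        Consumer<byte[]> consumer = proxyClient.newConsumer().topic(topic)
                .subscriptionName("my-subscriber-name").subscribe();
        Producer<byte[]> producer = proxyClient.newProducer().topic(topic).create();

        final int msgs = 10;
        for (int i = 0; i < msgs; i++) {
            String message = "my-message-" + i;
            producer.send(message.getBytes());
        }

        Message<byte[]> msg = null;
        Set<String> messageSet = Sets.newHashSet();
        int count = 0;
        // bound the receive loop by the number of sent messages rather than a repeated literal
        for (int i = 0; i < msgs; i++) {
            msg = consumer.receive(5, TimeUnit.SECONDS);
            // receive() returns null on timeout; fail here instead of on getData() below
            Assert.assertNotNull(msg, "timed out waiting for message " + i);
            String receivedMessage = new String(msg.getData());
            log.debug("Received message: [{}]", receivedMessage);
            String expectedMessage = "my-message-" + i;
            testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
            count++;
        }
        // Acknowledge the consumption of all messages at once
        Assert.assertEquals(msgs, count);
        consumer.acknowledgeCumulative(msg);
        producer.close();
        consumer.close();
    } finally {
        // release the proxy connection even if an assertion above failed
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}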
the class ProxyRolesEnforcementTest method testIncorrectRoles.
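/**
 * Verifies that the proxy's own credentials are not usable as a client role:
 * a client presenting them is rejected by the broker directly (Step 2) and by the
 * proxy (Step 3), while the real client credentials are accepted through the
 * proxy (Step 4). Every client and the proxy service are closed even when an
 * assertion fails, so a failing step does not leak connections into later tests.
 *
 * @throws Exception on any admin, client or proxy failure
 */
@Test
void testIncorrectRoles() throws Exception {
    log.info("-- Starting {} test --", methodName);
    // Step 1: Create Admin Client
    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + servicePort;
    // create a client which connects to proxy and pass authData
    String namespaceName = "my-property/use/my-ns";
    String topicName = "persistent://my-property/use/my-ns/my-topic1";
    String subscriptionName = "my-subscriber-name";
    String clientAuthParams = "authParam:client";
    String proxyAuthParams = "authParam:proxy";
    admin.properties().createProperty("my-property",
            new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("use")));
    admin.namespaces().createNamespace(namespaceName);
    admin.namespaces().grantPermissionOnNamespace(namespaceName, "proxy",
            Sets.newHashSet(AuthAction.consume, AuthAction.produce));
    admin.namespaces().grantPermissionOnNamespace(namespaceName, "client",
            Sets.newHashSet(AuthAction.consume, AuthAction.produce));

    // Step 2: Try to use proxy Client as a normal Client - expect exception
    PulsarClient brokerClient = createPulsarClient("pulsar://localhost:" + BROKER_PORT, proxyAuthParams);
    try {
        assertSubscribeRejected(brokerClient, topicName, subscriptionName);
    } finally {
        brokerClient.close();
    }

    // Step 3: Run Pulsar Proxy and pass proxy params as client params - expect exception
    ProxyConfiguration proxyConfig = new ProxyConfiguration();
    proxyConfig.setAuthenticationEnabled(true);
    proxyConfig.setServicePort(servicePort);
    proxyConfig.setWebServicePort(webServicePort);
    proxyConfig.setBrokerServiceURL("pulsar://localhost:" + BROKER_PORT);
    proxyConfig.setBrokerClientAuthenticationPlugin(BasicAuthentication.class.getName());
    proxyConfig.setBrokerClientAuthenticationParameters(proxyAuthParams);
    Set<String> providers = new HashSet<>();
    providers.add(BasicAuthenticationProvider.class.getName());
    proxyConfig.setAuthenticationProviders(providers);
    ProxyService proxyService = new ProxyService(proxyConfig);
    proxyService.start();
    try {
        PulsarClient wrongRoleClient = createPulsarClient(proxyServiceUrl, proxyAuthParams);
        try {
            assertSubscribeRejected(wrongRoleClient, topicName, subscriptionName);
        } finally {
            wrongRoleClient.close();
        }

        // Step 4: Pass correct client params
        PulsarClient proxyClient = createPulsarClient(proxyServiceUrl, clientAuthParams);
        try {
            proxyClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe().close();
        } finally {
            proxyClient.close();
        }
    } finally {
        // stop the proxy started for this test regardless of the outcome of Steps 3 and 4
        proxyService.close();
    }
}

/**
 * Asserts that subscribing to {@code topicName} through {@code client} is refused.
 * The rejection reason is logged so that an unrelated failure (for example a
 * connection refused) can be told apart from a genuine authorization denial.
 *
 * NOTE(review): any exception satisfies this check; narrowing the catch to the
 * client's authorization exception type would make the test stricter — confirm
 * which type subscribe() raises in this path before narrowing.
 *
 * @param client           client whose credentials must not be accepted
 * @param topicName        topic to subscribe to
 * @param subscriptionName subscription to create
 */
private void assertSubscribeRejected(PulsarClient client, String topicName, String subscriptionName) {
    try {
        client.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
    } catch (Exception ex) {
        // expected outcome; keep the reason visible for diagnosis
        log.info("subscribe was rejected as expected: {}", ex.toString());
        return;
    }
    Assert.fail("subscribe with a role that must be rejected unexpectedly succeeded on " + topicName);
}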
the class ProxyTlsTest method testPartitions.
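/**
 * Produces to a partitioned topic through the TLS proxy and consumes the messages
 * directly from the broker, checking that every sent message arrives. Producer,
 * consumer and the proxy client are closed, the client even when a check fails.
 *
 * @throws Exception on any admin or client failure
 */
@Test
public void testPartitions() throws Exception {
    final String topic = "persistent://sample/test/local/partitioned-topic";
    PulsarClient client = PulsarClient.builder()
            .serviceUrl("pulsar+ssl://localhost:" + proxyConfig.getServicePortTls())
            .enableTls(true)
            // the proxy certificate must chain to the trusted CA; insecure mode would hide a bad cert
            .allowTlsInsecureConnection(false)
            .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
            .build();
    try {
        admin.properties().createProperty("sample", new PropertyAdmin());
        admin.persistentTopics().createPartitionedTopic(topic, 2);
        Producer<byte[]> producer = client.newProducer().topic(topic)
                .messageRoutingMode(MessageRoutingMode.RoundRobinPartition).create();
        // Create a consumer directly attached to broker
        Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topic).subscriptionName("my-sub").subscribe();

        final int msgs = 10;
        for (int i = 0; i < msgs; i++) {
            producer.send("test".getBytes());
        }
        for (int i = 0; i < msgs; i++) {
            Message<byte[]> msg = consumer.receive(1, TimeUnit.SECONDS);
            // receive() returns null on timeout; say which message went missing
            checkNotNull(msg, "timed out waiting for message %s", i);
        }
        producer.close();
        consumer.close();
    } finally {
        client.close();
    }
}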
the class ProxyWithAuthorizationTest method testProxyAuthorization.
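/**
 * <pre>
 * It verifies e2e tls + Authentication + Authorization (client -> proxy -> broker)
 *
 * 1. client connects to proxy over tls and pass auth-data
 * 2. proxy authenticate client and retrieve client-role
 * and send it to broker as originalPrincipal over tls
 * 3. client creates producer/consumer via proxy
 * 4. broker authorize producer/consumer create request using originalPrincipal
 *
 * </pre>
 *
 * Each received message is checked for ordering and duplicates before the whole
 * batch is acknowledged cumulatively. A receive timeout fails the test with an
 * explicit message instead of surfacing as a NullPointerException, and the proxy
 * client is closed even when an assertion fails.
 *
 * @throws Exception on any admin, client or authentication failure
 */
@Test
public void testProxyAuthorization() throws Exception {
    log.info("-- Starting {} test --", methodName);
    startProxy();
    createAdminClient();

    // NOTE(review): the proxy's TLS port is paired with a plain "pulsar://" scheme; this relies on
    // createPulsarClient enabling TLS on the supplied builder — confirm against that helper.
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();

    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl, PulsarClient.builder());
    try {
        String namespaceName = "my-property/proxy-authorization/my-ns";
        admin.properties().createProperty("my-property",
                new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
        admin.namespaces().createNamespace(namespaceName);
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));

        final String topic = "persistent://my-property/proxy-authorization/my-ns/my-topic1";
        Consumer<byte[]> consumer = proxyClient.newConsumer().topic(topic)
                .subscriptionName("my-subscriber-name").subscribe();
        Producer<byte[]> producer = proxyClient.newProducer().topic(topic).create();

        final int msgs = 10;
        for (int i = 0; i < msgs; i++) {
            String message = "my-message-" + i;
            producer.send(message.getBytes());
        }

        Message<byte[]> msg = null;
        Set<String> messageSet = Sets.newHashSet();
        int count = 0;
        // bound the receive loop by the number of sent messages rather than a repeated literal
        for (int i = 0; i < msgs; i++) {
            msg = consumer.receive(5, TimeUnit.SECONDS);
            // receive() returns null on timeout; fail here instead of on getData() below
            Assert.assertNotNull(msg, "timed out waiting for message " + i);
            String receivedMessage = new String(msg.getData());
            log.debug("Received message: [{}]", receivedMessage);
            String expectedMessage = "my-message-" + i;
            testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
            count++;
        }
        // Acknowledge the consumption of all messages at once
        Assert.assertEquals(msgs, count);
        consumer.acknowledgeCumulative(msg);
        producer.close();
        consumer.close();
    } finally {
        // release the proxy connection even if an assertion above failed
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}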
the class BrokerDiscoveryProvider method checkAuthorization.
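/**
 * Enforces lookup authorization for {@code role} on {@code topicName}.
 *
 * The lookup is allowed when authorization is disabled, when the role is a
 * super-user, when the authorization service grants lookup, or — failing that —
 * when the role is listed as an admin of the topic's property. Everything else
 * is rejected with an {@link IllegalAccessException}; a property with no policies
 * or a missing admin-role list is treated as a denial.
 *
 * @param service            proxy service providing configuration, authorization service and policy cache
 * @param topicName          topic being looked up
 * @param role               authenticated role performing the lookup
 * @param authenticationData authentication data forwarded to the authorization service
 * @throws IllegalAccessException if the role is not permitted, or the property's policies cannot be read
 * @throws Exception              propagated from the authorization service
 */
protected static void checkAuthorization(ProxyService service, TopicName topicName, String role,
        AuthenticationDataSource authenticationData) throws Exception {
    if (!service.getConfiguration().isAuthorizationEnabled()
            || service.getConfiguration().getSuperUserRoles().contains(role)) {
        // No enforcing of authorization policies
        return;
    }
    // get zk policy manager
    if (!service.getAuthorizationService().canLookup(topicName, role, authenticationData)) {
        LOG.warn("[{}] Role {} is not allowed to lookup topic", topicName, role);
        // check namespace authorization: an admin of the property may still look the topic up
        PropertyAdmin propertyAdmin;
        try {
            propertyAdmin = service.getConfigurationCacheService().propertiesCache()
                    .get(path(POLICIES, topicName.getProperty()))
                    .orElseThrow(() -> new IllegalAccessException("Property does not exist"));
        } catch (IllegalAccessException e) {
            // raised by orElseThrow above: no policies for this property. Rethrow unchanged instead of
            // letting the generic catch below log it as an error and relabel it as a cache failure.
            LOG.warn("Failed to get property admin data for non existing property {}", topicName.getProperty());
            throw e;
        } catch (KeeperException.NoNodeException e) {
            LOG.warn("Failed to get property admin data for non existing property {}", topicName.getProperty());
            throw new IllegalAccessException("Property does not exist");
        } catch (Exception e) {
            // keep the full cause server-side; only the message travels back to the caller
            LOG.error("Failed to get property admin data for property {}", topicName.getProperty(), e);
            throw new IllegalAccessException(String.format("Failed to get property %s admin data due to %s",
                    topicName.getProperty(), e.getMessage()));
        }
        // a missing admin-role list denies rather than NPEs — fail closed
        if (propertyAdmin.getAdminRoles() == null || !propertyAdmin.getAdminRoles().contains(role)) {
            throw new IllegalAccessException("Don't have permission to administrate resources on this property");
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Successfully authorized {} on property {}", role, topicName.getProperty());
    }
}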