
Example 16 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class ProxyTest method testPartitions.

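/**
 * Publishes ten messages to a two-partition topic through the proxy and checks that a consumer
 * attached directly to the broker receives ten messages.
 *
 * @throws Exception if an admin or client operation fails
 */
@Test
public void testPartitions() throws Exception {
    final String topic = "persistent://sample/test/local/partitioned-topic";
    admin.properties().createProperty("sample", new PropertyAdmin());
    // Client that connects to the proxy's service port rather than to the broker.
    PulsarClient client = PulsarClient.builder().serviceUrl("pulsar://localhost:" + proxyConfig.getServicePort()).build();
    try {
        admin.persistentTopics().createPartitionedTopic(topic, 2);
        Producer<byte[]> producer = client.newProducer().topic(topic).messageRoutingMode(MessageRoutingMode.RoundRobinPartition).create();
        // Create a consumer directly attached to broker
        Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topic).subscriptionName("my-sub").subscribe();
        try {
            for (int i = 0; i < 10; i++) {
                producer.send("test".getBytes());
            }
            for (int i = 0; i < 10; i++) {
                // receive() returns null when the timeout expires, so a missing message fails here.
                Message<byte[]> msg = consumer.receive(1, TimeUnit.SECONDS);
                checkNotNull(msg);
            }
        } finally {
            // The consumer belongs to the shared pulsarClient, so closing `client` does not release it.
            consumer.close();
        }
    } finally {
        // Close the proxy client even when a send or an assertion fails, so it does not leak into later tests.
        client.close();
    }
}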
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) PulsarClient(org.apache.pulsar.client.api.PulsarClient) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest)

Example 17 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class ProxyWithAuthorizationNegTest method testProxyAuthorization.

/**
 * <pre>
 * It verifies e2e TLS + authentication + authorization (client -> proxy -> broker)
 *
 * 1. client connects to proxy over TLS and passes auth-data
 * 2. proxy authenticates the client, retrieves the client-role
 *    and sends it to the broker as originalPrincipal over TLS
 * 3. client creates producer/consumer via proxy
 * 4. broker authorizes the producer/consumer create request using originalPrincipal
 *
 * </pre>
 *
 * @throws Exception
 */
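@Test
public void testProxyAuthorization() throws Exception {
    log.info("-- Starting {} test --", methodName);
    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
    final String topicName = "persistent://my-property/proxy-authorization-neg/my-ns/my-topic1";
    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl);
    try {
        String namespaceName = "my-property/proxy-authorization-neg/my-ns";
        admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization-neg")));
        admin.namespaces().createNamespace(namespaceName);
        // Starting grants: role "Proxy" may only produce; role "Client" may produce and consume.
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client", Sets.newHashSet(AuthAction.consume, AuthAction.produce));

        Consumer<byte[]> consumer;
        try {
            consumer = proxyClient.newConsumer().topic(topicName).subscriptionName("my-subscriber-name").subscribe();
            // NOTE(review): nothing fails the test when this first subscribe succeeds, so the test
            // passes even if the missing consume grant for "Proxy" is never enforced. Confirm the
            // intended denial and assert it explicitly.
        } catch (Exception ex) {
            // expected
            // NOTE(review): any exception lands here, not only an authorization failure.
            admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.consume));
            log.info("-- Admin permissions {} ---", admin.namespaces().getPermissions(namespaceName));
            consumer = proxyClient.newConsumer().topic(topicName).subscriptionName("my-subscriber-name").subscribe();
        }

        Producer<byte[]> producer;
        try {
            producer = proxyClient.newProducer().topic(topicName).create();
        } catch (Exception ex) {
            // expected
            admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.produce, AuthAction.consume));
            producer = proxyClient.newProducer().topic(topicName).create();
        }

        final int msgs = 10;
        for (int i = 0; i < msgs; i++) {
            String message = "my-message-" + i;
            producer.send(message.getBytes());
        }

        Message<byte[]> msg = null;
        Set<String> messageSet = Sets.newHashSet();
        int count = 0;
        // Read back exactly as many messages as were sent (the bound was a separate literal before).
        for (int i = 0; i < msgs; i++) {
            msg = consumer.receive(5, TimeUnit.SECONDS);
            // receive() returns null on timeout; fail with an assertion instead of a NullPointerException.
            Assert.assertNotNull(msg);
            String receivedMessage = new String(msg.getData());
            log.debug("Received message: [{}]", receivedMessage);
            String expectedMessage = "my-message-" + i;
            testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
            count++;
        }
        Assert.assertEquals(count, msgs);
        // Acknowledge the consumption of all messages at once
        consumer.acknowledgeCumulative(msg);
        consumer.close();
        producer.close();
    } finally {
        // Release the proxy client and its connections even when a step above fails.
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}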
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) PulsarClient(org.apache.pulsar.client.api.PulsarClient) PulsarClientException(org.apache.pulsar.client.api.PulsarClientException) Test(org.testng.annotations.Test)

Example 18 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class ProxyWithAuthorizationTest method tlsCiphersAndProtocols.

/*
 * This test verifies whether the client and proxy honor the specified protocols and ciphers. A detailed
 * description of the test cases can be found in protocolsCiphersProviderCodecProvider.
 */
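@Test(dataProvider = "protocolsCiphersProvider", timeOut = 5000)
public void tlsCiphersAndProtocols(Set<String> tlsCiphers, Set<String> tlsProtocols, boolean expectFailure) throws Exception {
    log.info("-- Starting {} test --", methodName);
    String namespaceName = "my-property/proxy-authorization/my-ns";
    createAdminClient();
    admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
    admin.namespaces().createNamespace(namespaceName);
    admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.consume, AuthAction.produce));
    admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client", Sets.newHashSet(AuthAction.consume, AuthAction.produce));

    // A dedicated proxy is built for this test so that the cipher and protocol sets can be varied.
    ProxyConfiguration proxyConfig = new ProxyConfiguration();
    // Authentication is enabled at this proxy, authorization is not.
    // NOTE(review): presumably the broker enforces the namespace grants above; confirm.
    proxyConfig.setAuthenticationEnabled(true);
    proxyConfig.setAuthorizationEnabled(false);
    proxyConfig.setBrokerServiceURL("pulsar://localhost:" + BROKER_PORT);
    proxyConfig.setBrokerServiceURLTLS("pulsar://localhost:" + BROKER_PORT_TLS);
    proxyConfig.setServicePort(PortManager.nextFreePort());
    proxyConfig.setServicePortTls(PortManager.nextFreePort());
    proxyConfig.setWebServicePort(PortManager.nextFreePort());
    proxyConfig.setWebServicePortTls(PortManager.nextFreePort());
    proxyConfig.setTlsEnabledInProxy(true);
    proxyConfig.setTlsEnabledWithBroker(true);
    // TLS material for the proxy, and TLS client authentication from the proxy to the broker
    proxyConfig.setTlsCertificateFilePath(TLS_PROXY_CERT_FILE_PATH);
    proxyConfig.setTlsKeyFilePath(TLS_PROXY_KEY_FILE_PATH);
    proxyConfig.setTlsTrustCertsFilePath(TLS_CLIENT_TRUST_CERT_FILE_PATH);
    proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
    proxyConfig.setBrokerClientAuthenticationParameters("tlsCertFile:" + TLS_PROXY_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_PROXY_KEY_FILE_PATH);
    proxyConfig.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH);
    Set<String> providers = new HashSet<>();
    providers.add(AuthenticationProviderTls.class.getName());
    conf.setAuthenticationProviders(providers);
    proxyConfig.setAuthenticationProviders(providers);
    // The parameters under test: the protocols and ciphers the proxy is configured with.
    proxyConfig.setTlsProtocols(tlsProtocols);
    proxyConfig.setTlsCiphers(tlsCiphers);

    ProxyService proxyService = Mockito.spy(new ProxyService(proxyConfig));
    proxyService.start();
    PulsarClient proxyClient = null;
    try {
        // Wait (3 retries) until both grants are visible before connecting.
        org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest.retryStrategically((test) -> {
            try {
                return admin.namespaces().getPermissions(namespaceName).containsKey("Proxy") && admin.namespaces().getPermissions(namespaceName).containsKey("Client");
            } catch (PulsarAdminException e) {
                return false;
            }
        }, 3, 1000);
        try {
            final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
            proxyClient = createPulsarClient(proxyServiceUrl, PulsarClient.builder());
            Consumer<byte[]> consumer = proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1").subscriptionName("my-subscriber-name").subscribe();
            if (expectFailure) {
                // Assert.fail throws an Error, so the catch (Exception) below does not swallow it.
                Assert.fail("Failure expected for this test case");
            }
            consumer.close();
        } catch (Exception ex) {
            // NOTE(review): with expectFailure=true any exception is accepted, including ones unrelated
            // to the protocol/cipher mismatch; consider checking the exception type or cause.
            if (!expectFailure) {
                Assert.fail("This test case should not fail", ex);
            }
        }
    } finally {
        // Previously the client leaked whenever subscribe failed, and this proxy instance was never
        // stopped, leaving its listeners bound after the test.
        if (proxyClient != null) {
            proxyClient.close();
        }
        proxyService.close();
    }
    admin.close();
    log.info("-- Exiting {} test --", methodName);
}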
Also used : AuthenticationTls(org.apache.pulsar.client.impl.auth.AuthenticationTls) PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) PulsarAdminException(org.apache.pulsar.client.admin.PulsarAdminException) PulsarClient(org.apache.pulsar.client.api.PulsarClient) PulsarClientException(org.apache.pulsar.client.api.PulsarClientException) PulsarAdminException(org.apache.pulsar.client.admin.PulsarAdminException) HashSet(java.util.HashSet) AuthenticationProviderTls(org.apache.pulsar.broker.authentication.AuthenticationProviderTls) Test(org.testng.annotations.Test)

Example 19 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class ProxyWithAuthorizationTest method testTlsHostVerificationProxyToBroker.

/**
 * It verifies hostname verification at the proxy when the proxy connects to the broker. The proxy performs
 * hostname verification when the broker sends its certs over TLS.
 *
 * <pre>
 * 1. The broker sends certs back to the proxy with CN="Broker"; however, the proxy connects with hostname=localhost
 * 2. So the client fails to create a consumer if hostname verification is enabled at the proxy
 * </pre>
 *
 * @param hostnameVerificationEnabled whether hostname verification is enabled at the proxy
 * @throws Exception
 */
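@Test(dataProvider = "hostnameVerification")
public void testTlsHostVerificationProxyToBroker(boolean hostnameVerificationEnabled) throws Exception {
    log.info("-- Starting {} test --", methodName);
    // The flag under test is set on the proxy configuration before the proxy starts.
    proxyConfig.setTlsHostnameVerificationEnabled(hostnameVerificationEnabled);
    startProxy();
    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
    // create a client which connects to proxy over tls and pass authData
    // A one-second operation timeout keeps the expected-failure case short.
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl, PulsarClient.builder().operationTimeout(1, TimeUnit.SECONDS));
    try {
        String namespaceName = "my-property/proxy-authorization/my-ns";
        admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
        admin.namespaces().createNamespace(namespaceName);
        // Both roles get full access so that authorization cannot be the reason for a failure.
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client", Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        try {
            proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1").subscriptionName("my-subscriber-name").subscribe();
            if (hostnameVerificationEnabled) {
                Assert.fail("Connection should be failed due to hostnameVerification enabled");
            }
        } catch (PulsarClientException e) {
            // NOTE(review): any PulsarClientException is accepted as the verification failure,
            // which with the one-second timeout above may include a plain timeout; consider
            // checking the cause.
            if (!hostnameVerificationEnabled) {
                // Keep the cause so an unexpected failure is diagnosable.
                Assert.fail("Consumer should be created because hostnameverification is disabled", e);
            }
        }
    } finally {
        // The client, and the consumer created on the success path, were never released before.
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}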
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) PulsarClientException(org.apache.pulsar.client.api.PulsarClientException) PulsarClient(org.apache.pulsar.client.api.PulsarClient) Test(org.testng.annotations.Test)

Example 20 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class ProxyWithAuthorizationTest method testTlsHostVerificationProxyToClient.

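/**
 * Checks hostname verification on the client side of the client-to-proxy TLS connection. The client is
 * built with {@code enableTlsHostnameVerification(hostnameVerificationEnabled)} and connects to the proxy
 * as {@code localhost}; subscribing must fail when verification is enabled and succeed when it is not.
 *
 * @param hostnameVerificationEnabled whether the client verifies the hostname of the proxy
 * @throws Exception if proxy start-up or an admin operation fails
 */
@Test(dataProvider = "hostnameVerification")
public void testTlsHostVerificationProxyToClient(boolean hostnameVerificationEnabled) throws Exception {
    log.info("-- Starting {} test --", methodName);
    // NOTE(review): proxyConfig is not modified here. If it is shared between tests, a proxy-side
    // hostname-verification setting left by another test could also cause the failure; confirm
    // that the setup resets it.
    startProxy();
    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl, PulsarClient.builder().enableTlsHostnameVerification(hostnameVerificationEnabled));
    try {
        String namespaceName = "my-property/proxy-authorization/my-ns";
        admin.properties().createProperty("my-property", new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
        admin.namespaces().createNamespace(namespaceName);
        // Both roles get full access so that authorization cannot be the reason for a failure.
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client", Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        try {
            proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1").subscriptionName("my-subscriber-name").subscribe();
            if (hostnameVerificationEnabled) {
                Assert.fail("Connection should be failed due to hostnameVerification enabled");
            }
        } catch (PulsarClientException e) {
            // NOTE(review): any PulsarClientException is accepted as the verification failure;
            // consider checking the cause.
            if (!hostnameVerificationEnabled) {
                // Keep the cause so an unexpected failure is diagnosable.
                Assert.fail("Consumer should be created because hostnameverification is disabled", e);
            }
        }
    } finally {
        // The client, and the consumer created on the success path, were never released before.
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}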
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) PulsarClientException(org.apache.pulsar.client.api.PulsarClientException) PulsarClient(org.apache.pulsar.client.api.PulsarClient) Test(org.testng.annotations.Test)
