use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.
the class ProxyTest method testPartitions.
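/**
 * Sends ten messages through the proxy to a two-partition topic and checks that a consumer
 * created from {@code pulsarClient} receives ten messages.
 *
 * <p>The proxy-side client is built with only a plain {@code pulsar://} service URL; no TLS or
 * authentication options are set on it in this method.
 *
 * @throws Exception if an admin or client call fails
 */
@Test
public void testPartitions() throws Exception {
    final String topic = "persistent://sample/test/local/partitioned-topic";
    final int numMessages = 10;

    admin.properties().createProperty("sample", new PropertyAdmin());
    PulsarClient client = PulsarClient.builder()
            .serviceUrl("pulsar://localhost:" + proxyConfig.getServicePort())
            .build();
    try {
        admin.persistentTopics().createPartitionedTopic(topic, 2);

        Producer<byte[]> producer = client.newProducer()
                .topic(topic)
                .messageRoutingMode(MessageRoutingMode.RoundRobinPartition)
                .create();

        // Create a consumer directly attached to broker
        Consumer<byte[]> consumer = pulsarClient.newConsumer()
                .topic(topic)
                .subscriptionName("my-sub")
                .subscribe();
        try {
            for (int i = 0; i < numMessages; i++) {
                producer.send("test".getBytes());
            }

            for (int i = 0; i < numMessages; i++) {
                // A null result means nothing arrived within the one-second wait.
                Message<byte[]> msg = consumer.receive(1, TimeUnit.SECONDS);
                checkNotNull(msg);
            }
        } finally {
            // The consumer belongs to pulsarClient, which this method does not close.
            consumer.close();
        }
    } finally {
        // Release the proxy connection even when a check above throws.
        client.close();
    }
}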
use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.
the class ProxyWithAuthorizationNegTest method testProxyAuthorization.
/**
* <pre>
* It verifies e2e tls + Authentication + Authorization (client -> proxy -> broker)
*
* 1. client connects to proxy over tls and passes auth-data
* 2. proxy authenticates the client, retrieves the client-role
* and sends it to the broker as originalPrincipal over tls
* 3. client creates producer/consumer via proxy
* 4. broker authorizes the producer/consumer create request using originalPrincipal
*
* </pre>
*
* @throws Exception
*/
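@Test
public void testProxyAuthorization() throws Exception {
    log.info("-- Starting {} test --", methodName);

    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
    final String namespaceName = "my-property/proxy-authorization-neg/my-ns";
    final String topicName = "persistent://my-property/proxy-authorization-neg/my-ns/my-topic1";
    final String subscriptionName = "my-subscriber-name";

    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl);
    try {
        admin.properties().createProperty("my-property",
                new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization-neg")));
        admin.namespaces().createNamespace(namespaceName);

        // Starting state: the "Proxy" role may only produce, the "Client" role may do both.
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));

        // NOTE(review): the two try/catch blocks below treat a rejected request as "expected" but
        // never fail when the first attempt succeeds, and they catch every Exception. As written
        // the test passes whether or not the broker denied the under-privileged proxy role, and a
        // connection or TLS error is indistinguishable from an authorization denial. If the
        // denial is the property under test, record it in the catch and assert it afterwards.
        Consumer<byte[]> consumer;
        try {
            consumer = proxyClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
        } catch (Exception ex) {
            // expected
            admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy", Sets.newHashSet(AuthAction.consume));
            log.info("-- Admin permissions {} ---", admin.namespaces().getPermissions(namespaceName));
            consumer = proxyClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
        }

        Producer<byte[]> producer;
        try {
            producer = proxyClient.newProducer().topic(topicName).create();
        } catch (Exception ex) {
            // expected
            admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy",
                    Sets.newHashSet(AuthAction.produce, AuthAction.consume));
            producer = proxyClient.newProducer().topic(topicName).create();
        }

        final int msgs = 10;
        for (int i = 0; i < msgs; i++) {
            String message = "my-message-" + i;
            producer.send(message.getBytes());
        }

        Message<byte[]> msg = null;
        Set<String> messageSet = Sets.newHashSet();
        int count = 0;
        for (int i = 0; i < msgs; i++) {
            msg = consumer.receive(5, TimeUnit.SECONDS);
            // A timed-out receive yields null; fail with an assertion rather than an NPE on getData().
            Assert.assertNotNull(msg);
            String receivedMessage = new String(msg.getData());
            log.debug("Received message: [{}]", receivedMessage);
            String expectedMessage = "my-message-" + i;
            testMessageOrderAndDuplicates(messageSet, receivedMessage, expectedMessage);
            count++;
        }
        Assert.assertEquals(msgs, count);

        // Acknowledge the consumption of all messages at once
        consumer.acknowledgeCumulative(msg);
        consumer.close();
    } finally {
        // The original never closed the proxy-side client; release it on every exit path.
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}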
use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.
the class ProxyWithAuthorizationTest method tlsCiphersAndProtocols.
/*
* This test verifies whether the Client and Proxy honor the protocols and ciphers specified. A detailed description of
* the test cases can be found in protocolsCiphersProviderCodecProvider
*/
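@Test(dataProvider = "protocolsCiphersProvider", timeOut = 5000)
public void tlsCiphersAndProtocols(Set<String> tlsCiphers, Set<String> tlsProtocols, boolean expectFailure) throws Exception {
    log.info("-- Starting {} test --", methodName);
    String namespaceName = "my-property/proxy-authorization/my-ns";
    createAdminClient();

    ProxyService proxyService = null;
    try {
        admin.properties().createProperty("my-property",
                new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
        admin.namespaces().createNamespace(namespaceName);
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));

        // Dedicated proxy configuration for this data-provider row. The local name hides the
        // proxyConfig that other tests of this class use without declaring it.
        ProxyConfiguration proxyConfig = new ProxyConfiguration();
        proxyConfig.setAuthenticationEnabled(true);
        // NOTE(review): authorization is switched off on this proxy, although the comment further
        // down says "auth&auth"; only authentication and TLS are active at the proxy here.
        proxyConfig.setAuthorizationEnabled(false);
        proxyConfig.setBrokerServiceURL("pulsar://localhost:" + BROKER_PORT);
        proxyConfig.setBrokerServiceURLTLS("pulsar://localhost:" + BROKER_PORT_TLS);
        proxyConfig.setServicePort(PortManager.nextFreePort());
        proxyConfig.setServicePortTls(PortManager.nextFreePort());
        proxyConfig.setWebServicePort(PortManager.nextFreePort());
        proxyConfig.setWebServicePortTls(PortManager.nextFreePort());
        proxyConfig.setTlsEnabledInProxy(true);
        proxyConfig.setTlsEnabledWithBroker(true);

        // enable tls and auth&auth at proxy
        proxyConfig.setTlsCertificateFilePath(TLS_PROXY_CERT_FILE_PATH);
        proxyConfig.setTlsKeyFilePath(TLS_PROXY_KEY_FILE_PATH);
        proxyConfig.setTlsTrustCertsFilePath(TLS_CLIENT_TRUST_CERT_FILE_PATH);
        proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
        proxyConfig.setBrokerClientAuthenticationParameters(
                "tlsCertFile:" + TLS_PROXY_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_PROXY_KEY_FILE_PATH);
        proxyConfig.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH);

        Set<String> providers = new HashSet<>();
        providers.add(AuthenticationProviderTls.class.getName());
        conf.setAuthenticationProviders(providers);
        proxyConfig.setAuthenticationProviders(providers);

        // The protocol and cipher sets under test come straight from the data provider.
        proxyConfig.setTlsProtocols(tlsProtocols);
        proxyConfig.setTlsCiphers(tlsCiphers);

        proxyService = Mockito.spy(new ProxyService(proxyConfig));
        proxyService.start();

        // Poll (3 tries, 1000 passed as the last argument) until both grants are readable.
        org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest.retryStrategically((test) -> {
            try {
                return admin.namespaces().getPermissions(namespaceName).containsKey("Proxy")
                        && admin.namespaces().getPermissions(namespaceName).containsKey("Client");
            } catch (PulsarAdminException e) {
                return false;
            }
        }, 3, 1000);

        PulsarClient proxyClient = null;
        try {
            final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();
            proxyClient = createPulsarClient(proxyServiceUrl, PulsarClient.builder());
            Consumer<byte[]> consumer = proxyClient.newConsumer()
                    .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
                    .subscriptionName("my-subscriber-name")
                    .subscribe();

            if (expectFailure) {
                // AssertionError is not an Exception, so the catch below does not swallow it.
                Assert.fail("Failure expected for this test case");
            }
            consumer.close();
        } catch (Exception ex) {
            // NOTE(review): with expectFailure set, any Exception is accepted, so an unrelated
            // setup or connection error looks the same as a rejected protocol/cipher choice.
            if (!expectFailure) {
                // Keep the cause so the report shows why the connection failed.
                Assert.fail("This test case should not fail", ex);
            }
        } finally {
            // Previously the client stayed open whenever subscribe() threw or the test failed.
            if (proxyClient != null) {
                proxyClient.close();
            }
        }
    } finally {
        // The proxy started for this row was never stopped and admin was closed only on success.
        try {
            if (proxyService != null) {
                proxyService.close();
            }
        } finally {
            admin.close();
        }
    }
    log.info("-- Exiting {} test --", methodName);
}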
use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.
the class ProxyWithAuthorizationTest method testTlsHostVerificationProxyToBroker.
/**
* It verifies hostname verification at the proxy when the proxy connects to the broker. The proxy performs hostname
* verification when the broker sends its certs over tls.
*
* <pre>
* 1. Broker sends certs back to proxy with CN="Broker"; however, proxy tries to connect with hostname=localhost
* 2. so the client fails to create a consumer if the proxy has hostname verification enabled
* </pre>
*
* @param hostnameVerificationEnabled
* @throws Exception
*/
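@Test(dataProvider = "hostnameVerification")
public void testTlsHostVerificationProxyToBroker(boolean hostnameVerificationEnabled) throws Exception {
    log.info("-- Starting {} test --", methodName);

    // Set the flag before the proxy starts. It is written to the proxyConfig shared by this
    // class and is not restored here; presumably the fixture rebuilds it per test (confirm).
    proxyConfig.setTlsHostnameVerificationEnabled(hostnameVerificationEnabled);
    startProxy();
    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();

    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl,
            PulsarClient.builder().operationTimeout(1, TimeUnit.SECONDS));
    try {
        String namespaceName = "my-property/proxy-authorization/my-ns";
        admin.properties().createProperty("my-property",
                new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
        admin.namespaces().createNamespace(namespaceName);
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));

        try {
            proxyClient.newConsumer()
                    .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
                    .subscriptionName("my-subscriber-name")
                    .subscribe();
            if (hostnameVerificationEnabled) {
                Assert.fail("Connection should be failed due to hostnameVerification enabled");
            }
        } catch (PulsarClientException e) {
            // NOTE(review): with verification on, any PulsarClientException is accepted; the test
            // does not check that the failure came from the certificate name mismatch.
            if (!hostnameVerificationEnabled) {
                // Keep the cause so an unexpected failure can be diagnosed.
                Assert.fail("Consumer should be created because hostnameverification is disabled", e);
            }
        }
    } finally {
        // The original left this client, and any consumer it created, open.
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}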
use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.
the class ProxyWithAuthorizationTest method testTlsHostVerificationProxyToClient.
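/**
 * Checks TLS hostname verification on the client-to-proxy leg: subscribing through the proxy is
 * expected to fail when the client enables hostname verification and to succeed when it does not.
 *
 * <p>Presumably the proxy certificate's name does not match {@code localhost}; confirm against
 * the certificates used by this test class.
 *
 * @param hostnameVerificationEnabled value passed to the client builder's hostname-verification switch
 * @throws Exception if proxy start-up or an admin call fails
 */
@Test(dataProvider = "hostnameVerification")
public void testTlsHostVerificationProxyToClient(boolean hostnameVerificationEnabled) throws Exception {
    log.info("-- Starting {} test --", methodName);

    startProxy();
    createAdminClient();
    final String proxyServiceUrl = "pulsar://localhost:" + proxyConfig.getServicePortTls();

    // create a client which connects to proxy over tls and pass authData
    PulsarClient proxyClient = createPulsarClient(proxyServiceUrl,
            PulsarClient.builder().enableTlsHostnameVerification(hostnameVerificationEnabled));
    try {
        String namespaceName = "my-property/proxy-authorization/my-ns";
        admin.properties().createProperty("my-property",
                new PropertyAdmin(Lists.newArrayList("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
        admin.namespaces().createNamespace(namespaceName);
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Proxy",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));
        admin.namespaces().grantPermissionOnNamespace(namespaceName, "Client",
                Sets.newHashSet(AuthAction.consume, AuthAction.produce));

        try {
            proxyClient.newConsumer()
                    .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
                    .subscriptionName("my-subscriber-name")
                    .subscribe();
            if (hostnameVerificationEnabled) {
                Assert.fail("Connection should be failed due to hostnameVerification enabled");
            }
        } catch (PulsarClientException e) {
            // NOTE(review): with verification on, any PulsarClientException is accepted; the test
            // does not check that the failure came from hostname verification itself.
            if (!hostnameVerificationEnabled) {
                // Keep the cause so an unexpected failure can be diagnosed.
                Assert.fail("Consumer should be created because hostnameverification is disabled", e);
            }
        }
    } finally {
        // The original left this client, and any consumer it created, open.
        proxyClient.close();
    }
    log.info("-- Exiting {} test --", methodName);
}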