Usage of org.apache.pulsar.common.policies.data.PropertyAdmin in the project incubator-pulsar by apache.
Example from the class NamespacesTest, method testGlobalNamespaceReplicationConfiguration.
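@Test
public void testGlobalNamespaceReplicationConfiguration() throws Exception {
    // Exercises the replication-cluster policy of a global namespace: the happy path, each
    // validation failure together with the HTTP status it must map to, and the error paths
    // taken when the ZooKeeper-backed policy store fails or the namespace does not exist.
    final String globalProperty = this.testGlobalNamespaces.get(0).getProperty();
    final String globalCluster = this.testGlobalNamespaces.get(0).getCluster();
    final String globalNsName = this.testGlobalNamespaces.get(0).getLocalName();
    final String localNsName = this.testLocalNamespaces.get(0).getLocalName();

    // A fresh global namespace has no replication clusters; setting them round-trips.
    assertEquals(namespaces.getNamespaceReplicationClusters(globalProperty, globalCluster, globalNsName),
            Lists.newArrayList());
    namespaces.setNamespaceReplicationClusters(globalProperty, globalCluster, globalNsName,
            Lists.newArrayList("use", "usw"));
    assertEquals(namespaces.getNamespaceReplicationClusters(globalProperty, globalCluster, globalNsName),
            Lists.newArrayList("use", "usw"));

    // An unknown cluster id is rejected with FORBIDDEN.
    try {
        namespaces.setNamespaceReplicationClusters(globalProperty, globalCluster, globalNsName,
                Lists.newArrayList("use", "invalid-cluster"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.FORBIDDEN.getStatusCode());
    }

    // "global" is the pseudo-cluster of the namespace itself; it may not appear in the
    // replication list, and that is a precondition failure rather than an authorization one.
    try {
        namespaces.setNamespaceReplicationClusters(globalProperty, globalCluster, globalNsName,
                Lists.newArrayList("use", "global"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
    }

    // Same unknown-cluster check, addressed through the property / "global" cluster directly.
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", globalNsName,
                Lists.newArrayList("use", "invalid-cluster"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.FORBIDDEN.getStatusCode());
    }

    // Restrict the property to {use, usc}: a cluster outside the property's allowed set is
    // FORBIDDEN even though it is a valid cluster id.
    admin.properties().updateProperty(testProperty,
            new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usc")));
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", globalNsName,
                Lists.newArrayList("use", "usw"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.FORBIDDEN.getStatusCode());
    }

    // Sometimes a watcher event consumes the scheduled exception, so make the mock fail on
    // every call to be sure the API call itself observes the SESSIONEXPIRED. The policies
    // cache entry is invalidated so the call has to go to ZooKeeper.
    mockZookKeeper.setAlwaysFail(Code.SESSIONEXPIRED);
    pulsar.getConfigurationCache().policiesCache()
            .invalidate(AdminResource.path(POLICIES, this.testProperty, "global", globalNsName));
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", globalNsName,
                Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
    } finally {
        // Always restore the mock, otherwise every later ZK call in this test would fail too.
        mockZookKeeper.unsetAlwaysFail();
    }

    // A version mismatch on the policy znode surfaces as CONFLICT.
    mockZookKeeper.failNow(Code.BADVERSION);
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", globalNsName,
                Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.CONFLICT.getStatusCode());
    }

    // Both read and write on a namespace that does not exist are NOT_FOUND.
    try {
        namespaces.getNamespaceReplicationClusters(this.testProperty, "global", "non-existing-ns");
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
    }
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", "non-existing-ns",
                Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
    }

    // Clear the cache so the read really hits ZooKeeper and sees the SESSIONEXPIRED.
    // Compared against the Status constant (not a bare 500) like the other assertions.
    mockZookKeeper.failNow(Code.SESSIONEXPIRED);
    pulsar.getConfigurationCache().policiesCache().clear();
    try {
        namespaces.getNamespaceReplicationClusters(this.testProperty, "global", globalNsName);
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
    }

    // Replication clusters are a global-namespace concept: on a local namespace both the
    // getter and the setter are precondition failures.
    try {
        namespaces.getNamespaceReplicationClusters(this.testProperty, this.testLocalCluster, localNsName);
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
    }
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, this.testLocalCluster, localNsName,
                Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
    }
}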
Usage of org.apache.pulsar.common.policies.data.PropertyAdmin in the project incubator-pulsar by apache.
Example from the class NamespacesTest, method testValidateAdminAccessOnProperty.
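@Test
public void testValidateAdminAccessOnProperty() throws Exception {
    // Verifies that, with authentication and authorization switched on, a caller whose app id
    // is listed in the property's admin roles passes validateAdminAccessOnProperty().
    // NOTE(review): only the allow path is asserted; there is no companion case checking that
    // a role absent from adminRoles is rejected.
    try {
        final String property = "prop";
        // Enable enforcement for this test only; the finally block restores the defaults so
        // the toggle cannot leak into other tests in the class.
        pulsar.getConfiguration().setAuthenticationEnabled(true);
        pulsar.getConfiguration().setAuthorizationEnabled(true);
        // Seed the property policy with the caller's own app id as the single admin role.
        final String path = PulsarWebResource.path(POLICIES, property);
        final String data = ObjectMapperFactory.getThreadLocal().writeValueAsString(
                new PropertyAdmin(Lists.newArrayList(namespaces.clientAppId()), Sets.newHashSet("use")));
        // OPEN_ACL_UNSAFE is fine against the mock ZooKeeper this test class uses; it is not a
        // pattern for production znodes.
        ZkUtils.createFullPathOptimistic(pulsar.getConfigurationCache().getZooKeeper(), path, data.getBytes(),
                ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        namespaces.validateAdminAccessOnProperty(property);
    } catch (RestException e) {
        // Pass the exception along so the failure report shows the status/message produced,
        // instead of a bare "failed".
        fail("validateAdminAccessOnProperty failed", e);
    } finally {
        pulsar.getConfiguration().setAuthenticationEnabled(false);
        pulsar.getConfiguration().setAuthorizationEnabled(false);
    }
}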
Usage of org.apache.pulsar.common.policies.data.PropertyAdmin in the project incubator-pulsar by apache.
Example from the class PulsarWebResource, method validateClusterForProperty.
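/**
 * Ensures that {@code cluster} is one of the clusters the given property is allowed to use.
 *
 * The property's {@link PropertyAdmin} is read from the configuration cache; the check is
 * fail-closed, so a property whose policy carries no allowed-cluster list is denied as well.
 *
 * @param property the property whose policy is consulted
 * @param cluster  the cluster id being requested
 * @throws RestException NOT_FOUND when the property has no policy entry, FORBIDDEN when the
 *                       cluster is not in the property's allowed clusters, otherwise wrapping
 *                       the failure to read the policy
 */
protected void validateClusterForProperty(String property, String cluster) {
    PropertyAdmin propertyAdmin;
    try {
        propertyAdmin = pulsar().getConfigurationCache().propertiesCache().get(path(POLICIES, property))
                .orElseThrow(() -> new RestException(Status.NOT_FOUND, "Property does not exist"));
    } catch (RestException e) {
        // The NOT_FOUND produced above is already the intended response; do not re-wrap it
        // through the generic path below, which would otherwise decide its status.
        throw e;
    } catch (Exception e) {
        // Keep the property name and the cause in the log; the original message had neither,
        // which makes a policy-store outage impossible to attribute.
        log.error("Failed to get property admin data for property [{}]", property, e);
        throw new RestException(e);
    }
    // Fail closed: no allowed-cluster list means no cluster is allowed.
    if (propertyAdmin.getAllowedClusters() == null || !propertyAdmin.getAllowedClusters().contains(cluster)) {
        String msg = String.format("Cluster [%s] is not in the list of allowed clusters list for property [%s]",
                cluster, property);
        log.info(msg);
        throw new RestException(Status.FORBIDDEN, msg);
    }
    log.info("Successfully validated clusters on property [{}]", property);
}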
Usage of org.apache.pulsar.common.policies.data.PropertyAdmin in the project incubator-pulsar by apache.
Example from the class BrokerDiscoveryProvider, method checkAuthorization.
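/**
 * Authorization check for a discovery-service topic lookup.
 *
 * Order of decisions: (1) authorization disabled or {@code role} is a super-user: allow;
 * (2) the authorization service grants lookup on the topic: allow; (3) otherwise the role
 * must be one of the admin roles of the topic's property. Any other outcome throws.
 *
 * @param service            the discovery service supplying configuration, authz and cache
 * @param topicName          the topic being looked up
 * @param role               the authenticated role of the caller
 * @param authenticationData authentication data forwarded to the authorization service
 * @throws IllegalAccessException when the role is not allowed, the property does not exist,
 *                                or the property policy cannot be read
 * @throws Exception              anything the authorization service itself throws
 */
protected static void checkAuthorization(DiscoveryService service, TopicName topicName, String role,
        AuthenticationDataSource authenticationData) throws Exception {
    if (!service.getConfiguration().isAuthorizationEnabled()
            || service.getConfiguration().getSuperUserRoles().contains(role)) {
        // Authorization disabled, or a super-user role: nothing to enforce.
        return;
    }
    if (!service.getAuthorizationService().canLookup(topicName, role, authenticationData)) {
        // No lookup permission on the topic itself; fall back to the property's admin roles.
        // This warn is emitted even when the admin fallback below then allows the lookup.
        LOG.warn("[{}] Role {} is not allowed to lookup topic", topicName, role);
        PropertyAdmin propertyAdmin;
        try {
            propertyAdmin = service.getConfigurationCacheService().propertiesCache()
                    .get(path(POLICIES, topicName.getProperty()))
                    .orElseThrow(() -> new IllegalAccessException("Property does not exist"));
        } catch (KeeperException.NoNodeException e) {
            LOG.warn("Failed to get property admin data for non existing property {}", topicName.getProperty());
            throw new IllegalAccessException("Property does not exist");
        } catch (Exception e) {
            // Log the cause and the property; the original log line carried neither.
            // NOTE(review): e.getMessage() is echoed into the exception message below and may
            // reach the caller; confirm that is acceptable for a lookup response.
            LOG.error("Failed to get property admin data for property {}", topicName.getProperty(), e);
            throw new IllegalAccessException(
                    String.format("Failed to get property %s admin data due to %s", topicName.getProperty(),
                            e.getMessage()));
        }
        // Fail closed: a policy without an admin-role list grants nothing, and is reported as
        // a denial rather than surfacing as a NullPointerException.
        if (propertyAdmin.getAdminRoles() == null || !propertyAdmin.getAdminRoles().contains(role)) {
            throw new IllegalAccessException("Don't have permission to administrate resources on this property");
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Successfully authorized {} on property {}", role, topicName.getProperty());
    }
}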
Usage of org.apache.pulsar.common.policies.data.PropertyAdmin in the project incubator-pulsar by apache.
Example from the class PoliciesDataTest, method propertyAdmin.
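@Test
void propertyAdmin() {
    // PropertyAdmin is compared by value (admin roles + allowed clusters): the setter-built
    // instance must equal the constructor-built one, equal instances must hash alike, and
    // differing roles/clusters, a different type, or null must all compare unequal.
    PropertyAdmin pa1 = new PropertyAdmin();
    pa1.setAdminRoles(Lists.newArrayList("role1", "role2"));
    pa1.setAllowedClusters(Sets.newHashSet("use", "usw"));
    PropertyAdmin same = new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usw"));
    assertEquals(pa1, same);
    // equals/hashCode contract: equal objects must produce the same hash.
    assertEquals(pa1.hashCode(), same.hashCode());
    assertTrue(!pa1.equals(new Object()));
    assertTrue(!pa1.equals(null));
    assertTrue(!pa1.equals(new PropertyAdmin()));
    assertTrue(!pa1.equals(new PropertyAdmin(Lists.newArrayList("role1", "role3"), Sets.newHashSet("usc"))));
    assertEquals(pa1.getAdminRoles(), Lists.newArrayList("role1", "role2"));
    assertEquals(pa1.getAllowedClusters(), Sets.newHashSet("use", "usw"));
}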