
Example 41 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class NamespacesTest method testGlobalNamespaceReplicationConfiguration.

/**
 * Exercises {@code getNamespaceReplicationClusters} and {@code setNamespaceReplicationClusters}
 * on the {@code namespaces} resource and pins the HTTP status returned for each rejected call.
 *
 * <p>The FORBIDDEN assertions matter for access control: they check that a namespace cannot be
 * pointed at a cluster that is unknown or that the owning property is not allowed to use. The
 * remaining cases cover metadata-store failures injected through {@code mockZookKeeper} and
 * lookups of namespaces that do not exist.
 *
 * <p>The statements are order-dependent: each injected failure is expected to be consumed by the
 * call that follows it.
 */
@Test
public void testGlobalNamespaceReplicationConfiguration() throws Exception {
    // Starts empty, then a set followed by a get must round-trip the same cluster list.
    assertEquals(namespaces.getNamespaceReplicationClusters(this.testGlobalNamespaces.get(0).getProperty(), this.testGlobalNamespaces.get(0).getCluster(), this.testGlobalNamespaces.get(0).getLocalName()), Lists.newArrayList());
    namespaces.setNamespaceReplicationClusters(this.testGlobalNamespaces.get(0).getProperty(), this.testGlobalNamespaces.get(0).getCluster(), this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use", "usw"));
    assertEquals(namespaces.getNamespaceReplicationClusters(this.testGlobalNamespaces.get(0).getProperty(), this.testGlobalNamespaces.get(0).getCluster(), this.testGlobalNamespaces.get(0).getLocalName()), Lists.newArrayList("use", "usw"));
    try {
        // A list containing a cluster id that is not valid must be refused with 403.
        namespaces.setNamespaceReplicationClusters(this.testGlobalNamespaces.get(0).getProperty(), this.testGlobalNamespaces.get(0).getCluster(), this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use", "invalid-cluster"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.FORBIDDEN.getStatusCode());
    }
    try {
        namespaces.setNamespaceReplicationClusters(this.testGlobalNamespaces.get(0).getProperty(), this.testGlobalNamespaces.get(0).getCluster(), this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use", "global"));
        fail("should have failed");
    } catch (RestException e) {
        // Ok, global should not be allowed in the list of replication clusters
        assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
    }
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use", "invalid-cluster"));
        fail("should have failed");
    } catch (RestException e) {
        // Ok, invalid-cluster is an invalid cluster id
        assertEquals(e.getResponse().getStatus(), Status.FORBIDDEN.getStatusCode());
    }
    // Narrow the property's allowed clusters to "use" and "usc", so that "usw" is no longer permitted.
    admin.properties().updateProperty(testProperty, new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usc")));
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use", "usw"));
        fail("should have failed");
    } catch (RestException e) {
        // Ok, usw was not configured in the list of allowed clusters
        assertEquals(e.getResponse().getStatus(), Status.FORBIDDEN.getStatusCode());
    }
    // Sometimes watcher event consumes scheduled exception, so set to always fail to ensure exception is
    // thrown for api call.
    mockZookKeeper.setAlwaysFail(Code.SESSIONEXPIRED);
    // Invalidate the cached policies entry for this namespace before the next call.
    pulsar.getConfigurationCache().policiesCache().invalidate(AdminResource.path(POLICIES, this.testProperty, "global", this.testGlobalNamespaces.get(0).getLocalName()));
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        // The injected session-expired failure is expected to surface as a 500.
        assertEquals(e.getResponse().getStatus(), Status.INTERNAL_SERVER_ERROR.getStatusCode());
    } finally {
        // Always restore the mock so the remaining cases are not affected by the forced failure.
        mockZookKeeper.unsetAlwaysFail();
    }
    // An injected BADVERSION on the next metadata operation is expected to surface as a 409.
    mockZookKeeper.failNow(Code.BADVERSION);
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", this.testGlobalNamespaces.get(0).getLocalName(), Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.CONFLICT.getStatusCode());
    }
    // Reading or writing a namespace that does not exist must give 404.
    try {
        namespaces.getNamespaceReplicationClusters(this.testProperty, "global", "non-existing-ns");
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
    }
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, "global", "non-existing-ns", Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.NOT_FOUND.getStatusCode());
    }
    mockZookKeeper.failNow(Code.SESSIONEXPIRED);
    pulsar.getConfigurationCache().policiesCache().clear();
    // ensure the ZooKeeper read happens, bypassing the cache
    try {
        namespaces.getNamespaceReplicationClusters(this.testProperty, "global", this.testGlobalNamespaces.get(0).getLocalName());
        fail("should have failed");
    } catch (RestException e) {
        // NOTE(review): literal 500 here; the earlier case uses Status.INTERNAL_SERVER_ERROR for the same code.
        assertEquals(e.getResponse().getStatus(), 500);
    }
    // Same two operations against a namespace on the local (non-"global") cluster: both are
    // expected to be refused with 412. Presumably replication clusters only apply to global
    // namespaces - confirm against the resource implementation.
    try {
        namespaces.getNamespaceReplicationClusters(this.testProperty, this.testLocalCluster, this.testLocalNamespaces.get(0).getLocalName());
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
    }
    try {
        namespaces.setNamespaceReplicationClusters(this.testProperty, this.testLocalCluster, this.testLocalNamespaces.get(0).getLocalName(), Lists.newArrayList("use"));
        fail("should have failed");
    } catch (RestException e) {
        assertEquals(e.getResponse().getStatus(), Status.PRECONDITION_FAILED.getStatusCode());
    }
}
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) RestException(org.apache.pulsar.broker.web.RestException) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest)

Example 42 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class NamespacesTest method testValidateAdminAccessOnProperty.

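/**
 * Checks that {@code validateAdminAccessOnProperty} accepts the caller when the value returned by
 * {@code namespaces.clientAppId()} is listed among the property's admin roles.
 *
 * <p>Authentication and authorization are switched on for the duration of the call and switched
 * off again in {@code finally}, so a failure here does not leak the enabled flags into other
 * tests sharing the same configuration.
 *
 * <p>NOTE(review): only the accepting path is covered. A companion case that stores a different
 * admin role and expects a {@code RestException} would pin the rejecting path as well.
 */
@Test
public void testValidateAdminAccessOnProperty() throws Exception {
    try {
        final String property = "prop";
        pulsar.getConfiguration().setAuthenticationEnabled(true);
        pulsar.getConfiguration().setAuthorizationEnabled(true);
        final String path = PulsarWebResource.path(POLICIES, property);
        // The stored PropertyAdmin names the current caller as the only admin role.
        final String data = ObjectMapperFactory.getThreadLocal().writeValueAsString(new PropertyAdmin(Lists.newArrayList(namespaces.clientAppId()), Sets.newHashSet("use")));
        // Encode with an explicit charset: a bare getBytes() uses the platform default, so the
        // bytes written for the policy node could differ between machines.
        // OPEN_ACL_UNSAFE grants every client full access to the node; that is tolerable only
        // because this is a test fixture and must not be copied into code that writes real policy data.
        ZkUtils.createFullPathOptimistic(pulsar.getConfigurationCache().getZooKeeper(), path, data.getBytes(java.nio.charset.StandardCharsets.UTF_8), ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        namespaces.validateAdminAccessOnProperty(property);
    } catch (RestException e) {
        fail("validateAdminAccessOnProperty failed");
    } finally {
        // Restore the disabled state unconditionally.
        pulsar.getConfiguration().setAuthenticationEnabled(false);
        pulsar.getConfiguration().setAuthorizationEnabled(false);
    }
}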
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) RestException(org.apache.pulsar.broker.web.RestException) Test(org.testng.annotations.Test) MockedPulsarServiceBaseTest(org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest)

Example 43 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class PulsarWebResource method validateClusterForProperty.

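/**
 * Rejects the request unless {@code cluster} is in the allowed-clusters set stored for
 * {@code property}.
 *
 * @param property name of the property whose {@link PropertyAdmin} entry is looked up
 * @param cluster cluster id that must appear in {@code getAllowedClusters()}
 * @throws RestException with NOT_FOUND when the property has no entry, with FORBIDDEN when the
 *     cluster is not allowed, or wrapping the underlying failure when the lookup itself fails
 */
protected void validateClusterForProperty(String property, String cluster) {
    PropertyAdmin propertyAdmin;
    try {
        propertyAdmin = pulsar().getConfigurationCache().propertiesCache().get(path(POLICIES, property)).orElseThrow(() -> new RestException(Status.NOT_FOUND, "Property does not exist"));
    } catch (RestException e) {
        // The NOT_FOUND raised just above is an expected outcome: hand it to the caller as-is
        // instead of logging it as an error and wrapping it a second time.
        throw e;
    } catch (Exception e) {
        // Name the property and keep the stack trace so a lookup failure can be diagnosed.
        log.error("Failed to get property admin data for property [{}]", property, e);
        throw new RestException(e);
    }
    // Check if property is allowed on the cluster
    if (!propertyAdmin.getAllowedClusters().contains(cluster)) {
        // NOTE(review): both values are echoed into the log and the 403 body; this assumes they
        // were validated upstream - confirm against the callers.
        String msg = String.format("Cluster [%s] is not in the list of allowed clusters list for property [%s]", cluster, property);
        log.info(msg);
        throw new RestException(Status.FORBIDDEN, msg);
    }
    log.info("Successfully validated clusters on property [{}]", property);
}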
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) KeeperException(org.apache.zookeeper.KeeperException) MalformedURLException(java.net.MalformedURLException) WebApplicationException(javax.ws.rs.WebApplicationException)

Example 44 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class BrokerDiscoveryProvider method checkAuthorization.

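/**
 * Authorizes {@code role} to look up {@code topicName}, throwing when the role is not permitted.
 *
 * <p>The check is skipped when authorization is disabled or the role is a configured super-user
 * role. Otherwise the role must either pass {@code canLookup} or be listed among the admin roles
 * of the topic's property. Any failure to load the property data results in an
 * {@link IllegalAccessException}, so the method fails closed.
 *
 * @param service discovery service supplying the configuration, authorization service and cache
 * @param topicName topic being looked up
 * @param role role of the caller
 * @param authenticationData authentication data passed through to {@code canLookup}
 * @throws IllegalAccessException when the property does not exist, its admin data cannot be
 *     read, or the role is not among its admin roles
 * @throws Exception declared by the original signature
 */
protected static void checkAuthorization(DiscoveryService service, TopicName topicName, String role, AuthenticationDataSource authenticationData) throws Exception {
    if (!service.getConfiguration().isAuthorizationEnabled() || service.getConfiguration().getSuperUserRoles().contains(role)) {
        // No enforcing of authorization policies
        return;
    }
    if (!service.getAuthorizationService().canLookup(topicName, role, authenticationData)) {
        LOG.warn("[{}] Role {} is not allowed to lookup topic", topicName, role);
        // Fall back to the property's admin roles: an admin of the property may still look up.
        PropertyAdmin propertyAdmin;
        try {
            propertyAdmin = service.getConfigurationCacheService().propertiesCache().get(path(POLICIES, topicName.getProperty())).orElseThrow(() -> new IllegalAccessException("Property does not exist"));
        } catch (IllegalAccessException e) {
            // Raised by orElseThrow above for a missing entry; rethrow unchanged so this path
            // reports the same "Property does not exist" as the NoNodeException path instead of
            // being re-labelled as a read failure by the generic handler.
            throw e;
        } catch (KeeperException.NoNodeException e) {
            LOG.warn("Failed to get property admin data for non existing property {}", topicName.getProperty());
            throw new IllegalAccessException("Property does not exist");
        } catch (Exception e) {
            // Name the property and keep the stack trace; the rethrown exception carries no cause.
            LOG.error("Failed to get property admin data for property {}", topicName.getProperty(), e);
            // NOTE(review): the message embeds e.getMessage(); if it is relayed to the client it
            // exposes internal error text - confirm how callers surface it.
            throw new IllegalAccessException(String.format("Failed to get property %s admin data due to %s", topicName.getProperty(), e.getMessage()));
        }
        if (!propertyAdmin.getAdminRoles().contains(role)) {
            throw new IllegalAccessException("Don't have permission to administrate resources on this property");
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Successfully authorized {} on property {}", role, topicName.getProperty());
    }
}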
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) KeeperException(org.apache.zookeeper.KeeperException) KeeperException(org.apache.zookeeper.KeeperException) IOException(java.io.IOException) PulsarServerException(org.apache.pulsar.broker.PulsarServerException)

Example 45 with PropertyAdmin

use of org.apache.pulsar.common.policies.data.PropertyAdmin in project incubator-pulsar by apache.

the class PoliciesDataTest method propertyAdmin.

/**
 * Checks that a {@code PropertyAdmin} populated through its setters equals one built with the
 * two-argument constructor, differs from unrelated or differently populated objects, and returns
 * the admin roles it was given.
 */
@Test
void propertyAdmin() {
    PropertyAdmin viaSetters = new PropertyAdmin();
    viaSetters.setAdminRoles(Lists.newArrayList("role1", "role2"));
    viaSetters.setAllowedClusters(Sets.newHashSet("use", "usw"));

    // Same roles and clusters supplied through the constructor must compare equal.
    PropertyAdmin viaConstructor = new PropertyAdmin(Lists.newArrayList("role1", "role2"), Sets.newHashSet("use", "usw"));
    assertEquals(viaSetters, viaConstructor);

    // A foreign type, an empty instance and an instance with other values must all differ.
    boolean equalsForeignType = viaSetters.equals(new Object());
    assertTrue(!equalsForeignType);
    boolean equalsEmpty = viaSetters.equals(new PropertyAdmin());
    assertTrue(!equalsEmpty);
    PropertyAdmin otherValues = new PropertyAdmin(Lists.newArrayList("role1", "role3"), Sets.newHashSet("usc"));
    boolean equalsOtherValues = viaSetters.equals(otherValues);
    assertTrue(!equalsOtherValues);

    assertEquals(viaSetters.getAdminRoles(), Lists.newArrayList("role1", "role2"));
}
Also used : PropertyAdmin(org.apache.pulsar.common.policies.data.PropertyAdmin) Test(org.testng.annotations.Test)

Aggregations

PropertyAdmin (org.apache.pulsar.common.policies.data.PropertyAdmin)83 Test (org.testng.annotations.Test)60 ClusterData (org.apache.pulsar.common.policies.data.ClusterData)29 MockedPulsarServiceBaseTest (org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest)13 PulsarClient (org.apache.pulsar.client.api.PulsarClient)12 BeforeMethod (org.testng.annotations.BeforeMethod)12 PulsarAdmin (org.apache.pulsar.client.admin.PulsarAdmin)11 PulsarAdminException (org.apache.pulsar.client.admin.PulsarAdminException)9 PulsarClientException (org.apache.pulsar.client.api.PulsarClientException)9 AuthenticationTls (org.apache.pulsar.client.impl.auth.AuthenticationTls)8 HashSet (java.util.HashSet)6 URI (java.net.URI)5 URL (java.net.URL)5 Pattern (java.util.regex.Pattern)5 PulsarService (org.apache.pulsar.broker.PulsarService)5 RestException (org.apache.pulsar.broker.web.RestException)5 Authentication (org.apache.pulsar.client.api.Authentication)5 AuthAction (org.apache.pulsar.common.policies.data.AuthAction)5 KeeperException (org.apache.zookeeper.KeeperException)5 PulsarServerException (org.apache.pulsar.broker.PulsarServerException)4