
Example 1 with IAuthorizer

use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

the class StormCommon method mkAuthorizationHandlerImpl.

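/**
 * Loads the authorizer class named by {@code klassName}, instantiates it through its no-arg
 * constructor and calls {@code prepare(conf)} on the new instance.
 *
 * <p>The class is checked against {@link IAuthorizer} before it is instantiated, so a class name
 * that does not refer to an authorizer is rejected without running its constructor.
 * {@code Class.forName} still loads and initializes the named class, so {@code klassName} must
 * come from trusted configuration only.
 *
 * @param klassName fully qualified class name of the authorizer; may be blank
 * @param conf configuration passed to {@code IAuthorizer.prepare}
 * @return the prepared authorizer, or {@code null} when {@code klassName} is blank
 * @throws ClassNotFoundException if the named class cannot be found
 * @throws IllegalAccessException if the class or its no-arg constructor is not accessible
 * @throws InstantiationException if the class cannot be instantiated
 * @throws ClassCastException if the named class does not implement {@link IAuthorizer}
 */
protected IAuthorizer mkAuthorizationHandlerImpl(String klassName, Map conf) throws ClassNotFoundException, IllegalAccessException, InstantiationException {
    if (StringUtils.isBlank(klassName)) {
        // No authorizer configured. Callers receive null and must decide explicitly what a
        // missing handler means for access control (NOTE(review): confirm each caller's policy).
        return null;
    }
    // Class.forName never returns null, so no null check is needed. asSubclass raises
    // ClassCastException before any instance is created when the type is wrong.
    Class<? extends IAuthorizer> aznClass = Class.forName(klassName).asSubclass(IAuthorizer.class);
    // newInstance() is kept (rather than getDeclaredConstructor().newInstance()) so that the
    // declared checked exceptions of this method stay unchanged for existing callers.
    IAuthorizer aznHandler = aznClass.newInstance();
    aznHandler.prepare(conf);
    LOG.debug("authorization class name:{}, class:{}, handler:{}", klassName, aznClass, aznHandler);
    return aznHandler;
}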
Also used : IAuthorizer(org.apache.storm.security.auth.IAuthorizer)

Example 2 with IAuthorizer

use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

the class Supervisor method checkAuthorization.

/**
 * Authorizes {@code operation} for the caller described by {@code context}.
 *
 * <p>Impersonated requests are always rejected. Otherwise the decision is delegated to the
 * configured {@code authorizationHandler}, and the outcome is written to the Thrift access log.
 *
 * @param topoName topology name; used in the access log and the denial message, and placed in the
 *     conf handed to the authorizer only when {@code topoConf} is null
 * @param topoConf topology configuration handed to the authorizer (copied); may be null
 * @param operation name of the operation being requested
 * @param context request context; when null, {@code ReqContext.context()} is used
 * @throws AuthorizationException if the request is impersonated or the authorizer denies it
 */
@VisibleForTesting
public void checkAuthorization(String topoName, Map<String, Object> topoConf, String operation, ReqContext context) throws AuthorizationException {
    final ReqContext reqContext = (context != null) ? context : ReqContext.context();

    // The authorizer receives a private copy, never the caller's map.
    final Map<String, Object> checkConf = new HashMap<>();
    if (topoConf != null) {
        checkConf.putAll(topoConf);
    } else if (topoName != null) {
        checkConf.put(Config.TOPOLOGY_NAME, topoName);
    }

    // Impersonation is refused outright, before any ACL lookup.
    if (reqContext.isImpersonating()) {
        LOG.info("principal: {} is trying to impersonate principal: {}", reqContext.realPrincipal(), reqContext.principal());
        throw new WrappedAuthorizationException("Supervisor does not support impersonation");
    }

    final IAuthorizer aclHandler = authorizationHandler;
    if (aclHandler == null) {
        // No authorizer configured: the request proceeds without a permit() call and without
        // an access-log entry.
        return;
    }

    final boolean permitted = aclHandler.permit(reqContext, operation, checkConf);
    final String verdict = permitted ? "access-granted" : "access-denied";
    ThriftAccessLogger.logAccess(reqContext.requestID(), reqContext.remoteAddress(), reqContext.principal(), operation, topoName, verdict);
    if (!permitted) {
        throw new WrappedAuthorizationException(operation + (topoName != null ? " on topology " + topoName : "") + " is not authorized");
    }
}
Also used : WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException) HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) VisibleForTesting(org.apache.storm.shade.com.google.common.annotations.VisibleForTesting)

Example 3 with IAuthorizer

use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLTopologyReadOnlyGroupAuthTest.

/**
 * Checks SimpleACLAuthorizer decisions for a topology whose TOPOLOGY_READONLY_GROUPS contains
 * "group-readonly": the user named "user-in-readonly-group" is expected to be granted
 * "getTopologyInfo" but not "killTopology", and "user-b" is expected to be denied both.
 */
@Test
public void SimpleACLTopologyReadOnlyGroupAuthTest() {
    // Cluster conf: group lookups go through the mock mapping provider used by this test.
    Map<String, Object> stormConf = ConfigUtils.readStormConfig();
    String groupMappingPlugin = SimpleACLTopologyReadOnlyGroupAuthTestMock.class.getName();
    stormConf.put(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN, groupMappingPlugin);

    // Topology conf: a single read-only group.
    Map<String, Object> topologyConf = new HashMap<>();
    Collection<String> readOnlyGroups = new HashSet<>(Arrays.asList("group-readonly"));
    topologyConf.put(Config.TOPOLOGY_READONLY_GROUPS, readOnlyGroups);

    Subject groupMember = createSubject("user-in-readonly-group");
    Subject outsider = createSubject("user-b");

    IAuthorizer acl = new SimpleACLAuthorizer();
    acl.prepare(stormConf);

    // A mutating operation is denied to both users.
    Assert.assertFalse(acl.permit(new ReqContext(groupMember), "killTopology", topologyConf));
    Assert.assertFalse(acl.permit(new ReqContext(outsider), "killTopology", topologyConf));

    // A read operation is granted only to the user in the read-only group.
    Assert.assertTrue(acl.permit(new ReqContext(groupMember), "getTopologyInfo", topologyConf));
    Assert.assertFalse(acl.permit(new ReqContext(outsider), "getTopologyInfo", topologyConf));
}
Also used : HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 4 with IAuthorizer

use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLTopologyReadOnlyUserAuthTest.

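/**
 * Checks SimpleACLAuthorizer decisions for a topology that lists "user-a" in TOPOLOGY_USERS and
 * "user-readonly" in TOPOLOGY_READONLY_USERS.
 *
 * <p>Expected matrix: "user-a" is granted every operation listed below, "user-b" (in neither
 * list) is denied every one, and "user-readonly" is granted only the operations in
 * {@code readOnlyOperations}. Each assertion carries a message naming the principal and the
 * operation, so a failure identifies the exact ACL cell that regressed.
 */
@Test
public void SimpleACLTopologyReadOnlyUserAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    Map<String, Object> topoConf = new HashMap<>();
    Collection<String> topologyUserSet = new HashSet<>(Arrays.asList("user-a"));
    topoConf.put(Config.TOPOLOGY_USERS, topologyUserSet);
    Collection<String> topologyReadOnlyUserSet = new HashSet<>(Arrays.asList("user-readonly"));
    topoConf.put(Config.TOPOLOGY_READONLY_USERS, topologyReadOnlyUserSet);
    Subject userA = createSubject("user-a");
    Subject userB = createSubject("user-b");
    Subject readOnlyUser = createSubject("user-readonly");
    IAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);

    // Every topology-scoped operation under test, in the order the checks run.
    String[] operations = {
        "killTopology", "rebalance", "activate", "deactivate",
        "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo",
        "getTopologyPageInfo", "getComponentPageInfo",
        "uploadNewCredentials", "setLogConfig", "setWorkerProfiler",
        "getWorkerProfileActionExpiry", "getComponentPendingProfileActions",
        "startProfiling", "stopProfiling", "dumpProfile", "dumpJstack", "dumpHeap", "debug",
        "getLogConfig"
    };
    // The subset a read-only user must be granted; everything else must be denied to that user.
    Collection<String> readOnlyOperations = new HashSet<>(Arrays.asList(
        "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo",
        "getTopologyPageInfo", "getComponentPageInfo",
        "getWorkerProfileActionExpiry", "getComponentPendingProfileActions",
        "getLogConfig"));

    for (String operation : operations) {
        boolean readOnlyDecision = authorizer.permit(new ReqContext(readOnlyUser), operation, topoConf);
        if (readOnlyOperations.contains(operation)) {
            Assert.assertTrue("user-readonly should be permitted: " + operation, readOnlyDecision);
        } else {
            Assert.assertFalse("user-readonly should be denied: " + operation, readOnlyDecision);
        }
        Assert.assertTrue("user-a should be permitted: " + operation,
            authorizer.permit(new ReqContext(userA), operation, topoConf));
        Assert.assertFalse("user-b should be denied: " + operation,
            authorizer.permit(new ReqContext(userB), operation, topoConf));
    }
}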
Also used : HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 5 with IAuthorizer

use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLUserAuthTest.

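/**
 * Checks SimpleACLAuthorizer decisions for four principals: "admin" (in NIMBUS_ADMINS),
 * "supervisor" (in NIMBUS_SUPERVISOR_USERS), "user-a" (in the topology's TOPOLOGY_USERS) and
 * "user-b" (in none of these lists).
 *
 * <p>Expected matrix, as asserted below:
 * <ul>
 *   <li>operations checked with an empty topology conf ("submitTopology" etc.) are granted to
 *       admin, user-a and user-b, and denied to supervisor;</li>
 *   <li>"fileDownload" is granted to admin and supervisor only;</li>
 *   <li>topology-scoped operations are granted to admin and user-a, and denied to supervisor
 *       and user-b.</li>
 * </ul>
 * Each assertion carries a message naming the principal and the operation, so a failure
 * identifies the exact ACL cell that regressed.
 */
@Test
public void SimpleACLUserAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    Collection<String> adminUserSet = new HashSet<>(Arrays.asList("admin"));
    Collection<String> supervisorUserSet = new HashSet<>(Arrays.asList("supervisor"));
    clusterConf.put(Config.NIMBUS_ADMINS, adminUserSet);
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, supervisorUserSet);
    IAuthorizer authorizer = new SimpleACLAuthorizer();
    Subject adminUser = createSubject("admin");
    Subject supervisorUser = createSubject("supervisor");
    Subject userA = createSubject("user-a");
    Subject userB = createSubject("user-b");
    authorizer.prepare(clusterConf);

    // Operations checked against an empty topology conf: open to every user except the
    // supervisor principal.
    String[] clusterOperations = {
        "submitTopology", "fileUpload", "getNimbusConf", "getClusterInfo", "getSupervisorPageInfo"
    };
    for (String operation : clusterOperations) {
        Assert.assertTrue("admin should be permitted: " + operation,
            authorizer.permit(new ReqContext(adminUser), operation, new HashMap<>()));
        Assert.assertFalse("supervisor should be denied: " + operation,
            authorizer.permit(new ReqContext(supervisorUser), operation, new HashMap<>()));
        Assert.assertTrue("user-a should be permitted: " + operation,
            authorizer.permit(new ReqContext(userA), operation, new HashMap<>()));
        Assert.assertTrue("user-b should be permitted: " + operation,
            authorizer.permit(new ReqContext(userB), operation, new HashMap<>()));
    }

    // fileDownload is the one operation here reserved for admin and supervisor.
    Assert.assertTrue("admin should be permitted: fileDownload",
        authorizer.permit(new ReqContext(adminUser), "fileDownload", new HashMap<>()));
    Assert.assertTrue("supervisor should be permitted: fileDownload",
        authorizer.permit(new ReqContext(supervisorUser), "fileDownload", new HashMap<>()));
    Assert.assertFalse("user-a should be denied: fileDownload",
        authorizer.permit(new ReqContext(userA), "fileDownload", new HashMap<>()));
    Assert.assertFalse("user-b should be denied: fileDownload",
        authorizer.permit(new ReqContext(userB), "fileDownload", new HashMap<>()));

    Map<String, Object> topoConf = new HashMap<>();
    Collection<String> topologyUserSet = new HashSet<>(Arrays.asList("user-a"));
    topoConf.put(Config.TOPOLOGY_USERS, topologyUserSet);

    // Topology-scoped operations: only admin and the topology's own user are permitted.
    String[] topologyOperations = {
        "killTopology", "rebalance", "activate", "deactivate",
        "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo",
        "getTopologyPageInfo", "getComponentPageInfo",
        "uploadNewCredentials", "setLogConfig", "setWorkerProfiler",
        "getWorkerProfileActionExpiry", "getComponentPendingProfileActions",
        "startProfiling", "stopProfiling", "dumpProfile", "dumpJstack", "dumpHeap", "debug",
        "getLogConfig"
    };
    for (String operation : topologyOperations) {
        Assert.assertTrue("admin should be permitted: " + operation,
            authorizer.permit(new ReqContext(adminUser), operation, topoConf));
        Assert.assertFalse("supervisor should be denied: " + operation,
            authorizer.permit(new ReqContext(supervisorUser), operation, topoConf));
        Assert.assertTrue("user-a should be permitted: " + operation,
            authorizer.permit(new ReqContext(userA), operation, topoConf));
        Assert.assertFalse("user-b should be denied: " + operation,
            authorizer.permit(new ReqContext(userB), operation, topoConf));
    }
}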
Also used : HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

IAuthorizer (org.apache.storm.security.auth.IAuthorizer)8 HashMap (java.util.HashMap)6 HashSet (java.util.HashSet)4 Subject (javax.security.auth.Subject)4 ReqContext (org.apache.storm.security.auth.ReqContext)4 Test (org.junit.Test)4 VisibleForTesting (org.apache.storm.shade.com.google.common.annotations.VisibleForTesting)2 WrappedAuthorizationException (org.apache.storm.utils.WrappedAuthorizationException)2