
Example 6 with IAuthorizer

Use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

The class SimpleACLAuthorizerTest, method SimpleACLNimbusUserAuthTest.

@Test
public void SimpleACLNimbusUserAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    Collection<String> adminUserSet = new HashSet<>(Arrays.asList("admin"));
    Collection<String> supervisorUserSet = new HashSet<>(Arrays.asList("supervisor"));
    Collection<String> nimbusUserSet = new HashSet<>(Arrays.asList("user-a"));
    clusterConf.put(Config.NIMBUS_ADMINS, adminUserSet);
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, supervisorUserSet);
    clusterConf.put(Config.NIMBUS_USERS, nimbusUserSet);
    IAuthorizer authorizer = new SimpleACLAuthorizer();
    Subject adminUser = createSubject("admin");
    Subject supervisorUser = createSubject("supervisor");
    Subject userA = createSubject("user-a");
    Subject userB = createSubject("user-b");
    authorizer.prepare(clusterConf);
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "submitTopology", new HashMap<>()));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "submitTopology", new HashMap<>()));
    Assert.assertTrue(authorizer.permit(new ReqContext(adminUser), "fileUpload", new HashMap<>()));
    Assert.assertTrue(authorizer.permit(new ReqContext(supervisorUser), "fileDownload", new HashMap<>()));
}
Also used: HashMap (java.util.HashMap), IAuthorizer (org.apache.storm.security.auth.IAuthorizer), ReqContext (org.apache.storm.security.auth.ReqContext), Subject (javax.security.auth.Subject), HashSet (java.util.HashSet), Test (org.junit.Test)

Example 7 with IAuthorizer

Use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

The class StormCommon, method mkAuthorizationHandlerImpl.

protected IAuthorizer mkAuthorizationHandlerImpl(String klassName, Map<String, Object> conf) throws ClassNotFoundException, IllegalAccessException, InstantiationException {
    IAuthorizer aznHandler = null;
    if (StringUtils.isNotBlank(klassName)) {
        Class<?> aznClass = Class.forName(klassName);
        if (aznClass != null) {
            aznHandler = (IAuthorizer) aznClass.newInstance();
            if (aznHandler != null) {
                aznHandler.prepare(conf);
            }
            LOG.debug("authorization class name:{}, class:{}, handler:{}", klassName, aznClass, aznHandler);
        }
    }
    return aznHandler;
}
Also used: IAuthorizer (org.apache.storm.security.auth.IAuthorizer)

Example 8 with IAuthorizer

Use of org.apache.storm.security.auth.IAuthorizer in project storm by apache.

The class Nimbus, method checkAuthorization.

@VisibleForTesting
public void checkAuthorization(String topoName, Map<String, Object> topoConf, String operation, ReqContext context) throws AuthorizationException {
    IAuthorizer impersonationAuthorizer = impersonationAuthorizationHandler;
    if (context == null) {
        context = ReqContext.context();
    }
    Map<String, Object> checkConf = new HashMap<>();
    if (topoConf != null) {
        checkConf.putAll(topoConf);
    } else if (topoName != null) {
        checkConf.put(Config.TOPOLOGY_NAME, topoName);
    }
    if (context.isImpersonating()) {
        LOG.info("principal: {} is trying to impersonate principal: {}", context.realPrincipal(), context.principal());
        if (impersonationAuthorizer == null) {
            LOG.warn("impersonation attempt but {} has no authorizer configured. potential security risk, " + "please see SECURITY.MD to learn how to configure impersonation authorizer.", DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER);
        } else {
            if (!impersonationAuthorizer.permit(context, operation, checkConf)) {
                ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
                throw new WrappedAuthorizationException("principal " + context.realPrincipal() + " is not authorized to impersonate principal " + context.principal() + " from host " + context.remoteAddress() + " Please see SECURITY.MD to learn how to configure impersonation acls.");
            }
        }
    }
    IAuthorizer aclHandler = authorizationHandler;
    if (aclHandler != null) {
        if (!aclHandler.permit(context, operation, checkConf)) {
            ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-denied");
            throw new WrappedAuthorizationException(operation + (topoName != null ? " on topology " + topoName : "") + " is not authorized");
        } else {
            ThriftAccessLogger.logAccess(context.requestID(), context.remoteAddress(), context.principal(), operation, topoName, "access-granted");
        }
    }
}
Also used: WrappedAuthorizationException (org.apache.storm.utils.WrappedAuthorizationException), HashMap (java.util.HashMap), IAuthorizer (org.apache.storm.security.auth.IAuthorizer), VisibleForTesting (org.apache.storm.shade.com.google.common.annotations.VisibleForTesting)

Aggregations

IAuthorizer (org.apache.storm.security.auth.IAuthorizer): 8
HashMap (java.util.HashMap): 6
HashSet (java.util.HashSet): 4
Subject (javax.security.auth.Subject): 4
ReqContext (org.apache.storm.security.auth.ReqContext): 4
Test (org.junit.Test): 4
VisibleForTesting (org.apache.storm.shade.com.google.common.annotations.VisibleForTesting): 2
WrappedAuthorizationException (org.apache.storm.utils.WrappedAuthorizationException): 2