Examples with ReqContext org.apache.storm.security.auth.ReqContext used on opensource projects

Search in sources :

Example 1 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class NimbusClient method withConfiguredClient.

public static void withConfiguredClient(WithNimbus cb, Map conf) throws Exception {
    ReqContext context = ReqContext.context();
    Principal principal = context.principal();
    String user = principal == null ? null : principal.getName();
    try (NimbusClient client = getConfiguredClientAs(conf, user)) {
        cb.run(client.getClient());
    }
}
Also used : ReqContext(org.apache.storm.security.auth.ReqContext) Principal(java.security.Principal)

Example 2 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class AuthorizedUserFilter method filter.

@Override
public void filter(ContainerRequestContext containerRequestContext) {
    AuthNimbusOp annotation = resourceInfo.getResourceMethod().getAnnotation(AuthNimbusOp.class);
    if (annotation == null) {
        return;
    }
    String op = annotation.value();
    if (op == null) {
        return;
    }
    Map topoConf = null;
    if (annotation.needsTopoId()) {
        final String topoId = containerRequestContext.getUriInfo().getPathParameters().get("id").get(0);
        try (NimbusClient nimbusClient = NimbusClient.getConfiguredClient(conf)) {
            topoConf = (Map) JSONValue.parse(nimbusClient.getClient().getTopologyConf(topoId));
        } catch (AuthorizationException ae) {
            LOG.error("Nimbus isn't allowing {} to access the topology conf of {}. {}", ReqContext.context(), topoId, ae.get_msg());
            containerRequestContext.abortWith(makeResponse(ae, containerRequestContext, 403));
            return;
        } catch (TException e) {
            LOG.error("Unable to fetch topo conf for {} due to ", topoId, e);
            containerRequestContext.abortWith(makeResponse(new IOException("Unable to fetch topo conf for topo id " + topoId, e), containerRequestContext, 500));
            return;
        }
    }
    ReqContext reqContext = ReqContext.context();
    if (reqContext.isImpersonating()) {
        if (uiImpersonationHandler != null) {
            if (!uiImpersonationHandler.permit(reqContext, op, topoConf)) {
                Principal realPrincipal = reqContext.realPrincipal();
                Principal principal = reqContext.principal();
                String user = "unknown";
                if (principal != null) {
                    user = principal.getName();
                }
                String realUser = "unknown";
                if (realPrincipal != null) {
                    realUser = realPrincipal.getName();
                }
                InetAddress remoteAddress = reqContext.remoteAddress();
                containerRequestContext.abortWith(makeResponse(new AuthorizationException("user '" + realUser + "' is not authorized to impersonate user '" + user + "' from host '" + remoteAddress.toString() + "'. Please" + "see SECURITY.MD to learn how to configure impersonation ACL."), containerRequestContext, 401));
                return;
            }
            LOG.warn(" principal {} is trying to impersonate {} but {} has no authorizer configured. " + "This is a potential security hole. Please see SECURITY.MD to learn how to " + "configure an impersonation authorizer.", reqContext.realPrincipal().toString(), reqContext.principal().toString(), conf.get(DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER));
        }
    }
    if (uiAclHandler != null) {
        if (!uiAclHandler.permit(reqContext, op, topoConf)) {
            Principal principal = reqContext.principal();
            String user = "unknown";
            if (principal != null) {
                user = principal.getName();
            }
            containerRequestContext.abortWith(makeResponse(new AuthorizationException("UI request '" + op + "' for '" + user + "' user is not authorized"), containerRequestContext, 403));
            return;
        }
    }
}
Also used : TException(org.apache.storm.thrift.TException) AuthorizationException(org.apache.storm.generated.AuthorizationException) NimbusClient(org.apache.storm.utils.NimbusClient) IOException(java.io.IOException) ReqContext(org.apache.storm.security.auth.ReqContext) AuthNimbusOp(org.apache.storm.daemon.ui.resources.AuthNimbusOp) Map(java.util.Map) InetAddress(java.net.InetAddress) Principal(java.security.Principal)

Example 3 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class Nimbus method submitTopologyWithOpts.

@Override
public void submitTopologyWithOpts(String topoName, String uploadedJarLocation, String jsonConf, StormTopology topology, SubmitOptions options) throws AlreadyAliveException, InvalidTopologyException, AuthorizationException, TException {
    try {
        submitTopologyWithOptsCalls.mark();
        assertIsLeader();
        assert (options != null);
        validateTopologyName(topoName);
        checkAuthorization(topoName, null, "submitTopology");
        assertTopoActive(topoName, false);
        @SuppressWarnings("unchecked") Map<String, Object> topoConf = (Map<String, Object>) JSONValue.parse(jsonConf);
        try {
            ConfigValidation.validateTopoConf(topoConf);
        } catch (IllegalArgumentException ex) {
            throw new WrappedInvalidTopologyException(ex.getMessage());
        }
        validator.validate(topoName, topoConf, topology);
        if ((boolean) conf.getOrDefault(Config.DISABLE_SYMLINKS, false)) {
            @SuppressWarnings("unchecked") Map<String, Object> blobMap = (Map<String, Object>) topoConf.get(Config.TOPOLOGY_BLOBSTORE_MAP);
            if (blobMap != null && !blobMap.isEmpty()) {
                throw new WrappedInvalidTopologyException("symlinks are disabled so blobs are not supported but " + Config.TOPOLOGY_BLOBSTORE_MAP + " = " + blobMap);
            }
        }
        ServerUtils.validateTopologyWorkerMaxHeapSizeConfigs(topoConf, topology, ObjectReader.getDouble(conf.get(Config.TOPOLOGY_WORKER_MAX_HEAP_SIZE_MB)));
        Utils.validateTopologyBlobStoreMap(topoConf, blobStore);
        long uniqueNum = submittedCount.incrementAndGet();
        String topoId = topoName + "-" + uniqueNum + "-" + Time.currentTimeSecs();
        Map<String, String> creds = null;
        if (options.is_set_creds()) {
            creds = options.get_creds().get_creds();
        }
        topoConf.put(Config.STORM_ID, topoId);
        topoConf.put(Config.TOPOLOGY_NAME, topoName);
        topoConf = normalizeConf(conf, topoConf, topology);
        OciUtils.adjustImageConfigForTopo(conf, topoConf, topoId);
        ReqContext req = ReqContext.context();
        Principal principal = req.principal();
        String submitterPrincipal = principal == null ? null : principal.toString();
        Set<String> topoAcl = new HashSet<>(ObjectReader.getStrings(topoConf.get(Config.TOPOLOGY_USERS)));
        topoAcl.add(submitterPrincipal);
        String submitterUser = principalToLocal.toLocal(principal);
        topoAcl.add(submitterUser);
        String topologyPrincipal = Utils.OR(submitterPrincipal, "");
        topoConf.put(Config.TOPOLOGY_SUBMITTER_PRINCIPAL, topologyPrincipal);
        String systemUser = System.getProperty("user.name");
        String topologyOwner = Utils.OR(submitterUser, systemUser);
        // Don't let the user set who we launch as
        topoConf.put(Config.TOPOLOGY_SUBMITTER_USER, topologyOwner);
        topoConf.put(Config.TOPOLOGY_USERS, new ArrayList<>(topoAcl));
        topoConf.put(Config.STORM_ZOOKEEPER_SUPERACL, conf.get(Config.STORM_ZOOKEEPER_SUPERACL));
        if (!Utils.isZkAuthenticationConfiguredStormServer(conf)) {
            topoConf.remove(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_SCHEME);
            topoConf.remove(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD);
        }
        if (!(Boolean) conf.getOrDefault(DaemonConfig.STORM_TOPOLOGY_CLASSPATH_BEGINNING_ENABLED, false)) {
            topoConf.remove(Config.TOPOLOGY_CLASSPATH_BEGINNING);
        }
        String topoVersionString = topology.get_storm_version();
        if (topoVersionString == null) {
            topoVersionString = (String) conf.getOrDefault(Config.SUPERVISOR_WORKER_DEFAULT_VERSION, VersionInfo.getVersion());
        }
        // Check if we can run a topology with that version of storm.
        SimpleVersion topoVersion = new SimpleVersion(topoVersionString);
        List<String> cp = Utils.getCompatibleVersion(supervisorClasspaths, topoVersion, "classpath", null);
        if (cp == null) {
            throw new WrappedInvalidTopologyException("Topology submitted with storm version " + topoVersionString + " but could not find a configured compatible version to use " + supervisorClasspaths.keySet());
        }
        Map<String, Object> otherConf = Utils.getConfigFromClasspath(cp, conf);
        Map<String, Object> totalConfToSave = Utils.merge(otherConf, topoConf);
        Map<String, Object> totalConf = Utils.merge(conf, totalConfToSave);
        // When reading the conf in nimbus we want to fall back to our own settings
        // if the other config does not have it set.
        topology = normalizeTopology(totalConf, topology);
        // we might need to set the number of acker executors and eventlogger executors to be the estimated number of workers.
        if (ServerUtils.isRas(conf)) {
            int estimatedNumWorker = ServerUtils.getEstimatedWorkerCountForRasTopo(totalConf, topology);
            setUpAckerExecutorConfigs(topoName, totalConfToSave, totalConf, estimatedNumWorker);
            ServerUtils.validateTopologyAckerBundleResource(totalConfToSave, topology, topoName);
            int numEventLoggerExecs = ObjectReader.getInt(totalConf.get(Config.TOPOLOGY_EVENTLOGGER_EXECUTORS), estimatedNumWorker);
            totalConfToSave.put(Config.TOPOLOGY_EVENTLOGGER_EXECUTORS, numEventLoggerExecs);
            LOG.debug("Config {} set to: {} for topology: {}", Config.TOPOLOGY_EVENTLOGGER_EXECUTORS, numEventLoggerExecs, topoName);
        }
        // Remove any configs that are specific to a host that might mess with the running topology.
        // Don't override the host name, or everything looks like it is on nimbus
        totalConfToSave.remove(Config.STORM_LOCAL_HOSTNAME);
        IStormClusterState state = stormClusterState;
        if (creds == null && workerTokenManager != null) {
            // Make sure we can store the worker tokens even if no creds are provided.
            creds = new HashMap<>();
        }
        if (creds != null) {
            Map<String, Object> finalConf = Collections.unmodifiableMap(topoConf);
            for (INimbusCredentialPlugin autocred : nimbusAutocredPlugins) {
                autocred.populateCredentials(creds, finalConf);
            }
            upsertWorkerTokensInCreds(creds, topologyPrincipal, topoId);
        }
        if (ObjectReader.getBoolean(conf.get(Config.SUPERVISOR_RUN_WORKER_AS_USER), false) && (submitterUser == null || submitterUser.isEmpty())) {
            throw new WrappedAuthorizationException("Could not determine the user to run this topology as.");
        }
        // this validates the structure of the topology
        StormCommon.systemTopology(totalConf, topology);
        validateTopologySize(topoConf, conf, topology);
        if (Utils.isZkAuthenticationConfiguredStormServer(conf) && !Utils.isZkAuthenticationConfiguredTopology(topoConf)) {
            throw new IllegalArgumentException("The cluster is configured for zookeeper authentication, but no payload was provided.");
        }
        LOG.info("Received topology submission for {} (storm-{} JDK-{}) with conf {}", topoName, topoVersionString, topology.get_jdk_version(), ConfigUtils.maskPasswords(topoConf));
        // cleanup thread killing topology in b/w assignment and starting the topology
        synchronized (submitLock) {
            assertTopoActive(topoName, false);
            // cred-update-lock is not needed here because creds are being added for the first time.
            if (creds != null) {
                state.setCredentials(topoId, new Credentials(creds), topoConf);
            }
            LOG.info("uploadedJar {} for {}", uploadedJarLocation, topoName);
            setupStormCode(conf, topoId, uploadedJarLocation, totalConfToSave, topology);
            waitForDesiredCodeReplication(totalConf, topoId);
            state.setupHeatbeats(topoId, topoConf);
            state.setupErrors(topoId, topoConf);
            if (ObjectReader.getBoolean(totalConf.get(Config.TOPOLOGY_BACKPRESSURE_ENABLE), false)) {
                state.setupBackpressure(topoId, topoConf);
            }
            notifyTopologyActionListener(topoName, "submitTopology");
            TopologyStatus status = null;
            switch(options.get_initial_status()) {
                case INACTIVE:
                    status = TopologyStatus.INACTIVE;
                    break;
                case ACTIVE:
                    status = TopologyStatus.ACTIVE;
                    break;
                default:
                    throw new IllegalArgumentException("Inital Status of " + options.get_initial_status() + " is not allowed.");
            }
            startTopology(topoName, topoId, status, topologyOwner, topologyPrincipal, totalConfToSave, topology);
        }
    } catch (Exception e) {
        LOG.warn("Topology submission exception. (topology name='{}')", topoName, e);
        if (e instanceof TException) {
            throw (TException) e;
        }
        throw new RuntimeException(e);
    }
}
Also used : INimbusCredentialPlugin(org.apache.storm.security.INimbusCredentialPlugin) TException(org.apache.storm.thrift.TException) WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException) ReqContext(org.apache.storm.security.auth.ReqContext) WrappedInvalidTopologyException(org.apache.storm.utils.WrappedInvalidTopologyException) SimpleVersion(org.apache.storm.utils.SimpleVersion) IStormClusterState(org.apache.storm.cluster.IStormClusterState) TopologyStatus(org.apache.storm.generated.TopologyStatus) HashSet(java.util.HashSet) WorkerMetricPoint(org.apache.storm.generated.WorkerMetricPoint) DataPoint(org.apache.storm.metric.api.DataPoint) WrappedAuthorizationException(org.apache.storm.utils.WrappedAuthorizationException) IOException(java.io.IOException) IllegalStateException(org.apache.storm.generated.IllegalStateException) AlreadyAliveException(org.apache.storm.generated.AlreadyAliveException) WrappedNotAliveException(org.apache.storm.utils.WrappedNotAliveException) WrappedInvalidTopologyException(org.apache.storm.utils.WrappedInvalidTopologyException) AuthorizationException(org.apache.storm.generated.AuthorizationException) NotAliveException(org.apache.storm.generated.NotAliveException) WrappedAlreadyAliveException(org.apache.storm.utils.WrappedAlreadyAliveException) InterruptedIOException(java.io.InterruptedIOException) KeyAlreadyExistsException(org.apache.storm.generated.KeyAlreadyExistsException) TException(org.apache.storm.thrift.TException) WrappedIllegalStateException(org.apache.storm.utils.WrappedIllegalStateException) KeyNotFoundException(org.apache.storm.generated.KeyNotFoundException) InvalidTopologyException(org.apache.storm.generated.InvalidTopologyException) BindException(java.net.BindException) Map(java.util.Map) NavigableMap(java.util.NavigableMap) RotatingMap(org.apache.storm.utils.RotatingMap) ImmutableMap(org.apache.storm.shade.com.google.common.collect.ImmutableMap) TimeCacheMap(org.apache.storm.utils.TimeCacheMap) HashMap(java.util.HashMap) NimbusPrincipal(org.apache.storm.security.auth.NimbusPrincipal) Principal(java.security.Principal) Credentials(org.apache.storm.generated.Credentials)

Example 4 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLTopologyReadOnlyGroupAuthTest.

@Test
public void SimpleACLTopologyReadOnlyGroupAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    clusterConf.put(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN, SimpleACLTopologyReadOnlyGroupAuthTestMock.class.getName());
    Map<String, Object> topoConf = new HashMap<>();
    Collection<String> topologyReadOnlyGroupSet = new HashSet<>(Arrays.asList("group-readonly"));
    topoConf.put(Config.TOPOLOGY_READONLY_GROUPS, topologyReadOnlyGroupSet);
    Subject userInReadOnlyGroup = createSubject("user-in-readonly-group");
    Subject userB = createSubject("user-b");
    IAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);
    Assert.assertFalse(authorizer.permit(new ReqContext(userInReadOnlyGroup), "killTopology", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "killTopology", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userInReadOnlyGroup), "getTopologyInfo", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getTopologyInfo", topoConf));
}
Also used : HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 5 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLTopologyReadOnlyUserAuthTest.

@Test
public void SimpleACLTopologyReadOnlyUserAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    Map<String, Object> topoConf = new HashMap<>();
    Collection<String> topologyUserSet = new HashSet<>(Arrays.asList("user-a"));
    topoConf.put(Config.TOPOLOGY_USERS, topologyUserSet);
    Collection<String> topologyReadOnlyUserSet = new HashSet<>(Arrays.asList("user-readonly"));
    topoConf.put(Config.TOPOLOGY_READONLY_USERS, topologyReadOnlyUserSet);
    Subject userA = createSubject("user-a");
    Subject userB = createSubject("user-b");
    Subject readOnlyUser = createSubject("user-readonly");
    IAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "killTopology", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "killTopology", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "killTopology", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "rebalance", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "rebalance", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "rebalance", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "activate", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "activate", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "activate", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "deactivate", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "deactivate", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "deactivate", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getTopologyConf", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getTopologyConf", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getTopologyConf", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getTopology", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getTopology", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getTopology", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getUserTopology", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getUserTopology", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getUserTopology", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getTopologyInfo", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getTopologyInfo", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getTopologyInfo", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getTopologyPageInfo", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getTopologyPageInfo", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getTopologyPageInfo", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getComponentPageInfo", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getComponentPageInfo", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getComponentPageInfo", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "uploadNewCredentials", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "uploadNewCredentials", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "uploadNewCredentials", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "setLogConfig", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "setLogConfig", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "setLogConfig", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "setWorkerProfiler", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "setWorkerProfiler", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "setWorkerProfiler", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getWorkerProfileActionExpiry", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getWorkerProfileActionExpiry", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getWorkerProfileActionExpiry", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getComponentPendingProfileActions", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getComponentPendingProfileActions", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getComponentPendingProfileActions", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "startProfiling", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "startProfiling", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "startProfiling", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "stopProfiling", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "stopProfiling", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "stopProfiling", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "dumpProfile", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "dumpProfile", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "dumpProfile", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "dumpJstack", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "dumpJstack", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "dumpJstack", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "dumpHeap", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "dumpHeap", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "dumpHeap", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(readOnlyUser), "debug", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "debug", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "debug", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(readOnlyUser), "getLogConfig", topoConf));
    Assert.assertTrue(authorizer.permit(new ReqContext(userA), "getLogConfig", topoConf));
    Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getLogConfig", topoConf));
}
Also used : HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

ReqContext (org.apache.storm.security.auth.ReqContext)11 HashMap (java.util.HashMap)7 Subject (javax.security.auth.Subject)6 Test (org.junit.Test)6 HashSet (java.util.HashSet)5 Principal (java.security.Principal)4 IAuthorizer (org.apache.storm.security.auth.IAuthorizer)4 SingleUserPrincipal (org.apache.storm.security.auth.SingleUserPrincipal)3 IOException (java.io.IOException)2 Map (java.util.Map)2 AuthorizationException (org.apache.storm.generated.AuthorizationException)2 DefaultPrincipalToLocal (org.apache.storm.security.auth.DefaultPrincipalToLocal)2 DRPCSimpleACLAuthorizer (org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer)2 AclFunctionEntry (org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer.AclFunctionEntry)2 TException (org.apache.storm.thrift.TException)2 InterruptedIOException (java.io.InterruptedIOException)1 BindException (java.net.BindException)1 InetAddress (java.net.InetAddress)1 List (java.util.List)1 NavigableMap (java.util.NavigableMap)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial