
Example 6 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLUserAuthTest.

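/**
 * Checks {@link SimpleACLAuthorizer} as an allow/deny matrix: every operation is asked for
 * an admin, a supervisor identity and two ordinary users ("user-a" and "user-b").
 *
 * <p>Expectations pinned by this test:
 * <ul>
 *   <li>Cluster-level operations (submitTopology, fileUpload, getNimbusConf, getClusterInfo,
 *       getSupervisorPageInfo) are allowed for the admin and both ordinary users and denied
 *       for the supervisor identity.</li>
 *   <li>fileDownload is allowed only for the admin and the supervisor identity.</li>
 *   <li>Topology-level operations are allowed for the admin and for users listed in
 *       {@code Config.TOPOLOGY_USERS} (here only "user-a"); the supervisor identity and
 *       "user-b" are denied.</li>
 * </ul>
 *
 * <p>Each assertion carries a "caller -> operation" message so that a regression in the
 * authorization matrix names the exact pair that changed. The calls are made in the same
 * order as before: per operation, admin, supervisor, user-a, user-b.
 */
@Test
public void SimpleACLUserAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    Collection<String> adminUserSet = new HashSet<>(Arrays.asList("admin"));
    Collection<String> supervisorUserSet = new HashSet<>(Arrays.asList("supervisor"));
    clusterConf.put(Config.NIMBUS_ADMINS, adminUserSet);
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, supervisorUserSet);
    // NOTE(review): Config.NIMBUS_USERS is not set here; the expectations below (both user-a
    // and user-b may submit) presumably rely on it being absent or empty in the loaded
    // defaults -- confirm against the configuration readStormConfig() returns.
    IAuthorizer authorizer = new SimpleACLAuthorizer();
    Subject adminUser = createSubject("admin");
    Subject supervisorUser = createSubject("supervisor");
    Subject userA = createSubject("user-a");
    Subject userB = createSubject("user-b");
    authorizer.prepare(clusterConf);

    // Column order of every expectation row below.
    Subject[] callers = {adminUser, supervisorUser, userA, userB};
    String[] callerNames = {"admin", "supervisor", "user-a", "user-b"};

    // Cluster-level operations open to admins and ordinary users, closed to the supervisor identity.
    String[] userClusterOps = {
        "submitTopology", "fileUpload", "getNimbusConf", "getClusterInfo", "getSupervisorPageInfo"
    };
    boolean[] userClusterExpected = {true, false, true, true};
    for (String op : userClusterOps) {
        for (int i = 0; i < callers.length; i++) {
            // A fresh, empty topology conf per call, exactly as the unrolled assertions did.
            boolean permitted = authorizer.permit(new ReqContext(callers[i]), op, new HashMap<>());
            Assert.assertEquals(callerNames[i] + " -> " + op, userClusterExpected[i], permitted);
        }
    }

    // fileDownload is the one cluster-level operation reserved for admin and supervisor identities.
    boolean[] downloadExpected = {true, true, false, false};
    for (int i = 0; i < callers.length; i++) {
        boolean permitted = authorizer.permit(new ReqContext(callers[i]), "fileDownload", new HashMap<>());
        Assert.assertEquals(callerNames[i] + " -> fileDownload", downloadExpected[i], permitted);
    }

    // Topology-level operations: only the admin and the users named in TOPOLOGY_USERS may act.
    Map<String, Object> topoConf = new HashMap<>();
    Collection<String> topologyUserSet = new HashSet<>(Arrays.asList("user-a"));
    topoConf.put(Config.TOPOLOGY_USERS, topologyUserSet);
    String[] topologyOps = {
        "killTopology", "rebalance", "activate", "deactivate",
        "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo",
        "getTopologyPageInfo", "getComponentPageInfo", "uploadNewCredentials",
        "setLogConfig", "setWorkerProfiler", "getWorkerProfileActionExpiry",
        "getComponentPendingProfileActions", "startProfiling", "stopProfiling",
        "dumpProfile", "dumpJstack", "dumpHeap", "debug", "getLogConfig"
    };
    boolean[] topologyExpected = {true, false, true, false};
    for (String op : topologyOps) {
        for (int i = 0; i < callers.length; i++) {
            boolean permitted = authorizer.permit(new ReqContext(callers[i]), op, topoConf);
            Assert.assertEquals(callerNames[i] + " -> " + op, topologyExpected[i], permitted);
        }
    }
}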
Also used : HashMap(java.util.HashMap) IAuthorizer(org.apache.storm.security.auth.IAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 7 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class DRPCTest method testNotStrict.

/**
 * Checks DRPC authorization with {@code Config.DRPC_AUTHORIZER_ACL_STRICT} set to false.
 *
 * <p>For the function "jump", which has an ACL entry, only "jump_topo" may call fetchRequest
 * and result, and only "jump_client" may call execute. For "not_jump", which has no ACL
 * entry, every call by every caller is expected to pass: in non-strict mode a function
 * without an entry is open to all callers.
 */
@Test
public void testNotStrict() throws Exception {
    // Each caller is an initially empty Subject that receives a single named principal.
    ReqContext topoCtx = new ReqContext(new Subject());
    SingleUserPrincipal topoPrincipal = new SingleUserPrincipal("jump_topo");
    topoCtx.subject().getPrincipals().add(topoPrincipal);

    ReqContext clientCtx = new ReqContext(new Subject());
    SingleUserPrincipal clientPrincipal = new SingleUserPrincipal("jump_client");
    clientCtx.subject().getPrincipals().add(clientPrincipal);

    ReqContext otherCtx = new ReqContext(new Subject());
    SingleUserPrincipal otherPrincipal = new SingleUserPrincipal("other");
    otherCtx.subject().getPrincipals().add(otherPrincipal);

    // The only ACL entry: "jump", built from the client's name and the topology's name.
    Map<String, AclFunctionEntry> jumpAcl = new HashMap<>();
    jumpAcl.put("jump", new AclFunctionEntry(Arrays.asList(clientPrincipal.getName()), topoPrincipal.getName()));

    Map<String, Object> conf = new HashMap<>();
    conf.put(Config.DRPC_AUTHORIZER_ACL_STRICT, false);
    conf.put(Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, DefaultPrincipalToLocal.class.getName());

    // Hand the in-memory ACL to the authorizer instead of whatever readAclFromConfig() would load.
    DRPCSimpleACLAuthorizer auth = new DRPCSimpleACLAuthorizer() {

        @Override
        protected Map<String, AclFunctionEntry> readAclFromConfig() {
            return jumpAcl;
        }
    };
    auth.prepare(conf);

    // "jump": fetchRequest and result belong to the topology side only.
    DRPC.checkAuthorization(topoCtx, auth, "fetchRequest", "jump");
    assertThrows(() -> DRPC.checkAuthorization(clientCtx, auth, "fetchRequest", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(otherCtx, auth, "fetchRequest", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(topoCtx, auth, "result", "jump");
    assertThrows(() -> DRPC.checkAuthorization(clientCtx, auth, "result", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(otherCtx, auth, "result", "jump"), AuthorizationException.class);
    // "jump": execute belongs to the client side only.
    assertThrows(() -> DRPC.checkAuthorization(topoCtx, auth, "execute", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(clientCtx, auth, "execute", "jump");
    assertThrows(() -> DRPC.checkAuthorization(otherCtx, auth, "execute", "jump"), AuthorizationException.class);

    // "not_jump" has no ACL entry; in non-strict mode every caller passes every operation.
    for (String op : new String[] {"fetchRequest", "result", "execute"}) {
        for (ReqContext caller : new ReqContext[] {topoCtx, clientCtx, otherCtx}) {
            DRPC.checkAuthorization(caller, auth, op, "not_jump");
        }
    }
}
Also used : HashMap(java.util.HashMap) AclFunctionEntry(org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer.AclFunctionEntry) DRPCSimpleACLAuthorizer(org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) SingleUserPrincipal(org.apache.storm.security.auth.SingleUserPrincipal) Subject(javax.security.auth.Subject) DefaultPrincipalToLocal(org.apache.storm.security.auth.DefaultPrincipalToLocal) Test(org.junit.Test)

Example 8 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class DRPCTest method testStrict.

/**
 * Checks DRPC authorization with {@code Config.DRPC_AUTHORIZER_ACL_STRICT} set to true.
 *
 * <p>For the function "jump", which has an ACL entry, only "jump_topo" may call fetchRequest
 * and result, and only "jump_client" may call execute. For "not_jump", which has no ACL
 * entry, every call by every caller is expected to be rejected with an
 * {@code AuthorizationException}: in strict mode a function without an entry is closed.
 */
@Test
public void testStrict() throws Exception {
    // Each caller is an initially empty Subject that receives a single named principal.
    ReqContext topoCtx = new ReqContext(new Subject());
    SingleUserPrincipal topoPrincipal = new SingleUserPrincipal("jump_topo");
    topoCtx.subject().getPrincipals().add(topoPrincipal);

    ReqContext clientCtx = new ReqContext(new Subject());
    SingleUserPrincipal clientPrincipal = new SingleUserPrincipal("jump_client");
    clientCtx.subject().getPrincipals().add(clientPrincipal);

    ReqContext otherCtx = new ReqContext(new Subject());
    SingleUserPrincipal otherPrincipal = new SingleUserPrincipal("other");
    otherCtx.subject().getPrincipals().add(otherPrincipal);

    // The only ACL entry: "jump", built from the client's name and the topology's name.
    Map<String, AclFunctionEntry> jumpAcl = new HashMap<>();
    jumpAcl.put("jump", new AclFunctionEntry(Arrays.asList(clientPrincipal.getName()), topoPrincipal.getName()));

    Map<String, Object> conf = new HashMap<>();
    conf.put(Config.DRPC_AUTHORIZER_ACL_STRICT, true);
    conf.put(Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, DefaultPrincipalToLocal.class.getName());

    // Hand the in-memory ACL to the authorizer instead of whatever readAclFromConfig() would load.
    DRPCSimpleACLAuthorizer auth = new DRPCSimpleACLAuthorizer() {

        @Override
        protected Map<String, AclFunctionEntry> readAclFromConfig() {
            return jumpAcl;
        }
    };
    auth.prepare(conf);

    // "jump": fetchRequest and result belong to the topology side only.
    DRPC.checkAuthorization(topoCtx, auth, "fetchRequest", "jump");
    assertThrows(() -> DRPC.checkAuthorization(clientCtx, auth, "fetchRequest", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(otherCtx, auth, "fetchRequest", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(topoCtx, auth, "result", "jump");
    assertThrows(() -> DRPC.checkAuthorization(clientCtx, auth, "result", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(otherCtx, auth, "result", "jump"), AuthorizationException.class);
    // "jump": execute belongs to the client side only.
    assertThrows(() -> DRPC.checkAuthorization(topoCtx, auth, "execute", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(clientCtx, auth, "execute", "jump");
    assertThrows(() -> DRPC.checkAuthorization(otherCtx, auth, "execute", "jump"), AuthorizationException.class);

    // "not_jump" has no ACL entry; in strict mode every caller is rejected for every operation.
    for (String op : new String[] {"fetchRequest", "result", "execute"}) {
        for (ReqContext caller : new ReqContext[] {topoCtx, clientCtx, otherCtx}) {
            assertThrows(() -> DRPC.checkAuthorization(caller, auth, op, "not_jump"), AuthorizationException.class);
        }
    }
}
Also used : HashMap(java.util.HashMap) AclFunctionEntry(org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer.AclFunctionEntry) DRPCSimpleACLAuthorizer(org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer) ReqContext(org.apache.storm.security.auth.ReqContext) SingleUserPrincipal(org.apache.storm.security.auth.SingleUserPrincipal) Subject(javax.security.auth.Subject) DefaultPrincipalToLocal(org.apache.storm.security.auth.DefaultPrincipalToLocal) Test(org.junit.Test)

Example 9 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class NimbusClient method getConfiguredClientAs.

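/**
 * Get a nimbus client as configured by conf.
 *
 * <p>The user to act as is resolved in this order: {@code Config.STORM_DO_AS_USER} from the
 * merged configuration (it overrides {@code asUser}), then the {@code asUser} argument, then
 * the name of the principal in the current {@link ReqContext}. The resolved name is only
 * passed on to the {@link NimbusClient} constructor; this method performs no authorization
 * check of its own.
 *
 * <p>The merged configuration is built from the storm config files, then the command line
 * options, then {@code conf}, with later sources overriding earlier ones.
 *
 * @param conf the configuration to use.
 * @param asUser the user to impersonate (this does not always work).
 * @param timeout the timeout to use when connecting.
 * @return the client, don't forget to close it when done.
 * @throws NimbusLeaderNotFoundException if no seed host yields a leader, or if
 *     {@code Config.NIMBUS_SEEDS} is missing or empty.
 */
public static NimbusClient getConfiguredClientAs(Map<String, Object> conf, String asUser, Integer timeout) {
    Nimbus.Iface override = _localOverrideClient;
    if (override != null) {
        // A local override short-circuits everything: conf, asUser and timeout are ignored.
        return new NimbusClient(override);
    }
    Map<String, Object> fullConf = Utils.readStormConfig();
    fullConf.putAll(Utils.readCommandLineOpts());
    fullConf.putAll(conf);
    conf = fullConf;
    if (conf.containsKey(Config.STORM_DO_AS_USER)) {
        if (asUser != null && !asUser.isEmpty()) {
            // Fixed: the message had one placeholder for two arguments, so the configured
            // user that actually wins was never logged.
            LOG.warn("You have specified a doAsUser as param {} and a doAsParam as config {}, config will take precedence.", asUser, conf.get(Config.STORM_DO_AS_USER));
        }
        asUser = (String) conf.get(Config.STORM_DO_AS_USER);
    }
    if (asUser == null || asUser.isEmpty()) {
        // The user is not set so lets see what the request context is.
        ReqContext context = ReqContext.context();
        Principal principal = context.principal();
        asUser = principal == null ? null : principal.getName();
        LOG.debug("Will impersonate {} based off of request context.", asUser);
    }
    List<String> seeds = (List<String>) conf.get(Config.NIMBUS_SEEDS);
    // A missing seed list now falls through to the descriptive exception at the end
    // instead of failing with a NullPointerException in the loop header.
    if (seeds != null) {
        for (String host : seeds) {
            int port = Integer.parseInt(conf.get(Config.NIMBUS_THRIFT_PORT).toString());
            NimbusSummary nimbusSummary;
            NimbusClient client = null;
            try {
                client = new NimbusClient(conf, host, port, timeout, asUser);
                nimbusSummary = client.getClient().getLeader();
                if (nimbusSummary != null) {
                    String leaderNimbus = nimbusSummary.get_host() + ":" + nimbusSummary.get_port();
                    if (shouldLogLeader(leaderNimbus)) {
                        LOG.info("Found leader nimbus : {}", leaderNimbus);
                    }
                    if (nimbusSummary.get_host().equals(host) && nimbusSummary.get_port() == port) {
                        // The seed is the leader: hand the open client to the caller and
                        // clear the local so the finally block does not close it.
                        NimbusClient ret = client;
                        client = null;
                        return ret;
                    }
                    try {
                        return new NimbusClient(conf, nimbusSummary.get_host(), nimbusSummary.get_port(), timeout, asUser);
                    } catch (TTransportException e) {
                        // NOTE(review): this RuntimeException is thrown inside the outer try,
                        // so the catch (Exception) below logs it and moves to the next seed;
                        // it does not reach the caller.
                        throw new RuntimeException("Failed to create a nimbus client for the leader " + leaderNimbus, e);
                    }
                }
            } catch (Exception e) {
                LOG.warn("Ignoring exception while trying to get leader nimbus info from " + host + ". will retry with a different seed host.", e);
                continue;
            } finally {
                // Closes the probe client on every path except the one that returned it.
                if (client != null) {
                    client.close();
                }
            }
            // Reached only when the seed answered without error but reported no leader;
            // the remaining seeds are not tried in that case.
            throw new NimbusLeaderNotFoundException("Could not find a nimbus leader, please try again after some time.");
        }
    }
    throw new NimbusLeaderNotFoundException("Could not find leader nimbus from seed hosts " + seeds + ". " + "Did you specify a valid list of nimbus hosts for config " + Config.NIMBUS_SEEDS + "?");
}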
Also used : TTransportException(org.apache.storm.thrift.transport.TTransportException) ReqContext(org.apache.storm.security.auth.ReqContext) NimbusSummary(org.apache.storm.generated.NimbusSummary) TTransportException(org.apache.storm.thrift.transport.TTransportException) Nimbus(org.apache.storm.generated.Nimbus) List(java.util.List) Principal(java.security.Principal)

Example 10 with ReqContext

use of org.apache.storm.security.auth.ReqContext in project storm by apache.

the class SimpleACLAuthorizerTest method SimpleACLNimbusUserAuthTest.

/**
 * Checks {@link SimpleACLAuthorizer} when {@code Config.NIMBUS_USERS} is restricted to
 * "user-a": that user may submit a topology while "user-b" may not. The admin is still
 * allowed fileUpload and the supervisor identity is still allowed fileDownload.
 */
@Test
public void SimpleACLNimbusUserAuthTest() {
    Map<String, Object> conf = ConfigUtils.readStormConfig();
    conf.put(Config.NIMBUS_ADMINS, new HashSet<>(Arrays.asList("admin")));
    conf.put(Config.NIMBUS_SUPERVISOR_USERS, new HashSet<>(Arrays.asList("supervisor")));
    // With an explicit NIMBUS_USERS list, only the listed user is expected to submit.
    conf.put(Config.NIMBUS_USERS, new HashSet<>(Arrays.asList("user-a")));

    IAuthorizer acl = new SimpleACLAuthorizer();
    Subject admin = createSubject("admin");
    Subject supervisor = createSubject("supervisor");
    Subject listedUser = createSubject("user-a");
    Subject unlistedUser = createSubject("user-b");
    acl.prepare(conf);

    boolean listedMaySubmit = acl.permit(new ReqContext(listedUser), "submitTopology", new HashMap<>());
    Assert.assertTrue(listedMaySubmit);

    boolean unlistedMaySubmit = acl.permit(new ReqContext(unlistedUser), "submitTopology", new HashMap<>());
    Assert.assertFalse(unlistedMaySubmit);

    boolean adminMayUpload = acl.permit(new ReqContext(admin), "fileUpload", new HashMap<>());
    Assert.assertTrue(adminMayUpload);

    boolean supervisorMayDownload = acl.permit(new ReqContext(supervisor), "fileDownload", new HashMap<>());
    Assert.assertTrue(supervisorMayDownload);
}

Aggregations

ReqContext (org.apache.storm.security.auth.ReqContext)11 HashMap (java.util.HashMap)7 Subject (javax.security.auth.Subject)6 Test (org.junit.Test)6 HashSet (java.util.HashSet)5 Principal (java.security.Principal)4 IAuthorizer (org.apache.storm.security.auth.IAuthorizer)4 SingleUserPrincipal (org.apache.storm.security.auth.SingleUserPrincipal)3 IOException (java.io.IOException)2 Map (java.util.Map)2 AuthorizationException (org.apache.storm.generated.AuthorizationException)2 DefaultPrincipalToLocal (org.apache.storm.security.auth.DefaultPrincipalToLocal)2 DRPCSimpleACLAuthorizer (org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer)2 AclFunctionEntry (org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer.AclFunctionEntry)2 TException (org.apache.storm.thrift.TException)2 InterruptedIOException (java.io.InterruptedIOException)1 BindException (java.net.BindException)1 InetAddress (java.net.InetAddress)1 List (java.util.List)1 NavigableMap (java.util.NavigableMap)1